Totara Release Notes

Totara Learn Evergreen-20180514, 11.3, 10.9, 9.20, 2.9.32, 2.7.40, 2.6.57, 2.5.64, 2.4.63, 2.2.67

 
David Curry (Core Developer)
Totara Learn Evergreen-20180514, 11.3, 10.9, 9.20, 2.9.32, 2.7.40, 2.6.57, 2.5.64, 2.4.63, 2.2.67
de David Curry (Core Developer) - Sunday, 13 de May de 2018, 23:32
Grupo Totara
Hello Everyone, 


 The following versions of Totara have now been released: 

* Evergreen-20180514
* 11.3
* 10.9
* 9.20
* 2.9.32
* 2.7.40
* 2.6.57
* 2.5.64
* 2.4.63
* 2.2.67 

These versions do contain security fixes and for this reason we strongly recommend upgrading. Each release also includes bug fixes and improvements. 

Thanks to the following people for their contributions to this release: 

 * Marcin Czarnecki at Kineo UK - TL-17387 


Kind Regards,
David Curry

Release Evergreen (14th May 2018):


Key:           + Evergreen only

Security issues:

    TL-17382       Mustache str, pix, and flex helpers no longer support recursive helpers

                   A serious security issue was found in the way in which the String, Pix
                   icon, and Flex icon Mustache helpers processed variable data.
                   An attacker could craft content that would use this parsing to instantiate
                   unexpected helpers and allow them to access context data they should be
                   able to access, and in some cases to allow them to get malicious JavaScript
                   into pages viewed by other users.
                   Failed attempts to get malicious JavaScript into the page could still lead
                   to parsing issues, encoding issues, and JSON encoding issues. Some of which
                   may lead to other exploits.
                   
                   To fix this all three Mustache helpers have been rewritten with new secure
                   API's.
                   The old API's will continue to function in Totara 11, and below.
                   In this Evergreen release and above the new API's should be used, as the
                   old API's have been deprecated to ensure templates are secure.
                   
                   The API changes are as follows. In all cases all core uses have been
                   converted already.
                   If you are using customisations that make use of mustache templates and any
                   of the following helpers we recommend you review those templates as part of
                   the upgrade process.
                   
                   String helper
                   -------------
                   Old API: {{#str}}Identifier, Component, $a (either a string or json
                   containing user data){{/str}}
                   New API: {{#str}}Identifier, Component, A identifier, A component{{/str}}
                   Change notes:
                   It is no longer allowed to pass JSON encoded data as $a, nor to put user
                   data variables into it.
                   The old API has been deprecated, code using it will continue to work but
                   debugging notices will be generated.
                   Support for the old API will be removed in the future.
                   The new API replaces the $a argument with two new arguments that allow a
                   second string to be specified, allowing for one string to be used within
                   another.
                   Conversion notes:
                   If you are not using $a you don't need to change anything.
                   Otherwise if you need to use user data variables within a string you must
                   now prepare the string and include it within the context data. This will
                   need to be done in the PHP handler, and the JS handler if there is one.
                   You should ensure that you sanitise and clean any user data you are using
                   within a string.
                   
                   Flex icon helper
                   ----------------
                   Old API: {{#flex_icon}}Identifier, JSON data (which can contain user
                   data){{/flex_icon}}
                   New API: {{#flex_icon}}Identifier, Alt identifier, Alt component,
                   classes{{/flex_icon}}
                   Change notes:
                   Providing JSON encoded data is no longer supported. Nor can user data
                   variables be passed as any argument.
                   The old API has been deprecated, code using it will continue to work but
                   debugging notices will be generated.
                   Support for the old API will be removed in the future.
                   Conversion notes:
                   For common uses of the helper the new API should be suitable, and is easily
                   converted to. Alt identifier, and alt component are a string identifier and
                   component that point to the alt string in the language system.
                   Classes is a string of space separated list of classes.
                   If you need to set additional HTML attributes, or use user data in the alt
                   text then you will need to change your template so that it no longer uses
                   the helper, and instead uses the flex icon template as a partial.
                   You can find more information about this in our document on [flex
                   icons|https://help.totaralearning.com/display/DEV/Flexible+Icons+API].
                   
                   Pix icon helper
                   ---------------
                   Old API: {{#pix}}Identifier, Component, Alt text{{/pix}}
                   New API: {{#pix}}Identifier, Component, Alt identifier, Alt
                   component{{/pix}}
                   Change notes:
                   Alt text must now point to a translated string, and can no longer contain
                   user data variables.
                   The new API now accepts a string identifier and component pointing to a
                   translated string to use as alt text.
                   The old API has been deprecated, code using it will continue to work but
                   debugging notices will be generated.
                   Support for the old API will be removed in the future.
                   Conversion notes:
                   If the string is a translated string then conversion to the new API should
                   be simple.
                   If you need to use user data variables within the alt text you must now
                   prepare the string and include it within the context data, and change the
                   template to use the pix icon partial template instead of the helper.

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Improvements:

    TL-12620       Automated the selection of job assignments upon a users assignment to an appraisal when possible

                   When an appraisal is activated or when learners are dynamically or manually
                   added to an active appraisal, a learner's job assignment is now
                   automatically linked to their appraisal assignment. Before this change, the
                   learner had to open the appraisal for this to happen.
                   
                   This will only come into effect if the setting "Allow multiple job
                   assignments" is turned OFF.
                   
                   If a user has multiple job assignments, this automatic assignment will not
                   apply. If a user has no job assignment, an empty job assignment will still
                   be automatically created.

    TL-16139   +   Added the ability to add icons into static tiles in the featured links block

                   In the edit content form of a featured links block, there is now an option
                   to select an icon that will show in the background at various sizes. The
                   available icons are all from the themes that have been installed.

    TL-16140   +   Added the ability for gallery tiles in the featured links block to contain other tiles

                   Gallery tile content is now based on other tiles rather than a set of
                   images. Each tile in a gallery tile still has all the normal configuration
                   and visibility associated with it, along with an additional meta tile
                   interface for any tile that can contain other tiles. This is so that meta
                   tiles can define that they cannot contain other meta tiles. There is a new
                   database column for parentid added to the block_totara_featured_links_tiles
                   table, this remembers the relationship between the gallery tile and sub
                   tiles.
                   
                   Note: If there are any custom tiles based on the gallery tile then there is
                   a high probability that they will no longer work as they used to, as the
                   templates and structure has changed.

    TL-16143   +   Added more configuration options to the Gallery Tile in the Featured Links block

                   Options Added:
                    * Transition
                    ** Fade
                    ** Slide
                    * Order
                    ** Random
                    ** Sequential
                    * Controls
                    ** Prev/Next (Arrows on side of tile)
                    ** Position indicator (Dots at the bottom)
                    * Autoplay (Whether the gallery tile should automatically move)
                    * Repeat (If the tile should go back to the start when it gets to the
                   end)
                    * Pause on hover (if hovering over the tile then it will stop moving)
                   
                   The switcher.js JavaScript that changes the gallery tile has been rewritten
                   to use the 3rd party library Slick. This caused large changes to the
                   structure of the html as Slick added a number of elements.

    TL-16178   +   Atto autosave notifications now use standardised components

                   This will require themes using less inheritance to re-compile their CSS

    TL-16344       Implemented user data item for the "Self-registration with approval" authentication plugin
    TL-16356       Implemented user data item for the database module
    TL-16738       Implemented user data items for grades

                   The following user data items have been introduced:
                    * Grades - This item takes care of the Gradebook records, supporting both
                   export and purge.
                    * Temp import - This item is a fail-safe cleanup for the tables which are
                   used by grade import script for temporary storage, supporting only purge.
                    * Improved Individual assignments item - This item includes feedback and
                   grades awarded via advanced grading (Guide and Rubric), supporting both
                   purge and export.

    TL-16912   +   Added JavaScript polyfill in IE11 to support basic ECMAScript 6 functionality

                   More information can be found here:
                   https://help.totaralearning.com/display/DEV/ES+6+functionality

    TL-16958       Updated language strings to replace outdated references to system roles

                   This issue is a follow up to TL-16582 with further updates to language
                   strings to ensure any outdated references to systems roles are corrected
                   and consistent, in particular changing student to learner and teacher to
                   trainer.

    TL-17142       Enabled use of the HTML editor when creating site policy statements and added the ability to preview

                   An HTML editor is now used when adding and editing Site Policy statements
                   and translations. A preview function was also added. This enables the
                   policy creator to view how the policy will be rendered to users.
                   
                   Anyone upgrading from an earlier version of Totara 11 who has previously
                   added site policies and wants to use html formatting will need to:
                    * Edit the policy text
                    * The text will still be displayed in a text editor, but you will have an
                   option to change the entered format
                    * Make sure you have a copy of the current text somewhere (copy/paste)
                    * Change the format to "HTML format"
                    * Save and re-open the policy OR Preview and click "Continue editing". The
                   policy text will be shown in the HTML editor but will most likely contain
                   no formatting
                    * Replace the current (unformatted) text by pasting back in the copy of
                   the original text
                    * Save

    TL-17383       Improved the wording and grouping of user data items
    TL-17450   +   Added full width top and bottom block regions to the homepage and dashboard

                   In addition to existing block regions (side-pre, main, side-post), there
                   are now 2 new regions (top, bottom) that can show blocks as well.
                   
                   Note: Just because existing blocks can be shown in these regions does not
                   mean those blocks are suited to these areas. There could be excess space or
                   undesirable aesthetics involved. The best blocks for these new regions are
                   those that can display their information in wide columns, for example
                   tabular data, listings or banners.


Bug fixes:

    TL-6476        Removed the weekday-textual and month-textual options from the data source selector for report builder graphs

                   The is_graphable() method was changed to return false for the
                   weekday-textual and month-textual, stopping them from being selected in the
                   data source of a graph. This will not change existing graphs that contain
                   these fields, however if they are edited then a new data source will have
                   to be chosen. You can still display the weekday or month in a data source
                   by using the numeric form.

    TL-15037       Fixed name_link display function of the "Event name" column for the site log report source

                   The Event name (linked to event source) column in the Site Logs reporting
                   source was not fully restoring the event data.

    TL-17387       Fixed managers not being able to allocate reserved spaces when an event was fully booked
    TL-17442       Ensured that the 'deleted' field is displayed correctly in the list of source fields for HR Import
    TL-17458       Fixed a PHP undefined property notice, $allow_delete within the HR Import source settings
    TL-17471       Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
    TL-17485       Stopped irrelevant instructions being shown on some of the plan component detail pages

                   The plan header includes instructions about the component and adding a new
                   one. For objectives, competencies, and programs, the instructions were
                   being shown on both the main page, which lists the component items, and the
                   detail page for each item. These instructions were confusing and irrelevant
                   on the details pages so they have been removed.

    TL-17487       Fixed the completion progress bar not updating the percentage correctly in the "Record of Learning: Courses" report
    TL-17509       Fixed the time assigned column for program and certification report sources

                   The time assigned column for the program completion, program overview,
                   certification completion, and certification overview sources previously
                   displayed the data for timestarted, this patch has two main parts:
                   
                   1) Changes the default header of the current column to "Time started" to be
                   consistent with what it displays
                   2) Adds a new column "Time assigned" to the report source that displays the
                   expected data
                   
                   This means that any existing sites that have a report based on one of the
                   affected sources may want to edit the columns for the report and either add
                   or switch over to the new time assigned column.

    TL-17522       Fixed inconsistent styling on the "Add new objective" button in learning plans

                   The padding on the "Add new objective" button was inconsistent with the
                   same button in other components. The missing class has been added to make
                   the styling consistent.

    TL-17528       Removed some duplicated content from the audience member alert notification
    TL-17534       Stopped time being added by the Totara form utc10 date picker

                   TL-16921 introduced the date time pickers of the utc10 totara form element.
                   As an unintended consequence, the time was being added by the input element
                   that caused validation to fail. This patch stops the time being added by
                   the date picker

    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Contributions:

    * Marcin Czarnecki at Kineo UK - TL-17387

Release 11.3 (14th May 2018):



Security issues:

    TL-17382       Mustache str, pix, and flex helpers no longer support recursive helpers

                   A serious security issue was found in the way in which the String, Pix
                   icon, and Flex icon Mustache helpers processed variable data.
                   An attacker could craft content that would use this parsing to instantiate
                   unexpected helpers and allow them to access context data they should be
                   able to access, and in some cases to allow them to get malicious JavaScript
                   into pages viewed by other users.
                   Failed attempts to get malicious JavaScript into the page could still lead
                   to parsing issues, encoding issues, and JSON encoding issues. Some of which
                   may lead to other exploits.

                   To fix this all uses of these three mustache helpers in core code have been
                   reviewed, and any uses of them that were using user data variables have
                   been updated to ensure that they are secure.
                   
                   In this months Evergreen release and above the API for these three helpers
                   has been revised. User data variables can no longer be used in Mustache
                   template helpers.
                   
                   We strongly recommend all users review any customisations they have that
                   make use of Mustache templates to ensure that any helpers being used don't
                   make use of context data variables coming from user input.
                   If you find helpers that are using variables containing user data we
                   strongly recommend preparing new pre-resolved context variables in PHP or
                   JavaScript and not passing that information through the helpers.

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Improvements:

    TL-12620       Automated the selection of job assignments upon a users assignment to an appraisal when possible

                   When an appraisal is activated or when learners are dynamically or manually
                   added to an active appraisal, a learner's job assignment is now
                   automatically linked to their appraisal assignment. Before this change, the
                   learner had to open the appraisal for this to happen.
                   
                   This will only come into effect if the setting "Allow multiple job
                   assignments" is turned OFF.
                   
                   If a user has multiple job assignments, this automatic assignment will not
                   apply. If a user has no job assignment, an empty job assignment will still
                   be automatically created.

    TL-16344       Implemented user data item for the "Self-registration with approval" authentication plugin
    TL-16356       Implemented user data item for the database module
    TL-16738       Implemented user data items for grades

                   The following user data items have been introduced:
                    * Grades - This item takes care of the Gradebook records, supporting both
                   export and purge.
                    * Temp import - This item is a fail-safe cleanup for the tables which are
                   used by grade import script for temporary storage, supporting only purge.
                    * Improved Individual assignments item - This item includes feedback and
                   grades awarded via advanced grading (Guide and Rubric), supporting both
                   purge and export.

    TL-16958       Updated language strings to replace outdated references to system roles

                   This issue is a follow up to TL-16582 with further updates to language
                   strings to ensure any outdated references to systems roles are corrected
                   and consistent, in particular changing student to learner and teacher to
                   trainer.

    TL-17142       Enabled use of the HTML editor when creating site policy statements and added the ability to preview

                   An HTML editor is now used when adding and editing Site Policy statements
                   and translations. A preview function was also added. This enables the
                   policy creator to view how the policy will be rendered to users.
                   
                   Anyone upgrading from an earlier version of Totara 11 who has previously
                   added site policies and wants to use html formatting will need to:
                    * Edit the policy text
                    * The text will still be displayed in a text editor, but you will have an
                   option to change the entered format
                    * Make sure you have a copy of the current text somewhere (copy/paste)
                    * Change the format to "HTML format"
                    * Save and re-open the policy OR Preview and click "Continue editing". The
                   policy text will be shown in the HTML editor but will most likely contain
                   no formatting
                    * Replace the current (unformatted) text by pasting back in the copy of
                   the original text
                    * Save

    TL-17383       Improved the wording and grouping of user data items

Bug fixes:

    TL-6476        Removed the weekday-textual and month-textual options from the data source selector for report builder graphs

                   The is_graphable() method was changed to return false for the
                   weekday-textual and month-textual, stopping them from being selected in the
                   data source of a graph. This will not change existing graphs that contain
                   these fields, however if they are edited then a new data source will have
                   to be chosen. You can still display the weekday or month in a data source
                   by using the numeric form.

    TL-15037       Fixed name_link display function of the "Event name" column for the site log report source

                   The Event name (linked to event source) column in the Site Logs reporting
                   source was not fully restoring the event data.

    TL-17387       Fixed managers not being able to allocate reserved spaces when an event was fully booked
    TL-17442       Ensured that the 'deleted' field is displayed correctly in the list of source fields for HR Import
    TL-17458       Fixed a PHP undefined property notice, $allow_delete within the HR Import source settings
    TL-17471       Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
    TL-17485       Stopped irrelevant instructions being shown on some of the plan component detail pages

                   The plan header includes instructions about the component and adding a new
                   one. For objectives, competencies, and programs, the instructions were
                   being shown on both the main page, which lists the component items, and the
                   detail page for each item. These instructions were confusing and irrelevant
                   on the details pages so they have been removed.

    TL-17487       Fixed the completion progress bar not updating the percentage correctly in the "Record of Learning: Courses" report
    TL-17509       Fixed the time assigned column for program and certification report sources

                   The time assigned column for the program completion, program overview,
                   certification completion, and certification overview sources previously
                   displayed the data for timestarted, this patch has two main parts:
                   
                   1) Changes the default header of the current column to "Time started" to be
                   consistent with what it displays
                   2) Adds a new column "Time assigned" to the report source that displays the
                   expected data
                   
                   This means that any existing sites that have a report based on one of the
                   affected sources may want to edit the columns for the report and either add
                   or switch over to the new time assigned column.

    TL-17522       Fixed inconsistent styling on the "Add new objective" button in learning plans

                   The padding on the "Add new objective" button was inconsistent with the
                   same button in other components. The missing class has been added to make
                   the styling consistent.

    TL-17528       Removed some duplicated content from the audience member alert notification
    TL-17534       Stopped time being added by the Totara form utc10 date picker

                   TL-16921 introduced the date time pickers of the utc10 totara form element.
                   As an unintended consequence, the time was being added by the input element
                   that caused validation to fail. This patch stops the time being added by
                   the date picker

    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Contributions:

    * Marcin Czarnecki at Kineo UK - TL-17387    

Release 10.9 (14th May 2018):



Security issues:

    TL-17382       Mustache str, pix, and flex helpers no longer support recursive helpers

                   A serious security issue was found in the way in which the String, Pix
                   icon, and Flex icon Mustache helpers processed variable data.
                   An attacker could craft content that would use this parsing to instantiate
                   unexpected helpers and allow them to access context data they should be
                   able to access, and in some cases to allow them to get malicious JavaScript
                   into pages viewed by other users.
                   Failed attempts to get malicious JavaScript into the page could still lead
                   to parsing issues, encoding issues, and JSON encoding issues. Some of which
                   may lead to other exploits.

                   To fix this all uses of these three mustache helpers in core code have been
                   reviewed, and any uses of them that were using user data variables have
                   been updated to ensure that they are secure.
                   
                   In this months Evergreen release and above the API for these three helpers
                   has been revised. User data variables can no longer be used in Mustache
                   template helpers.
                   
                   We strongly recommend all users review any customisations they have that
                   make use of Mustache templates to ensure that any helpers being used don't
                   make use of context data variables coming from user input.
                   If you find helpers that are using variables containing user data we
                   strongly recommend preparing new pre-resolved context variables in PHP or
                   JavaScript and not passing that information through the helpers.

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Improvements:

    TL-16958       Updated language strings to replace outdated references to system roles

                   This issue is a follow up to TL-16582 with further updates to language
                   strings to ensure any outdated references to systems roles are corrected
                   and consistent, in particular changing student to learner and teacher to
                   trainer.


Bug fixes:

    TL-6476        Removed the weekday-textual and month-textual options from the data source selector for report builder graphs

                   The is_graphable() method was changed to return false for the
                   weekday-textual and month-textual, stopping them from being selected in the
                   data source of a graph. This will not change existing graphs that contain
                   these fields, however if they are edited then a new data source will have
                   to be chosen. You can still display the weekday or month in a data source
                   by using the numeric form.

    TL-15037       Fixed name_link display function of the "Event name" column for the site log report source

                   The Event name (linked to event source) column in the Site Logs reporting
                   source was not fully restoring the event data.

    TL-17387       Fixed managers not being able to allocate reserved spaces when an event was fully booked
    TL-17471       Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
    TL-17485       Stopped irrelevant instructions being shown on some of the plan component detail pages

                   The plan header includes instructions about the component and adding a new
                   one. For objectives, competencies, and programs, the instructions were
                   being shown on both the main page, which lists the component items, and the
                   detail page for each item. These instructions were confusing and irrelevant
                   on the details pages so they have been removed.

    TL-17487       Fixed the completion progress bar not updating the percentage correctly in the "Record of Learning: Courses" report
    TL-17509       Fixed the time assigned column for program and certification report sources

                   The time assigned column for the program completion, program overview,
                   certification completion, and certification overview sources previously
                   displayed the data for timestarted, this patch has two main parts:
                   
                   1) Changes the default header of the current column to "Time started" to be
                   consistent with what it displays
                   2) Adds a new column "Time assigned" to the report source that displays the
                   expected data
                   
                   This means that any existing sites that have a report based on one of the
                   affected sources may want to edit the columns for the report and either add
                   or switch over to the new time assigned column.

    TL-17522       Fixed inconsistent styling on the "Add new objective" button in learning plans

                   The padding on the "Add new objective" button was inconsistent with the
                   same button in other components. The missing class has been added to make
                   the styling consistent.

    TL-17528       Removed some duplicated content from the audience member alert notification
    TL-17534       Stopped time being added by the Totara form utc10 date picker

                   TL-16921 introduced the date time pickers of the utc10 totara form element.
                   As an unintended consequence, the time was being added by the input element
                   that caused validation to fail. This patch stops the time being added by
                   the date picker

    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Contributions:

    * Marcin Czarnecki at Kineo UK - TL-17387  

Release 9.20 (14th May 2018):



Security issues:

    TL-17382       Mustache str, pix, and flex helpers no longer support recursive helpers

                   A serious security issue was found in the way in which the String, Pix
                   icon, and Flex icon Mustache helpers processed variable data.
                   An attacker could craft content that would use this parsing to instantiate
                   unexpected helpers and allow them to access context data they should be
                   able to access, and in some cases to allow them to get malicious JavaScript
                   into pages viewed by other users.
                   Failed attempts to get malicious JavaScript into the page could still lead
                   to parsing issues, encoding issues, and JSON encoding issues. Some of which
                   may lead to other exploits.

                   To fix this all uses of these three mustache helpers in core code have been
                   reviewed, and any uses of them that were using user data variables have
                   been updated to ensure that they are secure.
                   
                   In this months Evergreen release and above the API for these three helpers
                   has been revised. User data variables can no longer be used in Mustache
                   template helpers.
                   
                   We strongly recommend all users review any customisations they have that
                   make use of Mustache templates to ensure that any helpers being used don't
                   make use of context data variables coming from user input.
                   If you find helpers that are using variables containing user data we
                   strongly recommend preparing new pre-resolved context variables in PHP or
                   JavaScript and not passing that information through the helpers.

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Improvements:

    TL-16958       Updated language strings to replace outdated references to system roles

                   This issue is a follow up to TL-16582 with further updates to language
                   strings to ensure any outdated references to systems roles are corrected
                   and consistent, in particular changing student to learner and teacher to
                   trainer.


Bug fixes:

    TL-6476        Removed the weekday-textual and month-textual options from the data source selector for report builder graphs

                   The is_graphable() method was changed to return false for the
                   weekday-textual and month-textual, stopping them from being selected in the
                   data source of a graph. This will not change existing graphs that contain
                   these fields, however if they are edited then a new data source will have
                   to be chosen. You can still display the weekday or month in a data source
                   by using the numeric form.

    TL-15037       Fixed name_link display function of the "Event name" column for the site log report source

                   The Event name (linked to event source) column in the Site Logs reporting
                   source was not fully restoring the event data.

    TL-17387       Fixed managers not being able to allocate reserved spaces when an event was fully booked
    TL-17471       Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
    TL-17528       Removed some duplicated content from the audience member alert notification
    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Contributions:

    * Marcin Czarnecki at Kineo UK - TL-17387  

Release 2.9.32 (14th May 2018):



Security issues:

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Improvements:

    TL-16958       Updated language strings to replace outdated references to system roles

                   This issue is a follow up to TL-16582 with further updates to language
                   strings to ensure any outdated references to systems roles are corrected
                   and consistent, in particular changing student to learner and teacher to
                   trainer.


Bug fixes:

    TL-6476        Removed the weekday-textual and month-textual options from the data source selector for report builder graphs

                   The is_graphable() method was changed to return false for the
                   weekday-textual and month-textual, stopping them from being selected in the
                   data source of a graph. This will not change existing graphs that contain
                   these fields, however if they are edited then a new data source will have
                   to be chosen. You can still display the weekday or month in a data source
                   by using the numeric form.

    TL-17387       Fixed managers not being able to allocate reserved spaces when an event was fully booked
    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Contributions:

    * Marcin Czarnecki at Kineo UK - TL-17387

:

    TL-17389       

Release 2.7.40 (14th May 2018):



Security issues:

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Bug fixes:

    TL-6476        Removed the weekday-textual and month-textual options from the data source selector for report builder graphs

                   The is_graphable() method was changed to return false for the
                   weekday-textual and month-textual, stopping them from being selected in the
                   data source of a graph. This will not change existing graphs that contain
                   these fields, however if they are edited then a new data source will have
                   to be chosen. You can still display the weekday or month in a data source
                   by using the numeric form.

    TL-17387       Fixed managers not being able to allocate reserved spaces when an event was fully booked
    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Contributions:

    * Marcin Czarnecki at Kineo UK - TL-17387

Release 2.6.57 (14th May 2018):



Security issues:

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Bug fixes:

    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Release 2.5.64 (14th May 2018):



Security issues:

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Bug fixes:

    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Release 2.4.63 (14th May 2018):



Security issues:

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins
    TL-17527       Seminar attendance can no longer be used to export sensitive user data

                   Previously it was possible for a site administrator to configure Seminar
                   attendance exports to contain sensitive user data, such as a user's hashed
                   password. User fields containing sensitive data can no longer be included
                   in Seminar attendance exports.


Bug fixes:

    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly

Release 2.2.67 (14th May 2018):



Security issues:

    TL-17436       Added additional validation on caller component when exporting to portfolio
    TL-17440       Added additional validation when exporting forum attachments using portfolio plugins
    TL-17445       Added additional validation when exporting assignments using portfolio plugins

Bug fixes:

    TL-17535       Fixed hard-coded links to the community site that were not being redirected properly