Hello everyone,
The following versions of Totara Learn have now been released:
- Release 11.9
- Release 10.15
- Release 9.26
- Release 2.9.38
- Release 2.7.46
- Release 2.6.63
- Release 2.5.69
- Release 2.4.66
- Release 2.2.70
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
Kind regards
Sam Hemelryk
Release 11.9 (4th December 2018):
Security issues:
TL-19028 | SCORM package download protection is now on by default. Previously this setting was off by default; turning it on makes sites more secure by default.
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 | Backported MDL-64222 security fix for badges
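The TL-19365 entry above explains the symptom (alternate login pages bounce to the regular page, then the retry succeeds) but not the mechanism. The following is an added illustration in Python, not Totara Learn code and not the mechanism Totara actually implements: it shows what login CSRF is, why a login form needs a token bound to the pre-authentication session, and why a login page that does not render that token (an alternate login page, or a custom auth plugin's own form) is indistinguishable from a cross-site forgery. The credential table, session dictionaries and the "retry"/"ok"/"denied" outcomes are constructed for the demo; the page does not name the config.php setting that disables the check, so none is shown here.

```python
"""Login CSRF: why the login form needs a per-session token, and how to validate it.

Illustrative Python, not Totara Learn code. The session store, USERS table and
credentials are constructed for the demo; the token mechanism mirrors the
general technique (hidden form field bound to the pre-authentication session).
"""
import hmac
import secrets

# Constructed credential table for the demo. On a self-registration site an
# attacker always holds a valid account, so "known attacker password" is the
# realistic case for login CSRF.
USERS = {"attacker": "hunter2", "alice": "correct horse battery staple"}


def get_login_token(session):
    """Issue (or reuse) the token the server renders into the login form's hidden field.

    The token lives in the pre-authentication session, so a third-party page
    cannot obtain it: the same-origin policy stops the attacker's site from
    reading the victim's login page and extracting the value.
    """
    if "logintoken" not in session:
        session["logintoken"] = secrets.token_hex(16)
    return session["logintoken"]


def validate_login_token(session, submitted):
    """Consume the session token and compare it in constant time.

    Consuming on every attempt (success or failure) means a captured token
    cannot be replayed; the login page simply issues a fresh one on reload,
    which is the "retry and it succeeds" behaviour the release notes describe.
    """
    expected = session.pop("logintoken", None)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def login_without_csrf_check(session, username, password):
    """Pre-fix behaviour: any POST carrying valid credentials logs the session in."""
    if USERS.get(username) == password:
        session["user"] = username
        return "ok"
    return "denied"


def login_with_csrf_check(session, username, password, logintoken):
    """Post-fix behaviour: the token check runs before credentials are considered."""
    if not validate_login_token(session, logintoken):
        return "retry"  # bounce to the login page with a "please retry" message
    if USERS.get(username) == password:
        session["user"] = username
        return "ok"
    return "denied"


def run_demo():
    """Run the attack against both handlers and return the observable outcomes."""
    results = {}

    # 1. Login CSRF against the unprotected handler. The attacker's page
    #    auto-submits a form with the attacker's *own* credentials. The
    #    victim's browser carries the victim's session cookie, so the victim
    #    is silently logged in as the attacker and anything they then do
    #    (uploads, saved answers, SCORM attempts) lands in the attacker's account.
    victim_session = {}
    login_without_csrf_check(victim_session, "attacker", "hunter2")
    results["vulnerable_session_user"] = victim_session.get("user")

    # 2. The same forged POST against the protected handler. The attacker's
    #    form cannot include the victim's token, so the field arrives empty.
    victim_session = {}
    get_login_token(victim_session)  # victim visited the real login page earlier
    results["forged_post"] = login_with_csrf_check(
        victim_session, "attacker", "hunter2", logintoken=None)
    results["forged_post_user"] = victim_session.get("user")

    # 3. Legitimate login: the browser submits the form the server rendered,
    #    including the hidden token field issued on the (re)loaded login page.
    token = get_login_token(victim_session)
    results["legitimate"] = login_with_csrf_check(
        victim_session, "alice", "correct horse battery staple", logintoken=token)
    results["legitimate_user"] = victim_session.get("user")

    # 4. Replay: the already-consumed token is rejected even though it was once valid.
    results["replay"] = login_with_csrf_check(
        victim_session, "alice", "correct horse battery staple", logintoken=token)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The "forged_post" path is exactly what an alternate login page or a hand-rolled auth plugin form hits after this fix: a POST to the login handler that does not carry the token the server put in the session is rejected, the user is sent to the regular login page (which issues a new token), and the next attempt succeeds. Disabling the check to keep such a page working reopens step 1.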
New features:
TL-18859 | Added Totara content marketplace and GO1 marketplace. Totara content marketplace provides support for browsing and importing external content from content providers directly into your site. Content providers can implement a new "marketplace" plugin type to integrate their content into Totara Learn. The release includes a marketplace plugin for GO1 (https://totara.go1.com/), which provides direct access to search for and include GO1 aggregated content. When first installed, the content marketplace plugin sends an internal notification to site administrators and site managers on the next cron run, letting them know that content marketplaces are available. To prevent this notification and completely disable marketplaces, add $CFG->enablecontentmarketplaces = false; to your site's config.php *before* you upgrade your site.
Improvements:
TL-18963 | Improved the help text for the 'Enable messaging system' setting on the advanced settings page
TL-19145 | Improved terminology for non-graded assignment strings
Bug fixes:
TL-16529 | Fixed Global Search to accept a parameter of type either 'string' or 'array'. Prior to this patch, performing a global search could throw an error because the query from the request was a string while the global search handler expected only an array. With this patch the global search handler accepts either a 'string' or an 'array' parameter.
TL-16788 | Fixed the JavaScript of the audience visible learning report. Prior to this patch, in a report using the 'Audience: visible learning' source, changing the visibility of an audience updated nothing: the report's JavaScript was looking at the wrong elements and never triggered a server-side update when the event fired. With this patch, the audience visibility of the course/program is updated in the same scenario.
TL-17804 | Fixed certification expiry date not being updated when a user is granted an extension. Additional changes include: a new baseline expiry field in the completion editor, which is used to calculate subsequent expiry dates; and preventing users from requesting an extension after the certification has expired.
TL-18558 | Fixed the display of activity restrictions for editing teachers. Editing teachers can see activity restrictions whether they match them or not.
TL-18806 | Prevented prog_write_completion from being used with certification data
TL-18821 | Fixed the rendering of a course's topic restriction when using a 'Restriction Set'
TL-18895 | Added warning text to an audience's rules when any rule references a deleted item. Prior to this patch, when an item referenced in an audience rule (for example a program, course or position) was deleted, there was no obvious way to tell the user that the item had been deleted. With this patch, a warning is shown when a user views a rule that still references a deleted item.
TL-18932 | Added detection of broken audience rules when the scheduled task that updates audience members starts. Prior to this patch, the scheduled task (\totara_cohort\task\update_cohort_task) had no way to detect whether rules still referenced invalid instance records (for example a course, program or user's position), so an audience with such a rule could not update its members correctly. With this patch, the task checks that the referenced instance records are valid before updating members; if any are invalid, the system emails the site administrator.
TL-19000 | Changed the Seminar event approver notification type from alert to task so that the dashboard task block is created
TL-19122 | Fixed an issue in recurring courses where, after the course restarted, the enrolment date remained the date from the original course
TL-19124 | Internal implementation and performance of organisation and position based report restrictions. This is a backport of TL-19086, which was included in the October evergreen release.
TL-19149 | Ensured the completion editor form is submitted correctly when the site is running in a non-English language
TL-19155 | Fixed Google Maps OK button failure in Behat tests
TL-19158 | Fixed 'Hide/Show' actions on the course/program custom fields page
TL-19160 | Clarified the date filter label so that 'today' means 'start of today'
TL-19190 | Fixed duplicate rows in the Program Completion report when the "Is user assigned?" column is included
TL-19196 | Backported TL-15368 to fix user tours initialisation on the front page
TL-19215 | Improved handling of text in autocomplete forms. Previously, HTML tags added to an autocomplete field were interpreted by the browser. This fix ensures they are displayed as plain text, with the offending content removed when the form is reloaded. This is not a security fix, as the only person who could be affected is the person entering the data, at the time they first enter it (and not on subsequent visits).
TL-19247 | Fixed a race condition when adding programs to the program completion block
TL-19248 | Report Builder filters now supply the report id when changed. Previously some filters did not supply the report id when the filter changed. This fix ensures the access checks for the report are done correctly.
TL-19249 | Fixed the cancel button not working in the switch role form in a course. Previously the cancel button had the same functionality as the 'Save changes' button and changed the user's role. With this patch, the cancel button just redirects back to the course view page.
TL-19250 | Fixed a Totara forms file manager element bug with disabled subdirectories when uploading only one file
TL-19256 | Ensured enrolment messages are sent correctly after user assignment exceptions have been resolved
TL-19297 | Fixed errors when changing a course's format to a different format on the course editing page
TL-19374 | Removed a trailing space from the output of the certif_status Report Builder display
TL-19439 | Fixed the select-all checkbox not working in the comments report in IE11/Edge
TL-19472 | Fixed the temporary manager expiry checkbox not being unchecked when the temporary manager is removed
TL-19495 | Ensured the course shortname and category fields export correctly in the 'Program overview' Report Builder source
TL-19508 | Removed duplicated options in the 'Show with backdrop' selector on the add new step form in user tours. Within a user tour, a Moodle form could end up with two "selected" default items, which caused Chrome to select the last item ("No") instead of the first. Replication steps (on Chrome): 1. Ensure user tours are enabled. 2. Set up a tour with "show backdrop" set to "Yes". 3. Go to the add step screen. 4. Expand the "Options" section. 5. Inspect the "Show with backdrop" select element. Before the fix, two options had the selected attribute set; there should be only one.
TL-19512 | In-page confirmation boxes no longer display above menus. When deleting a block from a page, the confirmation box previously displayed on top of the menus; the menu now displays on top of the confirmation box. Themes using LESS inheritance will need to recompile their CSS.
TL-19598 | Fixed an SQL error when updating a dynamic audience that includes the Job Assignments Manager rule. When a dynamic audience including the job assignments Managers rule was updated, an SQL error was generated if any of the selected managers had multiple job assignments. This led to the dynamic audience members not being updated when the scheduled task ran.
TL-19599 | Fixed deletion of filters and columns in the "All User's Job Assignments" section
TL-19623 | Fixed the layout on the Assignment grade page so that elements no longer collapse into each other
Release 10.15 (4th December 2018):
Security issues:
TL-19028 | SCORM package download protection is now on by default. Previously this setting was off by default; turning it on makes sites more secure by default.
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 | Backported MDL-64222 security fix for badges
New features:
TL-18859 | Added Totara content marketplace and GO1 marketplace. Totara content marketplace provides support for browsing and importing external content from content providers directly into your site. Content providers can implement a new "marketplace" plugin type to integrate their content into Totara Learn. The release includes a marketplace plugin for GO1 (https://totara.go1.com/), which provides direct access to search for and include GO1 aggregated content. When first installed, the content marketplace plugin sends an internal notification to site administrators and site managers on the next cron run, letting them know that content marketplaces are available. To prevent this notification and completely disable marketplaces, add $CFG->enablecontentmarketplaces = false; to your site's config.php *before* you upgrade your site.
Improvements:
TL-18963 | Improved the help text for the 'Enable messaging system' setting on the advanced settings page
TL-19145 | Improved terminology for non-graded assignment strings
Bug fixes:
TL-16529 | Fixed Global Search to accept a parameter of type either 'string' or 'array'. Prior to this patch, performing a global search could throw an error because the query from the request was a string while the global search handler expected only an array. With this patch the global search handler accepts either a 'string' or an 'array' parameter.
TL-17804 | Fixed certification expiry date not being updated when a user is granted an extension. Additional changes include: a new baseline expiry field in the completion editor, which is used to calculate subsequent expiry dates; and preventing users from requesting an extension after the certification has expired.
TL-18558 | Fixed the display of activity restrictions for editing teachers. Editing teachers can see activity restrictions whether they match them or not.
TL-18806 | Prevented prog_write_completion from being used with certification data
TL-18895 | Added warning text to an audience's rules when any rule references a deleted item. Prior to this patch, when an item referenced in an audience rule (for example a program, course or position) was deleted, there was no obvious way to tell the user that the item had been deleted. With this patch, a warning is shown when a user views a rule that still references a deleted item.
TL-18932 | Added detection of broken audience rules when the scheduled task that updates audience members starts. Prior to this patch, the scheduled task (\totara_cohort\task\update_cohort_task) had no way to detect whether rules still referenced invalid instance records (for example a course, program or user's position), so an audience with such a rule could not update its members correctly. With this patch, the task checks that the referenced instance records are valid before updating members; if any are invalid, the system emails the site administrator.
TL-19000 | Changed the Seminar event approver notification type from alert to task so that the dashboard task block is created
TL-19122 | Fixed an issue in recurring courses where, after the course restarted, the enrolment date remained the date from the original course
TL-19124 | Internal implementation and performance of organisation and position based report restrictions. This is a backport of TL-19086, which was included in the October evergreen release.
TL-19149 | Ensured the completion editor form is submitted correctly when the site is running in a non-English language
TL-19155 | Fixed Google Maps OK button failure in Behat tests
TL-19160 | Clarified the date filter label so that 'today' means 'start of today'
TL-19190 | Fixed duplicate rows in the Program Completion report when the "Is user assigned?" column is included
TL-19215 | Improved handling of text in autocomplete forms. Previously, HTML tags added to an autocomplete field were interpreted by the browser. This fix ensures they are displayed as plain text, with the offending content removed when the form is reloaded. This is not a security fix, as the only person who could be affected is the person entering the data, at the time they first enter it (and not on subsequent visits).
TL-19247 | Fixed a race condition when adding programs to the program completion block
TL-19248 | Report Builder filters now supply the report id when changed. Previously some filters did not supply the report id when the filter changed. This fix ensures the access checks for the report are done correctly.
TL-19250 | Fixed a Totara forms file manager element bug with disabled subdirectories when uploading only one file
TL-19256 | Ensured enrolment messages are sent correctly after user assignment exceptions have been resolved
TL-19312 | Added the 'readonlyemptyfield' string that was missing from customfields
TL-19374 | Removed a trailing space from the output of the certif_status Report Builder display
TL-19472 | Fixed the temporary manager expiry checkbox not being unchecked when the temporary manager is removed
TL-19495 | Ensured the course shortname and category fields export correctly in the 'Program overview' Report Builder source
TL-19512 | In-page confirmation boxes no longer display above menus. When deleting a block from a page, the confirmation box previously displayed on top of the menus; the menu now displays on top of the confirmation box. Themes using LESS inheritance will need to recompile their CSS.
TL-19598 | Fixed an SQL error when updating a dynamic audience that includes the Job Assignments Manager rule. When a dynamic audience including the job assignments Managers rule was updated, an SQL error was generated if any of the selected managers had multiple job assignments. This led to the dynamic audience members not being updated when the scheduled task ran.
Release 9.26 (4th December 2018):
Security issues:
TL-19028 | SCORM package download protection is now on by default. Previously this setting was off by default; turning it on makes sites more secure by default.
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 | Backported MDL-64222 security fix for badges
Improvements:
TL-18963 | Improved the help text for the 'Enable messaging system' setting on the advanced settings page
Bug fixes:
TL-17804 | Fixed certification expiry date not being updated when a user is granted an extension. Additional changes include: a new baseline expiry field in the completion editor, which is used to calculate subsequent expiry dates; and preventing users from requesting an extension after the certification has expired.
TL-18558 | Fixed the display of activity restrictions for editing teachers. Editing teachers can see activity restrictions whether they match them or not.
TL-18806 | Prevented prog_write_completion from being used with certification data
TL-18895 | Added warning text to an audience's rules when any rule references a deleted item. Prior to this patch, when an item referenced in an audience rule (for example a program, course or position) was deleted, there was no obvious way to tell the user that the item had been deleted. With this patch, a warning is shown when a user views a rule that still references a deleted item.
TL-18932 | Added detection of broken audience rules when the scheduled task that updates audience members starts. Prior to this patch, the scheduled task (\totara_cohort\task\update_cohort_task) had no way to detect whether rules still referenced invalid instance records (for example a course, program or user's position), so an audience with such a rule could not update its members correctly. With this patch, the task checks that the referenced instance records are valid before updating members; if any are invalid, the system emails the site administrator.
TL-19000 | Changed the Seminar event approver notification type from alert to task so that the dashboard task block is created
TL-19122 | Fixed an issue in recurring courses where, after the course restarted, the enrolment date remained the date from the original course
TL-19124 | Internal implementation and performance of organisation and position based report restrictions. This is a backport of TL-19086, which was included in the October evergreen release.
TL-19155 | Fixed Google Maps OK button failure in Behat tests
TL-19195 | Fixed a display issue when using the "Hide if there is nothing to display" setting in the report table block. If this setting was enabled, the block would hide even when there was data. The setting now works correctly and only hides the block when the report contains no data.
TL-19215 | Improved handling of text in autocomplete forms. Previously, HTML tags added to an autocomplete field were interpreted by the browser. This fix ensures they are displayed as plain text, with the offending content removed when the form is reloaded. This is not a security fix, as the only person who could be affected is the person entering the data, at the time they first enter it (and not on subsequent visits).
TL-19248 | Report Builder filters now supply the report id when changed. Previously some filters did not supply the report id when the filter changed. This fix ensures the access checks for the report are done correctly.
TL-19250 | Fixed a Totara forms file manager element bug with disabled subdirectories when uploading only one file
TL-19312 | Added the 'readonlyemptyfield' string that was missing from customfields
Release 2.9.38 (4th December 2018):
Security issues:
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 | Backported MDL-64222 security fix for badges
Bug fixes:
TL-17804 | Fixed certification expiry date not being updated when a user is granted an extension. Additional changes include: a new baseline expiry field in the completion editor, which is used to calculate subsequent expiry dates; and preventing users from requesting an extension after the certification has expired.
TL-18806 | Prevented prog_write_completion from being used with certification data
Release 2.7.46 (4th December 2018):
Security issues:
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 | Backported MDL-64222 security fix for badges
Bug fixes:
TL-17804 | Fixed certification expiry date not being updated when a user is granted an extension. Additional changes include: a new baseline expiry field in the completion editor, which is used to calculate subsequent expiry dates; and preventing users from requesting an extension after the certification has expired.
TL-18806 | Prevented prog_write_completion from being used with certification data
Release 2.6.63 (4th December 2018):
Security issues:
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 | Backported MDL-64222 security fix for badges
Release 2.5.69 (4th December 2018):
Security issues:
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
TL-19669 | Backported MDL-64222 security fix for badges
Release 2.4.66 (4th December 2018):
Security issues:
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.
Release 2.2.70 (4th December 2018):
Security issues:
TL-19365 | CSRF protection was added to the login page, and HTML blocks on user pages now prevent self-XSS. Cross-site request forgery is now prevented on the login page. This means that alternate login pages can no longer be supported, and the feature has been deprecated. The change may also interfere with incorrectly designed custom authentication plugins. Previously configured alternate login pages will not work after upgrade: a user attempting to log in on the alternate page is redirected to the regular login page and shown an error message asking them to retry, and the retry succeeds. To keep using vulnerable alternate login pages, the administrator would need to disable CSRF protection on the login page in config.php.