Hello everyone,
The following versions of Totara Learn have now been released:
- Release Evergreen
- Release 12.15
- Release 11.24
- Release 10.30
- Release 9.41
- Release 2.9.50
- Release 2.7.57
- Release 2.6.74
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Russell England at Kineo USA - TL-23625
Kind regards
Sam Hemelryk
Release Evergreen (26th February 2020):
Key: + Evergreen only

Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.

Security issues:
- TL-23950 Added sanitisation of sent messages before they are displayed in messaging interface
- TL-24133 Ensured content was encoded before being used within aria-labels when viewing the users list

Performance improvements:
- TL-22894 Added course, program, and certification visibility map tables to improve performance of visibility-related queries
  Previously, the database query used to compute which learning items were visible to the user involved a large number of joins and subqueries to resolve the roles held by the user in each context, and whether those roles had the capability to view hidden items. Additionally, it did not take into account the ability of admins to prohibit roles in category contexts. In some database management systems, particularly with large numbers of courses and deep category trees, this approach resulted in unacceptable performance. This was especially noticeable when computing the number of items visible in each category in the 'Category' catalogue.
  With this patch, we now pre-compute which roles can see each course, program, and certification in the system, and store the resulting visibility maps in the database. The creation of this map is quick, and greatly simplifies queries that involve visibility. It also improves accuracy in sites that prohibit the capability to view hidden learning items in some categories.
  There is a new scheduled task, totara_core\task\visibility_map_regenerate_all, which regenerates the visibility maps every hour by default. Also, whenever a category, learning item, or role is updated, an ad_hoc task is queued to regenerate the appropriate map(s). As such, there may be a delay between when changes are made and when items are considered hidden/visible to particular roles by queries which check visibility.

Improvements:
- TL-19290 HTTP only cookies are now enabled by default
- TL-22721 Backported MDL-57968 core_message: Remove multiple unnecessary AJAX requests
- TL-23127 Removed redundant 'Enable' checkbox for temporary manager expiry date
  Temporary managers must always have an expiry date.
- TL-23158 Added a new option 'CSV Grade format' to the 'Upload Completion Records' page
  Also improved the override method to be able to choose from 'Never', 'Always' and 'Only if more recent'.
- TL-23278 Improved UI for attendees with course completion archive records
  Previously, if a trainer tried to remove seminar attendees with archived course completions from seminar sessions, an error message appeared without much explanation. The behaviour of seminar signups when course completion records are archived is unusual, as most activity records are removed during the completion archive process. Seminar signups must be kept in the system for reporting purposes, so they are flagged as archived and considered to be locked and unalterable. This patch makes the following clarifications for trainers and admins around archived seminar signups:
  * Attendees with archived course completions are disabled in the 'Remove users' form, so a trainer cannot select and remove them from the past seminar sessions.
  * On the 'Take attendance' page, the attendance fields of attendees with archived course completions are locked and disabled, signifying that they may not be changed.
  * A warning message appears at the top of the 'Take attendance' page if attendees with archived course completions are present, explaining why attendance fields are disabled for some or all attendees.
- TL-23683 Added support for activity tags in Seminar, SCORM, and Feedback modules
- TL-23691 Increased the width of the course selection menu in course completion settings so that longer course names are displayed in full
- TL-23832 Improved automated generation of label names

Bug fixes:
- TL-7631 Conditional fields when editing certification course sets are now correctly disabled when not relevant
- TL-23072 Fixed columns and filters for course and audience tags in the report builder
- TL-23081 Prevented learners from requesting manager approval for seminar events that conflict with their existing approval requests
  Previously, when multiple seminar events existed with manager approval and the same date and time, learners were able to request approval for conflicting events. This caused confusion when managers tried to approve the request but got date conflict errors instead. This patch ensures that learners can only request approval for seminars that do not conflict with other seminars they have already requested approval for.
- TL-23173 Fixed error displayed in report builder when user session timed out
- TL-23362 Stopped seminar manager reservation links from being displayed when sign-up period is not open
- TL-23420 Changed the 'Attendee name' column in seminar reports so that it displays 'Reserved' for manager reservations, instead of being blank
- TL-23577 Fixed URL validation in Totara Featured Links and Quick Links blocks to allow local URLs
  With the release of Totara 12.9, URL validation in the Featured Link and Quick Links blocks was changed to allow the use of grid catalogue URLs with square brackets in the query part. The change removed the ability to use local URLs (URIs starting with '/') in those blocks. This fix re-enables support for local URLs.
  Any Featured Links static tiles that were created with local URLs prior to Totara 12.9, and edited with Totara 12.9+, will have been converted to a standard URL, and will need to be manually edited after upgrade and converted back to a local URL.
  Additionally, this patch makes the URL field optional for Featured Links static tiles, allowing the creation of tiles that are not linked.
- TL-23625 Fixed being able to uncheck 'Send to self' for Report Builder scheduled reports
- TL-23632 Removed access_token class which references invalid database table
- TL-23647 Fixed 'Declare interest' functionality when a user is booked onto a past event
  Previously, when the "When no upcoming events are available" option was enabled for Seminar, the "Declare interest" functionality worked for no upcoming events and no past events if a user was booked onto a past event. This is now fixed, and the user can declare interest if there are no upcoming events and the user is booked onto past events.
- TL-23654 Made sure that all courses (completed and in progress) are being reset during re-certification window open stage
  The behaviour of manual completions archive remains unchanged (i.e. only completions or completions via RPL are archived during manual course reset).
- TL-23659 Fixed OAuth compatibility with login block
- TL-23672 The log in block now uses the correct Totara connect icon
- TL-23673 Made sure audience name is correctly formatted in the breadcrumbs on the Rule Sets page
- TL-23674 Fixed the display of server status on Totara Connect Servers page in administration
  Previously the server status would not be correctly displayed for a server where deletion was in progress.
- TL-23677 Changed the warning language string about column aggregations to soften the message
- TL-23740 Fixed compatibility with UUID PHP extension
- TL-23751 Made sure "Manage user reports" and "Manage embedded reports" can be added to the admin dropdown menu
- TL-23755 Prevent upload files link on HR Import CSV source settings pages showing when configuration is not complete
  When the configuration is not complete, clicking the link would result in an error being shown. The link no longer shows until the minimum configuration is completed.
- TL-23757 Blocks in the bottom region are now contained in an HTML element with "region-bottom" id
  Previously this element had the HTML id "region-top".
- TL-23772 Made sure export controls in hierarchy frameworks are present only when at least one framework exists and is visible to a user
- TL-23776 Made sure aria-hidden works correctly on the YUI dialogues
- TL-23808 Fixed seminar manager reservations always being sent to booked state
  Prior to this patch, seminar manager reservations were always given a booked signup state, even if the seminar was set to send bookings to the waitlist. This has been fixed, and manager reservations are treated like other signups. This patch also fixes a bug in the events dashboard that misrepresented the number of wait-listed users on an overbooked event.
- TL-23834 Added horizontal scrolling to wiki revisions table
- TL-23852 The current learning block no longer triggers a re-aggregation of program courseset completion
  The current learning block in some situations was causing program courseset completion to be re-aggregated, leading to courseset completion time being incorrectly updated if the courseset had already been completed. This has been fixed and the courseset completion date is no longer updated after it has been initially set.
- TL-23903 Fixed slot id generation when displaying multianswer (cloze) questions
- TL-23949 Added missing task name string for OAuth system token refresh task
  The name string for the OAuth2 system token refresh task was omitted from TL-20583.

Contributions:
* Russell England at Kineo USA - TL-23625
Release 12.15 (26th February 2020):
Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.

Security issues:
- TL-23950 Added sanitisation of sent messages before they are displayed in messaging interface
- TL-24133 Ensured content was encoded before being used within aria-labels when viewing the users list

Performance improvements:
- TL-22894 Added course, program, and certification visibility map tables to improve performance of visibility-related queries
  Previously, the database query used to compute which learning items were visible to the user involved a large number of joins and subqueries to resolve the roles held by the user in each context, and whether those roles had the capability to view hidden items. Additionally, it did not take into account the ability of admins to prohibit roles in category contexts. In some database management systems, particularly with large numbers of courses and deep category trees, this approach resulted in unacceptable performance. This was especially noticeable when computing the number of items visible in each category in the 'Category' catalogue.
  With this patch, we now pre-compute which roles can see each course, program, and certification in the system, and store the resulting visibility maps in the database. The creation of this map is quick, and greatly simplifies queries that involve visibility. It also improves accuracy in sites that prohibit the capability to view hidden learning items in some categories.
  There is a new scheduled task, totara_core\task\visibility_map_regenerate_all, which regenerates the visibility maps every hour by default. Also, whenever a category, learning item, or role is updated, an ad_hoc task is queued to regenerate the appropriate map(s). As such, there may be a delay between when changes are made and when items are considered hidden/visible to particular roles by queries which check visibility.

Improvements:
- TL-19290 HTTP only cookies are now enabled by default
- TL-22721 Backported MDL-57968 core_message: Remove multiple unnecessary AJAX requests
- TL-23127 Removed redundant 'Enable' checkbox for temporary manager expiry date
  Temporary managers must always have an expiry date.
- TL-23158 Added a new option 'CSV Grade format' to the 'Upload Completion Records' page
- TL-23278 Improved UI for attendees with course completion archive records
  Previously, if a trainer tried to remove seminar attendees with archived course completions from seminar sessions, an error message appeared without much explanation. The behaviour of seminar signups when course completion records are archived is unusual, as most activity records are removed during the completion archive process. Seminar signups must be kept in the system for reporting purposes, so they are flagged as archived and considered to be locked and unalterable. This patch makes the following clarifications for trainers and admins around archived seminar signups:
  * Attendees with archived course completions are disabled in the 'Remove users' form, so a trainer cannot select and remove them from the past seminar sessions.
  * On the 'Take attendance' page, the attendance fields of attendees with archived course completions are locked and disabled, signifying that they may not be changed.
  * A warning message appears at the top of the 'Take attendance' page if attendees with archived course completions are present, explaining why attendance fields are disabled for some or all attendees.
- TL-23683 Added support for activity tags in Seminar, SCORM, and Feedback modules
- TL-23691 Increased the width of the course selection menu in course completion settings so that longer course names are displayed in full
- TL-23832 Improved automated generation of label names

Bug fixes:
- TL-7631 Conditional fields when editing certification course sets are now correctly disabled when not relevant
- TL-23072 Fixed columns and filters for course and audience tags in the report builder
- TL-23081 Prevented learners from requesting manager approval for seminar events that conflict with their existing approval requests
  Previously, when multiple seminar events existed with manager approval and the same date and time, learners were able to request approval for conflicting events. This caused confusion when managers tried to approve the request but got date conflict errors instead. This patch ensures that learners can only request approval for seminars that do not conflict with other seminars they have already requested approval for.
- TL-23173 Fixed error displayed in report builder when user session timed out
- TL-23362 Stopped seminar manager reservation links from being displayed when sign-up period is not open
- TL-23420 Changed the 'Attendee name' column in seminar reports so that it displays 'Reserved' for manager reservations, instead of being blank
- TL-23577 Fixed URL validation in Totara Featured Links and Quick Links blocks to allow local URLs
  With the release of Totara 12.9, URL validation in the Featured Link and Quick Links blocks was changed to allow the use of grid catalogue URLs with square brackets in the query part. The change removed the ability to use local URLs (URIs starting with '/') in those blocks. This fix re-enables support for local URLs.
  Any Featured Links static tiles that were created with local URLs prior to Totara 12.9, and edited with Totara 12.9+, will have been converted to a standard URL, and will need to be manually edited after upgrade and converted back to a local URL.
- TL-23625 Fixed being able to uncheck 'Send to self' for Report Builder scheduled reports
- TL-23632 Removed access_token class which references invalid database table
- TL-23647 Fixed 'Declare interest' functionality when a user is booked onto a past event
  Previously, when the "When no upcoming events are available" option was enabled for Seminar, the "Declare interest" functionality worked for no upcoming events and no past events if a user was booked onto a past event. This is now fixed, and the user can declare interest if there are no upcoming events and the user is booked onto past events.
- TL-23654 Made sure that all courses (completed and in progress) are being reset during re-certification window open stage
  The behaviour of manual completions archive remains unchanged (i.e. only completions or completions via RPL are archived during manual course reset).
- TL-23659 Fixed OAuth compatibility with login block
- TL-23672 The log in block now uses the correct Totara connect icon
- TL-23673 Made sure audience name is correctly formatted in the breadcrumbs on the Rule Sets page
- TL-23674 Fixed the display of server status on Totara Connect Servers page in administration
  Previously the server status would not be correctly displayed for a server where deletion was in progress.
- TL-23677 Changed the warning language string about column aggregations to soften the message
- TL-23740 Fixed compatibility with UUID PHP extension
- TL-23751 Made sure "Manage user reports" and "Manage embedded reports" can be added to the admin dropdown menu
- TL-23755 Prevent upload files link on HR Import CSV source settings pages showing when configuration is not complete
  When the configuration is not complete, clicking the link would result in an error being shown. The link no longer shows until the minimum configuration is completed.
- TL-23757 Blocks in the bottom region are now contained in an HTML element with "region-bottom" id
  Previously this element had the HTML id "region-top".
- TL-23772 Made sure export controls in hierarchy frameworks are present only when at least one framework exists and is visible to a user
- TL-23776 Made sure aria-hidden works correctly on the YUI dialogues
- TL-23808 Fixed seminar manager reservations always being sent to booked state
  Prior to this patch, seminar manager reservations were always given a booked signup state, even if the seminar was set to send bookings to the waitlist. This has been fixed, and manager reservations are treated like other signups. This patch also fixes a bug in the events dashboard that misrepresented the number of wait-listed users on an overbooked event.
- TL-23834 Added horizontal scrolling to wiki revisions table
- TL-23852 The current learning block no longer triggers a re-aggregation of program courseset completion
  The current learning block in some situations was causing program courseset completion to be re-aggregated, leading to courseset completion time being incorrectly updated if the courseset had already been completed. This has been fixed and the courseset completion date is no longer updated after it has been initially set.
- TL-23903 Fixed slot id generation when displaying multianswer (cloze) questions
- TL-23949 Added missing task name string for OAuth system token refresh task
  The name string for the OAuth2 system token refresh task was omitted from TL-20583.

Contributions:
* Russell England at Kineo USA - TL-23625
Release 11.24 (26th February 2020):
Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.

Security issues:
- TL-23950 Added sanitisation of sent messages before they are displayed in messaging interface
- TL-24133 Ensured content was encoded before being used within aria-labels when viewing the users list

Improvements:
- TL-23127 Removed redundant 'Enable' checkbox for temporary manager expiry date
  Temporary managers must always have an expiry date.
- TL-23683 Added support for activity tags in Seminar, SCORM, and Feedback modules
- TL-23691 Increased the width of the course selection menu in course completion settings so that longer course names are displayed in full
- TL-23832 Improved automated generation of label names

Bug fixes:
- TL-7631 Conditional fields when editing certification course sets are now correctly disabled when not relevant
- TL-23072 Fixed columns and filters for course and audience tags in the report builder
- TL-23173 Fixed error displayed in report builder when user session timed out
- TL-23625 Fixed being able to uncheck 'Send to self' for Report Builder scheduled reports
- TL-23647 Fixed 'Declare interest' functionality when a user is booked onto a past event
  Previously, when the "When no upcoming events are available" option was enabled for Seminar, the "Declare interest" functionality worked for no upcoming events and no past events if a user was booked onto a past event. This is now fixed, and the user can declare interest if there are no upcoming events and the user is booked onto past events.
- TL-23673 Made sure audience name is correctly formatted in the breadcrumbs on the Rule Sets page
- TL-23740 Fixed compatibility with UUID PHP extension
- TL-23768 Added manager reservations to seminar wait-list report
- TL-23852 The current learning block no longer triggers a re-aggregation of program courseset completion
  The current learning block in some situations was causing program courseset completion to be re-aggregated, leading to courseset completion time being incorrectly updated if the courseset had already been completed. This has been fixed and the courseset completion date is no longer updated after it has been initially set.
- TL-23871 The quiz navigation block now correctly scrolls you to a question when clicking on the question navigation link
  This is a backport of Moodle MDL-65883.
- TL-23903 Fixed slot id generation when displaying multianswer (cloze) questions

Contributions:
* Russell England at Kineo USA - TL-23625
Release 10.30 (26th February 2020):
Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.

Security issues:
- TL-23950 Added sanitisation of sent messages before they are displayed in messaging interface
- TL-24133 Ensured content was encoded before being used within aria-labels when viewing the users list

Bug fixes:
- TL-7631 Conditional fields when editing certification course sets are now correctly disabled when not relevant
- TL-23740 Fixed compatibility with UUID PHP extension
- TL-23852 The current learning block no longer triggers a re-aggregation of program courseset completion
  The current learning block in some situations was causing program courseset completion to be re-aggregated, leading to courseset completion time being incorrectly updated if the courseset had already been completed. This has been fixed and the courseset completion date is no longer updated after it has been initially set.
- TL-23871 The quiz navigation block now correctly scrolls you to a question when clicking on the question navigation link
  This is a backport of Moodle MDL-65883.
- TL-23903 Fixed slot id generation when displaying multianswer (cloze) questions
Release 9.41 (26th February 2020):
Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.

Security issues:
- TL-24133 Ensured content was encoded before being used within aria-labels when viewing the users list

Bug fixes:
- TL-7631 Conditional fields when editing certification course sets are now correctly disabled when not relevant
- TL-23740 Fixed compatibility with UUID PHP extension
- TL-23852 The current learning block no longer triggers a re-aggregation of program courseset completion
  The current learning block in some situations was causing program courseset completion to be re-aggregated, leading to courseset completion time being incorrectly updated if the courseset had already been completed. This has been fixed and the courseset completion date is no longer updated after it has been initially set.
Release 2.9.50 (26th February 2020):
Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.

Security issues:
- TL-24133 Ensured content was encoded before being used within aria-labels when viewing the users list
Release 2.7.57 (26th February 2020):
Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.
Release 2.6.74 (26th February 2020):
Important:
- TL-23764 Chrome 80: SameSite=None is now only set if you are using secure cookies and HTTPS
  Prior to this change, if you were not running your Totara site over HTTPS and upgraded to Chrome 80, you would not be able to log into your site. This was because Chrome 80 rejected the cookie, as it had the SameSite attribute set to None and the Secure flag was not set (as you were not running over HTTPS).
  After upgrading, the SameSite attribute is left unset and Chrome applies its default value. You will be able to log in, but may find that third-party content on your site does not work.
  To ensure that your site performs correctly, please upgrade your site to use HTTPS and enable the Secure Cookies setting within Totara if it is not already enabled.
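
The cookie rule described in TL-23764, together with the HttpOnly default from TL-19290, can be checked against the Set-Cookie headers a site actually sends. The Python below is an added example, not Totara code: the cookie name ExampleSession, the function names, the finding labels and the sample headers are constructed, and it assumes the Secure flag is sent only when Secure Cookies is enabled and the site runs over HTTPS.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]          # None when the attribute is absent
    findings: List[str] = field(default_factory=list)


def build_session_cookie(value: str, secure_cookies: bool, https: bool,
                         legacy: bool = False) -> str:
    """Build a Set-Cookie header for a hypothetical session cookie.

    legacy=True models the behaviour before the fix: SameSite=None is always
    sent. legacy=False models the rule in the release note: SameSite=None is
    sent only when secure cookies are enabled and the site runs over HTTPS.
    """
    secure = secure_cookies and https        # assumption, see lead-in
    parts = [f"ExampleSession={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if legacy or secure:
        parts.append("SameSite=None")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> CookieReport:
    """Split a Set-Cookie header into the attributes this audit cares about."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    samesite = attrs.get("samesite")
    return CookieReport(
        name=first.split("=", 1)[0],
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=samesite.capitalize() if samesite else None,
    )


def audit(header: str, https: bool) -> CookieReport:
    """Attach findings (constructed labels) to a parsed Set-Cookie header."""
    report = parse_set_cookie(header)
    if report.samesite == "None" and not report.secure:
        # The combination Chrome 80 rejects, which broke login over plain HTTP.
        report.findings.append("chrome80-rejects")
    if report.samesite is None:
        # Browser default applies (Lax in Chrome 80); third-party embeds may break.
        report.findings.append("samesite-defaulted")
    if https and not report.secure:
        report.findings.append("missing-secure")
    if not report.httponly:
        report.findings.append("missing-httponly")
    return report


if __name__ == "__main__":
    # Constructed scenarios: plain HTTP before and after the fix, then HTTPS
    # with Secure Cookies enabled.
    scenarios = [
        ("HTTP, before fix", build_session_cookie("abc", False, False, legacy=True), False),
        ("HTTP, after fix", build_session_cookie("abc", False, False), False),
        ("HTTPS + Secure Cookies", build_session_cookie("abc", True, True), True),
    ]
    for label, header, https in scenarios:
        result = audit(header, https)
        print(f"{label}: {header!r} -> {result.findings or 'ok'}")
```
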