Totara Release Notes

Totara Learn Evergreen-20200429, 12.17, 11.26, 10.32, 9.43, 2.9.51, 2.7.58, 2.6.75, 2.5.80, 2.4.75 and 2.2.76

 
Sam Hemelryk
Totara Learn Evergreen-20200429, 12.17, 11.26, 10.32, 9.43, 2.9.51, 2.7.58, 2.6.75, 2.5.80, 2.4.75 and 2.2.76
de Sam Hemelryk - Tuesday, 28 de April de 2020, 19:34
Grupo Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes bug fixes and improvements.

A big thanks to the following people for their contributions to this release:

  • Mark Ward at Learning Pool - TL-5081
  • Sergey Vidusov at Androgogic - TL-24779

Kind regards
Sam Hemelryk

Release Evergreen (29th April 2020):

Key:           + Evergreen only

Security issues:

    TL-23040       Added a check to the security overview report for poorly configured Oauth 2 issuers

                   A new check has been added to the security overview report that warns the
                   user if there are OAuth 2 issuers configured to not verify users email
                   addresses.
                   The warning is displayed as critical if in addition to this the site has
                   been configured to permit users to share email addresses.

    TL-24490       Shibboleth attributes are now validated against a blacklist of common $_SERVER variables

                   Prior to this change Shibboleth attribute mapping could access any
                   variables stored in $_SERVER, allowing for malicious configurations to be
                   created.
                   All user attributes are now validated to ensure that they are not in a list
                   of commonly available $_SERVER variables that do not belong to Shibboleth.

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.

    TL-24618       Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For

                   If your server is behind multiple reverse proxies that append to
                   the X-Forwarded-For header then you will need to specify a comma
                   separated list of ip addresses or subnets of the reverse proxies to be
                   ignored in order to find the users correct IP address.


New features:

    TL-5081    +   Added a new 'Program Exceptions' report source
    TL-24660   +   Added a new 'Certification Exceptions' report source

Performance improvements:

    TL-24573       Improved performance of lesson status filter in SCORM reports
    TL-24574       Changed type of SCORM attempts filter to a number filter to improve performance by avoiding extra database calls

Improvements:

    TL-5629    +   Added temporary manager and expiry date to HR Import Job Assignment element

                   As part of this the pre-existing Job Assignment import field
                   'managerjobassignmentidnumber' has been renamed to 'managerjaidnumber'.
                   
                   NOTE: CVS or Database sources that do not have field mappings will require
                   the source field name to be updated.

    TL-22533       Improved the accessibility of PDF exports generated by report builder

                   The improvements made include ensuring the table uses correct markup,
                   contains a caption, row and column headers, and improving the use of
                   heading tags.

    TL-23015       Improved accessibility of the full report link in the 'Report graph' block
    TL-23991       Improved the use of wai-aria roles within the primary navigation template
    TL-24173       Updated aria roles of notifications to more accurately reflect their importance
    TL-24433       Improved confirmation dialog information when cloning audiences
    TL-24555       The Redis cache store now warns against changing the serializer setting when in use

                   Added a new warning to the Redis cache store configuration to warn
                   administrators that the serializer setting must not be changed if there is
                   any data in the cache already

    TL-24643       Improved the calculation of months when displaying relative date information

                   Previously, to calculate relative date in months (e.g. "A month ago", "4
                   months ago", etc.) an average number of days per month – 30.5 days –
                   was used in the calculations. As a result, shorter months like February did
                   not always produce the correct outcome. This has now been changed to use
                   date difference which returns more accurate results.

    TL-24676       Added support for hiding of Totara forms elements based on 'value in array' and 'value not in array' conditions
    TL-24825       CLI script admin/cli/cfg.php now logs all changes so that incorrect changes can be identified later

Bug fixes:

    TL-17294       Fixed a reference to the wrong language string within the "Alerts" block
    TL-18762       Learning plan comments now correctly respect the site wide setting to disable comments
    TL-23157   +   Fixed inconsistent sorting of enrolment methods on the course enrolment page
    TL-23459       Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
    TL-24450       Prevented markup from showing in the course activity grouping toggle's alt text

                   When the grouping was toggled the name of the activity contained a span
                   tag. This is now correctly stripped out.

    TL-24546       Improved the JavaScript validation for required user profile checkbox fields
    TL-24558       Clarified seminar 'Add via list of IDs' error message

                   When one or more user IDs in a list of potential seminar attendees cannot
                   be found, none of the attendees are signed up to the seminar. The error
                   message displayed when this happens has been updated to make that clear.

    TL-24624       Ensured that attendees created via seminar direct enrolment are always enrolled

                   Previously, when attendees enrolled themselves on a course by signing up to
                   a seminar that required 'Manager and Administrative' approval, and the
                   seminar was already at capacity, the attendees would be added to the
                   waitlist on approval, but not enrolled on the course.
                   
                   This patch makes sure that they are enrolled when their attendance is
                   approved, even if they are added to a waitlist.

    TL-24640       Clarified 'Send later' options for seminar notifications

                   Previously, the options for sending a seminar notification later were
                   'before start of session', 'after end of event', and 'before registration
                   closes'. The 'before start of session' string was accidentally left
                   unchanged when sessions became seminar events in Totara 9.
                   
                   The option labels have been updated to make it clear when notifications
                   will be sent. The new options are:
                    * before event (opening session start time)
                    * after event (closing session end time)
                    * before end of Sign-up period (cut-off point)
                   
                   The logic driving the notifications has not changed, only the strings for
                   the labels.

    TL-24659       Added redirect to fix seminar manager approval links which were using the old endpoint

                   The mod/facetoface/attendees.php endpoint used by managers to approve or
                   deny seminar attendance was moved to mod/facetoface/attendees/approval.php
                   in Totara 12 without a redirect. This caused links in any notifications
                   generated before upgrade to lead to a page that no longer exists.
                   
                   A redirect has been added to ensure that actions in old seminar
                   notifications continue to work.

    TL-24687       Fixed completion date content filter not showing for course completion history report 
    TL-24779       Ensured "inlist" type audience rule SQL parameters use unique names

                   This occurred when multiple inlist rules were added to an audience and were
                   using the IS EMPTY operator.
                   If encountered a fatal error was produced.
                   The inlist rule has now been updated to ensure it uses unique parameter
                   names.

    TL-24781       Fixed missing language string in course upload sanity check error

API changes:

    TL-22910       Send filename* instead of filename in the Content-Disposition response header

                   This patch will particularly resolve the file name corruption (mojibake)
                   when downloading a file with name containing non-ASCII characters on
                   Microsoft Edge 18 or older, by sending the filename* field introduced in
                   RFC 6266.
                   On the other hand, the filename field (without asterisk) is no longer sent
                   to prevent a browser bug in Apple Safari.

    TL-24579       No longer warn via debugging if the selected theme is not available during installation and upgrade

Contributions:

    * Mark Ward at Learning Pool - TL-5081
    * Sergey Vidusov at Androgogic - TL-24779

Release 12.17 (29th April 2020):


Security issues:

    TL-23040       Added a check to the security overview report for poorly configured Oauth 2 issuers

                   A new check has been added to the security overview report that warns the
                   user if there are OAuth 2 issuers configured to not verify users email
                   addresses.
                   The warning is displayed as critical if in addition to this the site has
                   been configured to permit users to share email addresses.

    TL-24490       Shibboleth attributes are now validated against a blacklist of common $_SERVER variables

                   Prior to this change Shibboleth attribute mapping could access any
                   variables stored in $_SERVER, allowing for malicious configurations to be
                   created.
                   All user attributes are now validated to ensure that they are not in a list
                   of commonly available $_SERVER variables that do not belong to Shibboleth.

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.

    TL-24618       Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For

                   If your server is behind multiple reverse proxies that append to
                   the X-Forwarded-For header then you will need to specify a comma
                   separated list of ip addresses or subnets of the reverse proxies to be
                   ignored in order to find the users correct IP address.


Performance improvements:

    TL-24573       Improved performance of lesson status filter in SCORM reports
    TL-24574       Changed type of SCORM attempts filter to a number filter to improve performance by avoiding extra database calls

Improvements:

    TL-22533       Improved the accessibility of PDF exports generated by report builder

                   The improvements made include ensuring the table uses correct markup,
                   contains a caption, row and column headers, and improving the use of
                   heading tags.

    TL-23015       Improved accessibility of the full report link in the 'Report graph' block
    TL-23991       Improved the use of wai-aria roles within the primary navigation template
    TL-24173       Updated aria roles of notifications to more accurately reflect their importance
    TL-24433       Improved confirmation dialog information when cloning audiences
    TL-24555       The Redis cache store now warns against changing the serializer setting when in use

                   Added a new warning to the Redis cache store configuration to warn
                   administrators that the serializer setting must not be changed if there is
                   any data in the cache already

    TL-24643       Improved the calculation of months when displaying relative date information

                   Previously, to calculate relative date in months (e.g. "A month ago", "4
                   months ago", etc.) an average number of days per month – 30.5 days –
                   was used in the calculations. As a result, shorter months like February did
                   not always produce the correct outcome. This has now been changed to use
                   date difference which returns more accurate results.

    TL-24676       Added support for hiding of Totara forms elements based on 'value in array' and 'value not in array' conditions
    TL-24825       CLI script admin/cli/cfg.php now logs all changes so that incorrect changes can be identified later

Bug fixes:

    TL-17294       Fixed a reference to the wrong language string within the "Alerts" block
    TL-18762       Learning plan comments now correctly respect the site wide setting to disable comments
    TL-23459       Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
    TL-24450       Prevented markup from showing in the course activity grouping toggle's alt text

                   When the grouping was toggled the name of the activity contained a span
                   tag. This is now correctly stripped out.

    TL-24546       Improved the JavaScript validation for required user profile checkbox fields
    TL-24558       Clarified seminar 'Add via list of IDs' error message

                   When one or more user IDs in a list of potential seminar attendees cannot
                   be found, none of the attendees are signed up to the seminar. The error
                   message displayed when this happens has been updated to make that clear.

    TL-24624       Ensured that attendees created via seminar direct enrolment are always enrolled

                   Previously, when attendees enrolled themselves on a course by signing up to
                   a seminar that required 'Manager and Administrative' approval, and the
                   seminar was already at capacity, the attendees would be added to the
                   waitlist on approval, but not enrolled on the course.
                   
                   This patch makes sure that they are enrolled when their attendance is
                   approved, even if they are added to a waitlist.

    TL-24640       Clarified 'Send later' options for seminar notifications

                   Previously, the options for sending a seminar notification later were
                   'before start of session', 'after end of event', and 'before registration
                   closes'. The 'before start of session' string was accidentally left
                   unchanged when sessions became seminar events in Totara 9.
                   
                   The option labels have been updated to make it clear when notifications
                   will be sent. The new options are:
                    * before event (opening session start time)
                    * after event (closing session end time)
                    * before end of Sign-up period (cut-off point)
                   
                   The logic driving the notifications has not changed, only the strings for
                   the labels.

    TL-24659       Added redirect to fix seminar manager approval links which were using the old endpoint

                   The mod/facetoface/attendees.php endpoint used by managers to approve or
                   deny seminar attendance was moved to mod/facetoface/attendees/approval.php
                   in Totara 12 without a redirect. This caused links in any notifications
                   generated before upgrade to lead to a page that no longer exists.
                   
                   A redirect has been added to ensure that actions in old seminar
                   notifications continue to work.

    TL-24687       Fixed completion date content filter not showing for course completion history report 
    TL-24779       Ensured "inlist" type audience rule SQL parameters use unique names

                   This occurred when multiple inlist rules were added to an audience and were
                   using the IS EMPTY operator.
                   If encountered a fatal error was produced.
                   The inlist rule has now been updated to ensure it uses unique parameter
                   names.

    TL-24781       Fixed missing language string in course upload sanity check error

API changes:

    TL-22910       Send filename* instead of filename in the Content-Disposition response header

                   This patch will particularly resolve the file name corruption (mojibake)
                   when downloading a file with name containing non-ASCII characters on
                   Microsoft Edge 18 or older, by sending the filename* field introduced in
                   RFC 6266.
                   On the other hand, the filename field (without asterisk) is no longer sent
                   to prevent a browser bug in Apple Safari.

    TL-24579       No longer warn via debugging if the selected theme is not available during installation and upgrade

Contributions:

    * Sergey Vidusov at Androgogic - TL-24779

Release 11.26 (29th April 2020):


Security issues:

    TL-23040       Added a check to the security overview report for poorly configured Oauth 2 issuers

                   A new check has been added to the security overview report that warns the
                   user if there are OAuth 2 issuers configured to not verify users email
                   addresses.
                   The warning is displayed as critical if in addition to this the site has
                   been configured to permit users to share email addresses.

    TL-24490       Shibboleth attributes are now validated against a blacklist of common $_SERVER variables

                   Prior to this change Shibboleth attribute mapping could access any
                   variables stored in $_SERVER, allowing for malicious configurations to be
                   created.
                   All user attributes are now validated to ensure that they are not in a list
                   of commonly available $_SERVER variables that do not belong to Shibboleth.

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.

    TL-24618       Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For

                   If your server is behind multiple reverse proxies that append to
                   the X-Forwarded-For header then you will need to specify a comma
                   separated list of ip addresses or subnets of the reverse proxies to be
                   ignored in order to find the users correct IP address.


Improvements:

    TL-24433       Improved confirmation dialog information when cloning audiences
    TL-24643       Improved the calculation of months when displaying relative date information

                   Previously, to calculate relative date in months (e.g. "A month ago", "4
                   months ago", etc.) an average number of days per month – 30.5 days –
                   was used in the calculations. As a result, shorter months like February did
                   not always produce the correct outcome. This has now been changed to use
                   date difference which returns more accurate results.


Bug fixes:

    TL-17294       Fixed a reference to the wrong language string within the "Alerts" block
    TL-18762       Learning plan comments now correctly respect the site wide setting to disable comments
    TL-23459       Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
    TL-24779       Ensured "inlist" type audience rule SQL parameters use unique names

                   This occurred when multiple inlist rules were added to an audience and were
                   using the IS EMPTY operator.
                   If encountered a fatal error was produced.
                   The inlist rule has now been updated to ensure it uses unique parameter
                   names.


API changes:

    TL-22910       Send filename* instead of filename in the Content-Disposition response header

                   This patch will particularly resolve the file name corruption (mojibake)
                   when downloading a file with name containing non-ASCII characters on
                   Microsoft Edge 18 or older, by sending the filename* field introduced in
                   RFC 6266.
                   On the other hand, the filename field (without asterisk) is no longer sent
                   to prevent a browser bug in Apple Safari.

    TL-24579       No longer warn via debugging if the selected theme is not available during installation and upgrade

Contributions:

    * Sergey Vidusov at Androgogic - TL-24779

Release 10.32 (29th April 2020):


Security issues:

    TL-24490       Shibboleth attributes are now validated against a blacklist of common $_SERVER variables

                   Prior to this change Shibboleth attribute mapping could access any
                   variables stored in $_SERVER, allowing for malicious configurations to be
                   created.
                   All user attributes are now validated to ensure that they are not in a list
                   of commonly available $_SERVER variables that do not belong to Shibboleth.

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.

    TL-24618       Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For

                   If your server is behind multiple reverse proxies that append to
                   the X-Forwarded-For header then you will need to specify a comma
                   separated list of ip addresses or subnets of the reverse proxies to be
                   ignored in order to find the users correct IP address.


Improvements:

    TL-24518       Removed redundant parameter from the full text search support lang string

Bug fixes:

    TL-23459       Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
    TL-24779       Ensured "inlist" type audience rule SQL parameters use unique names

                   This occurred when multiple inlist rules were added to an audience and were
                   using the IS EMPTY operator.
                   If encountered a fatal error was produced.
                   The inlist rule has now been updated to ensure it uses unique parameter
                   names.


API changes:

    TL-22910       Send filename* instead of filename in the Content-Disposition response header

                   This patch will particularly resolve the file name corruption (mojibake)
                   when downloading a file with name containing non-ASCII characters on
                   Microsoft Edge 18 or older, by sending the filename* field introduced in
                   RFC 6266.
                   On the other hand, the filename field (without asterisk) is no longer sent
                   to prevent a browser bug in Apple Safari.

    TL-24579       No longer warn via debugging if the selected theme is not available during installation and upgrade

Contributions:

    * Sergey Vidusov at Androgogic - TL-24779

Release 9.43 (29th April 2020):


Security issues:

    TL-24490       Shibboleth attributes are now validated against a blacklist of common $_SERVER variables

                   Prior to this change Shibboleth attribute mapping could access any
                   variables stored in $_SERVER, allowing for malicious configurations to be
                   created.
                   All user attributes are now validated to ensure that they are not in a list
                   of commonly available $_SERVER variables that do not belong to Shibboleth.

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.

    TL-24618       Backported MDL-67861: IP addresses can be spoofed using X-Forwarded-For

                   If your server is behind multiple reverse proxies that append to
                   the X-Forwarded-For header then you will need to specify a comma
                   separated list of ip addresses or subnets of the reverse proxies to be
                   ignored in order to find the users correct IP address.


Bug fixes:

    TL-23459       Made sure Quiz activity takes passing grade requirement into account when restoring from course backups made with Totara 2.7 or earlier
    TL-24779       Ensured "inlist" type audience rule SQL parameters use unique names

                   This occurred when multiple inlist rules were added to an audience and were
                   using the IS EMPTY operator.
                   If encountered a fatal error was produced.
                   The inlist rule has now been updated to ensure it uses unique parameter
                   names.


API changes:

    TL-22910       Send filename* instead of filename in the Content-Disposition response header

                   This patch will particularly resolve the file name corruption (mojibake)
                   when downloading a file with name containing non-ASCII characters on
                   Microsoft Edge 18 or older, by sending the filename* field introduced in
                   RFC 6266.
                   On the other hand, the filename field (without asterisk) is no longer sent
                   to prevent a browser bug in Apple Safari.


Contributions:

    * Sergey Vidusov at Androgogic - TL-24779

Release 2.9.51 (29th April 2020):


Security issues:

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.


Bug fixes:

    TL-24779       Ensured "inlist" type audience rule SQL parameters use unique names

                   This occurred when multiple inlist rules were added to an audience and were
                   using the IS EMPTY operator.
                   If encountered a fatal error was produced.
                   The inlist rule has now been updated to ensure it uses unique parameter
                   names.


Contributions:

    * Sergey Vidusov at Androgogic - TL-24779

Release 2.7.58 (29th April 2020):


Security issues:

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.


Release 2.6.75 (29th April 2020):


Security issues:

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.


Release 2.5.80 (29th April 2020):


Security issues:

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.


Release 2.4.75 (29th April 2020):


Security issues:

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.


API changes:

    TL-24579       No longer warn via debugging if the selected theme is not available during installation and upgrade

Release 2.2.76 (29th April 2020):


Security issues:

    TL-24587       HTML block no longer allows self-XSS

                   Prior to this change, users could perform XSS attacks on themselves by
                   adding an HTML block when customising their dashboard, giving it malicious
                   content, saving it, and then editing it again.
                   When customised, a dashboard is only visible to the owning user. However
                   admins could still experience the malicious block using the login as
                   functionality.
                   
                   This has now been fixed, and when editing an HTML block on user pages the
                   content is cleaned before it is loaded into the editor.


API changes:

    TL-24579       No longer warn via debugging if the selected theme is not available during installation and upgrade