Hello everyone,
The following versions of Totara Learn have now been released:
- Release 14.4
- Release 13.12
- Release 12.35
- Release 11.44
- Release 10.48
- Release 9.57
- Release 2.9.58
- Release 2.7.64
- Release 2.6.81
- Release 2.5.85
- Release 2.4.80
- Release 2.2.81
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Michael Geering at Kineo UK - TL-32157
- Mihail Geshoski at Moodle - TL-31884
- Stewart Fulton at Kineo Pacific - TL-31762
Kind regards
Riana Rossouw
Release 14.4 (22nd September 2021):
Important:
TL-32183 Fixed an issue with user profile fields not being imported in HR import when using field mapping
This is an issue with user profile fields being imported via HR Import and
only affects sites where the profile fields are using field mapping in the
import configuration. If the user element configuration is using 'Empty
fields erase existing data' this may result in existing profile field data
being deleted.
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
TL-31887 Fixed potential blind Server-side request forgery (SSRF) against cURL blocked hosts via redirect
All cURL redirect requests are now performed at the PHP level instead of
relying on native cURL functionality, to prevent blind Server-side request
forgery (SSRF).
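As an added example of the approach described for TL-31887 (this is not Totara's implementation), the sketch below follows redirects in PHP rather than with CURLOPT_FOLLOWLOCATION, so the blocked-hosts check runs on every hop; the blocked-host names, redirect limit and timeout are constructed values.

```php
<?php
declare(strict_types=1);

// Added example, not Totara's implementation, of the approach described for
// TL-31887: follow HTTP redirects in PHP instead of with CURLOPT_FOLLOWLOCATION,
// so the blocked-hosts check runs on every hop and not only on the first URL.
// The blocked-host names, redirect limit and timeout are constructed values.

const BLOCKED_HOSTS = ['localhost'];   // names; loopback, private and reserved IPs are
const MAX_REDIRECTS = 5;               // rejected by the range filter below

/** True when the URL's host, or an address it resolves to, must not be requested. */
function host_is_blocked(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return true;                              // unparsable URL: refuse rather than guess
    }
    $host = strtolower(trim($host, '[]'));        // parse_url keeps IPv6 brackets
    if (in_array($host, BLOCKED_HOSTS, true)) {
        return true;
    }
    // Literal IP: check it directly. Name: check every address it resolves to.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        return true;                              // unresolvable name: refuse
    }
    foreach ($addresses as $ip) {
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return true;                          // loopback, link-local, private or reserved
        }
    }
    return false;
}

/** Fetch a URL, re-checking the host before each redirect hop; null when refused. */
function fetch_with_checked_redirects(string $url): ?string
{
    for ($hop = 0; $hop <= MAX_REDIRECTS; $hop++) {
        if (host_is_blocked($url)) {
            return null;                          // refused at this hop, first or later
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,      // libcurl must never follow on its own
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_HEADER         => true,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $raw = curl_exec($ch);
        if ($raw === false) {
            curl_close($ch);
            return null;
        }
        $status     = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next       = curl_getinfo($ch, CURLINFO_REDIRECT_URL);  // absolute Location target, '' if none
        $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        curl_close($ch);

        if ($status >= 300 && $status < 400 && is_string($next) && $next !== '') {
            $url = $next;                         // next hop is checked at the top of the loop
            continue;
        }
        return substr((string) $raw, $headerSize);
    }
    return null;                                  // redirect chain too long
}

// Offline checks of the host filter (host_is_blocked() makes no HTTP request).
var_dump(host_is_blocked('http://127.0.0.1/'));          // loopback literal
var_dump(host_is_blocked('http://[::1]:8080/'));         // bracketed IPv6 loopback
var_dump(host_is_blocked('http://localhost/'));          // blocked name
```

gethostbynamel() returns IPv4 addresses only, and resolving here and then letting libcurl resolve again leaves a DNS rebinding window; a fuller version resolves both address families and pins the checked address with CURLOPT_RESOLVE.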
TL-32429 Removed ability of site administrators to read arbitrary files via TeX preamble
Previously, if all of the relevant TeX packages were installed and
configured, a site administrator could read arbitrary files readable by the
HTTP server system account via TeX preamble. This included reading the
config.php file and recovering the database credentials, listing system
accounts and gaining access to user-uploaded content, which posed a risk to
shared hosting environments.
TL-32430 Fixed a PHP type juggling vulnerability in external DB authentication
Prior to this fix, a PHP type juggling vulnerability caused by loosely
typed comparison could result in authentication bypass for users with
password hash starting with "0e" on sites using the "External database"
authentication plugin.
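For the TL-32430 note above (repeated for the other releases below), an added illustration in PHP of the loosely typed comparison and the strict comparison that replaces it; this is not Totara's code, and the digests are constructed values.

```php
<?php
declare(strict_types=1);

// Added illustration, not Totara's code, of the class of bug described for
// TL-32430: a password hash compared with the loose == operator can match a
// different hash, because PHP compares two numeric strings as numbers.

/**
 * Vulnerable pattern. A hex digest shaped "0e<digits only>" is a valid
 * numeric string (0 * 10^n), so it converts to 0.0; any two such digests
 * compare equal under == even though their bytes differ.
 */
function loose_hash_match(string $stored, string $computed): bool
{
    return $stored == $computed;
}

/**
 * Fixed pattern. hash_equals() compares byte for byte, in constant time and
 * without type coercion, so only an identical digest matches.
 */
function strict_hash_match(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

/**
 * Audit helper: a stored digest that PHP accepts as a numeric string is
 * exactly one that a loose comparison would mishandle.
 */
function is_juggling_prone(string $digest): bool
{
    return is_numeric($digest);
}

// Constructed sample digests (32 hex characters, the shape of an MD5 digest).
// They are not hashes of any particular input; only the "0e<digits>" shape matters.
$storedDigest   = '0e111111111111111111111111111111';   // what the external DB holds
$computedDigest = '0e222222222222222222222222222222';   // digest of a wrong password
$ordinaryDigest = 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6';   // contains letters: not numeric

var_dump(loose_hash_match($storedDigest, $computedDigest));   // loose comparison of two differing digests
var_dump(strict_hash_match($storedDigest, $computedDigest));  // strict comparison of the same pair
var_dump(is_juggling_prone($storedDigest));                   // audit the "0e"-shaped digest
var_dump(is_juggling_prone($ordinaryDigest));                 // audit an ordinary digest
```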
Performance improvements:
TL-30416 Improved the performance of IE11 devtools by moving CSS Variable rules onto a dedicated root DOM Node
TL-31570 Delegated the re-grading of final grades of enrolled users within courses when adding a new course module.
Prior to this patch, when a course had a large number of enrolled users and
associated grade records, it would take a long time to add a course module
that has grading enabled. This was due to the re-grading of final grades
occurring immediately when a new course module was added.
With this patch, a new adhoc task is introduced which defers the re-grading
to cron. The task is queued every time a course module (activity) with
grading enabled is added to the course. A course creator or site
administrator will see a notification banner when viewing a course that has
a re-grading task pending. Once cron has run and all the grade records have
been processed, the banner no longer appears.
TL-31762 Improved the performance of the totara_icon_url_and_alt function
This function is used, amongst other places, for the display of 'Multi
select' course custom fields. This change will improve the performance of
report builder where these fields have been used.
TL-31863 Improved the performance of session's room selection dialog
Improvements:
TL-29566 Added evidence type custom fields to evidence reports
It is now possible to view and export custom field data on evidence
reports.
TL-30099 Improved accessibility of block show/hide buttons
TL-30101 Improved accessibility of mobile view main navigation
TL-30102 Improved accessibility of the action menus when expanded/collapsed
TL-30103 Improved accessibility of close button in yui dialogs
TL-30173 Improved accessibility of managing selected tiles in content marketplace explorer
TL-30177 Improved accessibility of close button in content marketplace cards
TL-30279 Added the 'aria-sort' attribute to table headers created via tablelib
TL-31162 Added signature to verify that the MS Teams gateway registration request is genuinely from Totara Learn site.
TL-31403 Created a 'program assigned' column for the deprecated 'mandatory' column in the learning plans (program) report source
Investigation showed that the 'Mandatory' column only indicates whether the
user is still assigned to a program that they previously completed. This
column has now been deprecated and a replacement column 'program assigned'
created to reflect the correct meaning.
TL-31438 Created accessible HTML version of certificate activity PDF
In the certificate course module a user can now access an HTML version of
the certificate alongside the existing PDF version. This provides an
accessible version of the certificate, as the PDF is not currently
accessible. If the certificate is sent to the user via email, the user will
be able to access the HTML version from a link in the email.
TL-31447 Added CLI script for changing program start and completion times
The course completion editor allows administrators to change the date and
time when an enrolled user completed a course to a date in the future. If
this course is then later included in a program and the user assigned to
the program, the resulting program completion record may indicate that the
user started and completed the program in the future.
As the program completion editor does not allow changes to the program
start datetime, administrators have no easy way to fully correct their
data.
The provided new script
(totara/program/cli/update_program_completion_start_end.php) allows
administrators to manually change program start and completion datetimes
for assigned users.
Note: this script allows administrators to update multiple program
completion records in a single run. It should therefore be used with care.
TL-31626 Added a hook to allow the overriding of component capability checks
The totara\core\hook\component_access_check hook can now be used to
override capability restrictions.
This hook is not triggered automatically but needs to be executed wherever
overriding of capability checks is allowed, e.g. in performance activity
elements.
TL-31682 ALLOWED_VALUES constraint in install.xml files allows uppercase letters
TL-31764 Added the review type to the element type column in the performance activity report source for linked review questions
TL-31793 Improved capability checks when selecting competencies in linked review elements
When linking competency review elements to a performance element, the
selecting participant was not allowed to view and select relevant
competencies of the subject user without being granted additional
capabilities. With this patch the selecting participant in a performance
activity will be allowed to select competencies assigned to the subject
user regardless of granted capabilities.
TL-31800 Added more user fields for web service create and update functions
\core_user_external::create_users() and \core_user_external::update_users()
can now accept more user profile fields so user creation/update via web
service can now be very similar to the edit profile page's functionality.
The new fields that have been added are:
* maildisplay
* interests
* url
* skype
* institution
* department
* phone1
* phone2
* address
TL-31805 Improved accessibility of Ventura theme settings
TL-31875 Upgraded postcss library to version 7.0.36
TL-31930 Removed admin buttons and headings on pages when viewed within MS Teams
TL-31934 Added logout to configuration tab in MS Teams and hid unwanted headings and configuration options
TL-32024 Removed required accessibility attribute from playlist description
TL-32079 Added ability in the sidepanel comment box component to hide the like (thumbs up) button
TL-32081 Removed attendee date conflict check when copying seminar event
TL-32117 Added information about seminar specific requirements to the "Completion progress details" page
TL-32146 Added Totara Comment placeholder group
A group of placeholders has been implemented which can be used to add
Totara Comment content to notifications. This is not yet in use, but is
available to third-party developers.
TL-32284 Reworded seminar notifications help text
Previously the session booking and session date changed reminder recipients
had the wording "All events(past, ...)".
However, these notifications never go out for past events. This ticket
removed the word "past"; the new wording makes it clear that notifications
only go out for current and future events.
Bug fixes:
TL-31586 Fixed a race condition where the contribute resource card in a workspace would sometimes not be displayed
TL-31603 Fixed the competency bar graph to have a label for each item associated, removing any empty labels at the beginning and the end
TL-31639 Fixed triggering a user_suspended event when suspending a user during upload
TL-31642 Fixed approving and declining seminar booking requests via task notification processing
One way to approve or decline a seminar booking request is by using the
task action buttons that are displayed when clicking the info-icon for a
task notification in the task block. Prior to this patch, there was an
error when using this functionality.
TL-31652 Fixed the room link in seminar notifications not displaying the correct room status
TL-31664 Ensured that the sub-menu is shown when viewing all of the 'Your Library' pages
TL-31709 Fixed multiple event popovers showing at the same time
TL-31722 Fixed theme field in totara_tui_themes_with_variables GraphQL query to use a consistent type
TL-31726 Required checkbox profile fields are treated the same as other custom profile fields when a user logs in
When a new required checkbox custom profile field was added, users who
existed before and after the field was created were treated differently.
Users who existed before the field would be required to check the checkbox
when next logging in. Users created afterwards or who had the checkbox
cleared by an admin would not be prompted on login.
With this patch in place, a required unchecked checkbox is treated like the
other custom profile fields and users will be prompted to check it when
they log in.
TL-31779 Fixed an issue where a user using a URL resource within MS Teams would result in the wrong theme being displayed
TL-31795 Fixed an error where hidden courses were appearing in the "Recommended For You" block
Prior to this patch, if a course was marked as hidden but had
self-enrolment enabled, it may have been recommended to users through the
"Recommended for you" block. With this patch in place only courses that a
user is allowed to see and enrol in will be recommended.
TL-31802 Fixed use of incorrect caret direction icon on category management page
TL-31870 Fixed the new message alert count always showing despite there being no new messages
TL-31908 Removed absolute positioning from Engage Contribution data counter and supplied more useful CSS class names and HTML structure
TL-31927 Fixed issue where deleting a manager on expired temporary manager assignment caused scheduled task to fail
TL-31940 Fixed Tui editors not supporting aria label and description attributes
TL-31944 Added form validation to prevent the creation of lesson activities that specify "no grade" and "completion requires grade"
TL-31975 Fixed a regression where deleted company goals caused an error in "linked review goal participant" page
TL-31989 Fixed notifications without title or subject potentially causing an error on notification page
TL-31993 Fixed an issue where certification exception notifications would be sent multiple times
TL-32009 Fixed competency upload to use the current record as default values, thus not unintentionally overwriting the fields 'evidencecount' and 'proficiencyexpected'.
TL-32012 Fixed button inside a button on collapsible elements on manage notifications page
TL-32018 Updated validate_param() function to ensure validation works with encoded characters
TL-32020 Fixed the tenant specific footer not appearing on the login page for tenant members.
TL-32026 Added a missing call to set_allow_xss() function in the report builder 'category' filter
TL-32027 Fixed badly rendering Workspace Libraries containing a Playlist in IE11
TL-32050 Added user's field "suspended" into backup and restore step.
Prior to this patch, when a user record was included in a course backup
file, the "suspended" field was not included, so a user record newly
created by restore did not have a value set for "suspended".
This patch adds the "suspended" field to the backup and restore process, so
user records newly created by restore now populate the "suspended" field.
TL-32084 Fixed display of column and horizontal bar graphs when exporting to PDF in reports
TL-32100 Fixed scheduled notifications being sent when resolver is disabled
If notifications in the new centralised notification system were configured
with "Before" or "After" schedules, and then the notification trigger was
disabled, then the notifications were still being sent at the scheduled
times. This fix prevents any notification from being sent if the
notification trigger is disabled at the time it should be sent. Note that
any notifications skipped in this way will not be sent later if the
notification trigger is re-enabled.
TL-32154 Fixed user's full name being unintentionally encoded in LTI module requests
TL-32157 Fixed SQL query in recent learning block that caused the dashboard to crash
TL-32169 Fixed overbooking of seminar events when playing the seminar lottery more than once
TL-32170 Removed incorrect escaping of URL in the template for 'Related pages' admin block
TL-32171 Ensured the language string identifiers are in lower case for the CAS authentication type
TL-32231 Removed unused joins in the SQL of customfield dataholders for the Totara Catalog
TL-32259 Fixed issue in the start_sheet() function of spout_base Spout library that caused issues creating .CSV downloads
API changes:
TL-31979 Removed SidePanelCommentBox.interactor
The SidePanelCommentBox.interactor was introduced in the previous release
but breaks backward compatibility. Any code that has depended on the prop
since 13.11 or 14.3 will be required to use
:showComment="interactor.can_comment" instead.
Tui front end framework:
TL-31171 Allowed returning new value from produce() in tui/immutable
TL-31977 TagList component emits open event
TL-32112 Updated styling of loading button
TL-32192 TagList component has optional "accessible-name" prop
The TagList component now accepts an optional "accessible-name" property
that can be used to override the default name used in the dropdown's
aria-label.
Contributions:
* Michael Geering at Kineo UK - TL-32157
* Mihail Geshoski at Moodle - TL-31884
* Stewart Fulton at Kineo Pacific - TL-31762
Release 13.12 (22nd September 2021):
Important:
TL-32183 Fixed an issue with user profile fields not being imported in HR import when using field mapping
This is an issue with user profile fields being imported via HR Import and
only affects sites where the profile fields are using field mapping in the
import configuration. If the user element configuration is using 'Empty
fields erase existing data' this may result in existing profile field data
being deleted.
Security issues:
TL-31887 Fixed potential blind Server-side request forgery (SSRF) against cURL blocked hosts via redirect
All cURL redirect requests are now performed at the PHP level instead of
relying on native cURL functionality, to prevent blind Server-side request
forgery (SSRF).
TL-32429 Removed ability of site administrators to read arbitrary files via TeX preamble
Previously, if all of the relevant TeX packages were installed and
configured, a site administrator could read arbitrary files readable by the
HTTP server system account via TeX preamble. This included reading the
config.php file and recovering the database credentials, listing system
accounts and gaining access to user-uploaded content, which posed a risk to
shared hosting environments.
TL-32430 Fixed a PHP type juggling vulnerability in external DB authentication
Prior to this fix, a PHP type juggling vulnerability caused by loosely
typed comparison could result in authentication bypass for users with
password hash starting with "0e" on sites using the "External database"
authentication plugin.
Performance improvements:
TL-30416 Improved the performance of IE11 devtools by moving CSS Variable rules onto a dedicated root DOM Node
TL-31570 Delegated the re-grading of final grades of enrolled users within courses when adding a new course module.
Prior to this patch, when a course had a large number of enrolled users and
associated grade records, it would take a long time to add a course module
that has grading enabled. This was due to the re-grading of final grades
occurring immediately when a new course module was added.
With this patch, a new adhoc task is introduced which defers the re-grading
to cron. The task is queued every time a course module (activity) with
grading enabled is added to the course. A course creator or site
administrator will see a notification banner when viewing a course that has
a re-grading task pending. Once cron has run and all the grade records have
been processed, the banner no longer appears.
TL-31762 Improved the performance of the totara_icon_url_and_alt function
This function is used, amongst other places, for the display of 'Multi
select' course custom fields. This change will improve the performance of
report builder where these fields have been used.
TL-31863 Improved the performance of session's room selection dialog
Improvements:
TL-29566 Added evidence type custom fields to evidence reports
It is now possible to view and export custom field data on evidence
reports.
TL-30099 Improved accessibility of block show/hide buttons
TL-30101 Improved accessibility of mobile view main navigation
TL-30102 Improved accessibility of the action menus when expanded/collapsed
TL-30103 Improved accessibility of close button in yui dialogs
TL-30173 Improved accessibility of managing selected tiles in content marketplace explorer
TL-30177 Improved accessibility of close button in content marketplace cards
TL-31403 Created a 'program assigned' column for the deprecated 'mandatory' column in the learning plans (program) report source
Investigation showed that the 'Mandatory' column only indicates whether the
user is still assigned to a program that they previously completed. This
column has now been deprecated and a replacement column 'program assigned'
created to reflect the correct meaning.
TL-31438 Created accessible HTML version of certificate activity PDF
In the certificate course module a user can now access an HTML version of
the certificate alongside the existing PDF version. This provides an
accessible version of the certificate, as the PDF is not currently
accessible. If the certificate is sent to the user via email, the user will
be able to access the HTML version from a link in the email.
TL-31447 Added CLI script for changing program start and completion times
The course completion editor allows administrators to change the date and
time when an enrolled user completed a course to a date in the future. If
this course is then later included in a program and the user assigned to
the program, the resulting program completion record may indicate that the
user started and completed the program in the future.
As the program completion editor does not allow changes to the program
start datetime, administrators have no easy way to fully correct their
data.
The provided new script
(totara/program/cli/update_program_completion_start_end.php) allows
administrators to manually change program start and completion datetimes
for assigned users.
Note: this script allows administrators to update multiple program
completion records in a single run. It should therefore be used with care.
TL-31682 ALLOWED_VALUES constraint in install.xml files allows uppercase letters
TL-31800 Added more user fields for web service create and update functions
\core_user_external::create_users() and \core_user_external::update_users()
can now accept more user profile fields so user creation/update via web
service can now be very similar to the edit profile page's functionality.
The new fields that have been added are:
* maildisplay
* interests
* url
* skype
* institution
* department
* phone1
* phone2
* address
TL-31875 Upgraded postcss library to version 7.0.36
TL-31930 Removed admin buttons and headings on pages when viewed within MS Teams
TL-31934 Added logout to configuration tab in MS Teams and hid unwanted headings and configuration options
TL-32081 Removed attendee date conflict check when copying seminar event
TL-32284 Reworded seminar notifications help text
Previously the session booking and session date changed reminder recipients
had the wording "All events(past, ...)".
However, these notifications never go out for past events. This ticket
removed the word "past"; the new wording makes it clear that notifications
only go out for current and future events.
Bug fixes:
TL-31586 Fixed a race condition where the contribute resource card in a workspace would sometimes not be displayed
TL-31603 Fixed the competency bar graph to have a label for each item associated, removing any empty labels at the beginning and the end
TL-31639 Fixed triggering a user_suspended event when suspending a user during upload
TL-31652 Fixed the room link in seminar notifications not displaying the correct room status
TL-31664 Ensured that the sub-menu is shown when viewing all of the 'Your Library' pages
TL-31709 Fixed multiple event popovers showing at the same time
TL-31722 Fixed theme field in totara_tui_themes_with_variables GraphQL query to use a consistent type
TL-31726 Required checkbox profile fields are treated the same as other custom profile fields when a user logs in
When a new required checkbox custom profile field was added, users who
existed before and after the field was created were treated differently.
Users who existed before the field would be required to check the checkbox
when next logging in. Users created afterwards or who had the checkbox
cleared by an admin would not be prompted on login.
With this patch in place, a required unchecked checkbox is treated like the
other custom profile fields and users will be prompted to check it when
they log in.
TL-31779 Fixed an issue where a user using a URL resource within MS Teams would result in the wrong theme being displayed
TL-31795 Fixed an error where hidden courses were appearing in the "Recommended For You" block
Prior to this patch, if a course was marked as hidden but had
self-enrolment enabled, it may have been recommended to users through the
"Recommended for you" block. With this patch in place only courses that a
user is allowed to see and enrol in will be recommended.
TL-31802 Fixed use of incorrect caret direction icon on category management page
TL-31870 Fixed the new message alert count always showing despite there being no new messages
TL-31908 Removed absolute positioning from Engage Contribution data counter and supplied more useful CSS class names and HTML structure
TL-31927 Fixed issue where deleting a manager on expired temporary manager assignment caused scheduled task to fail
TL-31944 Added form validation to prevent the creation of lesson activities that specify "no grade" and "completion requires grade"
TL-32009 Fixed competency upload to use the current record as default values, thus not unintentionally overwriting the fields 'evidencecount' and 'proficiencyexpected'.
TL-32018 Updated validate_param() function to ensure validation works with encoded characters
TL-32020 Fixed the tenant specific footer not appearing on the login page for tenant members.
TL-32026 Added a missing call to set_allow_xss() function in the report builder 'category' filter
TL-32027 Fixed badly rendering Workspace Libraries containing a Playlist in IE11
TL-32050 Added user's field "suspended" into backup and restore step.
Prior to this patch, when a user record was included in a course backup
file, the "suspended" field was not included, so a user record newly
created by restore did not have a value set for "suspended".
This patch adds the "suspended" field to the backup and restore process, so
user records newly created by restore now populate the "suspended" field.
TL-32084 Fixed display of column and horizontal bar graphs when exporting to PDF in reports
TL-32154 Fixed user's full name being unintentionally encoded in LTI module requests
TL-32157 Fixed SQL query in recent learning block that caused the dashboard to crash
TL-32169 Fixed overbooking of seminar events when playing the seminar lottery more than once
TL-32170 Removed incorrect escaping of URL in the template for 'Related pages' admin block
TL-32171 Ensured the language string identifiers are in lower case for the CAS authentication type
TL-32231 Removed unused joins in the SQL of customfield dataholders for the Totara Catalog
API changes:
TL-31979 Removed SidePanelCommentBox.interactor
The SidePanelCommentBox.interactor was introduced in the previous release
but breaks backward compatibility. Any code that has depended on the prop
since 13.11 or 14.3 will be required to use
:showComment="interactor.can_comment" instead.
Contributions:
* Michael Geering at Kineo UK - TL-32157
* Stewart Fulton at Kineo Pacific - TL-31762
Release 12.35 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
TL-31887 Fixed potential blind Server-side request forgery (SSRF) against cURL blocked hosts via redirect
All cURL redirect requests are now performed at the PHP level instead of
relying on native cURL functionality, to prevent blind Server-side request
forgery (SSRF).
TL-32429 Removed ability of site administrators to read arbitrary files via TeX preamble
Previously, if all of the relevant TeX packages were installed and
configured, a site administrator could read arbitrary files readable by the
HTTP server system account via TeX preamble. This included reading the
config.php file and recovering the database credentials, listing system
accounts and gaining access to user-uploaded content, which posed a risk to
shared hosting environments.
TL-32430 Fixed a PHP type juggling vulnerability in external DB authentication
Prior to this fix, a PHP type juggling vulnerability caused by loosely
typed comparison could result in authentication bypass for users with
password hash starting with "0e" on sites using the "External database"
authentication plugin.
Performance improvements:
TL-31570 Delegated the re-grading of final grades of enrolled users within courses when adding a new course module.
Prior to this patch, when a course had a large number of enrolled users and
associated grade records, it would take a long time to add a course module
that has grading enabled. This was due to the re-grading of final grades
occurring immediately when a new course module was added.
With this patch, a new adhoc task is introduced which defers the re-grading
to cron. The task is queued every time a course module (activity) with
grading enabled is added to the course. A course creator or site
administrator will see a notification banner when viewing a course that has
a re-grading task pending. Once cron has run and all the grade records have
been processed, the banner no longer appears.
TL-31762 Improved the performance of the totara_icon_url_and_alt function
This function is used, amongst other places, for the display of 'Multi
select' course custom fields. This change will improve the performance of
report builder where these fields have been used.
Improvements:
TL-31403 Created a 'program assigned' column for the deprecated 'mandatory' column in the learning plans (program) report source
Investigation showed that the 'Mandatory' column only indicates whether the
user is still assigned to a program that they previously completed. This
column has now been deprecated and a replacement column 'program assigned'
created to reflect the correct meaning.
TL-31438 Created accessible HTML version of certificate activity PDF
In the certificate course module a user can now access an HTML version of
the certificate alongside the existing PDF version. This provides an
accessible version of the certificate, as the PDF is not currently
accessible. If the certificate is sent to the user via email, the user will
be able to access the HTML version from a link in the email.
TL-31447 Added CLI script for changing program start and completion times
The course completion editor allows administrators to change the date and
time when an enrolled user completed a course to a date in the future. If
this course is then later included in a program and the user assigned to
the program, the resulting program completion record may indicate that the
user started and completed the program in the future.
As the program completion editor does not allow changes to the program
start datetime, administrators have no easy way to fully correct their
data.
The provided new script
(totara/program/cli/update_program_completion_start_end.php) allows
administrators to manually change program start and completion datetimes
for assigned users.
Note: this script allows administrators to update multiple program
completion records in a single run. It should therefore be used with care.
TL-32284 Reworded seminar notifications help text
Previously the session booking and session date changed reminder recipients
had the wording "All events(past, ...)".
However, these notifications never go out for past events. This ticket
removed the word "past"; the new wording makes it clear that notifications
only go out for current and future events.
Bug fixes:
TL-31639 Fixed triggering a user_suspended event when suspending a user during upload
TL-31726 Required checkbox profile fields are treated the same as other custom profile fields when a user logs in
When a new required checkbox custom profile field was added, users who
existed before and after the field was created were treated differently.
Users who existed before the field would be required to check the checkbox
when next logging in. Users created afterwards or who had the checkbox
cleared by an admin would not be prompted on login.
With this patch in place, a required unchecked checkbox is treated like the
other custom profile fields and users will be prompted to check it when
they log in.
TL-31927 Fixed issue where deleting a manager on expired temporary manager assignment caused scheduled task to fail
TL-31944 Added form validation to prevent the creation of lesson activities that specify "no grade" and "completion requires grade"
TL-32009 Fixed competency upload to use the current record as default values, thus not unintentionally overwriting the fields 'evidencecount' and 'proficiencyexpected'.
TL-32050 Added the user field "suspended" to the backup and restore process
Prior to this patch, when a user record was included in a course backup
file, the "suspended" field was not included, so a new user record created
by restore did not have its "suspended" value set.
This patch adds the "suspended" field to the backup and restore process, so
user records newly created by restore populate the "suspended" value.
TL-32169 Fixed overbooking of seminar events when playing the seminar lottery more than once
TL-32171 Ensured the language string identifiers are in lower case for the CAS authentication type
Contributions:
* Mihail Geshoski at Moodle - TL-31884
* Stewart Fulton at Kineo Pacific - TL-31762
Release 11.44 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
TL-31887 Fixed potential blind Server-side request forgery (SSRF) against cURL blocked hosts via redirect
All cURL redirect requests are now performed at the PHP level instead of
relying on native cURL functionality to prevent blind Server-side request
forgery (SSRF).
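The redirect handling described above, written out as an added example rather than Totara's own implementation; the blocklist values and the function names (ip_in_cidr, host_is_blocked, fetch_checking_each_hop) are constructed for illustration:

```php
<?php
// Added example, not Totara's code: follow redirects one hop at a time so each
// Location target passes the blocked-host check before it is requested. With
// CURLOPT_FOLLOWLOCATION on, libcurl follows the hop itself, skipping the check.

// Constructed blocklist of hostnames, IPv4 addresses and IPv4 CIDR ranges.
const BLOCKED_HOSTS = ['localhost', '127.0.0.0/8', '10.0.0.0/8', '169.254.169.254'];

function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int) $bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Resolve the host ourselves and fail closed (gethostbyname returns the name unchanged on failure).
function host_is_blocked(string $host, array $blocked): bool {
    $host = strtolower($host);
    $ip = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? $host : gethostbyname($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return true; // unresolvable or IPv6: blocked here
    foreach ($blocked as $rule) {
        if ($rule === $host || $rule === $ip) return true;
        if (strpos($rule, '/') !== false && ip_in_cidr($ip, $rule)) return true;
    }
    return false;
}

function fetch_checking_each_hop(string $url, array $blocked, int $maxHops = 5): string {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $host = parse_url($url, PHP_URL_HOST);
        if (!is_string($host) || host_is_blocked($host, $blocked)) {
            throw new RuntimeException("Refusing to request a blocked host: $url");
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // we follow redirects; libcurl must not
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute URL, even for a relative Location
        curl_close($ch);
        if ($body === false) throw new RuntimeException("Request to $url failed");
        if ($status < 300 || $status > 399 || empty($next)) return $body;
        $url = $next; // the next iteration checks this target before requesting it
    }
    throw new RuntimeException('Too many redirects');
}
```

The host is resolved twice, once by this check and once by libcurl, so a DNS answer that changes between the two lookups can still slip through; pinning the checked address with CURLOPT_RESOLVE closes that gap.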
TL-32429 Removed ability of site administrators to read arbitrary files via TeX preamble
Previously, if all of the relevant TeX packages were installed and
configured, a site administrator could read arbitrary files readable by the
HTTP server system account via the TeX preamble. This included reading the
config.php file and recovering the database credentials, listing system
accounts and gaining access to user-uploaded content which posed a risk to
shared hosting environments.
TL-32430 Fixed a PHP type juggling vulnerability in external DB authentication
Prior to this fix, a PHP type juggling vulnerability caused by a loosely
typed comparison could result in authentication bypass for users whose
password hash starts with "0e" on sites using the "External database"
authentication plugin.
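The comparison problem described above, as an added example rather than Totara's own auth_db code; the hash values and the function names are constructed for illustration:

```php
<?php
// Added example, not Totara's code: the loose comparison the release note
// describes, beside the strict comparison that fixes it.
// Constructed values in the shape of an md5 hex digest (not real digests of
// anything). Each is "0e" followed only by digits, which PHP treats as a
// numeric string equal to 0.0, so == compares the two numerically and finds
// them equal although they are different strings.
const STORED_HASH   = '0e123456789012345678901234567890';
const SUPPLIED_HASH = '0e999999999999999999999999999999';

// Vulnerable: == on two numeric strings compares their numeric value.
function check_loose(string $stored, string $supplied): bool {
    return $stored == $supplied;
}

// Fixed: byte-for-byte comparison that also runs in constant time.
function check_strict(string $stored, string $supplied): bool {
    return hash_equals($stored, $supplied);
}

// Where the stored value comes from password_hash() rather than a legacy
// digest, password_verify() already compares strictly and is the right call.
function check_password_hash(string $storedHash, string $plaintext): bool {
    return password_verify($plaintext, $storedHash);
}

if (check_loose(STORED_HASH, SUPPLIED_HASH)) {
    echo "loose comparison accepted a hash that does not match\n";
}
if (!check_strict(STORED_HASH, SUPPLIED_HASH)) {
    echo "strict comparison rejected it\n";
}
if (check_strict('5d41402abc4b2a76b9719d911017c592', md5('hello'))) {
    echo "strict comparison still accepts a genuine match\n";
}
```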
Improvements:
TL-31438 Created accessible HTML version of certificate activity PDF
In the certificate course module a user can now access a HTML version of
the certificate alongside the existing PDF version. This is to provide an
accessible version of the certificate as the PDF is not currently
accessible. If the certificate is sent via email to the user the user will
be able to access the HTML version from the email via a link.
TL-31447 Added CLI script for changing program start and completion times
The course completion editor allows administrators to change the date and
time when an enrolled user completed a course to a date in the future. If
this course is then later included in a program and the user assigned to
the program, the resulting program completion record may indicate that the
user started and completed the program in the future.
As the program completion editor does not allow changes to the program
start datetime, administrators have no easy way to fully correct their
data.
The provided new script
(totara/program/cli/update_program_completion_start_end.php) allows
administrators to manually change program start and completion datetimes
for assigned users.
Note: this script allows administrators to update multiple program
completion records in a single run. It should therefore be used with care.
Bug fixes:
TL-31639 Fixed triggering a user_suspended event when suspending a user during upload
TL-31927 Fixed issue where deleting a manager on expired temporary manager assignment caused scheduled task to fail
TL-32050 Added the user field "suspended" to the backup and restore process
Prior to this patch, when a user record was included in a course backup
file, the "suspended" field was not included, so a new user record created
by restore did not have its "suspended" value set.
This patch adds the "suspended" field to the backup and restore process, so
user records newly created by restore populate the "suspended" value.
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 10.48 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
TL-31887 Fixed potential blind Server-side request forgery (SSRF) against cURL blocked hosts via redirect
All cURL redirect requests are now performed at the PHP level instead of
relying on native cURL functionality to prevent blind Server-side request
forgery (SSRF).
TL-32429 Removed ability of site administrators to read arbitrary files via TeX preamble
Previously, if all of the relevant TeX packages were installed and
configured, a site administrator could read arbitrary files readable by the
HTTP server system account via the TeX preamble. This included reading the
config.php file and recovering the database credentials, listing system
accounts and gaining access to user-uploaded content which posed a risk to
shared hosting environments.
TL-32430 Fixed a PHP type juggling vulnerability in external DB authentication
Prior to this fix, a PHP type juggling vulnerability caused by a loosely
typed comparison could result in authentication bypass for users whose
password hash starts with "0e" on sites using the "External database"
authentication plugin.
Bug fixes:
TL-31927 Fixed issue where deleting a manager on expired temporary manager assignment caused scheduled task to fail
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 9.57 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
TL-32429 Removed ability of site administrators to read arbitrary files via TeX preamble
Previously, if all of the relevant TeX packages were installed and
configured, a site administrator could read arbitrary files readable by the
HTTP server system account via the TeX preamble. This included reading the
config.php file and recovering the database credentials, listing system
accounts and gaining access to user-uploaded content which posed a risk to
shared hosting environments.
TL-32430 Fixed a PHP type juggling vulnerability in external DB authentication
Prior to this fix, a PHP type juggling vulnerability caused by a loosely
typed comparison could result in authentication bypass for users whose
password hash starts with "0e" on sites using the "External database"
authentication plugin.
Bug fixes:
TL-31927 Fixed issue where deleting a manager on expired temporary manager assignment caused scheduled task to fail
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 2.9.58 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
TL-32429 Removed ability of site administrators to read arbitrary files via TeX preamble
Previously, if all of the relevant TeX packages were installed and
configured, a site administrator could read arbitrary files readable by the
HTTP server system account via the TeX preamble. This included reading the
config.php file and recovering the database credentials, listing system
accounts and gaining access to user-uploaded content which posed a risk to
shared hosting environments.
TL-32430 Fixed a PHP type juggling vulnerability in external DB authentication
Prior to this fix, a PHP type juggling vulnerability caused by a loosely
typed comparison could result in authentication bypass for users whose
password hash starts with "0e" on sites using the "External database"
authentication plugin.
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 2.7.64 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 2.6.81 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 2.5.85 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 2.4.80 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
Contributions:
* Mihail Geshoski at Moodle - TL-31884
Release 2.2.81 (22nd September 2021):
Security issues:
TL-31884 Fixed potential SQL injection risks in enrollib.php
Note that actual SQL injection is not currently possible in Totara as the
vulnerable method is not accessible in a way that would make Totara
vulnerable. This patch modifies an existing method to ensure SQL injection
is prevented even if it were to be used incorrectly in future.
Contributions:
* Mihail Geshoski at Moodle - TL-31884
