Hello everyone,
The following versions of Totara TXP/Learn have now been released:
- Release 14.5
- Release 13.13
- Release 12.36
- Release 11.45
- Release 10.49
- Release 9.58
- Release 2.9.59
- Release 2.7.65
- Release 2.6.82
- Release 2.5.86
- Release 2.4.81
- Release 2.2.82
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
Kind regards,
David Curry
Release 14.5 (26th October 2021):
Important:
TL-32205 Improved relative completion due date calculation for program and certification assignments
Previously, month and year were calculated based on hard-coded constants of
30 and 365 days respectively. This has been changed with the introduction
of two new database fields that now store proper date offset information.
Using this information, completion date difference is now calculated
correctly.
The change doesn't affect any existing due dates already calculated for any
completions. All newly assigned users will have their due date calculated
based on the new approach.
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32427 Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
TL-32465 Removed the ability for a privileged user to change their own password without confirming their existing password
Previously, when a user had sufficient privilege to update their own
password using either the 'Edit profile' or 'Manage user logins'
mechanisms, there was no confirmation that they knew their existing
password. This could lead to lockout if an attacker had access to an
admin's session, either through physical access to a logged-in computer,
or via XSS or a remote desktop exploit.
A user may still change their own password (with confirmation) using
'Change password'.
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
TL-32602 Made sure session key is required when removing related badge
TL-32672 Made sure program access is checked when "program viewed" event is triggered via Web API
Performance improvements:
TL-32547 Improved the performance of the 'certification completion date' dynamic audience rule
Improvements:
TL-28246 Upgraded PHPMailer library to version 6.5.1
TL-28271 Upgraded the ChartJS library used in Tui to version 2.9.4
TL-31552 Added recording the history of goal target date changes
This patch adds recording changes to goal target dates, both for personal
and company goals. For performance activities, this enables the two goal
review question types to display the historic target date setting at the
time the goal was selected within the activity.
TL-31653 Added basic support for mailto links in the weka editor
TL-31760 Removed empty entries from the "Competency profile" graph when a user has over 12 competencies assigned
TL-31937 Added a configuration setting to prevent resending program and certification messages on schedule change
Introduced a new configuration setting
"$CFG->program_message_prevent_resend_on_schedule_change". This is only
relevant for rare cases where new message types based on the legacy
'prog_eventbased_message' class had been programmed and were carried over
from Totara versions prior to Totara 14. When set to true, it switches off
the default behaviour of resending program and certification messages on
change of the message scheduling.
TL-32474 Implemented a hook for core roles to assign users with a different context
Currently `core_role_get_potential_user_selector()` has some logic to
determine whether a context is 'above' a course or 'below' it, and chooses
a user selector for assigning roles based on that.
The CONTEXT_MODULE is considered 'below' a course, and so the users you can
select have to be enrolled on the course.
For some cases, there is nobody enrolled on the course; the admin should be
free to choose any user in the system (subject to multi-tenancy rules).
TL-32598 Improved accessibility of 'Add to admin menu' dropdown that appears on admin pages by adding a label
TL-32663 Updated environment checks to include checks for the upcoming Totara 15 release
Bug fixes:
TL-31569 Fixed the display of singular and nested course module activity restrictions in GraphQL
TL-31679 Added a new user status filter that only shows one 'Requested' option in Seminar events and summary reports
Within seminar there are three different requested statuses depending on
the type of approval configured. The new filter shows all requested records
when the single 'Requested' option is selected.
TL-32133 Fixed styling of tags in report table
TL-32186 Fixed custom font for PDF export in report builder
TL-32299 Fixed URL on Seminar activity view page to ensure user tours work correctly
TL-32335 Fixed the course module GraphQL type to check if the summary field exists before attempting to fetch it
TL-32349 Fixed linking to a course in the catalogue, to take users directly to the course instead of enrolment options page
Prior to Totara 12 clicking on a course would take you to the course page.
This change resulted in the user being sent directly to the enrolment
options page under certain circumstances. This broke the desired behaviour
when using certain enrolment methods such as the auto-enrol method,
requiring an extra click to get to the course.
This change returns to the previous behaviour - the user is first directed
to the course page where they may be auto-enrolled. They may still end up
being redirected to the enrolment options page if there are no
auto-enrolment options for them.
TL-32355 Fixed the display of descriptions in Report builder when they contain nothing but an image
Prior to this change, images would only be displayed if
accompanied with text.
TL-32361 Fixed the sending of notifications when seminar reservations are cancelled
TL-32363 Fixed the submission of images in "online text" assignments
Previously if you attempted to submit an "online text" assignment with
nothing but an image in it, it would be rejected as an empty submission.
This has been fixed to correctly validate empty submissions.
TL-32364 Updated the recommendations tab to always appear on Engage resources and playlists
TL-32366 Ensured that breadcrumbs adhere to the 'navshowcategories' settings within Programs and Certifications
TL-32372 Fixed layout of grading comment bar in quiz essay question
In the admin view of the quiz after grading and adding a comment, a comment
bar is shown with a link to update it. This fixes an alignment issue in the
comment bar.
TL-32395 Fixed the link to the GO1 content marketplace information page
TL-32397 Fixed custom seminar notifications not being sent when filtering multiple event times
Prior to this fix, custom seminar notifications that were configured to be
sent to booked users in combination with selecting multiple event times
(i.e. future, past or in progress) failed to send under certain
circumstances.
TL-32401 Fixed hero image for resources not being displayed for YouTube short-links
TL-32433 Fixed custom seminar notifications being sent to participants with the wrong status
Prior to this fix, custom seminar notifications that were configured to be
sent to booked users only were also sent to users with different
participation status, e.g. cancelled or waitlisted users.
TL-32447 Fixed incorrect warning message when deleting workspace discussion and leaving workspace
TL-32457 Fixed job assignment HR import order
TL-32460 Fixed checks on the container/workspace:workspaceview capability when accessing workspaces so that "prevent" works properly
TL-32461 Ensured course enrolment works correctly when courses are accessed via a Learning Plan using Learning Plan enrolment method
In cases where Audience based visibility is used with course visibility
set to 'Enrolled users only', users could not enrol in a course contained
in an approved plan prior to this change.
TL-32488 Fixed embedding of Vimeo videos that have a private URL
Vimeo private videos have a slightly different URL format to standard Vimeo
videos. Embedding one of these into an editor field will now load correctly
instead of showing an error.
TL-32534 Fixed the display of certificate modules using the force download option
Previously the page was attempting to output the 'view as html' button,
even though the button was not being properly initialised for the "force
download" option. This has been resolved so the button only attempts to
render for the "email" or "open in another window" options.
TL-32539 Fixed the translation of resource type for some engage notifications
TL-32541 Ensured availability restrictions are not shown when the associated feature is disabled
The availability restrictions 'Assigned to Organisation' and 'Assigned to
Position' in activity modules are now hidden when the associated feature
is disabled in the 'Configure features' section.
TL-32543 Fixed blocks being displayed on the course completion status page
On the 'More details' page for the 'Course completion status' block, the
front page blocks were incorrectly displayed. This fixes the block display
so it now shows the course navigation blocks.
TL-32561 Fixed a network error for the CSS files used during initial installation
TL-32571 Made sure format options for email header and footer are hidden in theme settings
TL-32572 Fixed an error creating the "Playlist Engagement" report that happened when "Recommendations" was turned off in Engage settings
TL-32577 Fixed redirect when navigating directly to the declare interest page for a Seminar
When a user who was not logged in navigated directly to the declare
interest page for a Seminar, the redirect after login didn't preserve the
URL parameter. This is now preserved and the page loads correctly.
TL-32600 Fixed error when adding Certification ID filter to "Record of Learning: Certifications" report
TL-32607 Prevented columns with compound data from being added to the report toolbar
TL-32620 Fixed a "first column not unique" error in Engage when searching within your library
TL-32626 Fixed deleted workspaces being listed when sharing resource to recipients
TL-32647 Fixed Seminar Start/Finish Date columns for Seminar Sign-In report source
Totara 12 introduced Seminar Start/Finish Date column improvements for
Seminar reports and brought consistency across sources. However, the
upgrade was missed, so the client data for these columns was hidden and
did not display on the reports. This is now fixed. The following columns
were changed as part of the Totara 12 improvements:
* replaced the 'sessiondate' column value with 'sessionstartdate' for the
'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
report sources, for consistency and so that a single column value is used
for all seminar report sources
* replaced the 'datefinish' column value with 'sessionfinishdate' for the
'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
report sources, for consistency and so that a single column value is used
for all seminar report sources
TL-32675 Fixed the user validation for the "hierarchy_goal_perform_linked_goals_change_status" GraphQL mutation
TL-32722 Fixed an error in the Weka editor when dragging nodes
TL-32725 Fixed site policies preventing web crawlers from indexing the site
Web crawlers are no longer prevented from indexing sites where the 'Open to
Google' setting is enabled and agreement to site policies is required.
TL-32730 Removed the link for deleted personal goals in performance activity review items
Deleted personal goals are still displayed in completed performance
activities with personal goal review items. Prior to this patch, clicking
the link on the goal title led to an error message. This patch removes the
link.
Database upgrades:
TL-32463 Increased length of the "title" column in the "notification_preference" table to fix issue with migration of the legacy messages
Tui front end framework:
TL-32444 Fixed issue where button text was covered by an additional HTML element
Release 13.13 (26th October 2021):
Important:
TL-32535 Fixed batching of the migration of evidence items and files
The new totara_evidence migration code batches the items migrated and
loads a maximum of 1000 items at a time. Unfortunately the batching code
had an issue: if there were more than 10000 records to be migrated, some
records could have been missed. This patch fixes the batching code and
makes sure all existing items are migrated successfully.
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32427 Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
TL-32602 Made sure session key is required when removing related badge
TL-32672 Made sure program access is checked when "program viewed" event is triggered via Web API
Performance improvements:
TL-32547 Improved the performance of the 'certification completion date' dynamic audience rule
Improvements:
TL-28246 Upgraded PHPMailer library to version 6.5.1
TL-28271 Upgraded the ChartJS library used in Tui to version 2.9.4
TL-31653 Added basic support for mailto links in the weka editor
TL-31937 Added a configuration setting to prevent resending program and certification messages on schedule change
Introduced a new configuration setting
"$CFG->program_message_prevent_resend_on_schedule_change". When set to
true, it switches off the default behaviour of resending program and
certification messages on change of the message scheduling.
TL-32663 Updated environment checks to include checks for the upcoming Totara 15 release
Bug fixes:
TL-31569 Fixed the display of singular and nested course module activity restrictions in GraphQL
TL-31679 Added a new user status filter that only shows one 'Requested' option in Seminar events and summary reports
Within seminar there are three different requested statuses depending on
the type of approval configured. The new filter shows all requested records
when the single 'Requested' option is selected.
TL-32133 Fixed styling of tags in report table
TL-32186 Fixed custom font for PDF export in report builder
TL-32335 Fixed the course module GraphQL type to check if the summary field exists before attempting to fetch it
TL-32349 Fixed linking to a course in the catalogue, to take users directly to the course instead of enrolment options page
Prior to Totara 12 clicking on a course would take you to the course page.
This change resulted in the user being sent directly to the enrolment
options page under certain circumstances. This broke the desired behaviour
when using certain enrolment methods such as the auto-enrol method,
requiring an extra click to get to the course.
This change returns to the previous behaviour - the user is first directed
to the course page where they may be auto-enrolled. They may still end up
being redirected to the enrolment options page if there are no
auto-enrolment options for them.
TL-32355 Fixed the display of descriptions in Report builder when they contain nothing but an image
Prior to this change, images would only be displayed if
accompanied with text.
TL-32361 Fixed the sending of notifications when seminar reservations are cancelled
TL-32363 Fixed the submission of images in "online text" assignments
Previously if you attempted to submit an "online text" assignment with
nothing but an image in it, it would be rejected as an empty submission.
This has been fixed to correctly validate empty submissions.
TL-32366 Ensured that breadcrumbs adhere to the 'navshowcategories' settings within Programs and Certifications
TL-32372 Fixed layout of grading comment bar in quiz essay question
In the admin view of the quiz after grading and adding a comment, a comment
bar is shown with a link to update it. This fixes an alignment issue in the
comment bar.
TL-32395 Fixed the link to the GO1 content marketplace information page
TL-32397 Fixed custom seminar notifications not being sent when filtering multiple event times
Prior to this fix, custom seminar notifications that were configured to be
sent to booked users in combination with selecting multiple event times
(i.e. future, past or in progress) failed to send under certain
circumstances.
TL-32433 Fixed custom seminar notifications being sent to participants with the wrong status
Prior to this fix, custom seminar notifications that were configured to be
sent to booked users only were also sent to users with different
participation status, e.g. cancelled or waitlisted users.
TL-32447 Fixed incorrect warning message when deleting workspace discussion and leaving workspace
TL-32457 Fixed job assignment HR import order
TL-32460 Fixed checks on the container/workspace:workspaceview capability when accessing workspaces so that "prevent" works properly
TL-32461 Ensured course enrolment works correctly when courses are accessed via a Learning Plan using Learning Plan enrolment method
In cases where Audience based visibility is used with course visibility
set to 'Enrolled users only', users could not enrol in a course contained
in an approved plan prior to this change.
TL-32488 Fixed embedding of Vimeo videos that have a private URL
Vimeo private videos have a slightly different URL format to standard Vimeo
videos. Embedding one of these into an editor field will now load correctly
instead of showing an error.
TL-32534 Fixed the display of certificate modules using the force download option
Previously the page was attempting to output the 'view as html' button,
even though the button was not being properly initialised for the "force
download" option. This has been resolved so the button only attempts to
render for the "email" or "open in another window" options.
TL-32539 Fixed the translation of resource type for some engage notifications
TL-32543 Fixed blocks being displayed on the course completion status page
On the 'More details' page for the 'Course completion status' block, the
front page blocks were incorrectly displayed. This fixes the block display
so it now shows the course navigation blocks.
TL-32561 Fixed a network error for the CSS files used during initial installation
TL-32572 Fixed an error creating the "Playlist Engagement" report that happened when "Recommendations" was turned off in Engage settings
TL-32577 Fixed redirect when navigating directly to the declare interest page for a Seminar
When a user who was not logged in navigated directly to the declare
interest page for a Seminar, the redirect after login didn't preserve the
URL parameter. This is now preserved and the page loads correctly.
TL-32600 Fixed error when adding Certification ID filter to "Record of Learning: Certifications" report
TL-32607 Prevented columns with compound data from being added to the report toolbar
TL-32620 Fixed a "first column not unique" error in Engage when searching within your library
TL-32626 Fixed deleted workspaces being listed when sharing resource to recipients
TL-32647 Fixed Seminar Start/Finish Date columns for Seminar Sign-In report source
Totara 12 introduced Seminar Start/Finish Date column improvements for
Seminar reports and brought consistency across sources. However, the
upgrade was missed, so the client data for these columns was hidden and
did not display on the reports. This is now fixed. The following columns
were changed as part of the Totara 12 improvements:
* replaced the 'sessiondate' column value with 'sessionstartdate' for the
'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
report sources, for consistency and so that a single column value is used
for all seminar report sources
* replaced the 'datefinish' column value with 'sessionfinishdate' for the
'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
report sources, for consistency and so that a single column value is used
for all seminar report sources
TL-32722 Fixed an error in the Weka editor when dragging nodes
TL-32725 Fixed site policies preventing web crawlers from indexing the site
Web crawlers are no longer prevented from indexing sites where the 'Open to
Google' setting is enabled and agreement to site policies is required.
Release 12.36 (26th October 2021):
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32427 Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Improvements:
TL-32316 Added a new setting to the upload repository to whitelist accepted mimetypes
A new setting, 'Mimetype whitelist', has been added to the upload
repository. It restricts the files users can upload to just those
mimetypes set.
This does not have any impact on any of the other repository types.
Bug fixes:
TL-32186 Fixed custom font for PDF export in report builder
TL-32264 Removed unnecessary error logging when the system tried to update a grade
TL-32349 Fixed linking to a course in the catalogue, to take users directly to the course instead of enrolment options page
Prior to Totara 12 clicking on a course would take you to the course page.
This change resulted in the user being sent directly to the enrolment
options page under certain circumstances. This broke the desired behaviour
when using certain enrolment methods such as the auto-enrol method,
requiring an extra click to get to the course.
This change returns to the previous behaviour - the user is first directed
to the course page where they may be auto-enrolled. They may still end up
being redirected to the enrolment options page if there are no
auto-enrolment options for them.
TL-32355 Fixed the display of descriptions in Report builder when they contain nothing but an image
Prior to this change, images would only be displayed if
accompanied with text.
TL-32395 Fixed the link to the GO1 content marketplace information page
TL-32461 Ensured course enrolment works correctly when courses are accessed via a Learning Plan using Learning Plan enrolment method
In cases where Audience based visibility is used with course visibility
set to 'Enrolled users only', users could not enrol in a course contained
in an approved plan prior to this change.
TL-32534 Fixed the display of certificate modules using the force download option
Previously the page was attempting to output the 'view as html' button,
even though the button was not being properly initialised for the "force
download" option. This has been resolved so the button only attempts to
render for the "email" or "open in another window" options.
TL-32577 Fixed redirect when navigating directly to the declare interest page for a Seminar
When a user who was not logged in navigated directly to the declare
interest page for a Seminar, the redirect after login didn't preserve the
URL parameter. This is now preserved and the page loads correctly.
TL-32725 Fixed site policies preventing web crawlers from indexing the site
Web crawlers are no longer prevented from indexing sites where the 'Open to
Google' setting is enabled and agreement to site policies is required.
Release 11.45 (26th October 2021):
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32427 Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Bug fixes:
TL-32534 Fixed the display of certificate modules using the force download option
Previously the page was attempting to output the 'view as html' button,
even though the button was not being properly initialised for the "force
download" option. This has been resolved so the button only attempts to
render for the "email" or "open in another window" options.
TL-32725 Fixed site policies preventing web crawlers from indexing the site
Web crawlers are no longer prevented from indexing sites where the 'Open to
Google' setting is enabled and agreement to site policies is required.
Release 10.49 (26th October 2021):
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32427 Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Release 9.58 (26th October 2021):
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Release 2.9.59 (26th October 2021):
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Release 2.7.65 (26th October 2021):
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Release 2.6.82 (26th October 2021):
Security issues:
TL-28248 Fixed XSS issue in CAS authentication module when using the CAS as proxy
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Release 2.5.86 (26th October 2021):
Security issues:
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Release 2.4.81 (26th October 2021):
Security issues:
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
Release 2.2.82 (26th October 2021):
Security issues:
TL-32467 Fixed user error messages to prevent disclosure of information
The same error message is now displayed for deleted, non-existing, or
non-accessible users, to prevent disclosure of information about deleted or
hidden accounts.
