Totara Release Notes

Totara txp 14.5, 13.13; Totara learn 12.36, 11.45, 10.49, 9.58, 2.9.59, 2.7.65, 2.6.82, 2.5.86, 2.4.81, 2.2.82 are now available

 
by David Curry (Core Developer), Monday 25 October 2021, 19:54
Totara group

Hello everyone,

The following versions of Totara TXP/Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Kind regards,
David Curry

Release 14.5 (26th October 2021):

Important:

    TL-32205       Improved relative completion due date calculation for program and certification assignments

                   Previously, month and year were calculated based on hard-coded constants of
                   30 and 365 days respectively. This has been changed with the introduction
                   of two new database fields that now store proper date offset information.
                   Using this information, completion date difference is now calculated
                   correctly. 
                   
                   The change doesn't affect any existing due dates already calculated for any
                   completions. All newly assigned users will have their due date calculated
                   based on the new approach.


Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32427       Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
    TL-32465       Removed the ability for a privileged user to change their own password without confirming their existing password

                   When a user has sufficient privilege to update their own password using
                   either the 'Edit profile' or 'Manage user logins' mechanisms, there is no
                   confirmation that they know their existing password. This could lead to
                   lockout if an attacker had access to an admin's session, either through
                   physical access to a logged-in computer, or via XSS or a remote desktop
                   exploit.
                   
                   A user may still change their own password (with confirmation) using
                   'Change password'.

    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts

    TL-32602       Made sure session key is required when removing related badge
    TL-32672       Made sure program access is checked when "program viewed" event is triggered via Web API

Performance improvements:

    TL-32547       Improved the performance of the 'certification completion date' dynamic audience rule

Improvements:

    TL-28246       Upgraded PHPMailer library to version 6.5.1
    TL-28271       Upgraded the ChartJS library used in Tui to version 2.9.4
    TL-31552       Added recording the history of goal target date changes

                   This patch adds recording changes to goal target dates, both for personal
                   and company goals. For performance activities, this enables the two goal
                   review question types to display the historic target date setting at the
                   time the goal was selected within the activity.

    TL-31653       Added basic support for mailto links in the weka editor
    TL-31760       Removed empty entries from the "Competency profile" graph when a user has over 12 competencies assigned
    TL-31937       Added a configuration setting to prevent resending program and certification messages on schedule change

                   Introduced a new configuration setting
                   "$CFG->program_message_prevent_resend_on_schedule_change". This is only
                   relevant for rare cases where new message types based on the legacy
                   'prog_eventbased_message' class had been programmed and were carried over
                   from Totara versions prior to Totara 14. When set to true, it switches off
                   the default behaviour of resending program and certification messages on
                   change of the message scheduling.

    TL-32474       Implemented a hook for core roles to assign users with a different context

                   Currently `core_role_get_potential_user_selector()` has some logic to
                   determine whether a context is 'above' a course or 'below' it, and chooses
                   a user selector for assigning roles based on that.
                   
                   The CONTEXT_MODULE is considered 'below' a course, and so the users you can
                   select have to be enrolled on the course. 
                   
                   For some cases, there is nobody enrolled on the course; the admin should be
                   free to choose any user in the system (subject to multi-tenancy rules).

    TL-32598       Improved accessibility of 'Add to admin menu' dropdown that appears on admin pages by adding a label
    TL-32663       Updated environment checks to include checks for the upcoming Totara 15 release

Bug fixes:

    TL-31569       Fixed the display of singular and nested course module activity restrictions in GraphQL
    TL-31679       Added a new user status filter that only shows one 'Requested' option in Seminar events and summary reports

                   Within seminar there are three different requested statuses depending on
                   the type of approval configured. The new filter shows all requested records
                   when the single 'Requested' option is selected.

    TL-32133       Fixed styling of tags in report table
    TL-32186       Fixed custom font for PDF export in report builder
    TL-32299       Fixed URL on Seminar activity view page to ensure user tours work correctly
    TL-32335       Fixed the course module GraphQL type to check if the summary field exists before attempting to fetch it
    TL-32349       Fixed linking to a course in the catalogue, to take users directly to the course instead of enrolment options page

                   Prior to Totara 12 clicking on a course would take you to the course page.
                   This change resulted in the user being sent directly to the enrolment
                   options page under certain circumstances. This broke the desired behaviour
                   when using certain enrolment methods such as the auto-enrol method,
                   requiring an extra click to get to the course.
                   
                   This change returns to the previous behaviour - the user is first directed
                   to the course page where they may be auto-enrolled. They may still end up
                   being redirected to the enrolment options page if there are no
                   auto-enrolment options for them.

    TL-32355       Fixed the display of descriptions in Report builder when they contain nothing but an image

                   Prior to this change, images would only be displayed if
                   accompanied by text.

    TL-32361       Fixed the sending of notifications when seminar reservations are cancelled
    TL-32363       Fixed the submission of images in "online text" assignments

                   Previously if you attempted to submit an "online text" assignment with
                   nothing but an image in it, it would be rejected as an empty submission.
                   This has been fixed to correctly validate empty submissions.

    TL-32364       Updated the recommendations tab to always appear on Engage resources and playlists
    TL-32366       Ensured that breadcrumbs adhere to the 'navshowcategories' settings within Programs and Certifications
    TL-32372       Fixed layout of grading comment bar in quiz essay question

                   In the admin view of the quiz after grading and adding a comment, a comment
                   bar is shown with a link to update it. This fixes an alignment issue in the
                   comment bar.

    TL-32395       Fixed the link to the GO1 content marketplace information page
    TL-32397       Fixed custom seminar notifications not being sent when filtering multiple event times

                   Prior to this fix, custom seminar notifications that were configured to be
                   sent to booked users in combination with selecting multiple event times
                   (i.e. future, past or in progress) failed to send under certain
                   circumstances.

    TL-32401       Fixed hero image for resources not being displayed for YouTube short-links
    TL-32433       Fixed custom seminar notifications being sent to participants with the wrong status

                   Prior to this fix, custom seminar notifications that were configured to be
                   sent to booked users only were also sent to users with different
                   participation status, e.g. cancelled or waitlisted users.

    TL-32447       Fixed incorrect warning message when deleting workspace discussion and leaving workspace
    TL-32457       Fixed job assignment HR import order
    TL-32460       Fixed checks on the container/workspace:workspaceview capability when accessing workspaces so that "prevent" works properly
    TL-32461       Ensured course enrolment works correctly when courses are accessed via a Learning Plan using Learning Plan enrolment method

                   In cases where Audience based visibility is used, with course visibility
                   set as 'Enrolled users only' an approved plan containing the course could
                   not be enrolled upon prior to this change.

    TL-32488       Fixed embedding of Vimeo videos that have a private URL

                   Vimeo private videos have a slightly different URL format to standard Vimeo
                   videos. Embedding one of these into an editor field will now load correctly
                   instead of showing an error.

    TL-32534       Fixed the display of certificate modules using the force download option

                   Previously the page was attempting to output the 'view as html' button,
                   even though the button was not being properly initialised for the "force
                   download" option. This has been resolved so the button only attempts to
                   render for the "email" or "open in another window" options.

    TL-32539       Fixed the translation of resource type for some engage notifications
    TL-32541       Ensured availability restrictions are not shown when the associated feature is disabled

                   The availability restrictions 'Assigned to Organisation' and 'Assigned to
                   Position' in activity modules are now hidden when the associated feature is
                   disabled in the 'Configure features' section.

    TL-32543       Fixed blocks being displayed on the course completion status page

                   On the 'More details' page for the 'Course completion status' block the
                   front page blocks were incorrectly displayed. This fixes the block display so it
                   now shows the course navigation blocks.

    TL-32561       Fixed a network error for the CSS files used during initial installation
    TL-32571       Made sure format options for email header and footer are hidden in theme settings
    TL-32572       Fixed an error creating the "Playlist Engagement" report that happened when "Recommendations" was turned off in Engage settings
    TL-32577       Fixed redirect when navigating directly to the declare interest page for a Seminar

                   When navigating directly to the declare interest page for a Seminar while
                   not logged in, the redirect after the user logged in didn't preserve
                   the URL parameter. This is now preserved and loads the page correctly.

    TL-32600       Fixed error when adding Certification ID filter to "Record of Learning: Certifications" report
    TL-32607       Prevented columns with compound data from being added to the report toolbar
    TL-32620       Fixed a "first column not unique" error in Engage when searching within your library
    TL-32626       Fixed deleted workspaces being listed when sharing resource to recipients
    TL-32647       Fixed Seminar Start/Finish Date columns for Seminar Sign-In report source

                   Totara 12 introduced Seminar Start/Finish Date column improvements for
                   Seminar reports and brought consistency across sources. However, the
                   upgrade was missed, so the client data for these columns was hidden and
                   did not display on the reports. This is now fixed. The following columns
                   were changed as part of the Totara 12 improvements:
                   * replaced the 'sessiondate' column value with 'sessionstartdate' for the
                     'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
                     report sources, for consistency, so that a single column value is used
                     for all seminar report sources
                   * replaced the 'datefinish' column value with 'sessionfinishdate' for the
                     'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
                     report sources, for consistency, so that a single column value is used
                     for all seminar report sources

    TL-32675       Fixed the user validation for the "hierarchy_goal_perform_linked_goals_change_status" GraphQL mutation
    TL-32722       Fixed an error in the Weka editor when dragging nodes
    TL-32725       Fixed site policies preventing web crawlers from indexing the site

                   Web crawlers are no longer prevented from indexing sites where the 'Open to
                   Google' setting is enabled and agreement to site policies is required.

    TL-32730       Removed the link for deleted personal goals in performance activity review items

                   Deleted personal goals are still displayed in completed performance
                   activities with personal goal review items. Prior to this patch, clicking
                   the link on the goal title led to an error message. This patch removes the
                   link.


Database upgrades:

    TL-32463       Increased length of the "title" column in the "notification_preference" table to fix issue with migration of the legacy messages

Tui front end framework:

    TL-32444       Fixed issue where button text was covered by an additional HTML element

Release 13.13 (26th October 2021):

Important:

    TL-32535       Fixed batching of the migration of evidence items and files

                   The new totara_evidence migration code batches the items migrated and
                   loads a maximum of 1000 items at a time. Unfortunately the batching code had
                   an issue: if there were more than 10000 records to be migrated, some records
                   could have been missed. This patch fixes the batching code and makes sure
                   all existing items are migrated successfully.


Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32427       Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts

    TL-32602       Made sure session key is required when removing related badge
    TL-32672       Made sure program access is checked when "program viewed" event is triggered via Web API

Performance improvements:

    TL-32547       Improved the performance of the 'certification completion date' dynamic audience rule

Improvements:

    TL-28246       Upgraded PHPMailer library to version 6.5.1
    TL-28271       Upgraded the ChartJS library used in Tui to version 2.9.4
    TL-31653       Added basic support for mailto links in the weka editor
    TL-31937       Added a configuration setting to prevent resending program and certification messages on schedule change

                   Introduced a new configuration setting
                   "$CFG->program_message_prevent_resend_on_schedule_change". When set to
                   true, it switches off the default behaviour of resending program and
                   certification messages on change of the message scheduling.

    TL-32663       Updated environment checks to include checks for the upcoming Totara 15 release

Bug fixes:

    TL-31569       Fixed the display of singular and nested course module activity restrictions in GraphQL
    TL-31679       Added a new user status filter that only shows one 'Requested' option in Seminar events and summary reports

                   Within seminar there are three different requested statuses depending on
                   the type of approval configured. The new filter shows all requested records
                   when the single 'Requested' option is selected.

    TL-32133       Fixed styling of tags in report table
    TL-32186       Fixed custom font for PDF export in report builder
    TL-32335       Fixed the course module GraphQL type to check if the summary field exists before attempting to fetch it
    TL-32349       Fixed linking to a course in the catalogue, to take users directly to the course instead of enrolment options page

                   Prior to Totara 12 clicking on a course would take you to the course page.
                   This change resulted in the user being sent directly to the enrolment
                   options page under certain circumstances. This broke the desired behaviour
                   when using certain enrolment methods such as the auto-enrol method,
                   requiring an extra click to get to the course.
                   
                   This change returns to the previous behaviour - the user is first directed
                   to the course page where they may be auto-enrolled. They may still end up
                   being redirected to the enrolment options page if there are no
                   auto-enrolment options for them.

    TL-32355       Fixed the display of descriptions in Report builder when they contain nothing but an image

                   Prior to this change, images would only be displayed if
                   accompanied by text.

    TL-32361       Fixed the sending of notifications when seminar reservations are cancelled
    TL-32363       Fixed the submission of images in "online text" assignments

                   Previously if you attempted to submit an "online text" assignment with
                   nothing but an image in it, it would be rejected as an empty submission.
                   This has been fixed to correctly validate empty submissions.

    TL-32366       Ensured that breadcrumbs adhere to the 'navshowcategories' settings within Programs and Certifications
    TL-32372       Fixed layout of grading comment bar in quiz essay question

                   In the admin view of the quiz after grading and adding a comment, a comment
                   bar is shown with a link to update it. This fixes an alignment issue in the
                   comment bar.

    TL-32395       Fixed the link to the GO1 content marketplace information page
    TL-32397       Fixed custom seminar notifications not being sent when filtering multiple event times

                   Prior to this fix, custom seminar notifications that were configured to be
                   sent to booked users in combination with selecting multiple event times
                   (i.e. future, past or in progress) failed to send under certain
                   circumstances.

    TL-32433       Fixed custom seminar notifications being sent to participants with the wrong status

                   Prior to this fix, custom seminar notifications that were configured to be
                   sent to booked users only were also sent to users with different
                   participation status, e.g. cancelled or waitlisted users.

    TL-32447       Fixed incorrect warning message when deleting workspace discussion and leaving workspace
    TL-32457       Fixed job assignment HR import order
    TL-32460       Fixed checks on the container/workspace:workspaceview capability when accessing workspaces so that "prevent" works properly
    TL-32461       Ensured course enrolment works correctly when courses are accessed via a Learning Plan using Learning Plan enrolment method

                   In cases where Audience based visibility is used, with course visibility
                   set as 'Enrolled users only' an approved plan containing the course could
                   not be enrolled upon prior to this change.

    TL-32488       Fixed embedding of Vimeo videos that have a private URL

                   Vimeo private videos have a slightly different URL format to standard Vimeo
                   videos. Embedding one of these into an editor field will now load correctly
                   instead of showing an error.

    TL-32534       Fixed the display of certificate modules using the force download option

                   Previously the page was attempting to output the 'view as html' button,
                   even though the button was not being properly initialised for the "force
                   download" option. This has been resolved so the button only attempts to
                   render for the "email" or "open in another window" options.

    TL-32539       Fixed the translation of resource type for some engage notifications
    TL-32543       Fixed blocks being displayed on the course completion status page

                   On the 'More details' page for the 'Course completion status' block the
                   front page blocks were incorrectly displayed. This fixes the block display so it
                   now shows the course navigation blocks.

    TL-32561       Fixed a network error for the CSS files used during initial installation
    TL-32572       Fixed an error creating the "Playlist Engagement" report that happened when "Recommendations" was turned off in Engage settings
    TL-32577       Fixed redirect when navigating directly to the declare interest page for a Seminar

                   When navigating directly to the declare interest page for a Seminar while
                   not logged in, the redirect after the user logged in didn't preserve
                   the URL parameter. This is now preserved and loads the page correctly.

    TL-32600       Fixed error when adding Certification ID filter to "Record of Learning: Certifications" report
    TL-32607       Prevented columns with compound data from being added to the report toolbar
    TL-32620       Fixed a "first column not unique" error in Engage when searching within your library
    TL-32626       Fixed deleted workspaces being listed when sharing resource to recipients
    TL-32647       Fixed Seminar Start/Finish Date columns for Seminar Sign-In report source

                   Totara 12 introduced Seminar Start/Finish Date column improvements for
                   Seminar reports and brought consistency across sources. However, the
                   upgrade was missed, so the client data for these columns was hidden and
                   did not display on the reports. This is now fixed. The following columns
                   were changed as part of the Totara 12 improvements:
                   * replaced the 'sessiondate' column value with 'sessionstartdate' for the
                     'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
                     report sources, for consistency, so that a single column value is used
                     for all seminar report sources
                   * replaced the 'datefinish' column value with 'sessionfinishdate' for the
                     'rb_source_facetoface_sessions' and 'rb_source_facetoface_signin' seminar
                     report sources, for consistency, so that a single column value is used
                     for all seminar report sources

    TL-32722       Fixed an error in the Weka editor when dragging nodes
    TL-32725       Fixed site policies preventing web crawlers from indexing the site

                   Web crawlers are no longer prevented from indexing sites where the 'Open to
                   Google' setting is enabled and agreement to site policies is required.


Release 12.36 (26th October 2021):

Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32427       Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Improvements:

    TL-32316       The upload repository has a new setting to whitelist accepted mimetypes

                   A new setting Mimetype whitelist has been added to the upload repository
                   that will restrict the files users can upload to just those set.
                   
                   This does not have any impact on any of the other repository types.


Bug fixes:

    TL-32186       Fixed custom font for PDF export in report builder
    TL-32264       Removed unnecessary error logging when the system tried to update a grade
    TL-32349       Fixed linking to a course in the catalogue, to take users directly to the course instead of enrolment options page

                   Prior to Totara 12 clicking on a course would take you to the course page.
                   This change resulted in the user being sent directly to the enrolment
                   options page under certain circumstances. This broke the desired behaviour
                   when using certain enrolment methods such as the auto-enrol method,
                   requiring an extra click to get to the course.
                   
                   This change returns to the previous behaviour - the user is first directed
                   to the course page where they may be auto-enrolled. They may still end up
                   being redirected to the enrolment options page if there are no
                   auto-enrolment options for them.

    TL-32355       Fixed the display of descriptions in Report builder when they contain nothing but an image

                   Prior to this change, images would only be displayed if
                   accompanied by text.

    TL-32395       Fixed the link to the GO1 content marketplace information page
    TL-32461       Ensured course enrolment works correctly when courses are accessed via a Learning Plan using Learning Plan enrolment method

                   In cases where Audience based visibility is used, with course visibility
                   set as 'Enrolled users only' an approved plan containing the course could
                   not be enrolled upon prior to this change.

    TL-32534       Fixed the display of certificate modules using the force download option

                   Previously the page was attempting to output the 'view as html' button,
                   even though the button was not being properly initialised for the "force
                   download" option. This has been resolved so the button only attempts to
                   render for the "email" or "open in another window" options.

    TL-32577       Fixed redirect when navigating directly to the declare interest page for a Seminar

                   When navigating directly to the declare interest page for a Seminar while
                   not logged in, the redirect after the user logged in didn't preserve
                   the URL parameter. This is now preserved and loads the page correctly.

    TL-32725       Fixed site policies preventing web crawlers from indexing the site

                   Web crawlers are no longer prevented from indexing sites where the 'Open to
                   Google' setting is enabled and agreement to site policies is required.


Release 11.45 (26th October 2021):

Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32427       Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Bug fixes:

    TL-32534       Fixed the display of certificate modules using the force download option

                   Previously the page was attempting to output the 'view as html' button,
                   even though the button was not being properly initialised for the "force
                   download" option. This has been resolved so the button only attempts to
                   render for the "email" or "open in another window" options.

    TL-32725       Fixed site policies preventing web crawlers from indexing the site

                   Web crawlers are no longer prevented from indexing sites where the 'Open to
                   Google' setting is enabled and agreement to site policies is required.


Release 10.49 (26th October 2021):

Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32427       Fixed unreleased grade disclosure via web service mod_quiz_get_user_attempts
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Release 9.58 (26th October 2021):

Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Release 2.9.59 (26th October 2021):

Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Release 2.7.65 (26th October 2021):

Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Release 2.6.82 (26th October 2021):

Security issues:

    TL-28248       Fixed XSS issue in CAS authentication module when using the CAS as proxy
    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Release 2.5.86 (26th October 2021):

Security issues:

    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Release 2.4.81 (26th October 2021):

Security issues:

    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts


Release 2.2.82 (26th October 2021):

Security issues:

    TL-32467       Fixed user error messages to prevent disclosure of information

                   The same error message is now displayed for deleted, non-existing, or
                   non-accessible users, to prevent disclosure of information about deleted or
                   hidden accounts
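
The behaviour TL-32467 describes, as an added example that is not part of the release notes and is not Totara's code: a user lookup whose error text reveals the account state, beside one that returns a single message for deleted, non-existing and non-accessible users and keeps the real reason in a server-side log. All function names, the sample records and the 'Invalid user' wording are assumptions made for illustration.

```php
<?php
// Added example, not Totara code: every name below is hypothetical.

final class LookupError extends RuntimeException {}

// Constructed sample data standing in for a user table.
const SAMPLE_USERS = [
    10 => ['name' => 'Active Learner', 'deleted' => false, 'hidden' => false],
    11 => ['name' => 'Former Staff',   'deleted' => true,  'hidden' => false],
    12 => ['name' => 'Hidden Account', 'deleted' => false, 'hidden' => true],
];

/** Classify why a lookup must fail, or return null when the user may be shown. */
function denial_reason(int $id): ?string {
    if (!array_key_exists($id, SAMPLE_USERS)) {
        return 'non-existing';
    }
    if (SAMPLE_USERS[$id]['deleted']) {
        return 'deleted';
    }
    if (SAMPLE_USERS[$id]['hidden']) {
        return 'non-accessible';
    }
    return null;
}

/** Before: each failure has its own wording, so the message reveals the account state. */
function get_user_leaky(int $id): array {
    $reason = denial_reason($id);
    if ($reason !== null) {
        throw new LookupError("User is $reason");
    }
    return SAMPLE_USERS[$id];
}

/** After: one message for all three states; the reason is recorded server-side only. */
function get_user_uniform(int $id, array &$serverLog): array {
    $reason = denial_reason($id);
    if ($reason !== null) {
        $serverLog[] = "lookup denied: id=$id reason=$reason";
        throw new LookupError('Invalid user');
    }
    return SAMPLE_USERS[$id];
}

/** Call a lookup for each id and collect what a client would see. */
function responses(callable $lookup, array $ids): array {
    $seen = [];
    foreach ($ids as $id) {
        try {
            $lookup($id);
            $seen[$id] = 'ok';
        } catch (LookupError $e) {
            $seen[$id] = $e->getMessage();
        }
    }
    return $seen;
}

/** Number of different error texts among the failed lookups. */
function distinct_failures(array $responses): int {
    return count(array_unique(array_diff($responses, ['ok'])));
}

$ids = [10, 11, 12, 99];   // 99 was never created
$log = [];
$leaky = responses('get_user_leaky', $ids);
$uniform = responses(function (int $id) use (&$log) {
    return get_user_uniform($id, $log);
}, $ids);

foreach ($ids as $id) {
    printf("%-3d leaky: %-24s uniform: %s\n", $id, $leaky[$id], $uniform[$id]);
}
printf(
    "distinct failure messages: leaky=%d uniform=%d\n",
    distinct_failures($leaky),
    distinct_failures($uniform)
);
echo implode("\n", $log), "\n";

// Regression check: every failing id must be indistinguishable to the client.
if (distinct_failures($uniform) !== 1) {
    fwrite(STDERR, "uniform lookup leaks account state\n");
    exit(1);
}
```

The final check is the part worth keeping as a regression test: it fails as soon as any code path reintroduces a state-specific message.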