Totara Release Notes

Totara TXP 15.5, 14.10, 13.18; Totara learn 12.41, 11.50, 10.54, 9.62, 2.9.62, 2.7.67, 2.6.84, 2.5.88, and 2.4.83 are now available

 
David Curry (Core Developer)
Totara TXP 15.5, 14.10, 13.18; Totara learn 12.41, 11.50, 10.54, 9.62, 2.9.62, 2.7.67, 2.6.84, 2.5.88, and 2.4.83 are now available
par David Curry (Core Developer), Thursday 24 March 2022, 18:17
Groupe Totara
Hello everyone,

The following versions of Totara TXP/Learn have now been released:

Release 15.5
Release 14.10
Release 13.18
Release 12.41
Release 11.50
Release 10.54
Release 9.62
Release 2.9.62
Release 2.7.67
Release 2.6.84
Release 2.5.88
Release 2.4.83


These releases do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Kind regards

Dave Curry
Release 15.5 (24th March 2022):

Security issues:

    TL-33486        Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module

                   Previously teachers in an assignment group could modify group overrides for
                   other groups in the same assignment. This has now been fixed.

    TL-33838        Fixed issue with grade report capability not being respected

                   In some cases, a learner was still able to view grades even if the
                   capability had been removed. This has been fixed such that the capability
                   is always checked.


Improvements:

    TL-31790        Install/Upgrade environment check added for MariaDB versions 10.6 and later

                   A new environment check for mariadb database configuration was added for
                   the install & upgrade process 

    TL-33547        Improved layout of labels in legacy course activity adders
    TL-33550        Added support for completion archiving to lesson modules

                   Previously the lesson module did not support completion archiving, this
                   meant that if you used the "Reset completions" functionality under "Course
                   administration" that lesson data persisted. Support for this has been added
                   and now if you reset completions for a course it will also remove lesson
                   timing data, lesson attempt data, and lesson overrides for completed users
                   in the course.


Bug fixes:

    TL-33158        Fixed the handling of incorrect course enrolment timestamps when creating course completion records

                   Previously, the course completion module set the enrolment date to the
                   current time when there were no user enrolment records. This led to the
                   problem where reports that used the completion data showed the wrong
                   enrolment dates.
                   
                   This patch changes this; now the enrolment time is zero when the course
                   completion record is created for unenrolled users. It is only when the user
                   actually enrols in a course that the timeenrolled value in the completion
                   record is updated.

    TL-33173        Fixed database queries failing depending on the locale of the webserver 

                   Due to the fact that float conversion to strings is locale dependent on PHP
                   this can lead to failing database queries if the locale is set to one which
                   uses a different decimal separator (i.e. German uses the comma instead of
                   the dot). Floats like 123.456 would be converted to 123,456.
                   
                   This patch fixes this issue by converting floats to locale-independent
                   strings before using them in database operations.
                   
                   This has been an issue in MySQL and MSSQL.

    TL-33208        Prevented language strings from being HTML-escaped in the search results template

                   Previously, the matchingfilename language string was being HTML-escaped in
                   search results, causing raw HTML to display on the page. The included
                   filename itself is already escaped before being inserted in the language
                   string.

    TL-33403        Fixed a bug that was causing notifications to be sent for closed performance activities
    TL-33430        Fixed due date not immediately updating upon creation of completion records during assignment
    TL-33595        Fixed goals not working when multi tenancy was enabled

                   Previously, goals functionality was not fully working when multi tenancy
                   was enabled, especially if isolation mode was enabled. With this patch
                   goals are now working within the restrictions of multi tenancy. This means
                   that management of company goals can only be done with system permissions
                   by system users. Company goal assignment and personal goals management can
                   be done by tenant users or their managers (depending on how the permissions
                   are set up). There are some restrictions if isolation is enabled, the
                   viewing of company goals or goal frameworks is not possible as tenant users
                   and the links to these pages are not shown in this case.

    TL-33621        Fixed error when showing menu item sortorder event in the logs
    TL-33635        Fixed a JavaScript error on the competencies tab for learning plans

                   Previously if a user could view but not edit competencies within a learning
                   plan, there was a JavaScript error on the page.

    TL-33638        Fixed minor JavaScript issue when changing drop zones on a drag and drop question
    TL-33706        Fixed the room link placeholder for Seminar notifications

                   Previously if you added the [session:room:link] placeholder to a seminar
                   notification the link it displayed was incorrect for virtual rooms. This
                   has been fixed to match the correct output used by the [session:rooms]
                   placeholder.

    TL-33726        Fixed missing details in seminar session facilitator confirmation notification

                   Initialised the details field before sending any notification.

    TL-33780        Fixed notifications not inheriting from immediate natural parent context

                   A bug meant that notification preferences that were created in the
                   immediate parent "natural" context of an "extended" context were not being
                   considered when determining notifications that apply in the extended
                   context. This bug did not affect any core Totara functionality, because the
                   existing notifications were not configured in this way, but may have
                   affected third-party development.

    TL-33782        Fixed SCORM modules not being loaded in mobile browsers and in the mobile app

Tui front end framework:

    TL-31967        Fixed issue where collapsing the tables on the 'manually rate competencies' page would remove the table header
    TL-33497        Fixed error modal "copy all" in IE 11
    TL-33572        Fixed visual clipping on the ParticipantGeneralInformation TUI component

Recommendations engine:

    TL-33600        Fixed the headers of exported `item_data_x.csv` files for the recommendation engine

                   The headers that related to the course tags and engage topics were being
                   prefixed with 'topic_' string. This would cause buggy computations in the
                   recommendation engine when some tags and labels shared the same name. This
                   bug is fixed so tags and labels will have relevant prefixes 'tag_' and
                   'topic_', respectively.

    TL-33681        The warning issue with the new APScheduler package is resolved
    TL-33682        Fixed the favicon issue after Flask upgrade
    TL-33696        Updated the requirements file with specific library versions

                   Prior to this change only directly added libraries were recorded in the
                   requirements.txt. Any dependencies for these libraries would load the most
                   recent version it could, which could result in things breaking if a new
                   version introduced a breaking change and did not report it correctly.
                   
                   With this patch, we have pinned all dependencies to specific versions that
                   we have tested works with the recommendations engine.

Contributions:

    * Brad Simpson at Kineo USA - TL-33547

Release 14.10 (24th March 2022):

Security issues:

    TL-33486        Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module

                   Previously teachers in an assignment group could modify group overrides for
                   other groups in the same assignment. This has now been fixed.

    TL-33838        Fixed issue with grade report capability not being respected

                   In some cases, a learner was still able to view grades even if the
                   capability had been removed. This has been fixed such that the capability
                   is always checked.


Improvements:

    TL-31790        Install/Upgrade environment check added for MariaDB versions 10.6 and later

                   A new environment check for mariadb database configuration was added for
                   the install & upgrade process 

    TL-33547        Improved layout of labels in legacy course activity adders
    TL-33550        Added support for completion archiving to lesson modules

                   Previously the lesson module did not support completion archiving, this
                   meant that if you used the "Reset completions" functionality under "Course
                   administration" that lesson data persisted. Support for this has been added
                   and now if you reset completions for a course it will also remove lesson
                   timing data, lesson attempt data, and lesson overrides for completed users
                   in the course.


Bug fixes:

    TL-33158        Fixed the handling of incorrect course enrolment timestamps when creating course completion records

                   Previously, the course completion module set the enrolment date to the
                   current time when there were no user enrolment records. This led to the
                   problem where reports that used the completion data showed the wrong
                   enrolment dates.
                   
                   This patch changes this; now the enrolment time is zero when the course
                   completion record is created for unenrolled users. It is only when the user
                   actually enrols in a course that the timeenrolled value in the completion
                   record is updated.

    TL-33173        Fixed database queries failing depending on the locale of the webserver 

                   Due to the fact that float conversion to strings is locale dependent on PHP
                   this can lead to failing database queries if the locale is set to one which
                   uses a different decimal separator (i.e. German uses the comma instead of
                   the dot). Floats like 123.456 would be converted to 123,456.
                   
                   This patch fixes this issue by converting floats to locale-independent
                   strings before using them in database operations.
                   
                   This has been an issue in MySQL and MSSQL.

    TL-33208        Prevented language strings from being HTML-escaped in the search results template

                   Previously, the matchingfilename language string was being HTML-escaped in
                   search results, causing raw HTML to display on the page. The included
                   filename itself is already escaped before being inserted in the language
                   string.

    TL-33403        Fixed a bug that was causing notifications to be sent for closed performance activities
    TL-33430        Fixed due date not immediately updating upon creation of completion records during assignment
    TL-33595        Fixed goals not working when multi tenancy was enabled

                   Previously, goals functionality was not fully working when multi tenancy
                   was enabled, especially if isolation mode was enabled. With this patch
                   goals are now working within the restrictions of multi tenancy. This means
                   that management of company goals can only be done with system permissions
                   by system users. Company goal assignment and personal goals management can
                   be done by tenant users or their managers (depending on how the permissions
                   are set up). There are some restrictions if isolation is enabled, the
                   viewing of company goals or goal frameworks is not possible as tenant users
                   and the links to these pages are not shown in this case.

    TL-33621        Fixed error when showing menu item sortorder event in the logs
    TL-33706        Fixed the room link placeholder for Seminar notifications

                   Previously if you added the [session:room:link] placeholder to a seminar
                   notification the link it displayed was incorrect for virtual rooms. This
                   has been fixed to match the correct output used by the [session:rooms]
                   placeholder.

    TL-33726        Fixed missing details in seminar session facilitator confirmation notification

                   Initialised the details field before sending any notification.

    TL-33780        Fixed notifications not inheriting from immediate natural parent context

                   A bug meant that notification preferences that were created in the
                   immediate parent "natural" context of an "extended" context were not being
                   considered when determining notifications that apply in the extended
                   context. This bug did not affect any core Totara functionality, because the
                   existing notifications were not configured in this way, but may have
                   affected third-party development.


Tui front end framework:

    TL-31967        Fixed issue where collapsing the tables on the 'manually rate competencies' page would remove the table header
    TL-33497        Fixed error modal "copy all" in IE 11
    TL-33572        Fixed visual clipping on the ParticipantGeneralInformation TUI component

Recommendations engine:

    TL-33600        Fixed the headers of exported `item_data_x.csv` files for the recommendation engine

                   The headers that related to the course tags and engage topics were being
                   prefixed with 'topic_' string. This would cause buggy computations in the
                   recommendation engine when some tags and labels shared the same name. This
                   bug is fixed so tags and labels will have relevant prefixes 'tag_' and
                   'topic_', respectively.

    TL-33696        Updated the requirements file with specific library versions

                   Prior to this change only directly added libraries were recorded in the
                   requirements.txt. Any dependencies for these libraries would load the most
                   recent version it could, which could result in things breaking if a new
                   version introduced a breaking change and did not report it correctly.
                   
                   With this patch, we have pinned all dependencies to specific versions that
                   we have tested works with the recommendations engine.

Contributions:

    * Brad Simpson at Kineo USA - TL-33547

Release 13.18 (24th March 2022):

Security issues:

    TL-33486        Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module

                   Previously teachers in an assignment group could modify group overrides for
                   other groups in the same assignment. This has now been fixed.

    TL-33838        Fixed issue with grade report capability not being respected

                   In some cases, a learner was still able to view grades even if the
                   capability had been removed. This has been fixed such that the capability
                   is always checked.


Improvements:

    TL-31790        Install/Upgrade environment check added for MariaDB versions 10.6 and later

                   A new environment check for mariadb database configuration was added for
                   the install & upgrade process 

    TL-33547        Improved layout of labels in legacy course activity adders

Bug fixes:

    TL-33158        Fixed the handling of incorrect course enrolment timestamps when creating course completion records

                   Previously, the course completion module set the enrolment date to the
                   current time when there were no user enrolment records. This led to the
                   problem where reports that used the completion data showed the wrong
                   enrolment dates.
                   
                   This patch changes this; now the enrolment time is zero when the course
                   completion record is created for unenrolled users. It is only when the user
                   actually enrols in a course that the timeenrolled value in the completion
                   record is updated.

    TL-33208        Prevented language strings from being HTML-escaped in the search results template

                   Previously, the matchingfilename language string was being HTML-escaped in
                   search results, causing raw HTML to display on the page. The included
                   filename itself is already escaped before being inserted in the language
                   string.

    TL-33595        Fixed goals not working when multi tenancy was enabled

                   Previously, goals functionality was not fully working when multi tenancy
                   was enabled, especially if isolation mode was enabled. With this patch
                   goals are now working within the restrictions of multi tenancy. This means
                   that management of company goals can only be done with system permissions
                   by system users. Company goal assignment and personal goals management can
                   be done by tenant users or their managers (depending on how the permissions
                   are set up). There are some restrictions if isolation is enabled, the
                   viewing of company goals or goal frameworks is not possible as tenant users
                   and the links to these pages are not shown in this case.

    TL-33706        Fixed the room link placeholder for Seminar notifications

                   Previously if you added the [session:room:link] placeholder to a seminar
                   notification the link it displayed was incorrect for virtual rooms. This
                   has been fixed to match the correct output used by the [session:rooms]
                   placeholder.

    TL-33755        Fixed a bug that was causing overdue notifications to be sent for close performance activities

Tui front end framework:

    TL-31967        Fixed issue where collapsing the tables on the 'manually rate competencies' page would remove the table header
    TL-33497        Fixed error modal "copy all" in IE 11
    TL-33572        Fixed visual clipping on the ParticipantGeneralInformation TUI component

Recommendations engine:

    TL-33696        Updated the requirements file with specific library versions

                   Prior to this change only directly added libraries were recorded in the
                   requirements.txt. Any dependencies for these libraries would load the most
                   recent version it could, which could result in things breaking if a new
                   version introduced a breaking change and did not report it correctly.
                   
                   With this patch, we have pinned all dependencies to specific versions that
                   we have tested works with the recommendations engine.

Contributions:

    * Brad Simpson at Kineo USA - TL-33547

Release 12.41 (24th March 2022):

Security issues:

    TL-33486        Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module

                   Previously teachers in an assignment group could modify group overrides for
                   other groups in the same assignment. This has now been fixed.

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.

    TL-33838        Fixed issue with grade report capability not being respected

                   In some cases, a learner was still able to view grades even if the
                   capability had been removed. This has been fixed such that the capability
                   is always checked.


Bug fixes:

    TL-28557        Backported TL-32970 to make sure no error message appears when expanding categories in navigation block
    TL-33158        Fixed the handling of incorrect course enrolment timestamps when creating course completion records

                   Previously, the course completion module set the enrolment date to the
                   current time when there were no user enrolment records. This led to the
                   problem where reports that used the completion data showed the wrong
                   enrolment dates.
                   
                   This patch changes this; now the enrolment time is zero when the course
                   completion record is created for unenrolled users. It is only when the user
                   actually enrols in a course that the timeenrolled value in the completion
                   record is updated.

    TL-33208        Prevented language strings from being HTML-escaped in the search results template

                   Previously, the matchingfilename language string was being HTML-escaped in
                   search results, causing raw HTML to display on the page. The included
                   filename itself is already escaped before being inserted in the language
                   string.


Release 11.50 (24th March 2022):

Security issues:

    TL-33486        Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module

                   Previously teachers in an assignment group could modify group overrides for
                   other groups in the same assignment. This has now been fixed.

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.


Release 10.54 (24th March 2022):

Security issues:

    TL-33486        Cherry-picked MDL-61114 to ensure that assignment overrides observe group membership in the assignment module

                   Previously teachers in an assignment group could modify group overrides for
                   other groups in the same assignment. This has now been fixed.

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.


Release 9.62 (24th March 2022):

Security issues:

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.


Release 2.9.62 (24th March 2022):

Security issues:

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.


Release 2.7.67 (24th March 2022):

Security issues:

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.


Release 2.6.84 (24th March 2022):

Security issues:

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.


Release 2.5.88 (24th March 2022):

Security issues:

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.


Release 2.4.83 (24th March 2022):

Security issues:

    TL-33756        Improved validation of badge criteria to prevent SQL injection

                   The profile completion criteria for course badges was vulnerable to SQL
                   injection. The attacker was required to be logged in as a user
                   with a role that has the `moodle/badges:configurecriteria` capability. The
                   Editing Trainer role includes this capability. 
                   This vulnerability has been fixed.
                   
                   To check for indicators of compromise, search for "Badge criteria created"
                   and "Badge criteria updated" events in Totara's site logs and then review
                   the corresponding badges. If an exploit has been attempted, error messages
                   around invalid strings will be shown on the Criteria tab for affected
                   badges.