Hello everyone,
The following versions of Totara Learn have now been released:
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Kineo UK - TL-34115
Release 16.1 (27th May 2022):
Important:
TL-34120 Added disable cron when using maintenance mode
Security issues:
TL-28575 Removed sesskey from audience dialogue request URLs
TL-28739 Removed sesskey from jump value on the course view page
TL-28741 Removed sesskey from the 'Turn editing on' button URL
TL-28742 Removed sesskey from the course completion report AJAX
TL-28743 Removed sesskey from URLs in seminar room, asset and facilitator actions
TL-28744 Removed sesskey from URLs in 'Switch role to' links
TL-29099 Removed sesskey from URLs in the navigation menu
TL-33884 Fixed log code to prevent XSS in log descriptions
Logs generated by some events in Totara could allow XSS in certain situations,
when viewing either Server > Logs or Server > Live Logs. The fix ensures these
XSS payloads will not be executed. This covers both newly generated and already
existing log entries.
TL-33890 Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
TL-33926 Converted AJAX request when assigning a company goal to a POST request
Previously this Ajax request was a GET request, which allowed the sesskey to be
logged on the server and in browser history.
TL-33952 Fixed audience-based visibility issue on course-related reports
The course-based reports ignored the "Audience-based visibility" setting. For
example, when the course "Audience-based visibility" setting is set to "Enrolled
users only", it doesn't allow non-enrolled users to see the course details. But
in course-based reports, such as "Course Membership Report" and "Course
completion Report", users could see all other course-related entries regardless
of whether they are enrolled.
The new changes apply an additional filter to the course-based report query to
check the current user visibility.
TL-34336 Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)
An issue in the logic used to count failed login attempts could result in the
account lockout threshold being bypassed by using simultaneous requests.
TL-34339 Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)
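The failure mode described under TL-34336, as an added example that is not Totara's code: a failed-login counter updated by read-modify-write loses increments when requests overlap, while an increment done inside the database does not. The table, the account name, the threshold of 3 and the explicitly modelled interleaving (all reads happen before any write) are assumptions made for illustration.

```python
"""Lost updates on a failed-login counter, next to an atomic increment.

Added illustration only: schema, names and threshold are assumptions.
"""
import sqlite3

LOCKOUT_THRESHOLD = 3  # assumed policy: lock the account at 3 failed logins


def make_db():
    """Fresh in-memory store with one account and a zeroed counter."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login_failures ("
        "username TEXT PRIMARY KEY, failed INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO login_failures VALUES ('alice', 0)")
    return conn


def read_failed(conn, username):
    row = conn.execute(
        "SELECT failed FROM login_failures WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def is_locked(conn, username):
    return read_failed(conn, username) >= LOCKOUT_THRESHOLD


def racy_failed_logins(conn, username, simultaneous):
    """Weak pattern: each request reads the counter (or a cached copy),
    adds one in application code and writes the result back.

    The interleaving is modelled explicitly: every request takes its
    snapshot before any request writes, which is what overlapping
    requests can do. All of them then store the same value.
    """
    snapshots = [read_failed(conn, username) for _ in range(simultaneous)]
    for seen in snapshots:
        conn.execute(
            "UPDATE login_failures SET failed = ? WHERE username = ?",
            (seen + 1, username),
        )
    return read_failed(conn, username)


def atomic_failed_logins(conn, username, simultaneous):
    """Hardened pattern: the increment is a single statement evaluated by
    the database against the current row, so no stale snapshot exists
    and every failed attempt is counted."""
    for _ in range(simultaneous):
        conn.execute(
            "UPDATE login_failures SET failed = failed + 1 WHERE username = ?",
            (username,),
        )
    return read_failed(conn, username)


def compare(simultaneous=10):
    """Return ((count, locked) for the racy path, same for the atomic path)."""
    racy = make_db()
    racy_count = racy_failed_logins(racy, "alice", simultaneous)
    atomic = make_db()
    atomic_count = atomic_failed_logins(atomic, "alice", simultaneous)
    return (
        (racy_count, is_locked(racy, "alice")),
        (atomic_count, is_locked(atomic, "alice")),
    )


if __name__ == "__main__":
    (r_count, r_locked), (a_count, a_locked) = compare()
    print(f"read-modify-write: counter={r_count} locked={r_locked}")
    print(f"atomic increment:  counter={a_count} locked={a_locked}")
```

When reviewing lockout code, the thing to look for is any path where the counter value is read, held in a variable or cache, and written back later.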
Performance improvements:
TL-33362 Improved the loading time of the course enrolled users page
TL-34063 Improved the performance of the user activity page
Improvements:
TL-20269 Added a setting and scheduled task to delete old records from the course completion log
The course completion log table stores transaction history for the completion
editor, and can grow very large on sites with a lot of activity. A new 'Delete
course completion logs after' setting allows admins to automatically cull the
oldest records from the log. Once those records are deleted, they will no longer
appear in the completion editor as history.
TL-25521 Implemented visibility options for site policies
Site policy visibility can now be set to all users (the default), authenticated
users only, or guest users only.
TL-31660 Improved the help text for Seminar third-party email setting
TL-33365 Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text
When the Totara Mobile app is enabled, courses that are marked as
'Mobile-friendly' will open in the app; those that are not will be opened in the
mobile web browser instead. The behaviour of this setting has not changed, only
the label and help text explaining it.
TL-33439 Improved the help text regarding the use of event roles in seminar activities
TL-33498 Fixed missing legacy Session date/time changed message when removing the last session of a seminar
When the last session of a seminar event is removed, all appropriate users will
now receive a 'Session date/time changed' message with an ical attachment to
allow the removal of the calendar entry from their calendars.
TL-33549 Fixed the cursor styles for disabled inputs
TL-34051 Added spacing on delete topic confirmation modal body text
TL-34145 Improved the select/deselect all functionality when looking at the question bank
TL-34300 Removed broken sorting functionality from the Progress column on the Course completion report
Bug fixes:
TL-30188 Added a warning when editing a role where the role has been assigned in a specific context level
TL-31206 Fixed deprecation notice on cache admin page
TL-32604 Added accessible names to report builder learning component links
TL-33073 Fixed session not being checked when checking sent seminar notifications
TL-33364 Removed the synchronous audience sync action when saving a course
Previously, if an audience enrolment was changed when editing a course the
enrolment of the users in the audiences happened synchronously when saving the
form. This has been changed so that the sync only happens via the already
scheduled adhoc task.
TL-33402 Implemented missing performance activity report response classes
TL-33510 Made the playlist and engage interactors properly respect the share capability
TL-33539 Fixed error accessing courses containing activities with invalid availability settings on PHP 7.4+
TL-33540 Override get_data() to prevent data loss for completion rule
TL-33560 Prevented sending of performance activity reminder notifications for closed and completed participant instances
Prior to this patch, reminder notifications could be sent under certain
circumstances even to participants that had completed their part of a
performance activity. This patch fixes the bug.
TL-33602 Added upgrade step to fix dangling temp manager references in job assignment table
TL-31561 introduced a regression in which temp manager job assignment references
were not properly nulled in the job assignment table. This patch cleans up those
references as part of the upgrade process.
TL-33717 Prevented test course generation for system categories
This fixes a bug in the test data generator for development sites in
totara/generator/cli/maketestsite.php. Prior to this patch it could create test
courses for reserved system categories, leading to error messages in activity
management and workspace areas.
TL-33792 Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
TL-33844 Added support for multilang filter on hierarchy names in 'Self Registration with Approval' form
TL-33855 Engage content is no longer lost if there is an error.
When adding a comment to a workspace or resource, and editing a resource, the
content would be lost if there was a connection or server error after
submission. This change ensures content is preserved so that the user can either
re-submit or preserve the content elsewhere.
TL-33883 Updated the managersubject to not be null during the program/certification notification upgrade
TL-33934 Fixed videoJS button display issues in IE11
TL-33939 Hide role tab in user activities page that have no contents
TL-33983 Fixed UTF-8 character set handling for MariaDB 10.6
TL-34029 The Tui modal component now correctly displays button drop shadows
Within modals button drop shadows were being cropped and the tab order
incorrectly included some elements.
TL-34035 Fixed discussions appearing multiple times in Workspace discussions when there are many
TL-34046 Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
TL-34048 Fixed seminar attendees link placeholder inline help text
TL-34049 Ensured sheet titles are unique for Excel and ODS when using box/spout library
TL-34071 Fixed loading display issue and missing table headers on mobile for workspace audiences
TL-34098 Updated the modal message when deleting a subject instance
TL-34103 Removed the legacy email footer from the Totara central notifications
TL-34104 Reworded language of default seminar notifications for booking request confirmations
Previously when a booking request was approved there would be default
notifications which said "Your booking request was approved". The default string
for this notification has been shortened to "Your booking was approved".
TL-34106 Removed print button from API documentation page
TL-34115 Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
TL-34116 Fixed booking event resolver to stop sending notifications to users who no longer exist
TL-34124 Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
TL-34141 Fixed that guest should not appear as joined in a workspace
TL-34142 Fixed incorrect use of bin icon in 'Your playlist'
TL-34154 Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
TL-34155 Moved enrolment processing for audience's enrolled learning to an adhoc task in the background
Prior to this change course enrolments that were required when a course was
added to, or removed from, an audience's enrolled learning were processed
immediately. This could lead to exceptionally long wait times for the user who
initiated the process. The fix for this issue was to shift this processing to a
background task; these enrolments will now be processed exclusively by cron.
TL-34157 Fixed custom seminar notifications not being sent for subsequent sessions
TL-34161 Updated event reservations notifications phpunit test to avoid intermittent failures
TL-34187 Fixed program and certification notifications sending for each assignment
Previously, users would receive an "assigned" notification for each assignment
method that they were included in the program or certification. Now, they only
get the notification when they are first added to the program or certification,
and only receive the "unassigned" notification when their last assignment method
is removed.
TL-34202 Fixed persistence of Assignment completion criteria
Fixed the issue with completion criteria of an assignment activity not being
saved and retained when the activity is either created or viewed.
TL-34207 Removed suspended users from 'Transfer ownership' search list in workspaces
TL-34226 Fixed the prevention of adding email attachments when the allowattachments setting is disabled
TL-34227 Fixed percentage grade calculation when viewing the grader report before importing course completion
TL-34231 Added missing CSS for advanced checkbox supplementary labels
TL-34234 Ensured '0' value textinput profile fields are displayed on the user profile page
TL-34236 Ensured that workspaces do not appear in Recent Learning block
TL-34247 Fixed JavaScript console error when requesting to join/cancel a private workspace
TL-34306 Fixed JavaScript error when a user tour step was dismissed too quickly
TL-34330 Fixed due date not being updated when time enrolled was edited
TL-34332 Fixed SQL error when upgrading with existing records in message_metadata
TL-34353 Added in the additional EU, Canada and Australia endpoints for the Badgr service
Technical changes:
TL-34133 The generate_uuid() function has been deprecated
Please use \core\uuid::generate() instead. If the PECL UUID extension is not
installed, this new function will use random_bytes() instead of mt_rand() which
is more secure.
Tui front end framework:
TL-32798 Changed Delete bootstrap icon from Trash fill to Trash outline
TL-34032 Updated layout of adders to work better on mobile devices
TL-34151 Fixed keyboard navigation in nested Tui modals
Contributions:
* Kineo UK - TL-34115
Release 15.7 (27th May 2022):
Important:
TL-34120 Added disable cron when using maintenance mode
Security issues:
TL-28575 Removed sesskey from audience dialogue request URLs
TL-28739 Removed sesskey parameter from jump value on the course view page
TL-28741 Removed sesskey from the 'Turn editing on' button URL
TL-28742 Removed sesskey from the course completion report AJAX
TL-28743 Removed sesskey from URLs in seminar room, asset and facilitator actions
TL-28744 Removed sesskey from URLs in 'Switch role to' links
TL-29099 Removed sesskey from URLs in the navigation menu
TL-33884 Fixed log code to prevent XSS in log descriptions
Logs generated by some events in Totara could allow XSS in certain situations,
when viewing either Server > Logs or Server > Live Logs. The fix ensures these
XSS payloads will not be executed. This covers both newly generated and already
existing log entries.
TL-33890 Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
TL-33926 Converted AJAX request when assigning a company goal to a POST request
Previously this Ajax request was a GET request, which allowed the sesskey to be
logged on the server and in browser history.
TL-33952 Fixed audience-based visibility issue on course-related reports
The course-based reports ignored the "Audience-based visibility" setting. For
example, when the course "Audience-based visibility" setting is set to "Enrolled
users only", it doesn't allow non-enrolled users to see the course details. But
in course-based reports, such as "Course Membership Report" and "Course
completion Report", users could see all other course-related entries regardless
of whether they are enrolled.
The new changes apply an additional filter to the course-based report query to
check the current user visibility.
TL-34336 Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)
An issue in the logic used to count failed login attempts could result in the
account lockout threshold being bypassed by using simultaneous requests.
TL-34339 Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)
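A check for the exposure described under TL-33926 and the other "Removed sesskey from ... URLs" items, as an added example that is not Totara's code: it scans web server access log lines for a sesskey carried in the request URL or in the Referer, and reports them with the value redacted. The combined log format, the placeholder paths, the host name and the sesskey value in the sample lines are constructed for illustration.

```python
"""Find sesskey values that reached an access log via URL or Referer.

Added illustration only: log format and sample lines are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines; paths, host and token value are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2022:10:00:01 +0000] '
    '"GET /placeholder/assign.php?goalid=4&sesskey=Zx81kQpL0a HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/May/2022:10:00:05 +0000] '
    '"POST /placeholder/assign.php HTTP/1.1" '
    '200 512 "https://lms.example.test/placeholder/page.php?id=2" "Mozilla/5.0"',
    '198.51.100.9 - - [27/May/2022:10:01:00 +0000] '
    '"GET /placeholder/image.png HTTP/1.1" 200 2048 '
    '"https://lms.example.test/placeholder/view.php?id=9&edit=on&sesskey=Zx81kQpL0a" '
    '"Mozilla/5.0"',
]


def redact(url):
    """Return (url_with_sesskey_redacted, found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key == "sesskey" for key, _ in pairs):
        return url, False
    cleaned = [(k, "REDACTED" if k == "sesskey" else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), True


def audit(lines):
    """Report every log line whose request target or Referer carries a sesskey.

    A POST body is not part of this log format, so a sesskey sent in the
    body (the corrected behaviour) produces no finding.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if match is None:
            continue  # not in the assumed format; skipped, not guessed at
        for field in ("target", "referer"):
            clean, found = redact(match.group(field))
            if found:
                findings.append({
                    "line": number,
                    "method": match.group("method"),
                    "where": field,
                    "url": clean,
                })
    return findings


def leaking_endpoints(findings):
    """Distinct (method, path) pairs that still accept a sesskey in the URL."""
    return sorted({
        (f["method"], urlsplit(f["url"]).path)
        for f in findings if f["where"] == "target"
    })


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(leaking_endpoints(results))
```

Findings in the `target` field point at endpoints that still take the token in the URL; findings in the `referer` field show a token-bearing page URL being passed along with a later request.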
Performance improvements:
TL-33362 Improved the loading time of the course enrolled users page
Improvements:
TL-20269 Added a setting and scheduled task to delete old records from the course completion log
The course completion log table stores transaction history for the completion
editor, and can grow very large on sites with a lot of activity. A new 'Delete
course completion logs after' setting allows admins to automatically cull the
oldest records from the log. Once those records are deleted, they will no longer
appear in the completion editor as history.
TL-25521 Implemented visibility options for site policies
Site policy visibility can now be set to all users (the default), authenticated
users only, or guest users only.
TL-31660 Improved the help text for Seminar third-party email setting
TL-33365 Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text
When the Totara Mobile app is enabled, courses that are marked as
'Mobile-friendly' will open in the app; those that are not will be opened in the
mobile web browser instead. The behaviour of this setting has not changed, only
the label and help text explaining it.
TL-33439 Improved the help text regarding the use of event roles in seminar activities
TL-33498 Fixed missing legacy Session date/time changed message when removing the last session of a seminar
When the last session of a seminar event is removed, all appropriate users will
now receive a 'Session date/time changed' message with an ical attachment to
allow the removal of the calendar entry from their calendars.
TL-33549 Fixed the cursor styles for disabled inputs
TL-34145 Improved the select/deselect all functionality when looking at the question bank
TL-34300 Removed broken sorting functionality from the Progress column on the Course completion report
Bug fixes:
TL-30188 Added a warning when editing a role where the role has been assigned in a specific context level
TL-31206 Fixed deprecation notice on cache admin page
TL-32604 Added accessible names to report builder learning component links
TL-33073 Fixed session not being checked when checking sent seminar notifications
TL-33364 Removed the synchronous audience sync action when saving a course
Previously, if an audience enrolment was changed when editing a course the
enrolment of the users in the audiences happened synchronously when saving the
form. This has been changed so that the sync only happens via the already
scheduled adhoc task.
TL-33402 Implemented missing performance activity report response classes
TL-33510 Made the playlist and engage interactors properly respect the share capability
TL-33539 Fixed error accessing courses containing activities with invalid availability settings on PHP 7.4+
TL-33540 Override get_data() to prevent data loss for completion rule
TL-33560 Prevented sending of performance activity reminder notifications for closed and completed participant instances
Prior to this patch, reminder notifications could be sent under certain
circumstances even to participants that had completed their part of a
performance activity. This patch fixes the bug.
TL-33602 Added upgrade step to fix dangling temp manager references in job assignment table
TL-31561 introduced a regression in which temp manager job assignment references
were not properly nulled in the job assignment table. This patch cleans up those
references as part of the upgrade process.
TL-33694 Fixed the issue that learner can request approval for seminar event when signup window is closed
TL-33717 Prevented test course generation for system categories
This fixes a bug in the test data generator for development sites in
totara/generator/cli/maketestsite.php. Prior to this patch it could create test
courses for reserved system categories, leading to error messages in activity
management and workspace areas.
TL-33792 Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
TL-33855 Engage content is no longer lost if there is an error.
When adding a comment to a workspace or resource, and editing a resource, the
content would be lost if there was a connection or server error after
submission. This change ensures content is preserved so that the user can either
re-submit or preserve the content elsewhere.
TL-33883 Updated the managersubject to not be null during the program/certification notification upgrade
TL-33934 Fixed videoJS button display issues in IE11
TL-34029 The Tui modal component now correctly displays button drop shadows
Within modals button drop shadows were being cropped and the tab order
incorrectly included some elements.
TL-34035 Fixed discussions appearing multiple times in Workspace discussions when there are many
TL-34046 Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
TL-34048 Fixed seminar attendees link placeholder inline help text
TL-34049 Ensured sheet titles are unique for Excel and ODS when using box/spout library
TL-34098 Updated the modal message when deleting a subject instance
TL-34103 Removed the legacy email footer from the Totara central notifications
TL-34106 Removed print button from API documentation page
TL-34115 Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
TL-34116 Fixed booking event resolver to stop sending notifications to users who no longer exist
TL-34124 Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
TL-34141 Fixed that guest should not appear as joined in a workspace
TL-34142 Fixed incorrect use of bin icon in 'Your playlist'
TL-34154 Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
TL-34155 Moved enrolment processing for audience's enrolled learning to an adhoc task in the background
Prior to this change course enrolments that were required when a course was
added to, or removed from, an audience's enrolled learning were processed
immediately. This could lead to exceptionally long wait times for the user who
initiated the process. The fix for this issue was to shift this processing to a
background task; these enrolments will now be processed exclusively by cron.
TL-34157 Fixed custom seminar notifications not being sent for subsequent sessions
TL-34187 Fixed program and certification notifications sending for each assignment
Previously, users would receive an "assigned" notification for each assignment
method that they were included in the program or certification. Now, they only
get the notification when they are first added to the program or certification,
and only receive the "unassigned" notification when their last assignment method
is removed.
TL-34202 Fixed persistence of Assignment completion criteria
Fixed the issue with completion criteria of an assignment activity not being
saved and retained when the activity is either created or viewed.
TL-34207 Removed suspended users from 'Transfer ownership' search list in workspaces
TL-34227 Fixed percentage grade calculation when viewing the grader report before importing course completion
TL-34231 Added missing CSS for advanced checkbox supplementary labels
TL-34234 Ensured '0' value textinput profile fields are displayed on the user profile page
TL-34236 Ensured that workspaces do not appear in Recent Learning block
TL-34306 Fixed JavaScript error when a user tour step was dismissed too quickly
TL-34332 Fixed SQL error when upgrading with existing records in message_metadata
TL-34353 Added in the additional EU, Canada and Australia endpoints for the Badgr service
Technical changes:
TL-34133 The generate_uuid() function has been deprecated
Please use \core\uuid::generate() instead. If the PECL UUID extension is not
installed, this new function will use random_bytes() instead of mt_rand() which
is more secure.
Tui front end framework:
TL-34151 Fixed keyboard navigation in nested Tui modals
Contributions:
* Kineo UK - TL-34115
Release 14.12 (27th May 2022):
Important:
TL-34120 Added disable cron when using maintenance mode
Security issues:
TL-28575 Removed sesskey from audience dialogue request URLs
TL-28739 Removed sesskey parameter from jump value on the course view page
TL-28741 Removed sesskey from the 'Turn editing on' button URL
TL-28742 Removed sesskey from the course completion report AJAX
TL-28743 Removed sesskey from URLs in seminar room, asset and facilitator actions
TL-28744 Removed sesskey from URLs in 'Switch role to' links
TL-29099 Removed sesskey from URLs in the navigation menu
TL-33884 Fixed log code to prevent XSS in log descriptions
Logs generated by some events in Totara could allow XSS in certain situations,
when viewing either Server > Logs or Server > Live Logs. The fix ensures these
XSS payloads will not be executed. This covers both newly generated and already
existing log entries.
TL-33890 Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
TL-33926 Converted AJAX request when assigning a company goal to a POST request
Previously this Ajax request was a GET request, which allowed the sesskey to be
logged on the server and in browser history.
TL-33952 Fixed audience-based visibility issue on course-related reports
The course-based reports ignored the "Audience-based visibility" setting. For
example, when the course "Audience-based visibility" setting is set to "Enrolled
users only", it doesn't allow non-enrolled users to see the course details. But
in course-based reports, such as "Course Membership Report" and "Course
completion Report", users could see all other course-related entries regardless
of whether they are enrolled.
The new changes apply an additional filter to the course-based report query to
check the current user visibility.
TL-34336 Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)
An issue in the logic used to count failed login attempts could result in the
account lockout threshold being bypassed by using simultaneous requests.
TL-34339 Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)
Performance improvements:
TL-33362 Improved the loading time of the course enrolled users page
Improvements:
TL-25521 Implemented visibility options for site policies
Site policy visibility can now be set to all users (the default), authenticated
users only, or guest users only.
TL-31660 Improved the help text for Seminar third-party email setting
TL-33365 Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text
When the Totara Mobile app is enabled, courses that are marked as
'Mobile-friendly' will open in the app; those that are not will be opened in the
mobile web browser instead. The behaviour of this setting has not changed, only
the label and help text explaining it.
TL-33439 Improved the help text regarding the use of event roles in seminar activities
TL-33498 Fixed missing legacy Session date/time changed message when removing the last session of a seminar
When the last session of a seminar event is removed, all appropriate users will
now receive a 'Session date/time changed' message with an ical attachment to
allow the removal of the calendar entry from their calendars.
TL-33549 Fixed the cursor styles for disabled inputs
TL-34145 Improved the select/deselect all functionality when looking at the question bank
TL-34300 Removed broken sorting functionality from the Progress column on the Course completion report
Bug fixes:
TL-30188 Added a warning when editing a role where the role has been assigned in a specific context level
TL-31206 Fixed deprecation notice on cache admin page
TL-32604 Added accessible names to report builder learning component links
TL-33073 Fixed session not being checked when checking sent seminar notifications
TL-33402 Implemented missing performance activity report response classes
TL-33510 Made the playlist and engage interactors properly respect the share capability
TL-33539 Fixed error accessing courses containing activities with invalid availability settings on PHP 7.4+
TL-33540 Override get_data() to prevent data loss for completion rule
TL-33560 Prevented sending of performance activity reminder notifications for closed and completed participant instances
Prior to this patch, reminder notifications could be sent under certain
circumstances even to participants that had completed their part of a
performance activity. This patch fixes the bug.
TL-33602 Added upgrade step to fix dangling temp manager references in job assignment table
TL-31561 introduced a regression in which temp manager job assignment references
were not properly nulled in the job assignment table. This patch cleans up those
references as part of the upgrade process.
TL-33694 Fixed the issue that learner can request approval for seminar event when signup window is closed
TL-33717 Prevented test course generation for system categories
This fixes a bug in the test data generator for development sites in
totara/generator/cli/maketestsite.php. Prior to this patch it could create test
courses for reserved system categories, leading to error messages in activity
management and workspace areas.
TL-33792 Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
TL-33844 Added support for multilang filter on hierarchy names in 'Self Registration with Approval' form
TL-33855 Engage content is no longer lost if there is an error.
When adding a comment to a workspace or resource, and editing a resource, the
content would be lost if there was a connection or server error after
submission. This change ensures content is preserved so that the user can either
re-submit or preserve the content elsewhere.
TL-33883 Updated the managersubject to not be null during the program/certification notification upgrade
TL-33934 Fixed videoJS button display issues in IE11
TL-34029 The Tui modal component now correctly displays button drop shadows
Within modals button drop shadows were being cropped and the tab order
incorrectly included some elements.
TL-34035 Fixed discussions appearing multiple times in Workspace discussions when there are many
TL-34046 Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
TL-34049 Ensured sheet titles are unique for Excel and ODS when using box/spout library
TL-34098 Updated the modal message when deleting a subject instance
TL-34103 Removed the legacy email footer from the Totara central notifications
TL-34106 Removed print button from API documentation page
TL-34115 Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
TL-34116 Fixed booking event resolver to stop sending notifications to users who no longer exist
TL-34124 Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
TL-34141 Fixed that guest should not appear as joined in a workspace
TL-34142 Fixed incorrect use of bin icon in 'Your playlist'
TL-34154 Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
TL-34155 Moved enrolment processing for audience's enrolled learning to an adhoc task in the background
Prior to this change course enrolments that were required when a course was
added to, or removed from, an audience's enrolled learning were processed
immediately. This could lead to exceptionally long wait times for the user who
initiated the process. The fix for this issue was to shift this processing to a
background task; these enrolments will now be processed exclusively by cron.
TL-34157 Fixed custom seminar notifications not being sent for subsequent sessions
TL-34187 Fixed program and certification notifications sending for each assignment
Previously, users would receive an "assigned" notification for each assignment
method that they were included in the program or certification. Now, they only
get the notification when they are first added to the program or certification,
and only receive the "unassigned" notification when their last assignment method
is removed.
TL-34202 Fixed persistence of Assignment completion criteria
Fixed the issue with completion criteria of an assignment activity not being
saved and retained when the activity is either created or viewed.
TL-34207 Removed suspended users from 'Transfer ownership' search list in workspaces
TL-34227 Fixed percentage grade calculation when viewing the grader report before importing course completion
TL-34231 Added missing CSS for advanced checkbox supplementary labels
TL-34234 Ensured '0' value textinput profile fields are displayed on the user profile page
TL-34236 Ensured that workspaces do not appear in Recent Learning block
TL-34332 Fixed SQL error when upgrading with existing records in message_metadata
TL-34353 Added in the additional EU, Canada and Australia endpoints for the Badgr service
TL-34371 Fix bug in basetime calculation in programs
Technical changes:
TL-34133 The generate_uuid() function has been deprecated
Please use \core\uuid::generate() instead. If the PECL UUID extension is not
installed, this new function will use random_bytes() instead of mt_rand() which
is more secure.
Tui front end framework:
TL-34151 Fixed keyboard navigation in nested Tui modals
Contributions:
* Kineo UK - TL-34115
Release 13.20 (27th May 2022):
Important:
TL-34120 Added disable cron when using maintenance mode
Security issues:
TL-28575 Removed sesskey from audience dialogue request URLs
TL-28739 Removed sesskey parameter from jump value on the course view page
TL-28741 Removed sesskey from the 'Turn editing on' button URL
TL-28742 Removed sesskey from the course completion report AJAX
TL-28743 Removed sesskey from URLs in seminar room, asset and facilitator actions
TL-28744 Removed sesskey from URLs in 'Switch role to' links
TL-29099 Removed sesskey from URLs in the navigation menu
TL-33884 Fixed log code to prevent XSS in log descriptions
Logs generated by some events in Totara could allow XSS in certain situations,
when viewing either Server > Logs or Server > Live Logs. The fix ensures these
XSS payloads will not be executed. This covers both newly generated and already
existing log entries.
TL-33890 Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
TL-33926 Converted AJAX request when assigning a company goal to a POST request
Previously this AJAX request was a GET request, which allowed the sesskey to be
logged on the server and in browser history.
TL-33952 Fixed audience-based visibility issue on course-related reports
The course-based reports ignored the "Audience-based visibility" setting. For
example, when the course "Audience-based visibility" setting is set to "Enrolled
users only", it doesn't allow non-enrolled users to see the course details. But
in course-based reports, such as "Course Membership Report" and "Course
completion Report", users could see all other course-related entries regardless
of whether they are enrolled.
The new changes apply an additional filter to the course based report query to
check the current user visibility.
TL-34336 Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)
An issue in the logic used to count failed login attempts could result in the
account lockout threshold being bypassed by using simultaneous requests.
TL-34339 Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)
Performance improvements:
TL-33362 Improved the loading time of the course enrolled users page
Improvements:
TL-25521 Implemented visibility options for site policies
Site policy visibility can now be set to all users (the default), authenticated
users only, or guest users only.
TL-31660 Improved the help text for Seminar third-party email setting
TL-33365 Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text
When the Totara Mobile app is enabled, courses that are marked as
'Mobile-friendly' will open in the app; those that are not will be opened in the
mobile web browser instead. The behaviour of this setting has not changed, only
the label and help text explaining it.
TL-33439 Improved the help text regarding the use of event roles in seminar activities
TL-33498 Fixed missing legacy Session date/time changed message when removing the last session of a seminar
When the last session of a seminar event is removed, all appropriate users will
now receive a 'Session date/time changed' message with an ical attachment to
allow the removal of the calendar entry from their calendars.
TL-33549 Fixed the cursor styles for disabled inputs
TL-34125 Provided a script to restore Pre-migrated evidence types for imported evidence
TL-34145 Improved the select/deselect all functionality when looking at the question bank
TL-34300 Removed broken sorting functionality from the Progress column on the Course completion report
Bug fixes:
TL-30188 Added a warning when editing a role where the role has been assigned in a specific context level
TL-31206 Fixed deprecation notice on cache admin page
TL-33560 Prevented sending of performance activity reminder notifications for closed and completed participant instances
Prior to this patch, reminder notifications could be sent under certain
circumstances even to participants that had completed their part of a
performance activity. This patch fixes the bug.
TL-33602 Added upgrade step to fix dangling temp manager references in job assignment table
TL-31561 introduced a regression in which temp manager job assignment references
were not properly nulled in the job assignment table. This patch cleans up those
references as part of the upgrade process.
TL-33694 Fixed the issue where a learner could request approval for a seminar event when the signup window is closed
TL-33717 Prevented test course generation for system categories
This fixes a bug in the test data generator for development sites in
totara/generator/cli/maketestsite.php. Prior to this patch it could create test
courses for reserved system categories, leading to error messages in activity
management and workspace areas.
TL-33792 Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
TL-33934 Fixed videoJS button display issues in IE11
TL-34029 The Tui modal component now correctly displays button drop shadows
Within modals, button drop shadows were being cropped and the tab order
incorrectly included some elements.
TL-34035 Fixed discussions appearing multiple times in Workspace discussions when there are many
TL-34038 Prevented program re-enrolment message sometimes not being sent
TL-34046 Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
TL-34049 Ensured sheet titles are unique for Excel and ODS when using box/spout library
TL-34098 Updated the modal message when deleting a subject instance
TL-34115 Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
TL-34124 Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
TL-34141 Fixed guest users appearing as joined in a workspace
TL-34142 Fixed incorrect use of bin icon in 'Your playlist'
TL-34154 Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
TL-34155 Moved enrolment processing for audience's enrolled learning to an adhoc task in the background
Prior to this change, course enrolments that were required when a course was
added to, or removed from, an audience's enrolled learning were processed
immediately. This could lead to exceptionally long wait times for the user who
initiated the process. The fix for this issue was to shift this processing to a
background task; these enrolments will now be processed exclusively by cron.
TL-34207 Removed suspended users from 'Transfer ownership' search list in workspaces
TL-34227 Fixed percentage grade calculation when viewing the grader report before importing course completion
TL-34234 Ensured '0' value textinput profile fields are displayed on the user profile page
TL-34236 Ensured that workspaces do not appear in Recent Learning block
TL-34353 Added in the additional EU, Canada and Australia endpoints for the Badgr service
Technical changes:
TL-34133 The generate_uuid() function has been deprecated
Please use \core\uuid::generate() instead. If the PECL UUID extension is not
installed, this new function will use random_bytes(), which is more secure than
mt_rand().
Contributions:
* Kineo UK - TL-34115
Release 12.43 (27th May 2022):
Security issues:
TL-28575 Removed sesskey from audience dialogue request URLs
TL-28739 Removed sesskey parameter from jump value on the course view page
TL-28741 Removed sesskey from the 'Turn editing on' button URL
TL-28742 Removed sesskey from the course completion report AJAX
TL-28743 Removed sesskey from URLs in seminar room, asset and facilitator actions
TL-28744 Removed sesskey from URLs in 'Switch role to' links
TL-29099 Removed sesskey from URLs in the navigation menu
TL-33890 Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
TL-33926 Converted AJAX request when assigning a company goal to a POST request
Previously this AJAX request was a GET request, which allowed the sesskey to be
logged on the server and in browser history.
TL-34336 Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)
An issue in the logic used to count failed login attempts could result in the
account lockout threshold being bypassed by using simultaneous requests.
TL-34339 Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)
TL-34340 Ensured user identity fields are consistently sanitised (MSA-22-0010 / CVE-2022-30596)
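The lockout bypass described in TL-34336, as an added illustration that is not Totara's code: a Python model contrasting a read-then-write failed-login counter with one that checks and increments under a lock. The class names, threshold and request count are constructed assumptions, and the barrier only forces the worst-case ordering so the result is repeatable.

```python
import threading

THRESHOLD = 3   # constructed lockout threshold
PARALLEL = 10   # constructed number of simultaneous wrong-password requests


class RacyCounter:
    """Check and update are separate steps, so requests can act on a stale count."""

    def __init__(self, parties):
        self.failed = 0
        self.barrier = threading.Barrier(parties)

    def failed_login(self):
        seen = self.failed          # read (or cached copy) of the counter
        self.barrier.wait()         # worst case: every request reads before any writes
        if seen >= THRESHOLD:
            return False            # locked out, password not evaluated
        self.failed = seen + 1      # lost update: every request writes the same value
        return True                 # password was evaluated


class LockedCounter:
    """Check and increment happen as one step under a lock."""

    def __init__(self):
        self.failed = 0
        self.lock = threading.Lock()

    def failed_login(self):
        with self.lock:
            if self.failed >= THRESHOLD:
                return False
            self.failed += 1
            return True


def run(counter, n=PARALLEL):
    """Send n simultaneous failed logins; return (passwords evaluated, stored count)."""
    results, guard = [], threading.Lock()

    def worker():
        outcome = counter.failed_login()
        with guard:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), counter.failed
```

With the racy counter all ten requests are evaluated and the stored count ends at 1; with the locked counter only three are evaluated before lockout. In a database-backed application the equivalent of the lock is an atomic update or a row lock around the check and increment.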
Improvements:
TL-34300 Removed broken sorting functionality from the Progress column on the Course completion report
Bug fixes:
TL-33602 Added upgrade step to fix dangling temp manager references in job assignment table
TL-31561 introduced a regression in which temp manager job assignment references
were not properly nulled in the job assignment table. This patch cleans up those
references as part of the upgrade process.
TL-34124 Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
TL-34155 Moved enrolment processing for audience's enrolled learning to an adhoc task in the background
Prior to this change, course enrolments that were required when a course was
added to, or removed from, an audience's enrolled learning were processed
immediately. This could lead to exceptionally long wait times for the user who
initiated the process. The fix for this issue was to shift this processing to a
background task; these enrolments will now be processed exclusively by cron.
Technical changes:
TL-34133 The generate_uuid() function has been deprecated
Please use \core\uuid::generate() instead. If the PECL UUID extension is not
installed, this new function will use random_bytes(), which is more secure than
mt_rand().
Release 11.52 (27th May 2022):
Bug fixes:
TL-33602 Added upgrade step to fix dangling temp manager references in job assignment table
TL-31561 introduced a regression in which temp manager job assignment references
were not properly nulled in the job assignment table. This patch cleans up those
references as part of the upgrade process.
