Totara Release Notes

Totara TXP 16.1, 15.7, 14.12, 13.20; Totara learn 12.43 and 11.52 are now available

 
David Curry (Core Developer)
Totara TXP 16.1, 15.7, 14.12, 13.20; Totara learn 12.43 and 11.52 are now available
بواسطة Thursday, 26 May 2022, 8:03 PM - David Curry (Core Developer)
مجموعة Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes bug fixes and improvements.

A big thanks to the following people for their contributions to this release:

  • Kineo UK - TL-34115

Release 16.1 (27th May 2022):

Important:

    TL-34120       Added disable cron when using maintenance mode

Security issues:

    TL-28575       Removed sesskey from audience dialogue request URLs
    TL-28739       Removed sesskey from jump value on the course view page
    TL-28741       Removed sesskey from the 'Turn editing on' button URL
    TL-28742       Removed sesskey from the course completion report AJAX
    TL-28743       Removed sesskey from URLs in seminar room, asset and facilitator actions
    TL-28744       Removed sesskey from URLs in 'Switch role to' links
    TL-29099       Removed sesskey from URLs in the navigation menu
    TL-33884       Fixed log code to prevent XSS in log descriptions

                   Logs generated by some events in Totara could allow XSS in certain situations,
                   when viewing either Server > Logs or Server > Live Logs. The fix ensures these
                   XSS payloads will not be executed.. This covers both newly generated and already
                   existing log entries.

    TL-33890       Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
    TL-33926       Converted AJAX request when assigning a company goal to a POST request

                   Previously this Ajax request was a GET request, which allowed the sesskey to be
                   logged on the server and in browser history.

    TL-33952       Fixed audience-based visibility issue on course-related reports

                   The course-based reports ignored the "Audience-based visibility" setting. For
                   example, when the course "Audience-based visibility" setting is set to "Enrolled
                   users only", it doesn't allow non-enrolled users to see the course details. But
                   in course-based reports, such as "Course Membership Report" and "Course
                   completion Report", users could see all other course-related entries regardless
                   of whether they are enrolled.
                   
                   The new changes apply an additional filter to the course based report query to
                   check the current user visibility. 

    TL-34336       Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)

                   An issue in the logic used to count failed login attempts could result in the
                   account lockout threshold being bypassed by using simultaneous requests.

    TL-34339       Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)

Performance improvements:

    TL-33362       Improved the loading time of the course enrolled users page
    TL-34063       Improved the performance of the user activity page

Improvements:

    TL-20269       Added a setting and scheduled task to delete old records from the course completion log

                   The course completion log table stores transaction history for the completion
                   editor, and can grow very large on sites with a lot of activity. A new 'Delete
                   course completion logs after' setting allows admins to automatically cull the
                   oldest records from the log. Once those records are deleted, they will no longer
                   appear in the completion editor as history.

    TL-25521       Implemented visibility options for site policies

                   Site policy visibility can now be set to all users (the default), authenticated
                   users only, or guest users only.

    TL-31660       Improved the help text for Seminar third-party email setting
    TL-33365       Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text

                   When the Totara Mobile app is enabled, courses that are marked as
                   'Mobile-friendly' will open in the app; those that are not will be opened in the
                   mobile web browser instead. The behaviour of this setting has not changed, only
                   the label and help text explaining it.

    TL-33439       Improved the help text regarding the use of event roles in seminar activities
    TL-33498       Fixed missing legacy Session date/time changed message when removing the last session of a seminar

                   When the last session of a seminar event is removed, all appropriate users will
                   now receive a 'Session date/time changed' message with an ical attachment to
                   allow the removal of the calendar entry from their calendars.

    TL-33549       Fixed the cursor styles for disabled inputs
    TL-34051       Added spacing on delete topic confirmation modal body text
    TL-34145       Improved the select/deselect all functionality when looking at the question bank
    TL-34300       Removed broken sorting functionality from the Progress column on the Course completion report

Bug fixes:

    TL-30188       Added a warning when editing a role where the role has been assigned in a specific context level
    TL-31206       Fixed deprecation notice on cache admin page
    TL-32604       Added accessible names to report builder learning component links
    TL-33073       Fixed session not being checked when checking sent seminar notifications
    TL-33364       Removed the synchronous audience sync action when saving a course

                   Previously, if an audience enrolment was changed when editing a course the
                   enrolment of the users in the audiences happened synchronously when saving the
                   form. This has been changed so that the sync only happens via the already
                   scheduled adhoc task.

    TL-33402       Implemented missing performance activity report response classes
    TL-33510       Made the playlist and engage interactors properly respect the share capability
    TL-33539       Fixed error accessing courses containing activities with invalid availability settings on PHP 7.4+
    TL-33540       Override get_data() to prevent data loss for completion rule
    TL-33560       Prevented sending of performance activity reminder notifications for closed and completed participant instances

                   Prior to this patch, reminder notifications could be sent under certain
                   circumstances even to participants that had completed their part of a
                   performance activity. This patch fixes the bug.

    TL-33602       Added upgrade step to fix dangling temp manager references in job assignment table

                   TL-31561 introduced a regression in which temp manager job assignment references
                   were not properly nulled in the job assignment table. This patch cleans up those
                   references as part of the upgrade process.

    TL-33717       Prevented test course generation for system categories

                   This fixes a bug in the test data generator for development sites in
                   totara/generator/cli/maketestsite.php. Prior to this patch it could create test
                   courses for reserved system categories, leading to error messages in activity
                   management and workspace areas.

    TL-33792       Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
    TL-33844       Added support for multilang filter on hierarchy names in 'Self Registration with Approval' form
    TL-33855       Engage content is no longer lost if there is an error.

                   When adding a comment to a workspace or resource, and editing a resource, the
                   content would be lost if there was a connection or server error after
                   submission. This change ensures content is preserved so that the user can either
                   re-submit or preserve the content elsewhere

    TL-33883       Updated the managersubject to not be null during the program/certification notification upgrade 
    TL-33934       Fixed videoJS button display issues in IE11
    TL-33939       Hide role tab in user activities page that have no contents
    TL-33983       Fixed UTF-8 character set handling for MariaDB 10.6
    TL-34029       The Tui modal component now correctly displays button drop shadows

                   Within modals button drop shadows were being cropped and the tab order
                   incorrectly included some elements

    TL-34035       Fixed discussions appearing multiple times in Workspace discussions when there are many
    TL-34046       Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
    TL-34048       Fixed seminar attendees link placeholder inline help text
    TL-34049       Ensured sheet titles are unique for Excel and ODS when using box/spout library
    TL-34071       Fixed loading display issue and missing table headers on mobile for workspace audiences
    TL-34098       Updated the modal message when deleting a subject instance 
    TL-34103       Removed the legacy email footer from the Totara central notifications
    TL-34104       Reworded language of default seminar notifications for booking request confirmations

                   Previously when a booking request was approved there would be default
                   notifications which said "Your booking request was approved". The default string
                   for this notification has been shortened to "Your booking was approved".

    TL-34106       Removed print button from API documentation page
    TL-34115       Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
    TL-34116       Fixed booking event resolver to stop sending notifications to users no longer exist
    TL-34124       Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
    TL-34141       Fixed that guest should not appear as joined in a workspace
    TL-34142       Fixed incorrect use of bin icon in 'Your playlist'
    TL-34154       Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
    TL-34155       Moved enrolment processing for audience's enrolled learning to an adhoc task in the background

                   Prior to this change course enrolments that were required when a course was
                   added to, or removed from, an audience's enrolled learning were processed
                   immediately. This could lead to exceptionally long times wait for the user who
                   initiated the process. The fix for this issue was to shift this processing to a
                   background task, these enrolments will now be processed exclusively by cron.

    TL-34157       Fixed custom seminar notifications not being sent for subsequent sessions
    TL-34161       Updated event reservations notifications phpunit test to avoid intermittent failures
    TL-34187       Fixed program and certification notifications sending for each assignment

                   Previously, users would receive an "assigned" notification for each assignment
                   method that they were included in the program or certification. Now, they only
                   get the notification when they are first added to the program or certification,
                   and only receive the "unassigned" notification when their last assignment method
                   is removed.

    TL-34202       Fixed persistence of Assignment completion criteria

                   Fixed the issue with completion criteria of an assignment activity not being
                   saved and retained when the activity is either created or viewed.

    TL-34207       Removed suspended users from 'Transfer ownership' search list in workspaces
    TL-34226       Fixed the prevention of adding email attachments when the allowattachments setting is disabled
    TL-34227       Fixed percentage grade calculation when viewing the grader report before importing course completion
    TL-34231       Adding missing CSS for advanced checkbox supplimentary labels
    TL-34234       Ensured '0' value textinput profile fields are displayed on the user profile page
    TL-34236       Ensured that workspaces do not appear in Recent Learning block
    TL-34247       Fixed JavaScript console error when requesting to join/cancel a private workspace
    TL-34306       Fixed JavaScript error when a user tour step was dismissed too quickly
    TL-34330       Fixed due date not being updated when time enrolled was edited
    TL-34332       Fixed sql error when upgrading with existing records in message_metadata
    TL-34353       Added in the additional EU, Canada and Australia endpoints for the Badgr service

Technical changes:

    TL-34133       The generate_uuid() function has been deprecated

                   Please use \core\uuid::generate() instead. If the PECL UUID extension is not
                   installed, this new function will use random_bytes() instead of mt_rand() which
                   is more secure.


Tui front end framework:

    TL-32798       Changed Delete bootstrap icon from Trash fill to Trash outline
    TL-34032       Updated layout of adders to work better on mobile devices
    TL-34151       Fixed keyboard navigation in nested Tui modals

Contributions:

    * Kineo UK - TL-34115

Release 15.7 (27th May 2022):

Important:

    TL-34120       Added disable cron when using maintenance mode

Security issues:

    TL-28575       Removed sesskey from audience dialogue request URLs
    TL-28739       Removed sesskey parameter from jump value on the course view page
    TL-28741       Removed sesskey from the 'Turn editing on' button URL
    TL-28742       Removed sesskey from the course completion report AJAX
    TL-28743       Removed sesskey from URLs in seminar room, asset and facilitator actions
    TL-28744       Removed sesskey from URLs in 'Switch role to' links
    TL-29099       Removed sesskey from URLs in the navigation menu
    TL-33884       Fixed log code to prevent XSS in log descriptions

                   Logs generated by some events in Totara could allow XSS in certain situations,
                   when viewing either Server > Logs or Server > Live Logs. The fix ensures these
                   XSS payloads will not be executed.. This covers both newly generated and already
                   existing log entries.

    TL-33890       Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
    TL-33926       Converted AJAX request when assigning a company goal to a POST request

                   Previously this Ajax request was a GET request, which allowed the sesskey to be
                   logged on the server and in browser history.

    TL-33952       Fixed audience-based visibility issue on course-related reports

                   The course-based reports ignored the "Audience-based visibility" setting. For
                   example, when the course "Audience-based visibility" setting is set to "Enrolled
                   users only", it doesn't allow non-enrolled users to see the course details. But
                   in course-based reports, such as "Course Membership Report" and "Course
                   completion Report", users could see all other course-related entries regardless
                   of whether they are enrolled.
                   
                   The new changes apply an additional filter to the course based report query to
                   check the current user visibility. 

    TL-34336       Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)

                   An issue in the logic used to count failed login attempts could result in the
                   account lockout threshold being bypassed by using simultaneous requests.

    TL-34339       Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)

Performance improvements:

    TL-33362       Improved the loading time of the course enrolled users page

Improvements:

    TL-20269       Added a setting and scheduled task to delete old records from the course completion log

                   The course completion log table stores transaction history for the completion
                   editor, and can grow very large on sites with a lot of activity. A new 'Delete
                   course completion logs after' setting allows admins to automatically cull the
                   oldest records from the log. Once those records are deleted, they will no longer
                   appear in the completion editor as history.

    TL-25521       Implemented visibility options for site policies

                   Site policy visibility can now be set to all users (the default), authenticated
                   users only, or guest users only.

    TL-31660       Improved the help text for Seminar third-party email setting
    TL-33365       Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text

                   When the Totara Mobile app is enabled, courses that are marked as
                   'Mobile-friendly' will open in the app; those that are not will be opened in the
                   mobile web browser instead. The behaviour of this setting has not changed, only
                   the label and help text explaining it.

    TL-33439       Improved the help text regarding the use of event roles in seminar activities
    TL-33498       Fixed missing legacy Session date/time changed message when removing the last session of a seminar

                   When the last session of a seminar event is removed, all appropriate users will
                   now receive a 'Session date/time changed' message with an ical attachment to
                   allow the removal of the calendar entry from their calendars.

    TL-33549       Fixed the cursor styles for disabled inputs
    TL-34145       Improved the select/deselect all functionality when looking at the question bank
    TL-34300       Removed broken sorting functionality from the Progress column on the Course completion report

Bug fixes:

    TL-30188       Added a warning when editing a role where the role has been assigned in a specific context level
    TL-31206       Fixed deprecation notice on cache admin page
    TL-32604       Added accessible names to report builder learning component links
    TL-33073       Fixed session not being checked when checking sent seminar notifications
    TL-33364       Removed the synchronous audience sync action when saving a course

                   Previously, if an audience enrolment was changed when editing a course the
                   enrolment of the users in the audiences happened synchronously when saving the
                   form. This has been changed so that the sync only happens via the already
                   scheduled adhoc task.

    TL-33402       Implemented missing performance activity report response classes
    TL-33510       Made the playlist and engage interactors properly respect the share capability
    TL-33539       Fixed error accessing courses containing activities with invalid availability settings on PHP 7.4+
    TL-33540       Override get_data() to prevent data loss for completion rule
    TL-33560       Prevented sending of performance activity reminder notifications for closed and completed participant instances

                   Prior to this patch, reminder notifications could be sent under certain
                   circumstances even to participants that had completed their part of a
                   performance activity. This patch fixes the bug.

    TL-33602       Added upgrade step to fix dangling temp manager references in job assignment table

                   TL-31561 introduced a regression in which temp manager job assignment references
                   were not properly nulled in the job assignment table. This patch cleans up those
                   references as part of the upgrade process.

    TL-33694       Fixed the issue that learner can request approval for seminar event when signup window is closed
    TL-33717       Prevented test course generation for system categories

                   This fixes a bug in the test data generator for development sites in
                   totara/generator/cli/maketestsite.php. Prior to this patch it could create test
                   courses for reserved system categories, leading to error messages in activity
                   management and workspace areas.

    TL-33792       Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
    TL-33855       Engage content is no longer lost if there is an error.

                   When adding a comment to a workspace or resource, and editing a resource, the
                   content would be lost if there was a connection or server error after
                   submission. This change ensures content is preserved so that the user can either
                   re-submit or preserve the content elsewhere

    TL-33883       Updated the managersubject to not be null during the program/certification notification upgrade 
    TL-33934       Fixed videoJS button display issues in IE11
    TL-34029       The Tui modal component now correctly displays button drop shadows

                   Within modals button drop shadows were being cropped and the tab order
                   incorrectly included some elements

    TL-34035       Fixed discussions appearing multiple times in Workspace discussions when there are many
    TL-34046       Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
    TL-34048       Fixed seminar attendees link placeholder inline help text
    TL-34049       Ensured sheet titles are unique for Excel and ODS when using box/spout library
    TL-34098       Updated the modal message when deleting a subject instance 
    TL-34103       Removed the legacy email footer from the Totara central notifications
    TL-34106       Removed print button from API documentation page
    TL-34115       Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
    TL-34116       Fixed booking event resolver to stop sending notifications to users no longer exist
    TL-34124       Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
    TL-34141       Fixed that guest should not appear as joined in a workspace
    TL-34142       Fixed incorrect use of bin icon in 'Your playlist'
    TL-34154       Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
    TL-34155       Moved enrolment processing for audience's enrolled learning to an adhoc task in the background

                   Prior to this change course enrolments that were required when a course was
                   added to, or removed from, an audience's enrolled learning were processed
                   immediately. This could lead to exceptionally long times wait for the user who
                   initiated the process. The fix for this issue was to shift this processing to a
                   background task, these enrolments will now be processed exclusively by cron.

    TL-34157       Fixed custom seminar notifications not being sent for subsequent sessions
    TL-34187       Fixed program and certification notifications sending for each assignment

                   Previously, users would receive an "assigned" notification for each assignment
                   method that they were included in the program or certification. Now, they only
                   get the notification when they are first added to the program or certification,
                   and only receive the "unassigned" notification when their last assignment method
                   is removed.

    TL-34202       Fixed persistence of Assignment completion criteria

                   Fixed the issue with completion criteria of an assignment activity not being
                   saved and retained when the activity is either created or viewed.

    TL-34207       Removed suspended users from 'Transfer ownership' search list in workspaces
    TL-34227       Fixed percentage grade calculation when viewing the grader report before importing course completion
    TL-34231       Adding missing CSS for advanced checkbox supplimentary labels
    TL-34234       Ensured '0' value textinput profile fields are displayed on the user profile page
    TL-34236       Ensured that workspaces do not appear in Recent Learning block
    TL-34306       Fixed JavaScript error when a user tour step was dismissed too quickly
    TL-34332       Fixed sql error when upgrading with existing records in message_metadata
    TL-34353       Added in the additional EU, Canada and Australia endpoints for the Badgr service

Technical changes:

    TL-34133       The generate_uuid() function has been deprecated

                   Please use \core\uuid::generate() instead. If the PECL UUID extension is not
                   installed, this new function will use random_bytes() instead of mt_rand() which
                   is more secure.


Tui front end framework:

    TL-34151       Fixed keyboard navigation in nested Tui modals

Contributions:

    * Kineo UK - TL-34115

Release 14.12 (27th May 2022):

Important:

    TL-34120       Added disable cron when using maintenance mode

Security issues:

    TL-28575       Removed sesskey from audience dialogue request URLs
    TL-28739       Removed sesskey parameter from jump value on the course view page
    TL-28741       Removed sesskey from the 'Turn editing on' button URL
    TL-28742       Removed sesskey from the course completion report AJAX
    TL-28743       Removed sesskey from URLs in seminar room, asset and facilitator actions
    TL-28744       Removed sesskey from URLs in 'Switch role to' links
    TL-29099       Removed sesskey from URLs in the navigation menu
    TL-33884       Fixed log code to prevent XSS in log descriptions

                   Logs generated by some events in Totara could allow XSS in certain situations,
                   when viewing either Server > Logs or Server > Live Logs. The fix ensures these
                   XSS payloads will not be executed.. This covers both newly generated and already
                   existing log entries.

    TL-33890       Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
    TL-33926       Converted AJAX request when assigning a company goal to a POST request

                   Previously this Ajax request was a GET request, which allowed the sesskey to be
                   logged on the server and in browser history.

    TL-33952       Fixed audience-based visibility issue on course-related reports

                   The course-based reports ignored the "Audience-based visibility" setting. For
                   example, when the course "Audience-based visibility" setting is set to "Enrolled
                   users only", it doesn't allow non-enrolled users to see the course details. But
                   in course-based reports, such as "Course Membership Report" and "Course
                   completion Report", users could see all other course-related entries regardless
                   of whether they are enrolled.
                   
                   The new changes apply an additional filter to the course based report query to
                   check the current user visibility. 

    TL-34336       Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)

                   An issue in the logic used to count failed login attempts could result in the
                   account lockout threshold being bypassed by using simultaneous requests.

    TL-34339       Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)

Performance improvements:

    TL-33362       Improved the loading time of the course enrolled users page

Improvements:

    TL-25521       Implemented visibility options for site policies

                   Site policy visibility can now be set to all users (the default), authenticated
                   users only, or guest users only.

    TL-31660       Improved the help text for Seminar third-party email setting
    TL-33365       Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text

                   When the Totara Mobile app is enabled, courses that are marked as
                   'Mobile-friendly' will open in the app; those that are not will be opened in the
                   mobile web browser instead. The behaviour of this setting has not changed, only
                   the label and help text explaining it.

    TL-33439       Improved the help text regarding the use of event roles in seminar activities
    TL-33498       Fixed missing legacy Session date/time changed message when removing the last session of a seminar

                   When the last session of a seminar event is removed, all appropriate users will
                   now receive a 'Session date/time changed' message with an ical attachment to
                   allow the removal of the calendar entry from their calendars.

    TL-33549       Fixed the cursor styles for disabled inputs
    TL-34145       Improved the select/deselect all functionality when looking at the question bank
    TL-34300       Removed broken sorting functionality from the Progress column on the Course completion report

Bug fixes:

    TL-30188       Added a warning when editing a role where the role has been assigned in a specific context level
    TL-31206       Fixed deprecation notice on cache admin page
    TL-32604       Added accessible names to report builder learning component links
    TL-33073       Fixed session not being checked when checking sent seminar notifications
    TL-33402       Implemented missing performance activity report response classes
    TL-33510       Made the playlist and engage interactors properly respect the share capability
    TL-33539       Fixed error accessing courses containing activities with invalid availability settings on PHP 7.4+
    TL-33540       Override get_data() to prevent data loss for completion rule
    TL-33560       Prevented sending of performance activity reminder notifications for closed and completed participant instances

                   Prior to this patch, reminder notifications could be sent under certain
                   circumstances even to participants that had completed their part of a
                   performance activity. This patch fixes the bug.

    TL-33602       Added upgrade step to fix dangling temp manager references in job assignment table

                   TL-31561 introduced a regression in which temp manager job assignment references
                   were not properly nulled in the job assignment table. This patch cleans up those
                   references as part of the upgrade process.

    TL-33694       Fixed the issue that learner can request approval for seminar event when signup window is closed
    TL-33717       Prevented test course generation for system categories

                   This fixes a bug in the test data generator for development sites in
                   totara/generator/cli/maketestsite.php. Prior to this patch it could create test
                   courses for reserved system categories, leading to error messages in activity
                   management and workspace areas.

    TL-33792       Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
    TL-33844       Added support for multilang filter on hierarchy names in 'Self Registration with Approval' form
    TL-33855       Engage content is no longer lost if there is an error.

                   When adding a comment to a workspace or resource, and editing a resource, the
                   content would be lost if there was a connection or server error after
                   submission. This change ensures content is preserved so that the user can either
                   re-submit or preserve the content elsewhere

    TL-33883       Updated the managersubject to not be null during the program/certification notification upgrade 
    TL-33934       Fixed videoJS button display issues in IE11
    TL-34029       The Tui modal component now correctly displays button drop shadows

                   Within modals button drop shadows were being cropped and the tab order
                   incorrectly included some elements

    TL-34035       Fixed discussions appearing multiple times in Workspace discussions when there are many
    TL-34046       Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
    TL-34049       Ensured sheet titles are unique for Excel and ODS when using box/spout library
    TL-34098       Updated the modal message when deleting a subject instance 
    TL-34103       Removed the legacy email footer from the Totara central notifications
    TL-34106       Removed print button from API documentation page
    TL-34115       Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
    TL-34116       Fixed booking event resolver to stop sending notifications to users no longer exist
    TL-34124       Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
    TL-34141       Fixed that guest should not appear as joined in a workspace
    TL-34142       Fixed incorrect use of bin icon in 'Your playlist'
    TL-34154       Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
    TL-34155       Moved enrolment processing for audience's enrolled learning to an adhoc task in the background

                   Prior to this change course enrolments that were required when a course was
                   added to, or removed from, an audience's enrolled learning were processed
                   immediately. This could lead to exceptionally long times wait for the user who
                   initiated the process. The fix for this issue was to shift this processing to a
                   background task, these enrolments will now be processed exclusively by cron.

    TL-34157       Fixed custom seminar notifications not being sent for subsequent sessions
    TL-34187       Fixed program and certification notifications sending for each assignment

                   Previously, users would receive an "assigned" notification for each assignment
                   method that they were included in the program or certification. Now, they only
                   get the notification when they are first added to the program or certification,
                   and only receive the "unassigned" notification when their last assignment method
                   is removed.

    TL-34202       Fixed persistence of Assignment completion criteria

                   Fixed the issue with completion criteria of an assignment activity not being
                   saved and retained when the activity is either created or viewed.

    TL-34207       Removed suspended users from 'Transfer ownership' search list in workspaces
    TL-34227       Fixed percentage grade calculation when viewing the grader report before importing course completion
    TL-34231       Adding missing CSS for advanced checkbox supplimentary labels
    TL-34234       Ensured '0' value textinput profile fields are displayed on the user profile page
    TL-34236       Ensured that workspaces do not appear in Recent Learning block
    TL-34332       Fixed sql error when upgrading with existing records in message_metadata
    TL-34353       Added in the additional EU, Canada and Australia endpoints for the Badgr service
    TL-34371       Fix bug in basetime calculation in programs

Technical changes:

    TL-34133       The generate_uuid() function has been deprecated

                   Please use \core\uuid::generate() instead. If the PECL UUID extension is not
                   installed, this new function will use random_bytes() instead of mt_rand() which
                   is more secure.


Tui front end framework:

    TL-34151       Fixed keyboard navigation in nested Tui modals

Contributions:

    * Kineo UK - TL-34115

Release 13.20 (27th May 2022):

Important:

    TL-34120       Added disable cron when using maintenance mode

Security issues:

    TL-28575       Removed sesskey from audience dialogue request URLs
    TL-28739       Removed sesskey parameter from jump value on the course view page
    TL-28741       Removed sesskey from the 'Turn editing on' button URL
    TL-28742       Removed sesskey from the course completion report AJAX
    TL-28743       Removed sesskey from URLs in seminar room, asset and facilitator actions
    TL-28744       Removed sesskey from URLs in 'Switch role to' links
    TL-29099       Removed sesskey from URLs in the navigation menu
    TL-33884       Fixed log code to prevent XSS in log descriptions

                   Logs generated by some events in Totara could allow XSS in certain situations,
                   when viewing either Server > Logs or Server > Live Logs. The fix ensures these
                   XSS payloads will not be executed.. This covers both newly generated and already
                   existing log entries.

    TL-33890       Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
    TL-33926       Converted AJAX request when assigning a company goal to a POST request

                   Previously this Ajax request was a GET request, which allowed the sesskey to be
                   logged on the server and in browser history.

    TL-33952       Fixed audience-based visibility issue on course-related reports

                   The course-based reports ignored the "Audience-based visibility" setting. For
                   example, when the course "Audience-based visibility" setting is set to "Enrolled
                   users only", it doesn't allow non-enrolled users to see the course details. But
                   in course-based reports, such as "Course Membership Report" and "Course
                   completion Report", users could see all other course-related entries regardless
                   of whether they are enrolled.
                   
                   The new changes apply an additional filter to the course based report query to
                   check the current user visibility. 

    TL-34336       Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)

                   An issue in the logic used to count failed login attempts could result in the
                   account lockout threshold being bypassed by using simultaneous requests.

    TL-34339       Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)

Performance improvements:

    TL-33362       Improved the loading time of the course enrolled users page

Improvements:

    TL-25521       Implemented visibility options for site policies

                   Site policy visibility can now be set to all users (the default), authenticated
                   users only, or guest users only.

    TL-31660       Improved the help text for Seminar third-party email setting
    TL-33365       Changed 'Course compatible in-app' setting to 'Mobile-friendly course' and updated the help text

                   When the Totara Mobile app is enabled, courses that are marked as
                   'Mobile-friendly' will open in the app; those that are not will be opened in the
                   mobile web browser instead. The behaviour of this setting has not changed, only
                   the label and help text explaining it.

    TL-33439       Improved the help text regarding the use of event roles in seminar activities
    TL-33498       Fixed missing legacy Session date/time changed message when removing the last session of a seminar

                   When the last session of a seminar event is removed, all appropriate users will
                   now receive a 'Session date/time changed' message with an ical attachment to
                   allow the removal of the calendar entry from their calendars.

    TL-33549       Fixed the cursor styles for disabled inputs
    TL-34125       Provided a script to restore Pre-migrated evidence types for imported evidence
    TL-34145       Improved the select/deselect all functionality when looking at the question bank
    TL-34300       Removed broken sorting functionality from the Progress column on the Course completion report

Bug fixes:

    TL-30188       Added a warning when editing a role where the role has been assigned in a specific context level
    TL-31206       Fixed deprecation notice on cache admin page
    TL-33560       Prevented sending of performance activity reminder notifications for closed and completed participant instances

                   Prior to this patch, reminder notifications could be sent under certain
                   circumstances even to participants that had completed their part of a
                   performance activity. This patch fixes the bug.

    TL-33602       Added upgrade step to fix dangling temp manager references in job assignment table

                   TL-31561 introduced a regression in which temp manager job assignment references
                   were not properly nulled in the job assignment table. This patch cleans up those
                   references as part of the upgrade process.

    TL-33694       Fixed the issue that learner can request approval for seminar event when signup window is closed
    TL-33717       Prevented test course generation for system categories

                   This fixes a bug in the test data generator for development sites in
                   totara/generator/cli/maketestsite.php. Prior to this patch it could create test
                   courses for reserved system categories, leading to error messages in activity
                   management and workspace areas.

    TL-33792       Updated the 'Minimum bookings' seminar event setting help text to differentiate it from the 'Notify about minimum bookings' help text
    TL-33934       Fixed videoJS button display issues in IE11
    TL-34029       The Tui modal component now correctly displays button drop shadows

                   Within modals button drop shadows were being cropped and the tab order
                   incorrectly included some elements

    TL-34035       Fixed discussions appearing multiple times in Workspace discussions when there are many
    TL-34038       Prevented program re-enrolment message sometimes not being sent
    TL-34046       Prevented guest user access to the GraphQL mutation 'container_workspace_create_member_request' and fixed some minor issues
    TL-34049       Ensured sheet titles are unique for Excel and ODS when using box/spout library
    TL-34098       Updated the modal message when deleting a subject instance 
    TL-34115       Regression with user fullname property fixed in user entity class; solution and test provided by Kineo UK
    TL-34124       Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
    TL-34141       Fixed that guest should not appear as joined in a workspace
    TL-34142       Fixed incorrect use of bin icon in 'Your playlist'
    TL-34154       Added clearfix class to totara-bar div in table_toolbars.mustache to fix layout issues
    TL-34155       Moved enrolment processing for audience's enrolled learning to an adhoc task in the background

                   Prior to this change course enrolments that were required when a course was
                   added to, or removed from, an audience's enrolled learning were processed
                   immediately. This could lead to exceptionally long times wait for the user who
                   initiated the process. The fix for this issue was to shift this processing to a
                   background task, these enrolments will now be processed exclusively by cron.

    TL-34207       Removed suspended users from 'Transfer ownership' search list in workspaces
    TL-34227       Fixed percentage grade calculation when viewing the grader report before importing course completion
    TL-34234       Ensured '0' value textinput profile fields are displayed on the user profile page
    TL-34236       Ensured that workspaces do not appear in Recent Learning block
    TL-34353       Added in the additional EU, Canada and Australia endpoints for the Badgr service

Technical changes:

    TL-34133       The generate_uuid() function has been deprecated

                   Please use \core\uuid::generate() instead. If the PECL UUID extension is not
                   installed, this new function will use random_bytes() instead of mt_rand() which
                   is more secure.


Contributions:

    * Kineo UK - TL-34115

Release 12.43 (27th May 2022):

Security issues:

    TL-28575       Removed sesskey from audience dialogue request URLs
    TL-28739       Removed sesskey parameter from jump value on the course view page
    TL-28741       Removed sesskey from the 'Turn editing on' button URL
    TL-28742       Removed sesskey from the course completion report AJAX
    TL-28743       Removed sesskey from URLs in seminar room, asset and facilitator actions
    TL-28744       Removed sesskey from URLs in 'Switch role to' links
    TL-29099       Removed sesskey from URLs in the navigation menu
    TL-33890       Prevented accessing profile field badge criteria on a course page by checking accepted criteria types for the current badge (MSA-22-0007 / CVE-2022-0984)
    TL-33926       Converted AJAX request when assigning a company goal to a POST request

                   Previously this Ajax request was a GET request, which allowed the sesskey to be
                   logged on the server and in browser history.

    TL-34336       Prevented cached and/or simultaneous access to the failed login counter (MSA-22-0014 / CVE-2022-30600)

                   An issue in the logic used to count failed login attempts could result in the
                   account lockout threshold being bypassed by using simultaneous requests.

    TL-34339       Fixed hiddenusefield functionality for user description (MSA-22-0011 / CVE-2022-30597)
    TL-34340       Ensured user identity fields are consistently sanitised (MSA-22-0010 / CVE-2022-30596)

Improvements:

    TL-34300       Removed broken sorting functionality from the Progress column on the Course completion report

Bug fixes:

    TL-33602       Added upgrade step to fix dangling temp manager references in job assignment table

                   TL-31561 introduced a regression in which temp manager job assignment references
                   were not properly nulled in the job assignment table. This patch cleans up those
                   references as part of the upgrade process.

    TL-34124       Updated report builder display class 'log_serialized_preformated' to ensure data exports correctly
    TL-34155       Moved enrolment processing for audience's enrolled learning to an adhoc task in the background

                   Prior to this change course enrolments that were required when a course was
                   added to, or removed from, an audience's enrolled learning were processed
                   immediately. This could lead to exceptionally long times wait for the user who
                   initiated the process. The fix for this issue was to shift this processing to a
                   background task, these enrolments will now be processed exclusively by cron.


Technical changes:

    TL-34133       The generate_uuid() function has been deprecated

                   Please use \core\uuid::generate() instead. If the PECL UUID extension is not
                   installed, this new function will use random_bytes() instead of mt_rand() which
                   is more secure.


Release 11.52 (27th May 2022):

Bug fixes:

    TL-33602       Added upgrade step to fix dangling temp manager references in job assignment table

                   TL-31561 introduced a regression in which temp manager job assignment references
                   were not properly nulled in the job assignment table. This patch cleans up those
                   references as part of the upgrade process.