Hello everyone,
The following versions of Totara Learn have now been released:
- Release 16.2
- Release 15.8
- Release 14.13
- Release 13.21
- Release 12.44
- Release 11.53
- Release 10.56
- Release 9.63
- Release 2.9.63
- Release 2.7.68
- Release 2.6.85
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Michael Geering at Kineo UK - TL-34297
- Reported by Nick Wojciechowski, CyberCX, and fix contributed by Alex Morris (Catalyst) - TL-34739
Riana Rossouw
Release 16.2 (28th June 2022):
Important:
- TL-33943 Fixed the "no indirect reports" rule
  Previously, the "no indirect reports" rule for dynamic audiences was incorrect - it targeted those users that had no immediate reports. When combined with a direct report of at least 1 rule, it resulted in an empty audience. This patch corrects the indirect report rule. However, it also means membership in existing audiences that make use of this rule could unexpectedly change, affecting course/program/certification enrolments or perform activity participants for example.

Security issues:
- TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
  A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

Performance improvements:
- TL-33272 Improved how regrading of courses is handled
  When a course has more than 100 enrolments or 100 grade items, any regrading necessary (such as adding a new activity or changing grade settings) will be done on the next cron run rather than blocking page load. When this happens, a message is displayed to the user to let them know that grades are being recalculated. For smaller courses, the re-grade is done in real time. This is a follow up to an earlier patch (TL-31570) which introduced background regrading, but only when adding a new activity.
- TL-33363 Deleting an enrolment instance has been shifted to a background task
  Previously when deleting an enrolment instance from a course, users would be unenrolled immediately and then the instance would be deleted. If the number of enrolled users was large, the page may take a long time to respond. With this patch, the deletion is shifted into a background task run on the next cron run.
- TL-34382 Improved performance for the user search when selecting performance activity participants
- TL-34400 Fixed GraphQL performance regression from latest graphql-php library update
  The latest version of the webonyx/graphql-php library added schema validation that is unnecessarily repeated for each call by default. This patch switches the unnecessary validation off, improving performance of all GraphQL operations.

Improvements:
- TL-29549 Added displaying manual rating comments in the competency activity log
  Comments that were added when manually rating a user's competency will now be displayed in the user's activity log of that competency.
- TL-32119 Added the missing event trigger for suspended users
- TL-33052 Added a seminar 'Attendance status' report builder column and filter
- TL-33491 Started recording any changed HR Import settings within the config log database table
- TL-33986 Added an asterisk to required fields in installation/upgrade
- TL-34228 Removed the separation of evidence shown in Record of Learning and the Evidence bank
  There is no longer any separation of evidence items based on the type of the evidence item. The same evidence type can now be used when uploading evidence from csv files or when adding evidence items in the Evidence bank and all items can now be shown in both the Record of Learning and Evidence bank reports. By default the Record of Learning report will be filtered to only show evidence that was uploaded (i.e. their source is 'Completion history import'). Similarly the Evidence bank reports will by default be filtered to only show evidence items that were 'Manually created'. As this is a normal report filter, users can change / clear the filter to show both uploaded and/or manually created items in any one of these reports.
- TL-34647 Improved warnings around making changes to facetoface_displaysessiontimezones

Bug fixes:
- TL-28799 Updated Weka to include a 'fake' cursor when between blocks
  This is to provide consistency between the block nodes and regular text editing in Weka.
- TL-32891 Allowed report builder toolbar searches to be saved with no standard filters present
  Previously, the 'Save this search' button only appeared in the standard filter area, meaning that at least one standard filter needed to be enabled in order to save a search. The save button is now displayed in the toolbar area when there are no standard filters enabled for a report.
- TL-33429 Fixed featured links tile visibility settings when cloning a dashboard
  Prior to this patch, when cloning a dashboard, featured links blocks lost any additional visibility restrictions which had been added to a tile. This means that if a tile had been limited to a specific audience on the original dashboard, the tile on the cloned dashboard would be visible to everybody. With this fix, the audience visibility rules for the clone are now consistent with the original dashboard.
- TL-34129 Restored evidence imported before migration to their previously used types
  The original migration of imported evidence items resulted in them belonging to a single 'Legacy course/certification completion import' system type with the original type name stored as a custom field value. Previously migrated imported evidence is now restored to belong to their original evidence type. First time migration will automatically link imported evidence to the correct type.
- TL-34144 Fixed Room Name (linked to room details page) column in Seminar reports
  The link did not include information about the session, so when it was followed the Custom virtual room link did not display correctly. This has been fixed.
- TL-34167 Fixed Organisation Framework filters using MySQL reserved word
- TL-34235 Set course enrolment date when user is enrolled through Programs or Learning plans
- TL-34241 Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification
  When attempting to push notifications to a mobile device, all the mobile devices associated with the recipient are fetched and looped through. Previously if one of the FCM tokens for a device was not valid, it would be invalidated and the loop would be broken, leading to other devices potentially not receiving that notification. Now the token is marked as invalid and the loop continues so that all devices with a valid FCM token will receive the push notification.
- TL-34244 Fixed videoJS controls in RTL languages
  Fixed videoJS controls in RTL languages so that the play scroller now moves in the expected direction.
- TL-34248 Fixed double quote character encoding for Program name report builder column when exporting the data into Excel
- TL-34297 Ensured report builder report created event is triggered when creating from template
- TL-34298 Fixed perform activity static content editing error
  Previously, when a static element was added as a sub element for a linked review question, there would be an error when you tried to edit after first creating it. This patch fixes the error.
- TL-34321 Fixed the context of audience role assignments when the audience is moved
  Previously if a category level audience had roles assigned, and was moved to a different category, existing role assignments stayed in the original category context. Now the roles will update to the new category context when the audience is moved.
- TL-34329 Fixed the position due date link when using the legacy program assignment interface
- TL-34354 Included deletion icals in notifications when seminar sessions are cancelled
- TL-34364 Trigger on-event certification window open notifications at the correct time
  Previously, on-event window open notifications were being triggered when a recertification window opened, rather than when the window was supposed to open. This led to unexpected behaviour when the opening of a recertification window was delayed due to the user being unassigned or suspended. Also, the notification was not sent if the certification window was open, which meant that the notification would never be sent if it was scheduled to be sent after the window open date. The expected behaviour is to always send the notification at a date relative to the window open date, regardless of certification status. Note that if a user is unassigned or suspended at the time this notification is due to be sent, then the notification will not be sent retroactively.
- TL-34403 Prevented the import of evidence for the deleted users
  Prior to this patch, evidence could be uploaded for deleted users when the legacy delete option "Keep username, email and ID number (legacy)" is used. This is no longer allowed.
- TL-34415 Fixed activity complete notifications created in activity context not being sent
  Activity completion notifications created in an ascendant context of an activity, such as the course or system context, were being successfully sent. With this fix, activity completion notifications created in the context of a specific activity will now also be sent.
- TL-34536 Fixed wrong capability checked for course and activity notification management
  Notification administrators need the 'moodle/course:managecoursenotifications' capability to manage course and activity notifications. Previously, the link to manage notifications was mistakenly only shown to users who had the 'moodle/course:update' capability, but the management page would be empty if they didn't also have the correct capability.
- TL-34541 Fixed manager's link to program in notifications
- TL-34552 Disable caching in reports that do visibility checks
  Report sources that have been identified as doing visibility checks have been updated to remove the option to be cached. Cached data based on those report sources will be removed upon upgrade. Any custom report sources which use the post_config_visibility_where function in their post_config should also be updated to prevent caching.
- TL-34564 Ensured links on user profile display with correct formatting
- TL-34704 Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:
- TL-32931 Updated behat to support PHP 8.0
- TL-33278 Avoid using required column to allow visibility checks in report builder
  Previously, in order to perform visibility checks in reports, we obtained the data needed by defining required columns which were columns that, although not visible, were present in the report. However it was noted they were interfering with aggregation, giving unexpected results. Now, "required joins" have been added in order to perform this task. The information to do the visibility check is still present, but should not interfere with aggregation. All applicable report sources have been updated to use the new define_requiredjoins function. Please note that custom report sources that use the old way of requiring columns shouldn't be affected by this change, but we recommend that they are updated to use define_requiredjoins to get the correct result when using aggregation.

Tui front end framework:
- TL-26667 An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages
- TL-34385 Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.
- TL-34481 Fixed keyboard accessibility of the Dropdown vue component

Library updates:
- TL-34352 Upgraded Video.js to 7.18.1
  Please check any plugins you have installed or written on older versions of the video.js plugin.

Contributions:
- Michael Geering at Kineo UK - TL-34297
- Reported by Nick Wojciechowski, CyberCX, and fix contributed by Alex Morris (Catalyst) - TL-34739
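
The TL-34739 note above limits exposure to servers where ghostscript < 9.50 is installed. The following added example (not part of the Totara release notes or Totara code) classifies a `gs --version` string against that threshold; the function names and the `GS_BIN` variable are assumptions, and the binary Totara is configured to use may differ from the one found on `PATH`.

```shell
#!/bin/sh
# Added example: classify a Ghostscript version against the "< 9.50"
# condition stated for TL-34739. Function names and GS_BIN are hypothetical.

# Strip leading zeros so a component such as "06" or "08" is compared as a
# decimal number (a leading zero means octal in shell arithmetic contexts).
strip_zeros() {
    n=$1
    while [ "${n#0}" != "$n" ]; do
        n=${n#0}
    done
    printf '%s' "${n:-0}"
}

# gs_version_status VERSION
# Prints "affected" (older than 9.50), "not-affected" or "unknown".
# Expects the purely numeric form printed by `gs --version`, e.g. 9.27 or
# 9.56.1. Only major and minor matter for the 9.50 threshold.
gs_version_status() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*)
            echo unknown          # empty, non-numeric or malformed
            return 0
            ;;
    esac
    major=$(strip_zeros "${ver%%.*}")
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        minor=0                   # no minor component, e.g. "9"
    else
        minor=$(strip_zeros "${rest%%.*}")
    fi
    if [ "$major" -lt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -lt 50 ]; }; then
        echo affected
    else
        echo not-affected
    fi
}

# gs_installed_status [GS_BINARY]
# Same classification for the binary on this host, or "not-installed".
gs_installed_status() {
    gs_bin=${1:-gs}
    if ! command -v "$gs_bin" >/dev/null 2>&1; then
        echo not-installed
        return 0
    fi
    found=$("$gs_bin" --version 2>/dev/null) || found=''
    gs_version_status "$found"
}

# Constructed sample version strings, not taken from any real host.
for v in 8.71 9.06 9.27 9.50 9.56.1 10.02.1 "GPL Ghostscript"; do
    printf '%-16s %s\n' "$v" "$(gs_version_status "$v")"
done

# The binary actually present on this machine (override with GS_BIN=/path).
printf 'installed: %s\n' "$(gs_installed_status "${GS_BIN:-gs}")"
```

An `affected` result matters only where 'Annotate PDF' is the selected assignment feedback plugin, the other condition the note gives.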
Release 15.8 (28th June 2022):
Important:
- TL-33943 Fixed the "no indirect reports" rule
  Previously, the "no indirect reports" rule for dynamic audiences was incorrect - it targeted those users that had no immediate reports. When combined with a direct report of at least 1 rule, it resulted in an empty audience. This patch corrects the indirect report rule. However, it also means membership in existing audiences that make use of this rule could unexpectedly change, affecting course/program/certification enrolments or perform activity participants for example.

Security issues:
- TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
  A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

Performance improvements:
- TL-33272 Improved how regrading of courses is handled
  When a course has more than 100 enrolments or 100 grade items, any regrading necessary (such as adding a new activity or changing grade settings) will be done on the next cron run rather than blocking page load. When this happens, a message is displayed to the user to let them know that grades are being recalculated. For smaller courses, the re-grade is done in real time. This is a follow up to an earlier patch (TL-31570) which introduced background regrading, but only when adding a new activity.
- TL-33363 Deleting an enrolment instance has been shifted to a background task
  Previously when deleting an enrolment instance from a course, users would be unenrolled immediately and then the instance would be deleted. If the number of enrolled users was large, the page may take a long time to respond. With this patch, the deletion is shifted into a background task run on the next cron run.
- TL-34382 Improved performance for the user search when selecting performance activity participants

Improvements:
- TL-29549 Added displaying manual rating comments in the competency activity log
  Comments that were added when manually rating a user's competency will now be displayed in the user's activity log of that competency.
- TL-33491 Started recording any changed HR Import settings within the config log database table
- TL-33873 Page style improvements made on the 'your workspaces' page
  Made several minor cosmetic improvements to the 'your workspaces' page such as white spacing and content alignment.
- TL-34228 Removed the separation of evidence shown in Record of Learning and the Evidence bank
  There is no longer any separation of evidence items based on the type of the evidence item. The same evidence type can now be used when uploading evidence from csv files or when adding evidence items in the Evidence bank and all items can now be shown in both the Record of Learning and Evidence bank reports. By default the Record of Learning report will be filtered to only show evidence that was uploaded (i.e. their source is 'Completion history import'). Similarly the Evidence bank reports will by default be filtered to only show evidence items that were 'Manually created'. As this is a normal report filter, users can change / clear the filter to show both uploaded and/or manually created items in any one of these reports.
- TL-34647 Improved warnings around making changes to facetoface_displaysessiontimezones

Bug fixes:
- TL-28799 Updated Weka to include a 'fake' cursor when between blocks
  This is to provide consistency between the block nodes and regular text editing in Weka.
- TL-32891 Allowed report builder toolbar searches to be saved with no standard filters present
  Previously, the 'Save this search' button only appeared in the standard filter area, meaning that at least one standard filter needed to be enabled in order to save a search. The save button is now displayed in the toolbar area when there are no standard filters enabled for a report.
- TL-33429 Fixed featured links tile visibility settings when cloning a dashboard
  Prior to this patch, when cloning a dashboard, featured links blocks lost any additional visibility restrictions which had been added to a tile. This means that if a tile had been limited to a specific audience on the original dashboard, the tile on the cloned dashboard would be visible to everybody. With this fix, the audience visibility rules for the clone are now consistent with the original dashboard.
- TL-34129 Restored evidence imported before migration to their previously used types
  The original migration of imported evidence items resulted in them belonging to a single 'Legacy course/certification completion import' system type with the original type name stored as a custom field value. Previously migrated imported evidence is now restored to belong to their original evidence type. First time migration will automatically link imported evidence to the correct type.
- TL-34144 Fixed Room Name (linked to room details page) column in Seminar reports
  The link did not include information about the session, so when it was followed the Custom virtual room link did not display correctly. This has been fixed.
- TL-34167 Fixed Organisation Framework filters using MySQL reserved word
- TL-34235 Set course enrolment date when user is enrolled through Programs or Learning plans
- TL-34241 Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification
  When attempting to push notifications to a mobile device, all the mobile devices associated with the recipient are fetched and looped through. Previously if one of the FCM tokens for a device was not valid, it would be invalidated and the loop would be broken, leading to other devices potentially not receiving that notification. Now the token is marked as invalid and the loop continues so that all devices with a valid FCM token will receive the push notification.
- TL-34244 Fixed videoJS controls in RTL languages
  Fixed videoJS controls in RTL languages so that the play scroller now moves in the expected direction.
- TL-34248 Fixed double quote character encoding for Program name report builder column when exporting the data into Excel
- TL-34297 Ensured report builder report created event is triggered when creating from template
- TL-34298 Fixed perform activity static content editing error
  Previously, when a static element was added as a sub element for a linked review question, there would be an error when you tried to edit after first creating it. This patch fixes the error.
- TL-34321 Fixed the context of audience role assignments when the audience is moved
  Previously if a category level audience had roles assigned, and was moved to a different category, existing role assignments stayed in the original category context. Now the roles will update to the new category context when the audience is moved.
- TL-34329 Fixed the position due date link when using the legacy program assignment interface
- TL-34364 Trigger on-event certification window open notifications at the correct time
  Previously, on-event window open notifications were being triggered when a recertification window opened, rather than when the window was supposed to open. This led to unexpected behaviour when the opening of a recertification window was delayed due to the user being unassigned or suspended. Also, the notification was not sent if the certification window was open, which meant that the notification would never be sent if it was scheduled to be sent after the window open date. The expected behaviour is to always send the notification at a date relative to the window open date, regardless of certification status. Note that if a user is unassigned or suspended at the time this notification is due to be sent, then the notification will not be sent retroactively.
- TL-34403 Prevented the import of evidence for the deleted users
  Prior to this patch, evidence could be uploaded for deleted users when the legacy delete option "Keep username, email and ID number (legacy)" is used. This is no longer allowed.
- TL-34541 Fixed manager's link to program in notifications
- TL-34552 Disable caching in reports that do visibility checks
  Report sources that have been identified as doing visibility checks have been updated to remove the option to be cached. Cached data based on those report sources will be removed upon upgrade. Any custom report sources which use the post_config_visibility_where function in their post_config should also be updated to prevent caching.
- TL-34564 Ensured links on user profile display with correct formatting
- TL-34704 Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:
- TL-32931 Updated behat to support PHP 8.0
- TL-33278 Avoid using required column to allow visibility checks in report builder
  Previously, in order to perform visibility checks in reports, we obtained the data needed by defining required columns which were columns that, although not visible, were present in the report. However it was noted they were interfering with aggregation, giving unexpected results. Now, "required joins" have been added in order to perform this task. The information to do the visibility check is still present, but should not interfere with aggregation. All applicable report sources have been updated to use the new define_requiredjoins function. Please note that custom report sources that use the old way of requiring columns shouldn't be affected by this change, but we recommend that they are updated to use define_requiredjoins to get the correct result when using aggregation.

Tui front end framework:
- TL-26667 An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages
- TL-34385 Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.
- TL-34481 Fixed keyboard accessibility of the Dropdown vue component

Library updates:
- TL-34352 Upgraded Video.js to 7.18.1
  Please check any plugins you have installed or written on older versions of the video.js plugin.

Contributions:
- Michael Geering at Kineo UK - TL-34297
- Reported by Nick Wojciechowski, CyberCX, and fix contributed by Alex Morris (Catalyst) - TL-34739
Release 14.13 (28th June 2022):
Security issues:
- TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
  A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

Performance improvements:
- TL-33272 Improved how regrading of courses is handled
  When a course has more than 100 enrolments or 100 grade items, any regrading necessary (such as adding a new activity or changing grade settings) will be done on the next cron run rather than blocking page load. When this happens, a message is displayed to the user to let them know that grades are being recalculated. For smaller courses, the re-grade is done in real time. This is a follow up to an earlier patch (TL-31570) which introduced background regrading, but only when adding a new activity.
- TL-33363 Deleting an enrolment instance has been shifted to a background task
  Previously when deleting an enrolment instance from a course, users would be unenrolled immediately and then the instance would be deleted. If the number of enrolled users was large, the page may take a long time to respond. With this patch, the deletion is shifted into a background task run on the next cron run.
- TL-34382 Improved performance for the user search when selecting performance activity participants

Improvements:
- TL-29549 Added displaying manual rating comments in the competency activity log
  Comments that were added when manually rating a user's competency will now be displayed in the user's activity log of that competency.
- TL-33491 Started recording any changed HR Import settings within the config log database table
- TL-34228 Removed the separation of evidence shown in Record of Learning and the Evidence bank
  There is no longer any separation of evidence items based on the type of the evidence item. The same evidence type can now be used when uploading evidence from csv files or when adding evidence items in the Evidence bank and all items can now be shown in both the Record of Learning and Evidence bank reports. By default the Record of Learning report will be filtered to only show evidence that was uploaded (i.e. their source is 'Completion history import'). Similarly the Evidence bank reports will by default be filtered to only show evidence items that were 'Manually created'. As this is a normal report filter, users can change / clear the filter to show both uploaded and/or manually created items in any one of these reports.
- TL-34647 Improved warnings around making changes to facetoface_displaysessiontimezones

Bug fixes:
- TL-28799 Updated Weka to include a 'fake' cursor when between blocks
  This is to provide consistency between the block nodes and regular text editing in Weka.
- TL-32891 Allowed report builder toolbar searches to be saved with no standard filters present
  Previously, the 'Save this search' button only appeared in the standard filter area, meaning that at least one standard filter needed to be enabled in order to save a search. The save button is now displayed in the toolbar area when there are no standard filters enabled for a report.
- TL-33429 Fixed featured links tile visibility settings when cloning a dashboard
  Prior to this patch, when cloning a dashboard, featured links blocks lost any additional visibility restrictions which had been added to a tile. This means that if a tile had been limited to a specific audience on the original dashboard, the tile on the cloned dashboard would be visible to everybody. With this fix, the audience visibility rules for the clone are now consistent with the original dashboard.
- TL-34129 Restored evidence imported before migration to their previously used types
  The original migration of imported evidence items resulted in them belonging to a single 'Legacy course/certification completion import' system type with the original type name stored as a custom field value. Previously migrated imported evidence is now restored to belong to their original evidence type. First time migration will automatically link imported evidence to the correct type.
- TL-34144 Fixed Room Name (linked to room details page) column in Seminar reports
  The link did not include information about the session, so when it was followed the Custom virtual room link did not display correctly. This has been fixed.
- TL-34167 Fixed Organisation Framework filters using MySQL reserved word
- TL-34235 Set course enrolment date when user is enrolled through Programs or Learning plans
- TL-34241 Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification
  When attempting to push notifications to a mobile device, all the mobile devices associated with the recipient are fetched and looped through. Previously if one of the FCM tokens for a device was not valid, it would be invalidated and the loop would be broken, leading to other devices potentially not receiving that notification. Now the token is marked as invalid and the loop continues so that all devices with a valid FCM token will receive the push notification.
- TL-34244 Fixed videoJS controls in RTL languages
  Fixed videoJS controls in RTL languages so that the play scroller now moves in the expected direction.
- TL-34248 Fixed double quote character encoding for Program name report builder column when exporting the data into Excel
- TL-34297 Ensured report builder report created event is triggered when creating from template
- TL-34298 Fixed perform activity static content editing error
  Previously, when a static element was added as a sub element for a linked review question, there would be an error when you tried to edit after first creating it. This patch fixes the error.
- TL-34321 Fixed the context of audience role assignments when the audience is moved
  Previously if a category level audience had roles assigned, and was moved to a different category, existing role assignments stayed in the original category context. Now the roles will update to the new category context when the audience is moved.
- TL-34329 Fixed the position due date link when using the legacy program assignment interface
- TL-34364 Trigger on-event certification window open notifications at the correct time
  Previously, on-event window open notifications were being triggered when a recertification window opened, rather than when the window was supposed to open. This led to unexpected behaviour when the opening of a recertification window was delayed due to the user being unassigned or suspended. Also, the notification was not sent if the certification window was open, which meant that the notification would never be sent if it was scheduled to be sent after the window open date. The expected behaviour is to always send the notification at a date relative to the window open date, regardless of certification status. Note that if a user is unassigned or suspended at the time this notification is due to be sent, then the notification will not be sent retroactively.
- TL-34403 Prevented the import of evidence for the deleted users
  Prior to this patch, evidence could be uploaded for deleted users when the legacy delete option "Keep username, email and ID number (legacy)" is used. This is no longer allowed.
- TL-34541 Fixed manager's link to program in notifications
- TL-34552 Disable caching in reports that do visibility checks
  Report sources that have been identified as doing visibility checks have been updated to remove the option to be cached. Cached data based on those report sources will be removed upon upgrade. Any custom report sources which use the post_config_visibility_where function in their post_config should also be updated to prevent caching.
- TL-34564 Ensured links on user profile display with correct formatting
- TL-34704 Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:
- TL-33278 Avoid using required column to allow visibility checks in report builder
  Previously, in order to perform visibility checks in reports, we obtained the data needed by defining required columns which were columns that, although not visible, were present in the report. However it was noted they were interfering with aggregation, giving unexpected results. Now, "required joins" have been added in order to perform this task. The information to do the visibility check is still present, but should not interfere with aggregation. All applicable report sources have been updated to use the new define_requiredjoins function. Please note that custom report sources that use the old way of requiring columns shouldn't be affected by this change, but we recommend that they are updated to use define_requiredjoins to get the correct result when using aggregation.

Tui front end framework:
- TL-26667 An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages
- TL-34385 Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.
- TL-34481 Fixed keyboard accessibility of the Dropdown vue component

Library updates:
- TL-34352 Upgraded Video.js to 7.18.1
  Please check any plugins you have installed or written on older versions of the video.js plugin.

Contributions:
- Michael Geering at Kineo UK - TL-34297
- Reported by Nick Wojciechowski, CyberCX, and fix contributed by Alex Morris (Catalyst) - TL-34739
Release 13.21 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

Performance improvements:

TL-33272 Improved how regrading of courses is handled
When a course has more than 100 enrolments or 100 grade items, any regrading necessary (such as adding a new activity or changing grade settings) will be done on the next cron run rather than blocking page load. When this happens, a message is displayed to the user to let them know that grades are being recalculated. For smaller courses, the re-grade is done in real time. This is a follow up to an earlier patch (TL-31570) which introduced background regrading, but only when adding a new activity.

TL-33363 Deleting an enrolment instance has been shifted to a background task
Previously when deleting an enrolment instance from a course, users would be unenrolled immediately and then the instance would be deleted. If the number of enrolled users was large, the page may take a long time to respond. With this patch, the deletion is shifted into a background task run on the next cron run.

TL-34382 Improved performance for the user search when selecting performance activity participants

Improvements:

TL-29549 Added displaying manual rating comments in the competency activity log
Comments that were added when manually rating a user's competency will now be displayed in the user's activity log of that competency.

TL-33491 Started recording any changed HR Import settings within the config log database table

TL-34228 Removed the separation of evidence shown in Record of Learning and the Evidence bank
There is no longer any separation of evidence items based on the type of the evidence item. The same evidence type can now be used when uploading evidence from csv files or when adding evidence items in the Evidence bank, and all items can now be shown in both the Record of Learning and Evidence bank reports. By default the Record of Learning report will be filtered to only show evidence that was uploaded (i.e. their source is 'Completion history import'). Similarly the Evidence bank reports will by default be filtered to only show evidence items that were 'Manually created'. As this is a normal report filter, users can change / clear the filter to show both uploaded and/or manually created items in any one of these reports.

Bug fixes:

TL-32891 Allowed report builder toolbar searches to be saved with no standard filters present
Previously, the 'Save this search' button only appeared in the standard filter area, meaning that at least one standard filter needed to be enabled in order to save a search. The save button is now displayed in the toolbar area when there are no standard filters enabled for a report.

TL-34144 Fixed Room Name (linked to room details page) column in Seminar reports
The link did not include information about the session, so when it was followed the Custom virtual room link did not display correctly. This has been fixed.

TL-34167 Fixed Organisation Framework filters using MySQL reserved word

TL-34241 Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification
When attempting to push notifications to a mobile device, all the mobile devices associated with the recipient are fetched and looped through. Previously if one of the FCM tokens for a device was not valid, it would be invalidated and the loop would be broken, leading to other devices potentially not receiving that notification. Now the token is marked as invalid and the loop continues so that all devices with a valid FCM token will receive the push notification.

TL-34244 Fixed videoJS controls in RTL languages
Fixed videoJS controls in RTL languages so that the play scroller now moves in the expected direction.

TL-34297 Ensured report builder report created event is triggered when creating from template

TL-34321 Fixed the context of audience role assignments when the audience is moved
Previously if a category level audience had roles assigned, and was moved to a different category, existing role assignments stayed in the original category context. Now the roles will update to the new category context when the audience is moved.

TL-34342 Fixed custom seminar notifications not being sent.

TL-34394 Fixed hero image for resources not being displayed for YouTube short-links

TL-34403 Prevented the import of evidence for the deleted users
Prior to this patch, evidence could be uploaded for deleted users when the legacy delete option "Keep username, email and ID number (legacy)" is used. This is no longer allowed.

TL-34541 Fixed manager's link to program in notifications

TL-34552 Disable caching in reports that do visibility checks
Report sources that have been identified as doing visibility checks have been updated to remove the option to be cached. Cached data based on those report sources will be removed upon upgrade. Any custom report sources which use the post_config_visibility_where function in their post_config should also be updated to prevent caching.

TL-34564 Ensured links on user profile display with correct formatting

TL-34704 Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:

TL-33278 Avoid using required column to allow visibility checks in report builder
Previously, in order to perform visibility checks in reports, we obtained the data needed by defining required columns, which were columns that, although not visible, were present in the report. However, it was noted they were interfering with aggregation, giving unexpected results. Now, "required joins" have been added in order to perform this task. The information to do the visibility check is still present, but should not interfere with aggregation. All applicable report sources have been updated to use the new define_requiredjoins function. Please note that custom report sources that use the old way of requiring columns shouldn't be affected by this change, but we recommend that they are updated to use define_requiredjoins to get the correct result when using aggregation.

Tui front end framework:

TL-26667 An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages

TL-34385 Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.

TL-34481 Fixed keyboard accessibility of the Dropdown vue component

Contributions:
* Michael Geering at Kineo UK - TL-34297
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739

Release 12.44 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

TL-34742 Fixed XSS vulnerability on userpix index page (CVE-2019-3810)
It was possible for users to exploit an XSS vulnerability on the userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.

Performance improvements:

TL-33272 Improved how regrading of courses is handled
When a course has more than 100 enrolments or 100 grade items, any regrading necessary (such as adding a new activity or changing grade settings) will be done on the next cron run rather than blocking page load. When this happens, a message is displayed to the user to let them know that grades are being recalculated. For smaller courses, the re-grade is done in real time. This is a follow up to an earlier patch (TL-31570) which introduced background regrading, but only when adding a new activity.

Bug fixes:

TL-34541 Fixed manager's link to program in notifications

Contributions:
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739

Release 11.53 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

TL-34742 Fixed XSS vulnerability on userpix index page (CVE-2019-3810)
It was possible for users to exploit an XSS vulnerability on the userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.

Bug fixes:

TL-34541 Fixed manager's link to program in notifications

Contributions:
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739

Release 10.56 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

TL-34742 Fixed XSS vulnerability on userpix index page (CVE-2019-3810)
It was possible for users to exploit an XSS vulnerability on the userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.

Contributions:
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739

Release 9.63 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

TL-34742 Fixed XSS vulnerability on userpix index page (CVE-2019-3810)
It was possible for users to exploit an XSS vulnerability on the userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.

Contributions:
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739

Release 2.9.63 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

TL-34742 Fixed XSS vulnerability on userpix index page (CVE-2019-3810)
It was possible for users to exploit an XSS vulnerability on the userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.

Contributions:
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739

Release 2.7.68 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

TL-34742 Fixed XSS vulnerability on userpix index page (CVE-2019-3810)
It was possible for users to exploit an XSS vulnerability on the userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.

Contributions:
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739

Release 2.6.85 (28th June 2022):
Security issues:

TL-34739 Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin
A learner exploiting this vulnerability could upload a carefully-crafted file as an assignment submission and run arbitrary shell commands on the server. This only affects Totara instances with 'Annotate PDF' selected as the assignment feedback plugin in system settings and ghostscript < 9.50 installed on the server.

TL-34742 Fixed XSS vulnerability on userpix index page (CVE-2019-3810)
It was possible for users to exploit an XSS vulnerability on the userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.

Contributions:
* Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739
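
TL-34739 applies only where ghostscript older than 9.50 is installed, so the host-side check below tests that condition. It is an added example, not part of the Totara release notes or code; the function names and the default binary name `gs` are assumptions, and whether 'Annotate PDF' is selected still has to be confirmed in system settings.

```shell
#!/bin/sh
# Added example (not Totara code): host check for the TL-34739 condition
# "ghostscript < 9.50 installed on the server".

# gs_is_affected VERSION
#   returns 0 if VERSION is older than 9.50 (condition met)
#   returns 1 if VERSION is 9.50 or newer
#   returns 2 if VERSION is not a dotted numeric string
gs_is_affected() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    # Drop leading zeros so "06" compares as 6.
    major=$(printf '%s' "$major" | sed 's/^0*//'); major=${major:-0}
    minor=$(printf '%s' "$minor" | sed 's/^0*//'); minor=${minor:-0}
    if [ "$major" -lt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -lt 50 ]; then return 0; fi
    return 1
}

# check_gs [PATH_TO_GS]
#   Prints "affected <ver>", "ok <ver>", "unknown <ver>" or "not-installed".
#   The default binary name "gs" is an assumption; pass the path your
#   instance is configured to use.
check_gs() {
    gs_bin=${1:-gs}
    if ! command -v "$gs_bin" >/dev/null 2>&1; then
        echo "not-installed"
        return 0
    fi
    ver=$("$gs_bin" --version 2>/dev/null | head -n 1)
    rc=0
    gs_is_affected "$ver" || rc=$?
    case "$rc" in
        0) echo "affected $ver" ;;
        1) echo "ok $ver" ;;
        *) echo "unknown $ver" ;;
    esac
}

# Constructed sample versions, so the comparison can be seen offline.
for v in 9.06 9.27 9.50 9.56.1 10.01.2; do
    if gs_is_affected "$v"; then echo "$v affected"; else echo "$v ok"; fi
done
```

Run `check_gs` on the application server itself, with the path to the ghostscript binary that the Totara instance actually uses.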