Totara Release Notes

Totara TXP 16.2, 15.8, 14.13, 13.21; Totara learn 12.44, 11.53, 10.56, 9.63, 2.9.63, 2.7.68 and 2.6.85 are now available

 
Riana Rossouw
Totara TXP 16.2, 15.8, 14.13, 13.21; Totara learn 12.44, 11.53, 10.56, 9.63, 2.9.63, 2.7.68 and 2.6.85 are now available
על ידי Riana Rossouw בתאריך 28/06/2022, 15:04
קבוצה Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes bug fixes and improvements.

A big thanks to the following people for their contributions to this release:

  • Michael Geering at Kineo UK - TL-34297
  • Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst) - TL-34739
Kind regards

Riana Rossouw

Release 16.2 (28th June 2022):

Important:

    TL-33943       Fixed the "no indirect reports" rule

                   Previously, the "no indirect reports" rule for dynamic audiences was incorrect -
                   it targeted those users that had no immediate reports. When combined with a
                   direct report of at least 1 rule, it resulted in an empty audience. 
                   
                   This patch corrects the indirect report rule. However, it also means membership
                   in existing audiences that make use of this rule could unexpectedly change,
                   affecting course/program/certification enrolments  or perform activity
                   participants for example.


Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.


Performance improvements:

    TL-33272       Improved how regrading of courses is handled

                   When a course has more than 100 enrolments or 100 grade items, any regrading
                   necessary (such as adding a new activity or changing grade settings) will be
                   done on the next cron run rather than blocking page load. When this happens, a
                   message is displayed to the user to let them know that grades are being
                   recalculated.
                   
                   For smaller courses, the re-grade is done in real time. 
                   
                   This is a follow up to an earlier patch (TL-31570) which introduced background
                   regrading, but only when adding a new activity.

    TL-33363       Deleting an enrolment instance has been shifted to a background task

                   Previously when deleting an enrolment instance from a course, users would be
                   unenrolled immediately and then the instance would be deleted. If the number of
                   enrolled users was large, the page may take a long time to respond. 
                   
                   With this patch, the deletion is shifted into a background task run on the next
                   cron run.

    TL-34382       Improved performance for the user search when selecting performance activity participants
    TL-34400       Fixed GraphQL performance regression from latest graphql-php library update

                   The latest version of the webonyx/graphql-php library added schema validation
                   that is unnecessarily repeated for each call by default. This patch switches the
                   unnecessary validation off, improving performance of all GraphQL operations.


Improvements:

    TL-29549       Added displaying manual rating comments in the competency activity log

                   Comments that were added when manually rating a user's competency will now be
                   displayed in the user's activity log of that competency.

    TL-32119       Added the missing event trigger for suspended users
    TL-33052       Added a seminar 'Attendance status' report builder column and filter
    TL-33491       Started recording any changed HR Import settings within the config log database table
    TL-33986       Added an asterisk to required fields in installation/upgrade
    TL-34228       Removed the separation of evidence shown in Record of Learning and the Evidence bank

                   There is no longer any separation of evidence items based on the type of the
                   evidence item. The same evidence type can now be used when uploading evidence
                   from csv files or when adding evidence items in the Evidence bank and all items
                   can now be shown in both the Record of Learning and Evidence bank reports.
                   
                   By default the Record of Learning report will be filtered to only show evidence
                   that was uploaded (i.e. their source is 'Completion history import'). Similarly
                   the Evidence bank reports will by default be filtered to only show evidence
                   items that were 'Manually created'. As this is a normal report filter, users can
                   change / clear the filter to show both uploaded and/or manually created items in
                   any one of these reports

    TL-34647       Improved warnings around making changes to facetoface_displaysessiontimezones

Bug fixes:

    TL-28799       Updated Weka to include a 'fake' cursor when between blocks

                   This is to provide consistency between the block nodes and regular text editing
                   in Weka. 

    TL-32891       Allowed report builder toolbar searches to be saved with no standard filters present

                   Previously, the 'Save this search' button only appeared in the standard filter
                   area, meaning that at least one standard filter needed to be enabled in order to
                   save a search.
                   
                   The save button is now displayed in the toolbar area when there are no standard
                   filters enabled for a report.

    TL-33429       Fixed featured links tile visibility settings when cloning a dashboard

                   Prior to this patch, when cloning a dashboard, featured links blocks lost any
                   additional visibility restrictions which had been added to a tile. This means
                   that if a tile had been limited to a specific audience on the original
                   dashboard, the tile on the cloned dashboard would be visible to everybody.
                   
                   With this fix, the audience visibility rules for the clone are now consistent
                   with the original dashboard.

    TL-34129       Restored evidence imported before migration to their previously used types

                   The original migration of imported evidence items resulted in them belonging to
                   a single 'Legacy course/certification completion import' system type with the
                   original type name stored as a custom field value.
                   
                   Previously migrated imported evidence is now restored to belong to their
                   original evidence type.
                   
                   First time migration will automatically link imported evidence to the correct
                   type.

    TL-34144       Fixed Room Name (linked to room details page) column in Seminar reports

                   The link did not include information about the session, so when it was followed
                   the Custom virtual room link did not display correctly. This has been fixed.

    TL-34167       Fixed Organisation Framework filters using MySQL reserved word
    TL-34235       Set course enrolment date when user is enrolled through Programs or Learning plans
    TL-34241       Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification

                   When attempting to push notifications to a mobile device, all the mobile devices
                   associated with the recipient are fetched and looped through. Previously if one
                   of the FCM tokens for a device was not valid, it would be invalidated and the
                   loop would be broken, leading to other devices potentially not receiving that
                   notification. Now the token is marked as invalid and the loop continues so that
                   all devices with a valid FCM token will receive the push notification.

    TL-34244       Fixed videoJS controls in RTL languages

                   Fixed videoJS controls in RTL languages so that the play scroller now moves in
                   the expected direction.

    TL-34248       Fixed double quote character encoding for Program name report builder column when exporting the data into Excel
    TL-34297       Ensured report builder report created event is triggered when creating from template
    TL-34298       Fixed perform activity static content editing error

                   Previously, when a static element was added as a sub element for a linked review
                   question, there would be an error when you tried to edit after first creating
                   it.
                   
                   This patch fixes the error.

    TL-34321       Fixed the context of audience role assignments when the audience is moved

                   Previously if a category level audience had roles assigned, and was moved to a
                   different category, existing role assignments stayed in the original category
                   context. Now the roles will update to the new category context when the audience
                   is moved.

    TL-34329       Fixed the position due date link when using the legacy program assignment interface
    TL-34354       Included deletion icals in notifications when seminar sessions are cancelled
    TL-34364       Trigger on-event certification window open notifications at the correct time

                   Previously, on-event window open notifications were being triggered when a
                   recertification window opened, rather than when the window was supposed to open.
                   This led to unexpected behaviour when the opening of a recertification window
                   was delayed due to the user being unassigned or suspended. Also, the
                   notification was not sent if the certification window was open, which meant that
                   the notification would never be sent if it was scheduled to be sent after the
                   window open date. The expected behaviour is to always send the notification at a
                   date relative to the window open date, regardless of certification status. Note
                   that if a user is unassigned or suspended at the time this notification is due
                   to be sent, then the notification will not be sent retroactively.

    TL-34403       Prevented the import of evidence for the deleted users

                   Prior to this patch, evidence could be uploaded for deleted users when the
                   legacy delete option "Keep username, email and ID number (legacy)" is used. This
                   is no longer allowed.

    TL-34415       Fixed activity complete notifications created in activity context not being sent

                   Activity completion notifications created in an ascendant context of an
                   activity, such as the course or system context, were being successfully sent.
                   With this fix, activity completion notifications created in the context of a
                   specific activity will now also be sent.

    TL-34536       Fixed wrong capability checked for course and activity notification management

                   Notification administrators need the 'moodle/course:managecoursenotifications'
                   capability to manage course and activity notifications. Previously, the link to
                   manage notifications was mistakenly only shown to users who had the
                   'moodle/course:update' capability, but the management page would be empty if
                   they didn't also have the correct capability.

    TL-34541       Fixed manager's link to program in notifications
    TL-34552       Disable caching in reports that do visibility checks

                   Report sources that have been identified as doing visibility checks have been
                   updated to remove the option to be cached. Cached data based on those reports
                   sources will be removed upon upgrade.
                   
                   Any custom report sources which use the post_config_visibility_where function in
                   their post_config should also be updated to prevent caching.

    TL-34564       Ensured links on user profile display with correct formatting
    TL-34704       Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:

    TL-32931       Updated behat to support PHP 8.0
    TL-33278       Avoid using required column to allow visibility checks in report builder

                   Previously, in order to perform visibility checks in reports, we obtained the
                   data needed by defining required columns which were columns that, although not
                   visible, were present in the report. However it was noted they were interfering
                   with aggregation, giving unexpected results.
                   
                   Now, "required joins" have been added in order to perform this task. The
                   information to do the visibility check is still present, but should not
                   interfere with aggregation.
                   
                   All applicable report sources have been updated to use the new
                   define_requiredjoins function.
                   
                   Please note that custom report sources that use the old way of requiring columns
                   shouldn't be affected by this change, but we recommend that they are updated to
                   use define_requiredjoins to get the correct result when using aggregation.


Tui front end framework:

    TL-26667       An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages
    TL-34385       Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.
    TL-34481       Fixed keyboard accessibility of the Dropdown vue component

Library updates:

    TL-34352       Upgraded Video.js to 7.18.1

                   Please check any plugins you have installed or written on older versions of the
                   video.js plugin


Contributions:

    * Michael Geering at Kineo UK - TL-34297
    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 15.8 (28th June 2022):

Important:

    TL-33943       Fixed the "no indirect reports" rule

                   Previously, the "no indirect reports" rule for dynamic audiences was incorrect -
                   it targeted those users that had no immediate reports. When combined with a
                   direct report of at least 1 rule, it resulted in an empty audience. 
                   
                   This patch corrects the indirect report rule. However, it also means membership
                   in existing audiences that make use of this rule could unexpectedly change,
                   affecting course/program/certification enrolments  or perform activity
                   participants for example.


Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.


Performance improvements:

    TL-33272       Improved how regrading of courses is handled

                   When a course has more than 100 enrolments or 100 grade items, any regrading
                   necessary (such as adding a new activity or changing grade settings) will be
                   done on the next cron run rather than blocking page load. When this happens, a
                   message is displayed to the user to let them know that grades are being
                   recalculated.
                   
                   For smaller courses, the re-grade is done in real time. 
                   
                   This is a follow up to an earlier patch (TL-31570) which introduced background
                   regrading, but only when adding a new activity.

    TL-33363       Deleting an enrolment instance has been shifted to a background task

                   Previously when deleting an enrolment instance from a course, users would be
                   unenrolled immediately and then the instance would be deleted. If the number of
                   enrolled users was large, the page may take a long time to respond. 
                   
                   With this patch, the deletion is shifted into a background task run on the next
                   cron run.

    TL-34382       Improved performance for the user search when selecting performance activity participants

Improvements:

    TL-29549       Added displaying manual rating comments in the competency activity log

                   Comments that were added when manually rating a user's competency will now be
                   displayed in the user's activity log of that competency.

    TL-33491       Started recording any changed HR Import settings within the config log database table
    TL-33873       Page style improvements made on the 'your workspaces' page

                   Made several minor cosmetic improvements to the 'your workspaces' page such as
                   white spacing and content alignment

    TL-34228       Removed the separation of evidence shown in Record of Learning and the Evidence bank

                   There is no longer any separation of evidence items based on the type of the
                   evidence item. The same evidence type can now be used when uploading evidence
                   from csv files or when adding evidence items in the Evidence bank and all items
                   can now be shown in both the Record of Learning and Evidence bank reports.
                   
                   By default the Record of Learning report will be filtered to only show evidence
                   that was uploaded (i.e. their source is 'Completion history import'). Similarly
                   the Evidence bank reports will by default be filtered to only show evidence
                   items that were 'Manually created'. As this is a normal report filter, users can
                   change / clear the filter to show both uploaded and/or manually created items in
                   any one of these reports

    TL-34647       Improved warnings around making changes to facetoface_displaysessiontimezones

Bug fixes:

    TL-28799       Updated Weka to include a 'fake' cursor when between blocks

                   This is to provide consistency between the block nodes and regular text editing
                   in Weka. 

    TL-32891       Allowed report builder toolbar searches to be saved with no standard filters present

                   Previously, the 'Save this search' button only appeared in the standard filter
                   area, meaning that at least one standard filter needed to be enabled in order to
                   save a search.
                   
                   The save button is now displayed in the toolbar area when there are no standard
                   filters enabled for a report.

    TL-33429       Fixed featured links tile visibility settings when cloning a dashboard

                   Prior to this patch, when cloning a dashboard, featured links blocks lost any
                   additional visibility restrictions which had been added to a tile. This means
                   that if a tile had been limited to a specific audience on the original
                   dashboard, the tile on the cloned dashboard would be visible to everybody.
                   
                   With this fix, the audience visibility rules for the clone are now consistent
                   with the original dashboard.

    TL-34129       Restored evidence imported before migration to their previously used types

                   The original migration of imported evidence items resulted in them belonging to
                   a single 'Legacy course/certification completion import' system type with the
                   original type name stored as a custom field value.
                   
                   Previously migrated imported evidence is now restored to belong to their
                   original evidence type.
                   
                   First time migration will automatically link imported evidence to the correct
                   type.

    TL-34144       Fixed Room Name (linked to room details page) column in Seminar reports

                   The link did not include information about the session, so when it was followed
                   the Custom virtual room link did not display correctly. This has been fixed.

    TL-34167       Fixed Organisation Framework filters using MySQL reserved word
    TL-34235       Set course enrolment date when user is enrolled through Programs or Learning plans
    TL-34241       Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification

                   When attempting to push notifications to a mobile device, all the mobile devices
                   associated with the recipient are fetched and looped through. Previously if one
                   of the FCM tokens for a device was not valid, it would be invalidated and the
                   loop would be broken, leading to other devices potentially not receiving that
                   notification. Now the token is marked as invalid and the loop continues so that
                   all devices with a valid FCM token will receive the push notification.

    TL-34244       Fixed videoJS controls in RTL languages

                   Fixed videoJS controls in RTL languages so that the play scroller now moves in
                   the expected direction.

    TL-34248       Fixed double quote character encoding for Program name report builder column when exporting the data into Excel
    TL-34297       Ensured report builder report created event is triggered when creating from template
    TL-34298       Fixed perform activity static content editing error

                   Previously, when a static element was added as a sub element for a linked review
                   question, there would be an error when you tried to edit after first creating
                   it.
                   
                   This patch fixes the error.

    TL-34321       Fixed the context of audience role assignments when the audience is moved

                   Previously if a category level audience had roles assigned, and was moved to a
                   different category, existing role assignments stayed in the original category
                   context. Now the roles will update to the new category context when the audience
                   is moved.

    TL-34329       Fixed the position due date link when using the legacy program assignment interface
    TL-34364       Trigger on-event certification window open notifications at the correct time

                   Previously, on-event window open notifications were being triggered when a
                   recertification window opened, rather than when the window was supposed to open.
                   This led to unexpected behaviour when the opening of a recertification window
                   was delayed due to the user being unassigned or suspended. Also, the
                   notification was not sent if the certification window was open, which meant that
                   the notification would never be sent if it was scheduled to be sent after the
                   window open date. The expected behaviour is to always send the notification at a
                   date relative to the window open date, regardless of certification status. Note
                   that if a user is unassigned or suspended at the time this notification is due
                   to be sent, then the notification will not be sent retroactively.

    TL-34403       Prevented the import of evidence for the deleted users

                   Prior to this patch, evidence could be uploaded for deleted users when the
                   legacy delete option "Keep username, email and ID number (legacy)" is used. This
                   is no longer allowed.

    TL-34541       Fixed manager's link to program in notifications
    TL-34552       Disable caching in reports that do visibility checks

                   Report sources that have been identified as doing visibility checks have been
                   updated to remove the option to be cached. Cached data based on those reports
                   sources will be removed upon upgrade.
                   
                   Any custom report sources which use the post_config_visibility_where function in
                   their post_config should also be updated to prevent caching.

    TL-34564       Ensured links on user profile display with correct formatting
    TL-34704       Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:

    TL-32931       Updated behat to support PHP 8.0
    TL-33278       Avoid using required column to allow visibility checks in report builder

                   Previously, in order to perform visibility checks in reports, we obtained the
                   data needed by defining required columns which were columns that, although not
                   visible, were present in the report. However it was noted they were interfering
                   with aggregation, giving unexpected results.
                   
                   Now, "required joins" have been added in order to perform this task. The
                   information to do the visibility check is still present, but should not
                   interfere with aggregation.
                   
                   All applicable report sources have been updated to use the new
                   define_requiredjoins function.
                   
                   Please note that custom report sources that use the old way of requiring columns
                   shouldn't be affected by this change, but we recommend that they are updated to
                   use define_requiredjoins to get the correct result when using aggregation.


Tui front end framework:

    TL-26667       An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages
    TL-34385       Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.
    TL-34481       Fixed keyboard accessibility of the Dropdown vue component

Library updates:

    TL-34352       Upgraded Video.js to 7.18.1

                   Please check any plugins you have installed or written on older versions of the
                   video.js plugin


Contributions:

    * Michael Geering at Kineo UK - TL-34297
    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 14.13 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.


Performance improvements:

    TL-33272       Improved how regrading of courses is handled

                   When a course has more than 100 enrolments or 100 grade items, any regrading
                   necessary (such as adding a new activity or changing grade settings) will be
                   done on the next cron run rather than blocking page load. When this happens, a
                   message is displayed to the user to let them know that grades are being
                   recalculated.
                   
                   For smaller courses, the re-grade is done in real time. 
                   
                   This is a follow up to an earlier patch (TL-31570) which introduced background
                   regrading, but only when adding a new activity.

    TL-33363       Deleting an enrolment instance has been shifted to a background task

                   Previously when deleting an enrolment instance from a course, users would be
                   unenrolled immediately and then the instance would be deleted. If the number of
                   enrolled users was large, the page may take a long time to respond. 
                   
                   With this patch, the deletion is shifted into a background task run on the next
                   cron run.

    TL-34382       Improved performance for the user search when selecting performance activity participants

Improvements:

    TL-29549       Added displaying manual rating comments in the competency activity log

                   Comments that were added when manually rating a user's competency will now be
                   displayed in the user's activity log of that competency.

    TL-33491       Started recording any changed HR Import settings within the config log database table
    TL-34228       Removed the separation of evidence shown in Record of Learning and the Evidence bank

                   There is no longer any separation of evidence items based on the type of the
                   evidence item. The same evidence type can now be used when uploading evidence
                   from csv files or when adding evidence items in the Evidence bank and all items
                   can now be shown in both the Record of Learning and Evidence bank reports.
                   
                   By default the Record of Learning report will be filtered to only show evidence
                   that was uploaded (i.e. their source is 'Completion history import'). Similarly
                   the Evidence bank reports will by default be filtered to only show evidence
                   items that were 'Manually created'. As this is a normal report filter, users can
                   change / clear the filter to show both uploaded and/or manually created items in
                   any one of these reports

    TL-34647       Improved warnings around making changes to facetoface_displaysessiontimezones

Bug fixes:

    TL-28799       Updated Weka to include a 'fake' cursor when between blocks

                   This is to provide consistency between the block nodes and regular text editing
                   in Weka. 

    TL-32891       Allowed report builder toolbar searches to be saved with no standard filters present

                   Previously, the 'Save this search' button only appeared in the standard filter
                   area, meaning that at least one standard filter needed to be enabled in order to
                   save a search.
                   
                   The save button is now displayed in the toolbar area when there are no standard
                   filters enabled for a report.

    TL-33429       Fixed featured links tile visibility settings when cloning a dashboard

                   Prior to this patch, when cloning a dashboard, featured links blocks lost any
                   additional visibility restrictions which had been added to a tile. This means
                   that if a tile had been limited to a specific audience on the original
                   dashboard, the tile on the cloned dashboard would be visible to everybody.
                   
                   With this fix, the audience visibility rules for the clone are now consistent
                   with the original dashboard.

    TL-34129       Restored evidence imported before migration to their previously used types

                   The original migration of imported evidence items resulted in them belonging to
                   a single 'Legacy course/certification completion import' system type with the
                   original type name stored as a custom field value.
                   
                   Previously migrated imported evidence is now restored to belong to their
                   original evidence type.
                   
                   First time migration will automatically link imported evidence to the correct
                   type.

    TL-34144       Fixed Room Name (linked to room details page) column in Seminar reports

                   The link did not include information about the session, so when it was followed
                   the Custom virtual room link did not display correctly. This has been fixed.

    TL-34167       Fixed Organisation Framework filters using MySQL reserved word
    TL-34235       Set course enrolment date when user is enrolled through Programs or Learning plans
    TL-34241       Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification

                   When attempting to push notifications to a mobile device, all the mobile devices
                   associated with the recipient are fetched and looped through. Previously if one
                   of the FCM tokens for a device was not valid, it would be invalidated and the
                   loop would be broken, leading to other devices potentially not receiving that
                   notification. Now the token is marked as invalid and the loop continues so that
                   all devices with a valid FCM token will receive the push notification.

    TL-34244       Fixed videoJS controls in RTL languages

                   Fixed videoJS controls in RTL languages so that the play scroller now moves in
                   the expected direction.

    TL-34248       Fixed double quote character encoding for Program name report builder column when exporting the data into Excel
    TL-34297       Ensured report builder report created event is triggered when creating from template
    TL-34298       Fixed perform activity static content editing error

                   Previously, when a static element was added as a sub element for a linked review
                   question, there would be an error when you tried to edit after first creating
                   it.
                   
                   This patch fixes the error.

    TL-34321       Fixed the context of audience role assignments when the audience is moved

                   Previously if a category level audience had roles assigned, and was moved to a
                   different category, existing role assignments stayed in the original category
                   context. Now the roles will update to the new category context when the audience
                   is moved.

    TL-34329       Fixed the position due date link when using the legacy program assignment interface
    TL-34364       Trigger on-event certification window open notifications at the correct time

                   Previously, on-event window open notifications were being triggered when a
                   recertification window opened, rather than when the window was supposed to open.
                   This led to unexpected behaviour when the opening of a recertification window
                   was delayed due to the user being unassigned or suspended. Also, the
                   notification was not sent if the certification window was open, which meant that
                   the notification would never be sent if it was scheduled to be sent after the
                   window open date. The expected behaviour is to always send the notification at a
                   date relative to the window open date, regardless of certification status. Note
                   that if a user is unassigned or suspended at the time this notification is due
                   to be sent, then the notification will not be sent retroactively.

    TL-34403       Prevented the import of evidence for the deleted users

                   Prior to this patch, evidence could be uploaded for deleted users when the
                   legacy delete option "Keep username, email and ID number (legacy)" is used. This
                   is no longer allowed.

    TL-34541       Fixed manager's link to program in notifications
    TL-34552       Disable caching in reports that do visibility checks

                   Report sources that have been identified as doing visibility checks have been
                   updated to remove the option to be cached. Cached data based on those reports
                   sources will be removed upon upgrade.
                   
                   Any custom report sources which use the post_config_visibility_where function in
                   their post_config should also be updated to prevent caching.

    TL-34564       Ensured links on user profile display with correct formatting
    TL-34704       Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:

    TL-33278       Avoid using required column to allow visibility checks in report builder

                   Previously, in order to perform visibility checks in reports, we obtained the
                   data needed by defining required columns which were columns that, although not
                   visible, were present in the report. However it was noted they were interfering
                   with aggregation, giving unexpected results.
                   
                   Now, "required joins" have been added in order to perform this task. The
                   information to do the visibility check is still present, but should not
                   interfere with aggregation.
                   
                   All applicable report sources have been updated to use the new
                   define_requiredjoins function.
                   
                   Please note that custom report sources that use the old way of requiring columns
                   shouldn't be affected by this change, but we recommend that they are updated to
                   use define_requiredjoins to get the correct result when using aggregation.


Tui front end framework:

    TL-26667       An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages
    TL-34385       Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.
    TL-34481       Fixed keyboard accessibility of the Dropdown vue component

Library updates:

    TL-34352       Upgraded Video.js to 7.18.1

                   Please check any plugins you have installed or written on older versions of the
                   video.js plugin


Contributions:

    * Michael Geering at Kineo UK - TL-34297
    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 13.21 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.


Performance improvements:

    TL-33272       Improved how regrading of courses is handled

                   When a course has more than 100 enrolments or 100 grade items, any regrading
                   necessary (such as adding a new activity or changing grade settings) will be
                   done on the next cron run rather than blocking page load. When this happens, a
                   message is displayed to the user to let them know that grades are being
                   recalculated.
                   
                   For smaller courses, the re-grade is done in real time. 
                   
                   This is a follow up to an earlier patch (TL-31570) which introduced background
                   regrading, but only when adding a new activity.

    TL-33363       Deleting an enrolment instance has been shifted to a background task

                   Previously when deleting an enrolment instance from a course, users would be
                   unenrolled immediately and then the instance would be deleted. If the number of
                   enrolled users was large, the page may take a long time to respond. 
                   
                   With this patch, the deletion is shifted into a background task run on the next
                   cron run.

    TL-34382       Improved performance for the user search when selecting performance activity participants

Improvements:

    TL-29549       Added displaying manual rating comments in the competency activity log

                   Comments that were added when manually rating a user's competency will now be
                   displayed in the user's activity log of that competency.

    TL-33491       Started recording any changed HR Import settings within the config log database table
    TL-34228       Removed the separation of evidence shown in Record of Learning and the Evidence bank

                   There is no longer any separation of evidence items based on the type of the
                   evidence item. The same evidence type can now be used when uploading evidence
                   from csv files or when adding evidence items in the Evidence bank and all items
                   can now be shown in both the Record of Learning and Evidence bank reports.
                   
                   By default the Record of Learning report will be filtered to only show evidence
                   that was uploaded (i.e. their source is 'Completion history import'). Similarly
                   the Evidence bank reports will by default be filtered to only show evidence
                   items that were 'Manually created'. As this is a normal report filter, users can
                   change / clear the filter to show both uploaded and/or manually created items in
                   any one of these reports


Bug fixes:

    TL-32891       Allowed report builder toolbar searches to be saved with no standard filters present

                   Previously, the 'Save this search' button only appeared in the standard filter
                   area, meaning that at least one standard filter needed to be enabled in order to
                   save a search.
                   
                   The save button is now displayed in the toolbar area when there are no standard
                   filters enabled for a report.

    TL-34144       Fixed Room Name (linked to room details page) column in Seminar reports

                   The link did not include information about the session, so when it was followed
                   the Custom virtual room link did not display correctly. This has been fixed.

    TL-34167       Fixed Organisation Framework filters using MySQL reserved word
    TL-34241       Fixed the validation of multiple expired Firebase Cloud Messaging tokens while sending a push notification

                   When attempting to push notifications to a mobile device, all the mobile devices
                   associated with the recipient are fetched and looped through. Previously if one
                   of the FCM tokens for a device was not valid, it would be invalidated and the
                   loop would be broken, leading to other devices potentially not receiving that
                   notification. Now the token is marked as invalid and the loop continues so that
                   all devices with a valid FCM token will receive the push notification.

    TL-34244       Fixed videoJS controls in RTL languages

                   Fixed videoJS controls in RTL languages so that the play scroller now moves in
                   the expected direction.

    TL-34297       Ensured report builder report created event is triggered when creating from template
    TL-34321       Fixed the context of audience role assignments when the audience is moved

                   Previously if a category level audience had roles assigned, and was moved to a
                   different category, existing role assignments stayed in the original category
                   context. Now the roles will update to the new category context when the audience
                   is moved.

    TL-34342       Fixed custom seminar notifications not being sent.
    TL-34394       Fixed hero image for resources not being displayed for YouTube short-links
    TL-34403       Prevented the import of evidence for the deleted users

                   Prior to this patch, evidence could be uploaded for deleted users when the
                   legacy delete option "Keep username, email and ID number (legacy)" is used. This
                   is no longer allowed.

    TL-34541       Fixed manager's link to program in notifications
    TL-34552       Disable caching in reports that do visibility checks

                   Report sources that have been identified as doing visibility checks have been
                   updated to remove the option to be cached. Cached data based on those reports
                   sources will be removed upon upgrade.
                   
                   Any custom report sources which use the post_config_visibility_where function in
                   their post_config should also be updated to prevent caching.

    TL-34564       Ensured links on user profile display with correct formatting
    TL-34704       Fixed incorrect language string key for an unavailable course in the mobile app

Technical changes:

    TL-33278       Avoid using required column to allow visibility checks in report builder

                   Previously, in order to perform visibility checks in reports, we obtained the
                   data needed by defining required columns which were columns that, although not
                   visible, were present in the report. However it was noted they were interfering
                   with aggregation, giving unexpected results.
                   
                   Now, "required joins" have been added in order to perform this task. The
                   information to do the visibility check is still present, but should not
                   interfere with aggregation.
                   
                   All applicable report sources have been updated to use the new
                   define_requiredjoins function.
                   
                   Please note that custom report sources that use the old way of requiring columns
                   shouldn't be affected by this change, but we recommend that they are updated to
                   use define_requiredjoins to get the correct result when using aggregation.


Tui front end framework:

    TL-26667       An error is now thrown for invalid Tui CSS imports, eliminating the confusing in-browser error messages
    TL-34385       Updated the computeError method in FormField.vue to only return the error as a string to prevent an "Invalid Prop" Vue warning.
    TL-34481       Fixed keyboard accessibility of the Dropdown vue component

Contributions:

    * Michael Geering at Kineo UK - TL-34297
    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 12.44 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.

    TL-34742       Fixed XSS vulnerability on userpix index page (CVE-2019-3810)

                   It was possible for users to exploit an XSS vulnerability on the
                   userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.


Performance improvements:

    TL-33272       Improved how regrading of courses is handled

                   When a course has more than 100 enrolments or 100 grade items, any regrading
                   necessary (such as adding a new activity or changing grade settings) will be
                   done on the next cron run rather than blocking page load. When this happens, a
                   message is displayed to the user to let them know that grades are being
                   recalculated.
                   
                   For smaller courses, the re-grade is done in real time. 
                   
                   This is a follow up to an earlier patch (TL-31570) which introduced background
                   regrading, but only when adding a new activity.


Bug fixes:

    TL-34541       Fixed manager's link to program in notifications

Contributions:

    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 11.53 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.

    TL-34742       Fixed XSS vulnerability on userpix index page (CVE-2019-3810)

                   It was possible for users to exploit an XSS vulnerability on the
                   userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.


Bug fixes:

    TL-34541       Fixed manager's link to program in notifications

Contributions:

    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 10.56 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.

    TL-34742       Fixed XSS vulnerability on userpix index page (CVE-2019-3810)

                   It was possible for users to exploit an XSS vulnerability on the
                   userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.


Contributions:

    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 9.63 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.

    TL-34742       Fixed XSS vulnerability on userpix index page (CVE-2019-3810)

                   It was possible for users to exploit an XSS vulnerability on the
                   userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.


Contributions:

    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 2.9.63 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.

    TL-34742       Fixed XSS vulnerability on userpix index page (CVE-2019-3810)

                   It was possible for users to exploit an XSS vulnerability on the
                   userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.


Contributions:

    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 2.7.68 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.

    TL-34742       Fixed XSS vulnerability on userpix index page (CVE-2019-3810)

                   It was possible for users to exploit an XSS vulnerability on the
                   userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.


Contributions:

    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739

Release 2.6.85 (28th June 2022):

Security issues:

    TL-34739       Fixed remote code execution vulnerability in the 'Annotate PDF' assignment feedback plugin

                   A learner exploiting this vulnerability could upload a carefully-crafted file as
                   an assignment submission and run arbitrary shell commands on the server. 
                   
                   This only affects Totara instances with 'Annotate PDF' selected as the
                   assignment feedback plugin in system settings and ghostscript < 9.50 installed
                   on the server.

    TL-34742       Fixed XSS vulnerability on userpix index page (CVE-2019-3810)

                   It was possible for users to exploit an XSS vulnerability on the
                   userpix/index.php page. Note that Totara versions 13 and up were not vulnerable.


Contributions:

    * Reported by Nick Wojciechowski, CyberCX Fix and fix contributed by Alex Morris (Catalyst)  - TL-34739