Totara Release Notes

Totara TXP 17.2, 16.8, 15.14, 14.19, 13.27 and Totara Learn 12.49, 11.56, 10.58, 9.65, 2.9.64, 2.7.69, 2.6.86 are now available

 
David Curry (Core Developer)
Totara TXP 17.2, 16.8, 15.14, 14.19, 13.27 and Totara Learn 12.49, 11.56, 10.58, 9.65, 2.9.64, 2.7.69, 2.6.86 are now available
de David Curry (Core Developer) - Tuesday, 13 de December de 2022, 23:16
Grupo Totara

Hello everyone,

The following versions of Totara Learn have now been released:

Some of these versions do contain security fixes, and for this reason we strongly recommend taking a look.
Each release also includes various bug fixes and improvements.

Kind regards
Release Team

Release 17.2 (14th December 2022):

Security issues:

    TL-35199       Fixed an issue allowing an external API client with limited capability to access hidden user profile fields

                   The `moodle/user:viewalldetails` capability is now required for an external API
                   service account to query or mutate any custom user profile fields with
                   visibility set to 'Not visible' or 'Restricted visibility'. This brings the API
                   service in line with behaviour of the web interface for updating user profiles.


Improvements:

    TL-34846       Extended create/update user services to offer more password-related options

                   Boolean fields have been added to the create and update user mutations for
                   'force_password_change' and 'generate_password'.

    TL-35898       API client can now delete an existing user custom profile field value

                   This improvement adds a 'delete' flag to the 'custom_fields' per-field input for
                   the 'core_user_update_user' mutation, allowing an external API client to remove
                   custom user profile field values when updating a target user's profile.

    TL-35942       Added ability to change external API debug level setting per API client

                   Each API client can now have its own debug level setting.
                   
                   This introduces a breaking change in the pre- and post-request hooks that were
                   released with Totara 17.0. Hook instantiation now requires the
                   \totara_webapi\server instance to be passed as a third parameter.


Bug fixes:

    TL-35203       Added the location details to seminar calendar export ical

                   The location was not included as a field in the external calendar, and it won't
                   show in the iCal after export. As a part of this patch, location detail has been
                   added to the export iCal.

    TL-35432       Fixed folder downloading for cloud storage

                   When downloading a folder the system will now attempt to retrieve the file from
                   cloud storage if the files / subdirectories are missing prior to downloading the
                   zip of the folder.

    TL-35497       Fixed unique notification_event_log entries to include the event_data

                   Previously, it could happen that for the same type of event only one event_log
                   entry got created even if the event data is different. This has now been fixed.

    TL-35852       Fixed a bug in LinkedIn Learning Classification sync scheduled task that caused unused classifications to remain in the database
    TL-35952       Fixed the report builder Tui display component for the 'Performance Activity response reporting: Subject users' embedded report
    TL-36040       Fixed an error in the delete_workspace_task adhoc task when permissions for the user have changed since it got scheduled
    TL-36053       Fixed notification queues breaking on Errors

                   Previously the notification queues caught thrown Exceptions and continued to
                   send the rest of the messages in the queue. However an Error or other Throwable
                   would still break the queue. These have been updated to catch all Throwables, to
                   allow as many valid notifications to be sent as possible while logging all
                   invalid ones.

    TL-36086       Fixed being able to set a blank password in create/update user GraphQL mutations

Release 16.8 (14th December 2022):

Bug fixes:

    TL-35203       Added the location details to seminar calendar export ical

                   The location was not included as a field in the external calendar, and it won't
                   show in the iCal after export. As a part of this patch, location detail has been
                   added to the export iCal.

    TL-35432       Fixed folder downloading for cloud storage

                   When downloading a folder the system will now attempt to retrieve the file from
                   cloud storage if the files / subdirectories are missing prior to downloading the
                   zip of the folder.

    TL-35852       Fixed a bug in LinkedIn Learning Classification sync scheduled task that caused unused classifications to remain in the database
    TL-35952       Fixed the report builder Tui display component for the 'Performance Activity response reporting: Subject users' embedded report
    TL-36040       Fixed an error in the delete_workspace_task adhoc task when permissions for the user have changed since it got scheduled
    TL-36053       Fixed notification queues breaking on Errors

                   Previously the notification queues caught thrown Exceptions and continued to
                   send the rest of the messages in the queue. However an Error or other Throwable
                   would still break the queue. These have been updated to catch all Throwables, to
                   allow as many valid notifications to be sent as possible while logging all
                   invalid ones.


Release 15.14 (14th December 2022):

Bug fixes:

    TL-35203       Added the location details to seminar calendar export ical

                   The location was not included as a field in the external calendar, and it won't
                   show in the iCal after export. As a part of this patch, location detail has been
                   added to the export iCal.

    TL-35852       Fixed a bug in LinkedIn Learning Classification sync scheduled task that caused unused classifications to remain in the database
    TL-36053       Fixed notification queues breaking on Errors

                   Previously the notification queues caught thrown Exceptions and continued to
                   send the rest of the messages in the queue. However an Error or other Throwable
                   would still break the queue. These have been updated to catch all Throwables, to
                   allow as many valid notifications to be sent as possible while logging all
                   invalid ones.


Release 14.19 (14th December 2022):

Bug fixes:

    TL-35203       Added the location details to seminar calendar export ical

                   The location was not included as a field in the external calendar, and it won't
                   show in the iCal after export. As a part of this patch, location detail has been
                   added to the export iCal.

    TL-36053       Fixed notification queues breaking on Errors

                   Previously the notification queues caught thrown Exceptions and continued to
                   send the rest of the messages in the queue. However an Error or other Throwable
                   would still break the queue. These have been updated to catch all Throwables, to
                   allow as many valid notifications to be sent as possible while logging all
                   invalid ones.


Release 13.27 (14th December 2022):

Bug fixes:

    TL-35203       Added the location details to seminar calendar export ical

                   The location was not included as a field in the external calendar, and it won't
                   show in the iCal after export. As a part of this patch, location detail has been
                   added to the export iCal.


Release 12.49 (14th December 2022):

Bug fixes:

    TL-35203       Added the location details to seminar calendar export ical

                   The location was not included as a field in the external calendar, and it won't
                   show in the iCal after export. As a part of this patch, location detail has been
                   added to the export iCal.


Release 11.56 (14th December 2022):

Technical changes:

    TL-35374       \page_requirements_manager::js_call_amd() can now be called without specifying the 'function' parameter

Release 10.58 (14th December 2022):

Security issues:

    TL-35452       Hardened security around unserialize() calls in Totara 10 and earlier

                   This patch introduces a third party library which provides a polyfill to the
                   unserialize function. The polyfill provides the second argument introduced in
                   PHP 7 to limit the class names which should be accepted.
                   
                   All unserialize calls prone to this issue which have been fixed in later
                   versions of Totara have now been hardened by using the polyfill.


Release 9.65 (14th December 2022):

Security issues:

    TL-35452       Hardened security around unserialize() calls in Totara 10 and earlier

                   This patch introduces a third party library which provides a polyfill to the
                   unserialize function. The polyfill provides the second argument introduced in
                   PHP 7 to limit the class names which should be accepted.
                   
                   All unserialize calls prone to this issue which have been fixed in later
                   versions of Totara have now been hardened by using the polyfill.


Release 2.9.64 (14th December 2022):

Security issues:

    TL-35452       Hardened security around unserialize() calls in Totara 10 and earlier

                   This patch introduces a third party library which provides a polyfill to the
                   unserialize function. The polyfill provides the second argument introduced in
                   PHP 7 to limit the class names which should be accepted.
                   
                   All unserialize calls prone to this issue which have been fixed in later
                   versions of Totara have now been hardened by using the polyfill.


Release 2.7.69 (14th December 2022):

Security issues:

    TL-35452       Hardened security around unserialize() calls in Totara 10 and earlier

                   This patch introduces a third party library which provides a polyfill to the
                   unserialize function. The polyfill provides the second argument introduced in
                   PHP 7 to limit the class names which should be accepted.
                   
                   All unserialize calls prone to this issue which have been fixed in later
                   versions of Totara have now been hardened by using the polyfill.


Release 2.6.86 (14th December 2022):

Security issues:

    TL-35452       Hardened security around unserialize() calls in Totara 10 and earlier

                   This patch introduces a third party library which provides a polyfill to the
                   unserialize function. The polyfill provides the second argument introduced in
                   PHP 7 to limit the class names which should be accepted.
                   
                   All unserialize calls prone to this issue which have been fixed in later
                   versions of Totara have now been hardened by using the polyfill.