Hello everyone,
The following versions of Totara Learn have now been released:
- Release 17.3
- Release 16.9
- Release 15.15
- Release 14.20
- Release 13.28
- Release 12.50
- Release 11.57
- Release 10.59
- Release 9.66
These versions do contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Carlos Jurado - Kineo UK - TL-36374
- Wajdi Bshara - Xtractor - TL-36335
Kind regards,
Release Team
Release 17.3 (30th January 2023):
Security issues:
- TL-36038 Fixed prototype pollution issue in tui/util
- TL-36117 Prevent blind SSRF in external tool activity
  While configuring an external tool activity, it was possible to initiate server-side requests to user-defined URLs. The responses were not visible to the user. The risk associated with this has been mitigated by only allowing these requests to go to public IP addresses. If private or restricted IP addresses need to be used while configuring this tool, addresses can be added to the $CFG->link_parser_allowed_hosts config setting in the config.php file.
- TL-36118 Sesskey no longer exposed in the request URL when editing a course announcement
- TL-36119 Fixed permission check when requesting to join workspaces
  Previously, privileged roles with specific configuration could request to join private hidden workspaces by modifying API requests. Permission checks have now been fixed to prevent this.
- TL-36245 Restricted sending emails to admins from the default Moodle 404 error page.
  Currently, any user, even a guest account, can submit the default Moodle 404 error page form, and there is no capability set up to restrict the behaviour. This patch adds a capability wrapper so the admin can control the behaviour.

New features:
- TL-28559 Added site administration tool to test outgoing email settings
  Settings > Server > Email > Test outgoing email settings allows the admin to send an email from Totara, with SMTP debugging information displayed.
- TL-33784 Scheduled user actions
  You can schedule actions to occur on users, using filters. This initial version allows you to delete users who are suspended for a certain amount of time, and optionally restrict by audience. In conjunction with configured purge types, this is designed to assist organisations in automating the deletion of user data in line with their own data retention policy and relevant GDPR requirements.
- TL-34972 Added a new show and hide input for client secrets
  Client secrets can now be viewed by clicking on the new 'Show/Hide' button on the API clients and OAuth2 provider details pages.
- TL-35991 Created new core component InputGroup to handle multiple use cases for password input field

Performance improvements:
- TL-36192 Updated user data query to convert username to lowercase prior to execution
  The user data query was querying with the username in a case-insensitive way; this change converts the username to lowercase prior to execution, which should improve the query's performance.
- TL-36204 Removed a needless check for new notifications happening at the start of each page
- TL-36206 Improved the performance of the Global Search API
  This patch improves the performance of the Global Search API in how it finds searchable areas.
- TL-36236 Optimised the query which removes orphaned competency assignment user records
  In some circumstances, this function was taking a long time to run and timing out. The SQL in the function was optimised.

Improvements:
- TL-34302 Added a scheduled task for deleting expired oauth2 access tokens from the database
- TL-34919 Disallowed API user to update locked fields without valid capability if fields are locked by auth plugin
- TL-35168 Added new after_require_login and after_config hooks
  There is a new hook at the end of the require_login() function "after_require_login" that can be used to customise the function. There is also a new hook at the end of setup.php "after_config" allowing customisations to be run as soon as possible after the config has been loaded.
- TL-35223 Added support for tenant isolation=on to user API
- TL-35315 Added custom field type property to core_user.custom_fields object
- TL-35483 Allow admin to approve requests that require role approval
- TL-35947 Added job assignments to core_user type for the external API
- TL-36134 Added support for tenant isolation to job assignments external API
- TL-36137 Added a description to the 'Enable comments' setting under 'Shared services settings'
- TL-36154 Added HTTP HEAD request support for files
- TL-36179 Improved error handling on tenant participant report page when opening the report without the required parameter
- TL-36187 Added additional languages support to LinkedIn Learning
- TL-36196 Cherry-picked MDL-64454: Admin screen should show warning if cron does not run frequently
  A new config option has been added to specify a maximum time elapsed since last cron run before showing the warning about running the cron on the admin pages. Previously it would show after 24 hours; this allows for more regular checks. Default setting is 200 seconds.
- TL-36208 Added CLI script that allows plugins to be programmatically uninstalled
  A new CLI script has been added at server/admin/cli/uninstall_plugins.php. It can be used to programmatically run the uninstall routines for plugins. It can also list plugins, including missing plugins which have been previously installed but which no longer have code in place.
- TL-36210 Redis cache store can now compress data before storage
  The Redis cache store now has a compression setting that allows a site to configure a Redis cache store to compress data before it is sent for storage. The options available are no compression, gzip compression, and zstandard compression (providing zstandard is available).
- TL-36217 Added a new event that is triggered when an admin uses the database search and replace tool
  Port of MDL-68193 / MDL-68276 to provide audit trail when values are replaced in the database.

Bug fixes:
- TL-33781 Fixed single quotation marks in notifications subject line
- TL-35175 Fixed PHP warnings for Moodle forms
- TL-35213 Fixed missing validation of custom field unique values in user upload
- TL-35306 Modified the order for Seminar attendance tracking in sessions dropdown
- TL-35342 Fixed gender specific language in lang strings
  Replaced various instances of the word "his" with "their" when referring to the user.
- TL-35343 HTML emails will use the plain text content if no dedicated HTML content was provided
- TL-35382 Fixed the Content-Disposition header for file download
- TL-35401 Fixed 'Trainer sessions details changed' seminar notification not being sent
- TL-35415 Sanitised sort order parameter in search_users() and get_users_listing()
  These two functions are not used in core, however they may be used by third party plugins or customisations. The functions have been deprecated at the same time.
- TL-35498 Prevented sending booking start and end date notifications when legacy notifications enabled
  The booking start date and booking end date centralised notifications were not observing the seminar legacy notification setting, causing these notifications to be sent even if the seminar was configured to use legacy notifications. Now, these notifications will only be sent if either the individual seminar or the seminar site setting is set to use centralised notifications.
- TL-35761 Fixed alias PDF file force download when using filesystem repository
- TL-35780 Removed adhoc task to close subject instances when activity has been deleted
- TL-35802 Fixed tenant theme favicons prior to login
- TL-35817 Fixed an undefined "forceview" variable in the external tool activity type
- TL-35851 Fixed memory issue on embedded evidence type report
- TL-35860 Changed icon in popup notifications related to forum module
- TL-35894 Removed user-to-user message settings dependency from the notification
  The core_message::mark_notification_read function is no longer interrupted by user-to-user messaging settings to allow it to work for the notifications sent via the 'site notification' delivery method.
- TL-35913 Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
- TL-35944 Fixed issue with program message paragraph formatting not maintained during the upgrade
  When the message contains line-breaks, it must be considered a separate paragraph. Otherwise, the line-break won't work with the weka editor after the migration.
- TL-35956 Fixed a crash when exporting reports in excel format.
  Previously, fields in reports that are numbers ending in a new line character would export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With this fix the behaviour is the same, and these reports can be exported as xlsx files.
- TL-35988 Fixed undefined variable in Record of Learning: Previous Certifications report
- TL-36054 Fixed incorrect capability checks occurring when a user resets their own course completion
  Prior to this fix, if a course contained an assignment and the user held the totara/core:archivemycompletion capability, then when they reset their course completion they would get an error about missing mod/assign:grade capability. This has been fixed. The mod/assign:grade capability is not required when a user who has the totara/core:archivemycompletion capability is resetting their course completion.
- TL-36098 Fixed display of the your workspaces interface when the user has lost access to the last workspace they entered
- TL-36099 Added clarification to the help text on the 'upload course records' page around evidence records
- TL-36116 Fixed missing captions in report builder tables to improve screen reader compatibility
- TL-36121 Fixed by when displaying users enrolled in a course without any roles
- TL-36126 Fixed add attendees capability when seminar event is over
  When a seminar event is over and a user does not have the "Ability to signup people on past events" capability, then the "Add users", "Add users via file upload" and "Add users via list of IDs" options will be removed from "Add attendees" actions.
- TL-36128 Resolved response_debug parameter resetting if no value is provided
- TL-36136 Prevent tenant user with system capability from editing users in a different tenant
  Tenant users should not be able to edit users from a different tenancy, but prior to this patch a tenant user with 'moodle/user:update' capability in the system context could do so in some situations. This has been fixed.
- TL-36138 Fixed that adding text area custom course field in notification adds html tags to notification
- TL-36155 Added a check for existing record in recommender interactions table before inserting a new one
- TL-36185 Removed usages of get_magic_quotes_gpc() function
  The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP version 5.4 and the get_magic_quotes_gpc() function always returns false. To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of this function have been removed.
- TL-36335 Fixed incorrectly formatted SQL ORDER BY in job assignments API
- TL-36336 Fixed crash with invalid timezones on PHP 8.1.14
  In previous versions of PHP it was possible to set user timezones to non-standard values such as Etc/GMT+2 via HR Import. These timezones did work, but PHP has warned they are unreliable. In PHP 8.1.14 these timezones stopped working, and any user with that style timezone set will crash upon logging in. With this patch, if you are running PHP 8.1.14 these invalid timezones will be substituted for the equivalent location timezone to allow users to log in. In all cases you can check if users have invalid timezones set by accessing the Site administration > Localisation > User timezone check page and updating them in bulk there.
- TL-36348 Fixed bug resulting in full site cache being purged when a course is deleted
- TL-36374 Fixed slow query that counts the number of unread conversations
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks
- TL-36422 Fixed the issue where an external respondent viewed a page for a performance activity, and the subject user profileimagealt field had a null value
- TL-36428 Updated 'display_string_params' field type from 'notification_event_log' table to 'text'
  The field type of 'display_string_params' in table 'notification_event_log' was causing failures when the value was too long. The 'display_string_params' field type has been updated to 'text'.
- TL-36123 Improved the styling of the 'your progress' element on the course page to prevent it being hidden behind topic headers
- TL-36337 Fixed accessibility of Show/Hide button in OAuth 2 provider details

Database upgrades:
- TL-36237 Introduced index for suspended column on user table

Tui front end framework:
- TL-36239 Fixed audience adder being cut off in Safari 13.1
- TL-36251 Fixed issue where buttons in dropdowns would not get separators applied

Contributions:
- Carlos Jurado - Kineo UK - TL-36374
- Wajdi Bshara - Xtractor - TL-36335
Release 16.9 (30th January 2023):
Security issues:
- TL-36038 Fixed prototype pollution issue in tui/util
- TL-36117 Prevent blind SSRF in external tool activity
  While configuring an external tool activity, it was possible to initiate server-side requests to user-defined URLs. The responses were not visible to the user. The risk associated with this has been mitigated by only allowing these requests to go to public IP addresses. If private or restricted IP addresses need to be used while configuring this tool, addresses can be added to the $CFG->link_parser_allowed_hosts config setting in the config.php file.
- TL-36118 Sesskey no longer exposed in the request URL when editing a course announcement
- TL-36119 Fixed permission check when requesting to join workspaces
  Previously, privileged roles with specific configuration could request to join private hidden workspaces by modifying API requests. Permission checks have now been fixed to prevent this.
- TL-36245 Restricted sending emails to admins from the default Moodle 404 error page.
  Currently, any user, even a guest account, can submit the default Moodle 404 error page form, and there is no capability set up to restrict the behaviour. This patch adds a capability wrapper so the admin can control the behaviour.

Performance improvements:
- TL-36236 Optimised the query which removes orphaned competency assignment user records
  In some circumstances, this function was taking a long time to run and timing out. The SQL in the function was optimised.

Improvements:
- TL-34302 Added a scheduled task for deleting expired oauth2 access tokens from the database
- TL-35483 Allow admin to approve requests that require role approval
- TL-36179 Improved error handling on tenant participant report page when opening the report without the required parameter
- TL-36187 Added additional languages support to LinkedIn Learning

Bug fixes:
- TL-33781 Fixed single quotation marks in notifications subject line
- TL-35175 Fixed PHP warnings for Moodle forms
- TL-35213 Fixed missing validation of custom field unique values in user upload
- TL-35306 Modified the order for Seminar attendance tracking in sessions dropdown
- TL-35342 Fixed gender specific language in lang strings
  Replaced various instances of the word "his" with "their" when referring to the user.
- TL-35343 HTML emails will use the plain text content if no dedicated HTML content was provided
- TL-35382 Fixed the Content-Disposition header for file download
  Also upgraded library box/spout to a 3.3.0 forked version, backport of TL-34417. No code changes should be necessary.
- TL-35401 Fixed 'Trainer sessions details changed' seminar notification not being sent
- TL-35415 Sanitised sort order parameter in search_users() and get_users_listing()
  These two functions are not used in core, however they may be used by third party plugins or customisations. The functions have been deprecated at the same time.
- TL-35498 Prevented sending booking start and end date notifications when legacy notifications enabled
  The booking start date and booking end date centralised notifications were not observing the seminar legacy notification setting, causing these notifications to be sent even if the seminar was configured to use legacy notifications. Now, these notifications will only be sent if either the individual seminar or the seminar site setting is set to use centralised notifications.
- TL-35761 Fixed alias PDF file force download when using filesystem repository
- TL-35780 Removed adhoc task to close subject instances when activity has been deleted
- TL-35802 Fixed tenant theme favicons prior to login
- TL-35817 Fixed an undefined "forceview" variable in the external tool activity type
- TL-35851 Fixed memory issue on embedded evidence type report
- TL-35860 Changed icon in popup notifications related to forum module
- TL-35894 Removed user-to-user message settings dependency from the notification
  The core_message::mark_notification_read function is no longer interrupted by user-to-user messaging settings to allow it to work for the notifications sent via the 'site notification' delivery method.
- TL-35913 Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
- TL-35944 Fixed issue with program message paragraph formatting not maintained during the upgrade
  When the message contains line-breaks, it must be considered a separate paragraph. Otherwise, the line-break won't work with the weka editor after the migration.
- TL-35956 Fixed a crash when exporting reports in excel format.
  Previously, fields in reports that are numbers ending in a new line character would export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With this fix the behaviour is the same, and these reports can be exported as xlsx files.
- TL-35988 Fixed undefined variable in Record of Learning: Previous Certifications report
- TL-36054 Fixed incorrect capability checks occurring when a user resets their own course completion
  Prior to this fix, if a course contained an assignment and the user held the totara/core:archivemycompletion capability, then when they reset their course completion they would get an error about missing mod/assign:grade capability. This has been fixed. The mod/assign:grade capability is not required when a user who has the totara/core:archivemycompletion capability is resetting their course completion.
- TL-36099 Added clarification to the help text on the 'upload course records' page around evidence records
- TL-36116 Fixed missing captions in report builder tables to improve screen reader compatibility
- TL-36121 Fixed by when displaying users enrolled in a course without any roles
- TL-36126 Fixed add attendees capability when seminar event is over
  When a seminar event is over and a user does not have the "Ability to signup people on past events" capability, then the "Add users", "Add users via file upload" and "Add users via list of IDs" options will be removed from "Add attendees" actions.
- TL-36138 Fixed that adding text area custom course field in notification adds html tags to notification
- TL-36155 Added a check for existing record in recommender interactions table before inserting a new one
- TL-36185 Removed usages of get_magic_quotes_gpc() function
  The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP version 5.4 and the get_magic_quotes_gpc() function always returns false. To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of this function have been removed.
- TL-36335 Fixed incorrectly formatted SQL ORDER BY in job assignments API
- TL-36348 Fixed bug resulting in full site cache being purged when a course is deleted
- TL-36374 Fixed slow query that counts the number of unread conversations
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks
- TL-36123 Improved the styling of the 'your progress' element on the course page to prevent it being hidden behind topic headers

Tui front end framework:
- TL-36239 Fixed audience adder being cut off in Safari 13.1

Contributions:
- Carlos Jurado - Kineo UK - TL-36374
- Wajdi Bshara - Xtractor - TL-36335
Release 15.15 (30th January 2023):
Security issues:
- TL-36038 Fixed prototype pollution issue in tui/util
- TL-36117 Prevent blind SSRF in external tool activity
  While configuring an external tool activity, it was possible to initiate server-side requests to user-defined URLs. The responses were not visible to the user. The risk associated with this has been mitigated by only allowing these requests to go to public IP addresses. If private or restricted IP addresses need to be used while configuring this tool, addresses can be added to the $CFG->link_parser_allowed_hosts config setting in the config.php file.
- TL-36118 Sesskey no longer exposed in the request URL when editing a course announcement
- TL-36245 Restricted sending emails to admins from the default Moodle 404 error page.
  Currently, any user, even a guest account, can submit the default Moodle 404 error page form, and there is no capability set up to restrict the behaviour. This patch adds a capability wrapper so the admin can control the behaviour.

Improvements:
- TL-34302 Added a scheduled task for deleting expired oauth2 access tokens from the database
- TL-35483 Allow admin to approve requests that require role approval
- TL-36179 Improved error handling on tenant participant report page when opening the report without the required parameter
- TL-36187 Added additional languages support to LinkedIn Learning

Bug fixes:
- TL-33781 Fixed single quotation marks in notifications subject line
- TL-35306 Modified the order for Seminar attendance tracking in sessions dropdown
- TL-35342 Fixed gender specific language in lang strings
  Replaced various instances of the word "his" with "their" when referring to the user.
- TL-35415 Sanitised sort order parameter in search_users() and get_users_listing()
  These two functions are not used in core, however they may be used by third party plugins or customisations. The functions have been deprecated at the same time.
- TL-35851 Fixed memory issue on embedded evidence type report
- TL-35894 Removed user-to-user message settings dependency from the notification
  The core_message::mark_notification_read function is no longer interrupted by user-to-user messaging settings to allow it to work for the notifications sent via the 'site notification' delivery method.
- TL-35913 Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
- TL-35944 Fixed issue with program message paragraph formatting not maintained during the upgrade
  When the message contains line-breaks, it must be considered a separate paragraph. Otherwise, the line-break won't work with the weka editor after the migration.
- TL-35956 Fixed a crash when exporting reports in excel format.
  Previously, fields in reports that are numbers ending in a new line character would export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With this fix the behaviour is the same, and these reports can be exported as xlsx files.
- TL-35988 Fixed undefined variable in Record of Learning: Previous Certifications report
- TL-36054 Fixed incorrect capability checks occurring when a user resets their own course completion
  Prior to this fix, if a course contained an assignment and the user held the totara/core:archivemycompletion capability, then when they reset their course completion they would get an error about missing mod/assign:grade capability. This has been fixed. The mod/assign:grade capability is not required when a user who has the totara/core:archivemycompletion capability is resetting their course completion.
- TL-36101 Custom titles for the user profile blocks are correctly displayed when overridden
- TL-36116 Fixed missing captions in report builder tables to improve screen reader compatibility
- TL-36121 Fixed by when displaying users enrolled in a course without any roles
- TL-36126 Fixed add attendees capability when seminar event is over
  When a seminar event is over and a user does not have the "Ability to signup people on past events" capability, then the "Add users", "Add users via file upload" and "Add users via list of IDs" options will be removed from "Add attendees" actions.
- TL-36155 Added a check for existing record in recommender interactions table before inserting a new one
- TL-36185 Removed usages of get_magic_quotes_gpc() function
  The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP version 5.4 and the get_magic_quotes_gpc() function always returns false. To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of this function have been removed.
- TL-36325 Fixed the current_coursets field in the mobile GraphQL program resolver
  Previously, when the current courseset for a program fetched via the mobile GraphQL calls contained 2 sets joined by an "and" condition, if the second set was completed before the first set then subsequent fetches would return the current courseset as empty. Subsequent queries will now return the first set, allowing further progress in the program. This is a backport of TL-34478.
- TL-36335 Fixed incorrectly formatted SQL ORDER BY in job assignments API
- TL-36348 Fixed bug resulting in full site cache being purged when a course is deleted
- TL-36374 Fixed slow query that counts the number of unread conversations
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks

Contributions:
- Carlos Jurado - Kineo UK - TL-36374
- Wajdi Bshara - Xtractor - TL-36335
Release 14.20 (30th January 2023):
Security issues:
- TL-36038 Fixed prototype pollution issue in tui/util
- TL-36117 Prevent blind SSRF in external tool activity
  While configuring an external tool activity, it was possible to initiate server-side requests to user-defined URLs. The responses were not visible to the user. The risk associated with this has been mitigated by only allowing these requests to go to public IP addresses. If private or restricted IP addresses need to be used while configuring this tool, addresses can be added to the $CFG->link_parser_allowed_hosts config setting in the config.php file.
- TL-36118 Sesskey no longer exposed in the request URL when editing a course announcement
- TL-36245 Restricted sending emails to admins from the default Moodle 404 error page.
  Currently, any user, even a guest account, can submit the default Moodle 404 error page form, and there is no capability set up to restrict the behaviour. This patch adds a capability wrapper so the admin can control the behaviour.

Improvements:
- TL-35483 Allow admin to approve requests that require role approval
- TL-36179 Improved error handling on tenant participant report page when opening the report without the required parameter

Bug fixes:
- TL-35306 Modified the order for Seminar attendance tracking in sessions dropdown
- TL-35342 Fixed gender specific language in lang strings
  Replaced various instances of the word "his" with "their" when referring to the user.
- TL-35851 Fixed memory issue on embedded evidence type report
- TL-35894 Removed user-to-user message settings dependency from the notification
  The core_message::mark_notification_read function is no longer interrupted by user-to-user messaging settings to allow it to work for the notifications sent via the 'site notification' delivery method.
- TL-35913 Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
- TL-35944 Fixed issue with program message paragraph formatting not maintained during the upgrade
  When the message contains line-breaks, it must be considered a separate paragraph. Otherwise, the line-break won't work with the weka editor after the migration.
- TL-35956 Fixed a crash when exporting reports in excel format.
  Previously, fields in reports that are numbers ending in a new line character would export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With this fix the behaviour is the same, and these reports can be exported as xlsx files.
- TL-35988 Fixed undefined variable in Record of Learning: Previous Certifications report
- TL-36101 Custom titles for the user profile blocks are correctly displayed when overridden
- TL-36116 Fixed missing captions in report builder tables to improve screen reader compatibility
- TL-36121 Fixed by when displaying users enrolled in a course without any roles
- TL-36185 Removed usages of get_magic_quotes_gpc() function
  The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP version 5.4 and the get_magic_quotes_gpc() function always returns false. To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of this function have been removed.
- TL-36325 Fixed the current_coursets field in the mobile GraphQL program resolver
  Previously, when the current courseset for a program fetched via the mobile GraphQL calls contained 2 sets joined by an "and" condition, if the second set was completed before the first set then subsequent fetches would return the current courseset as empty. Subsequent queries will now return the first set, allowing further progress in the program. This is a backport of TL-34478.
- TL-36335 Fixed incorrectly formatted SQL ORDER BY in job assignments API
- TL-36348 Fixed bug resulting in full site cache being purged when a course is deleted
- TL-36374 Fixed slow query that counts the number of unread conversations
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks

Contributions:
- Carlos Jurado - Kineo UK - TL-36374
- Wajdi Bshara - Xtractor - TL-36335
Release 13.28 (30th January 2023):
Security issues:
- TL-36038 Fixed prototype pollution issue in tui/util
- TL-36117 Prevent blind SSRF in external tool activity
  While configuring an external tool activity, it was possible to initiate server-side requests to user-defined URLs. The responses were not visible to the user. The risk associated with this has been mitigated by only allowing these requests to go to public IP addresses. If private or restricted IP addresses need to be used while configuring this tool, addresses can be added to the $CFG->link_parser_allowed_hosts config setting in the config.php file.
- TL-36118 Sesskey no longer exposed in the request URL when editing a course announcement
- TL-36245 Restricted sending emails to admins from the default Moodle 404 error page.
  Currently, any user, even a guest account, can submit the default Moodle 404 error page form, and there is no capability set up to restrict the behaviour. This patch adds a capability wrapper so the admin can control the behaviour.

Improvements:
- TL-36179 Improved error handling on tenant participant report page when opening the report without the required parameter

Bug fixes:
- TL-31761 Fixed broken tooltips on the competency graph
- TL-35306 Modified the order for Seminar attendance tracking in sessions dropdown
- TL-35342 Fixed gender specific language in lang strings
  Replaced various instances of the word "his" with "their" when referring to the user.
- TL-35851 Fixed memory issue on embedded evidence type report
- TL-35913 Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
- TL-35988 Fixed undefined variable in Record of Learning: Previous Certifications report
- TL-36101 Custom titles for the user profile blocks are correctly displayed when overridden
- TL-36116 Fixed missing captions in report builder tables to improve screen reader compatibility
- TL-36121 Fixed by when displaying users enrolled in a course without any roles
- TL-36185 Removed usages of get_magic_quotes_gpc() function
  The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP version 5.4 and the get_magic_quotes_gpc() function always returns false. To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of this function have been removed.
- TL-36325 Fixed the current_coursets field in the mobile GraphQL program resolver
  Previously, when the current courseset for a program fetched via the mobile GraphQL calls contained 2 sets joined by an "and" condition, if the second set was completed before the first set then subsequent fetches would return the current courseset as empty. Subsequent queries will now return the first set, allowing further progress in the program. This is a backport of TL-34478.
- TL-36335 Fixed incorrectly formatted SQL ORDER BY in job assignments API
- TL-36348 Fixed bug resulting in full site cache being purged when a course is deleted
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks

Contributions:
- Wajdi Bshara - Xtractor - TL-36335
Release 12.50 (30th January 2023):
Security issues:
- TL-36117 Prevent blind SSRF in external tool activity
  While configuring an external tool activity, it was possible to initiate server-side requests to user-defined URLs. The responses were not visible to the user. The risk associated with this has been mitigated by only allowing these requests to go to public IP addresses. If private or restricted IP addresses need to be used while configuring this tool, addresses can be added to the $CFG->link_parser_allowed_hosts config setting in the config.php file.
- TL-36245 Restricted sending emails to admins from the default Moodle 404 error page.
  Currently, any user, even a guest account, can submit the default Moodle 404 error page form, and there is no capability set up to restrict the behaviour. This patch adds a capability wrapper so the admin can control the behaviour.

Bug fixes:
- TL-35988 Fixed undefined variable in Record of Learning: Previous Certifications report
- TL-36335 Fixed incorrectly formatted SQL ORDER BY in job assignments API
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks

Contributions:
- Wajdi Bshara - Xtractor - TL-36335
Release 11.57 (30th January 2023):
Bug fixes:
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks
Release 10.59 (30th January 2023):
Bug fixes:
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks
Release 9.66 (30th January 2023):
Bug fixes:
- TL-36418 Fixed reporting of Throwable errors in scheduled tasks
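
The TL-36117 entry in the security issues above describes limiting server-side requests to public IP addresses, with an allowlist for private or restricted hosts. The Python example below is added here to illustrate that kind of destination check; it is not Totara's code and not part of the release notes, and the function names, the allowlist format (exact hostnames or IP literals) and the constructed DNS table are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample DNS answers so the example runs offline.
CONSTRUCTED_DNS = {
    "tool.example.org": ["93.184.216.34"],
    "intranet.example.test": ["10.0.0.5"],
    "mixed.example.test": ["93.184.216.34", "192.168.1.10"],
}


def resolve_constructed(host):
    """Stand-in resolver; a real deployment would query DNS here."""
    return CONSTRUCTED_DNS.get(host, [])


def _to_ip(text):
    """Parse an IP literal, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(text)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def check_destination(url, resolve=resolve_constructed, allowed_hosts=()):
    """Return (allowed, reason) for a server-side request to `url`.

    allowed_hosts is a hypothetical allowlist of exact hostnames or IP
    literals that may be reached even though they are not public.
    """
    allowed = {h.lower() for h in allowed_hosts}
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "no host in URL"
    if host in allowed:
        return True, "host is allowlisted"

    try:
        addresses = [_to_ip(host)]  # the URL already holds an IP literal
    except ValueError:
        addresses = [_to_ip(a) for a in resolve(host)]
    if not addresses:
        return False, "host does not resolve"

    # Every resolved address must be public: a single private record is
    # enough for the request to end up on an internal network.
    for ip in addresses:
        if str(ip) in allowed:
            continue
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    return True, "all addresses are public"


if __name__ == "__main__":
    for sample in (
        "https://tool.example.org/launch",
        "http://169.254.169.254/latest",
        "http://intranet.example.test/",
        "http://[::ffff:127.0.0.1]/",
        "http://mixed.example.test/",
    ):
        print(sample, check_destination(sample))
```

A check like this only holds if it is applied to the address the HTTP client actually connects to, and repeated for every redirect the client follows.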