Totara Release Notes

Totara TXP 17.3, 16.9, 15.15, 14.20, 13.28 and Totara Learn 12.50, 11.57, 10.59, 9.66 are now available

 
Riana Rossouw
Totara TXP 17.3, 16.9, 15.15, 14.20, 13.28 and Totara Learn 12.50, 11.57, 10.59, 9.66 are now available
di Riana Rossouw - Sunday, 29 January 2023, 14:17
Gruppo Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

A big thanks to the following people for their contributions to this release:

  • Carlos Jurado - Kineo UK - TL-36374 
  • Wajdi Bshara - Xtractor - TL-36335

Kind regards Release Team

Release 17.3 (30th January 2023):

Security issues:

    TL-36038       Fixed prototype pollution issue in tui/util
    TL-36117       Prevent blind SSRF in external tool activity

                   While configuring an external tool activity, it was possible to initiate
                   server-side requests to user-defined URLs. The responses were not visible to the
                   user. The risk associated with this has been mitigated by only allowing these
                   requests to go to public IP addresses. If private or restricted IP addresses
                   need to be used while configuring this tool, addresses can be added to the
                   $CFG->link_parser_allowed_hosts config setting in the config.php file.

    TL-36118       Sesskey no longer exposed in the request URL when editing a course announcement
    TL-36119       Fixed permission check when requesting to join workspaces

                   Previously, privileged roles with specific configuration could request to join
                   private hidden workspaces by modifying API requests. Permission checks have now
                   been fixed to prevent this.

    TL-36245       Restricted sending emails to admins from the default Moodle 404 error page.

                   Currently, any user, even a guest account, can submit the default Moodle 404
                   error page form, and there is no capability set up to restrict the behaviour. 
                   This patch adds a capability wrapper so the admin can control the behaviour.


New features:

    TL-28559       Added site administration tool to test outgoing email settings

                   Settings > Server > Email > Test outgoing email settings allows the admin to
                   send an email from Totara, with SMTP debugging information displayed.

    TL-33784       Scheduled user actions

                   You can schedule actions to occur on users, using filters. This initial version
                   allows you to delete users who are suspended for a certain amount of time, and
                   optionally restrict by audience. In conjunction with configured purge types,
                   this is designed to assist organisations in automating the deletion of user data
                   in line with their own data retention policy and relevant GDPR requirements.

    TL-34972       Added a new show and hide input for client secrets

                   Client secrets can now be viewed by clicking on the new 'Show/Hide' button on
                   the API clients and OAuth2 provider details pages

    TL-35991       Created new core component InputGroup to handle multiple use cases for password input field

Performance improvements:

    TL-36192       Updated user data query to convert username to lowercase prior to execution

                   The user data query was querying with the username in a case-insensitive way,
                   this change converts the username to lowercase prior to execution which should
                   improve the query's performance.

    TL-36204       Removed a needless check for new notifications happening at the start of each page
    TL-36206       Improved the performance of the Global Search API

                   This patch improves the performance of the Global Search API in how it finds
                   searchable areas.

    TL-36236       Optimised the query which removes orphaned competency assignment user records

                   In some circumstances, this function was taking a long time to run and timing
                   out. The sql in the function was optimised.


Improvements:

    TL-34302       Added a scheduled task for deleting expired oauth2 access tokens from the database
    TL-34919       Disallowed api user to update locked fields without valid capability if fields are locked by auth plugin
    TL-35168       Added new after_require_login and after_config hooks

                   There is a new hook at the end of the require_login() function
                   "after_require_login" that can be used to customise the function.
                   
                   There is also a new hook at the end of setup.php "after_config" allowing
                   customisations to be run as soon as possible after the config has been loaded.

    TL-35223       Added support for tenant isolation=on to user API
    TL-35315       Added custom field type property to core_user.custom_fields object
    TL-35483       Allow admin approve requests that require role approval
    TL-35947       Added job assignments to core_user type for the external API
    TL-36134       Added support for tenant isolation to job assignments external API
    TL-36137       Added a description to the 'Enable comments'  setting under 'Shared services settings'
    TL-36154       Added HTTP HEAD request support for files
    TL-36179       Improved error handling on tenant participant report page when opening the report without the required paramater
    TL-36187       Added additional languages support to LinkedIn Learning
    TL-36196       Cherry-picked MDL-64454 : Admin screen should show warning if cron does not run frequently

                   A new config option has been added to specify a maximum time elapsed since last
                   cron run before showing the warning about running the cron on the admin pages.
                   Previously it would show after 24 hours, this allows for more regular checks.
                   Default setting is 200 seconds.

    TL-36208       Added CLI script that allows plugins to be programatically uninstalled

                   A new CLI script has been added at server/admin/cli/uninstall_plugins.php
                   It can be used to programmatically run the uninstall routines for plugins. 
                   It also can list plugins, including missing plugins which have been previously
                   installed, but which are no longer have code in place.

    TL-36210       Redis cache store can now compress data before storage

                   The Redis cache store now has a compression setting that allows a site to
                   configure a Redis cache store to compress data before it is sent for storage.
                   The options available are no compression, gzip compression, and zstandard
                   compression (providing zstandard is available).

    TL-36217       Added a new event that is triggered when an admin uses the database search and replace tool

                   Port of MDL-68193 / MDL-68276 to provide audit trail when values are replaced in
                   the database.


Bug fixes:

    TL-33781       Fixed single quotation marks in notifications subject line
    TL-35175       Fixed PHP warnings for Moodle forms
    TL-35213       Fixed missing validation of custom field unique values in user upload
    TL-35306       Modifed the order for Seminar attendance tracking in sessions dropdown
    TL-35342       Fixed gender specific language in lang strings

                   Replaced various instances of the word "his" with "their" when referring to the
                   user

    TL-35343       HTML emails will use the plain text content if no dedicated HTML content was provided
    TL-35382       Fixed the Content-Disposition header for file download
    TL-35401       Fixed 'Trainer sessions details changed' seminar notification not being sent
    TL-35415       Sanitised sort order parameter in search_users() and get_users_listing()

                   These two functions are not used in core, however they may be used by third
                   party plugins or customisations.
                   The functions have been deprecated at the same time.

    TL-35498       Prevented sending booking start and end date notifications when legacy notifications enabled

                   The booking start date and booking end date centralised notifications were not
                   observing the seminar legacy notification setting, causing these notifications
                   to be sent even if the seminar was configured to use legacy notifications. Now,
                   these notifications will only be sent if either the individual seminar or the
                   seminar site setting is set to use centralised notifications.

    TL-35761       Fixed alias PDF file forece download when using filesystem repository
    TL-35780       Removed adhoc task to close subject instances when activity has been deleted
    TL-35802       Fixed tenant theme favicons prior to login
    TL-35817       Fixed an undefined "forceview" variable in the external tool activity type
    TL-35851       Fixed memory issue on embedded evidence type report
    TL-35860       Changed icon in popup notifications related to forum module
    TL-35894       Removed user-to-user message settings dependency from the notification

                   The core_message::mark_notification_read function is no longer interrupted by
                   user-to-user messaging settings to allow it to work for the notifications sent
                   via the 'site notification' delivery method.

    TL-35913       Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
    TL-35944       Fixed issue with program message paragraph formatting not maintained during the upgrade

                   When the message contains line-breaks, it must be considered a separate
                   paragraph. Otherwise, the line-break won't work with the weka editor after the
                   migration.

    TL-35956       Fixed a crash when exporting reports in excel format.

                   Previous fields in reports that are numbers ending in a new line character would
                   export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With
                   this fix the behaviour is the same, and these reports can be exported as xlsx
                   files.

    TL-35988       Fixed undefined variable in Record of Learning: Previous Certifications report
    TL-36054       Fixed incorrect capability checks occuring when a user resets their own course completion

                   Prior to this fix, if a course contained an assignment and the user who held the
                   totara/core:archivemycompletion capability, then when they reset their course
                   completion they would get an error about missing mod/assign:grade capability.
                   This has been fixed. The mod/assign:grade capability is not required when a user
                   who has the totara/core:archivemycompletion capability is resetting their course
                   completion.

    TL-36098       Fixed display of the your workspaces interface when the user has lost access to the last workspace they entered
    TL-36099       Added clarification to the help text on the 'upload course records' page around evidence records
    TL-36116       Fixed missing captions in report builder tables to improve screen reader compatibility
    TL-36121       Fixed by when displaying users enrolled in a course without any roles
    TL-36126       Fixed add attendees capability when seminar event is over

                   When seminar event is over and a user does not have the "Ability to signup
                   people on past events" capability then "Add users", "Add users via file upload"
                   and "Add users via list of IDs" options will be removed from "Add attendees"
                   actions.

    TL-36128       Resolved response_debug parameter resetting if no value is provided
    TL-36136       Prevent tenant user with system capability from editing users in a different tenant

                   Tenant users should not be able to edit users from a different tenancy, but
                   prior to this patch a tenant user with 'moodle/user:update' capability in the
                   system context could do so in some situations. This has been fixed.

    TL-36138       Fixed that adding text area custom course field in notification adds html tags to notification
    TL-36155       Added a check for existing record in recommender interactions table before inserting a new one
    TL-36185       Removed usages of get_magic_quotes_gpc() function

                   The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got
                   removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP
                   version 5.4 and the get_magic_quotes_gpc() function always returns false.
                   
                   To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of
                   this function has been removed.

    TL-36335       Fixed incorrectly formatted SQL ORDER BY in job assignments API
    TL-36336       Fixed crash with invalid timezones on PHP 8.1.14

                   In previous versions of PHP it was possible to set user timezones to
                   non-standard values such as Etc/GMT+2 via HR Import. These timezones did work,
                   but PHP has warned they are unreliable. In PHP 8.1.14 these timezones stopped
                   working, and any user with that style timezone set will crash upon logging in.
                   
                   With this patch if you are running PHP 8.1.14 these invalid timezones will be
                   substituted for the equivalent location timezone to allow users to log in. In
                   all cases you can check if users have invalid timezones set by accessing the
                   Site administration > Localisation > User timezone check page and updating them
                   in bulk there.

    TL-36348       Fixed bug resulting in full site cache being purged when a course is deleted
    TL-36374       Fixed slow query that counts the number of unread conversations
    TL-36418       Fixed reporting of Throwable errors in scheduled tasks
    TL-36422       Fixed the issue where an external respondent viewed a page for a performance activity, and the subject user profileimagealt field had a null value
    TL-36428       Updated 'display_string_params' field type from 'notification_event_log' table to 'text'

                   The field type of 'display_string_params' in table 'notification_event_log' was
                   causing failures when the value was too long. The 'display_string_params' field
                   type has been updated to 'text'.

    TL-36123       Improved the styling of the 'your progress' element on the course page to prevent it being hidden behind topic headers
    TL-36337       Fixed accessibility of Show/Hide button in OAuth 2 provider details

Database upgrades:

    TL-36237       Introduced index for suspended column on user table

Tui front end framework:

    TL-36239       Fixed audience adder being cut off in Safari 13.1
    TL-36251       Fixed issue where buttons in dropdowns would not get separators applied

Contributions:

    * Carlos Jurado - Kineo UK - TL-36374
    * Wajdi Bshara - Xtractor - TL-36335

Release 16.9 (30th January 2023):

Security issues:

    TL-36038       Fixed prototype pollution issue in tui/util
    TL-36117       Prevent blind SSRF in external tool activity

                   While configuring an external tool activity, it was possible to initiate
                   server-side requests to user-defined URLs. The responses were not visible to the
                   user. The risk associated with this has been mitigated by only allowing these
                   requests to go to public IP addresses. If private or restricted IP addresses
                   need to be used while configuring this tool, addresses can be added to the
                   $CFG->link_parser_allowed_hosts config setting in the config.php file.

    TL-36118       Sesskey no longer exposed in the request URL when editing a course announcement
    TL-36119       Fixed permission check when requesting to join workspaces

                   Previously, privileged roles with specific configuration could request to join
                   private hidden workspaces by modifying API requests. Permission checks have now
                   been fixed to prevent this.

    TL-36245       Restricted sending emails to admins from the default Moodle 404 error page.

                   Currently, any user, even a guest account, can submit the default Moodle 404
                   error page form, and there is no capability set up to restrict the behaviour. 
                   This patch adds a capability wrapper so the admin can control the behaviour.


Performance improvements:

    TL-36236       Optimised the query which removes orphaned competency assignment user records

                   In some circumstances, this function was taking a long time to run and timing
                   out. The sql in the function was optimised.


Improvements:

    TL-34302       Added a scheduled task for deleting expired oauth2 access tokens from the database
    TL-35483       Allow admin approve requests that require role approval
    TL-36179       Improved error handling on tenant participant report page when opening the report without the required paramater
    TL-36187       Added additional languages support to LinkedIn Learning

Bug fixes:

    TL-33781       Fixed single quotation marks in notifications subject line
    TL-35175       Fixed PHP warnings for Moodle forms
    TL-35213       Fixed missing validation of custom field unique values in user upload
    TL-35306       Modifed the order for Seminar attendance tracking in sessions dropdown
    TL-35342       Fixed gender specific language in lang strings

                   Replaced various instances of the word "his" with "their" when referring to the
                   user

    TL-35343       HTML emails will use the plain text content if no dedicated HTML content was provided
    TL-35382       Fixed the Content-Disposition header for file download

                   Also upgraded library box/spout to a 3.3.0 forked version, backport of TL-34417.
                   No code changes should be necessary.

    TL-35401       Fixed 'Trainer sessions details changed' seminar notification not being sent
    TL-35415       Sanitised sort order parameter in search_users() and get_users_listing()

                   These two functions are not used in core, however they may be used by third
                   party plugins or customisations.
                   The functions have been deprecated at the same time.

    TL-35498       Prevented sending booking start and end date notifications when legacy notifications enabled

                   The booking start date and booking end date centralised notifications were not
                   observing the seminar legacy notification setting, causing these notifications
                   to be sent even if the seminar was configured to use legacy notifications. Now,
                   these notifications will only be sent if either the individual seminar or the
                   seminar site setting is set to use centralised notifications.

    TL-35761       Fixed alias PDF file forece download when using filesystem repository
    TL-35780       Removed adhoc task to close subject instances when activity has been deleted
    TL-35802       Fixed tenant theme favicons prior to login
    TL-35817       Fixed an undefined "forceview" variable in the external tool activity type
    TL-35851       Fixed memory issue on embedded evidence type report
    TL-35860       Changed icon in popup notifications related to forum module
    TL-35894       Removed user-to-user message settings dependency from the notification

                   The core_message::mark_notification_read function is no longer interrupted by
                   user-to-user messaging settings to allow it to work for the notifications sent
                   via the 'site notification' delivery method.

    TL-35913       Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
    TL-35944       Fixed issue with program message paragraph formatting not maintained during the upgrade

                   When the message contains line-breaks, it must be considered a separate
                   paragraph. Otherwise, the line-break won't work with the weka editor after the
                   migration.

    TL-35956       Fixed a crash when exporting reports in excel format.

                   Previous fields in reports that are numbers ending in a new line character would
                   export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With
                   this fix the behaviour is the same, and these reports can be exported as xlsx
                   files.

    TL-35988       Fixed undefined variable in Record of Learning: Previous Certifications report
    TL-36054       Fixed incorrect capability checks occuring when a user resets their own course completion

                   Prior to this fix, if a course contained an assignment and the user who held the
                   totara/core:archivemycompletion capability, then when they reset their course
                   completion they would get an error about missing mod/assign:grade capability.
                   This has been fixed. The mod/assign:grade capability is not required when a user
                   who has the totara/core:archivemycompletion capability is resetting their course
                   completion.

    TL-36099       Added clarification to the help text on the 'upload course records' page around evidence records
    TL-36116       Fixed missing captions in report builder tables to improve screen reader compatibility
    TL-36121       Fixed by when displaying users enrolled in a course without any roles
    TL-36126       Fixed add attendees capability when seminar event is over

                   When seminar event is over and a user does not have the "Ability to signup
                   people on past events" capability then "Add users", "Add users via file upload"
                   and "Add users via list of IDs" options will be removed from "Add attendees"
                   actions.

    TL-36138       Fixed that adding text area custom course field in notification adds html tags to notification
    TL-36155       Added a check for existing record in recommender interactions table before inserting a new one
    TL-36185       Removed usages of get_magic_quotes_gpc() function

                   The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got
                   removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP
                   version 5.4 and the get_magic_quotes_gpc() function always returns false.
                   
                   To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of
                   this function has been removed.

    TL-36335       Fixed incorrectly formatted SQL ORDER BY in job assignments API
    TL-36348       Fixed bug resulting in full site cache being purged when a course is deleted
    TL-36374       Fixed slow query that counts the number of unread conversations
    TL-36418       Fixed reporting of Throwable errors in scheduled tasks
    TL-36123       Improved the styling of the 'your progress' element on the course page to prevent it being hidden behind topic headers

Tui front end framework:

    TL-36239       Fixed audience adder being cut off in Safari 13.1

Contributions:

    * Carlos Jurado - Kineo UK - TL-36374
    * Wajdi Bshara - Xtractor - TL-36335

Release 15.15 (30th January 2023):

Security issues:

    TL-36038       Fixed prototype pollution issue in tui/util
    TL-36117       Prevent blind SSRF in external tool activity

                   While configuring an external tool activity, it was possible to initiate
                   server-side requests to user-defined URLs. The responses were not visible to the
                   user. The risk associated with this has been mitigated by only allowing these
                   requests to go to public IP addresses. If private or restricted IP addresses
                   need to be used while configuring this tool, addresses can be added to the
                   $CFG->link_parser_allowed_hosts config setting in the config.php file.

    TL-36118       Sesskey no longer exposed in the request URL when editing a course announcement
    TL-36245       Restricted sending emails to admins from the default Moodle 404 error page.

                   Currently, any user, even a guest account, can submit the default Moodle 404
                   error page form, and there is no capability set up to restrict the behaviour. 
                   This patch adds a capability wrapper so the admin can control the behaviour.


Improvements:

    TL-34302       Added a scheduled task for deleting expired oauth2 access tokens from the database
    TL-35483       Allow admin approve requests that require role approval
    TL-36179       Improved error handling on tenant participant report page when opening the report without the required paramater
    TL-36187       Added additional languages support to LinkedIn Learning

Bug fixes:

    TL-33781       Fixed single quotation marks in notifications subject line
    TL-35306       Modifed the order for Seminar attendance tracking in sessions dropdown
    TL-35342       Fixed gender specific language in lang strings

                   Replaced various instances of the word "his" with "their" when referring to the
                   user

    TL-35415       Sanitised sort order parameter in search_users() and get_users_listing()

                   These two functions are not used in core, however they may be used by third
                   party plugins or customisations.
                   The functions have been deprecated at the same time.

    TL-35851       Fixed memory issue on embedded evidence type report
    TL-35894       Removed user-to-user message settings dependency from the notification

                   The core_message::mark_notification_read function is no longer interrupted by
                   user-to-user messaging settings to allow it to work for the notifications sent
                   via the 'site notification' delivery method.

    TL-35913       Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
    TL-35944       Fixed issue with program message paragraph formatting not maintained during the upgrade

                   When the message contains line-breaks, it must be considered a separate
                   paragraph. Otherwise, the line-break won't work with the weka editor after the
                   migration.

    TL-35956       Fixed a crash when exporting reports in excel format.

                   Previous fields in reports that are numbers ending in a new line character would
                   export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With
                   this fix the behaviour is the same, and these reports can be exported as xlsx
                   files.

    TL-35988       Fixed undefined variable in Record of Learning: Previous Certifications report
    TL-36054       Fixed incorrect capability checks occuring when a user resets their own course completion

                   Prior to this fix, if a course contained an assignment and the user who held the
                   totara/core:archivemycompletion capability, then when they reset their course
                   completion they would get an error about missing mod/assign:grade capability.
                   This has been fixed. The mod/assign:grade capability is not required when a user
                   who has the totara/core:archivemycompletion capability is resetting their course
                   completion.

    TL-36101       Custom titles for the user profile blocks are correctly displayed when overridden
    TL-36116       Fixed missing captions in report builder tables to improve screen reader compatibility
    TL-36121       Fixed by when displaying users enrolled in a course without any roles
    TL-36126       Fixed add attendees capability when seminar event is over

                   When seminar event is over and a user does not have the "Ability to signup
                   people on past events" capability then "Add users", "Add users via file upload"
                   and "Add users via list of IDs" options will be removed from "Add attendees"
                   actions.

    TL-36155       Added a check for existing record in recommender interactions table before inserting a new one
    TL-36185       Removed usages of get_magic_quotes_gpc() function

                   The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got
                   removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP
                   version 5.4 and the get_magic_quotes_gpc() function always returns false.
                   
                   To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of
                   this function has been removed.

    TL-36325       Fixed the current_coursets field in the mobile GraphQL program resolver

                   Previously when the current courseset for a program fetched via the mobile
                   graphql calls contained 2 sets joined by an "and" condition, if the second set
                   was completed before the first set then subsequent fetches would return the
                   current courseset as empty. Subsequent queries will now return the first set
                   allowing further progress in the program.
                   
                   This is a backport of TL-34478.

    TL-36335       Fixed incorrectly formatted SQL ORDER BY in job assignments API
    TL-36348       Fixed bug resulting in full site cache being purged when a course is deleted
    TL-36374       Fixed slow query that counts the number of unread conversations
    TL-36418       Fixed reporting of Throwable errors in scheduled tasks

Contributions:

    * Carlos Jurado - Kineo UK - TL-36374
    * Wajdi Bshara - Xtractor - TL-36335

Release 14.20 (30th January 2023):

Security issues:

    TL-36038       Fixed prototype pollution issue in tui/util
    TL-36117       Prevent blind SSRF in external tool activity

                   While configuring an external tool activity, it was possible to initiate
                   server-side requests to user-defined URLs. The responses were not visible to the
                   user. The risk associated with this has been mitigated by only allowing these
                   requests to go to public IP addresses. If private or restricted IP addresses
                   need to be used while configuring this tool, addresses can be added to the
                   $CFG->link_parser_allowed_hosts config setting in the config.php file.

    TL-36118       Sesskey no longer exposed in the request URL when editing a course announcement
    TL-36245       Restricted sending emails to admins from the default Moodle 404 error page.

                   Currently, any user, even a guest account, can submit the default Moodle 404
                   error page form, and there is no capability set up to restrict the behaviour. 
                   This patch adds a capability wrapper so the admin can control the behaviour.


Improvements:

    TL-35483       Allow admin approve requests that require role approval
    TL-36179       Improved error handling on tenant participant report page when opening the report without the required paramater

Bug fixes:

    TL-35306       Modifed the order for Seminar attendance tracking in sessions dropdown
    TL-35342       Fixed gender specific language in lang strings

                   Replaced various instances of the word "his" with "their" when referring to the
                   user

    TL-35851       Fixed memory issue on embedded evidence type report
    TL-35894       Removed user-to-user message settings dependency from the notification

                   The core_message::mark_notification_read function is no longer interrupted by
                   user-to-user messaging settings to allow it to work for the notifications sent
                   via the 'site notification' delivery method.

    TL-35913       Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
    TL-35944       Fixed issue with program message paragraph formatting not maintained during the upgrade

                   When the message contains line-breaks, it must be considered a separate
                   paragraph. Otherwise, the line-break won't work with the weka editor after the
                   migration.

    TL-35956       Fixed a crash when exporting reports in excel format.

                   Previous fields in reports that are numbers ending in a new line character would
                   export in PHP 8 and in non-xlsx formats, but crash with the xlsx format. With
                   this fix the behaviour is the same, and these reports can be exported as xlsx
                   files.

    TL-35988       Fixed undefined variable in Record of Learning: Previous Certifications report
    TL-36101       Custom titles for the user profile blocks are correctly displayed when overridden
    TL-36116       Fixed missing captions in report builder tables to improve screen reader compatibility
    TL-36121       Fixed by when displaying users enrolled in a course without any roles
    TL-36185       Removed usages of get_magic_quotes_gpc() function

                   The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got
                   removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP
                   version 5.4 and the get_magic_quotes_gpc() function always returns false.
                   
                   To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of
                   this function has been removed.

    TL-36325       Fixed the current_coursets field in the mobile GraphQL program resolver

                   Previously when the current courseset for a program fetched via the mobile
                   graphql calls contained 2 sets joined by an "and" condition, if the second set
                   was completed before the first set then subsequent fetches would return the
                   current courseset as empty. Subsequent queries will now return the first set
                   allowing further progress in the program.
                   
                   This is a backport of TL-34478.

    TL-36335       Fixed incorrectly formatted SQL ORDER BY in job assignments API
    TL-36348       Fixed bug resulting in full site cache being purged when a course is deleted
    TL-36374       Fixed slow query that counts the number of unread conversations
    TL-36418       Fixed reporting of Throwable errors in scheduled tasks

Contributions:

    * Carlos Jurado - Kineo UK - TL-36374
    * Wajdi Bshara - Xtractor - TL-36335

Release 13.28 (30th January 2023):

Security issues:

    TL-36038       Fixed prototype pollution issue in tui/util
    TL-36117       Prevent blind SSRF in external tool activity

                   While configuring an external tool activity, it was possible to initiate
                   server-side requests to user-defined URLs. The responses were not visible to the
                   user. The risk associated with this has been mitigated by only allowing these
                   requests to go to public IP addresses. If private or restricted IP addresses
                   need to be used while configuring this tool, addresses can be added to the
                   $CFG->link_parser_allowed_hosts config setting in the config.php file.

    TL-36118       Sesskey no longer exposed in the request URL when editing a course announcement
    TL-36245       Restricted sending emails to admins from the default Moodle 404 error page.

                   Currently, any user, even a guest account, can submit the default Moodle 404
                   error page form, and there is no capability set up to restrict the behaviour. 
                   This patch adds a capability wrapper so the admin can control the behaviour.


Improvements:

    TL-36179       Improved error handling on tenant participant report page when opening the report without the required paramater

Bug fixes:

    TL-31761       Fixed broken tooltips on the competency graph
    TL-35306       Modifed the order for Seminar attendance tracking in sessions dropdown
    TL-35342       Fixed gender specific language in lang strings

                   Replaced various instances of the word "his" with "their" when referring to the
                   user

    TL-35851       Fixed memory issue on embedded evidence type report
    TL-35913       Cherry-picked MDL-67695: Use correct return structure for get_tool_proxies
    TL-35988       Fixed undefined variable in Record of Learning: Previous Certifications report
    TL-36101       Custom titles for the user profile blocks are correctly displayed when overridden
    TL-36116       Fixed missing captions in report builder tables to improve screen reader compatibility
    TL-36121       Fixed by when displaying users enrolled in a course without any roles
    TL-36185       Removed usages of get_magic_quotes_gpc() function

                   The PHP function get_magic_quotes_gpc() is deprecated since PHP 7.4 and got
                   removed in PHP 8.0. The related setting magic_quotes_gpc got removed with PHP
                   version 5.4 and the get_magic_quotes_gpc() function always returns false.
                   
                   To avoid debugging messages in PHP 7.4 or fatal errors in PHP 8 the usages of
                   this function has been removed.

    TL-36325       Fixed the current_coursets field in the mobile GraphQL program resolver

                   Previously when the current courseset for a program fetched via the mobile
                   graphql calls contained 2 sets joined by an "and" condition, if the second set
                   was completed before the first set then subsequent fetches would return the
                   current courseset as empty. Subsequent queries will now return the first set
                   allowing further progress in the program.
                   
                   This is a backport of TL-34478.

    TL-36335       Fixed incorrectly formatted SQL ORDER BY in job assignments API
    TL-36348       Fixed bug resulting in full site cache being purged when a course is deleted
    TL-36418       Fixed reporting of Throwable errors in scheduled tasks

Contributions:

    * Wajdi Bshara - Xtractor - TL-36335

Release 12.50 (30th January 2023):

Security issues:

    TL-36117       Prevent blind SSRF in external tool activity

                   While configuring an external tool activity, it was possible to initiate
                   server-side requests to user-defined URLs. The responses were not visible to the
                   user. The risk associated with this has been mitigated by only allowing these
                   requests to go to public IP addresses. If private or restricted IP addresses
                   need to be used while configuring this tool, addresses can be added to the
                   $CFG->link_parser_allowed_hosts config setting in the config.php file.

    TL-36245       Restricted sending emails to admins from the default Moodle 404 error page.

                   Currently, any user, even a guest account, can submit the default Moodle 404
                   error page form, and there is no capability set up to restrict the behaviour. 
                   This patch adds a capability wrapper so the admin can control the behaviour.


Bug fixes:

    TL-35988       Fixed undefined variable in Record of Learning: Previous Certifications report
    TL-36335       Fixed incorrectly formatted SQL ORDER BY in job assignments API
    TL-36418       Fixed reporting of Throwable errors in scheduled tasks

Contributions:

    * Wajdi Bshara - Xtractor - TL-36335

Release 11.57 (30th January 2023):

Bug fixes:

    TL-36418       Fixed reporting of Throwable errors in scheduled tasks

Release 10.59 (30th January 2023):

Bug fixes:

    TL-36418       Fixed reporting of Throwable errors in scheduled tasks

Release 9.66 (30th January 2023):

Bug fixes:

    TL-36418       Fixed reporting of Throwable errors in scheduled tasks