Totara Release Notes

Totara TXP 17.4, 16.10, 15.16, 14.21, 13.29 and Totara Learn 12.51 are now available

 
by David Curry (Core Developer) - Monday, 27 February 2023, 15:49

Hello everyone,

The following versions of Totara Learn have now been released:

Some of these versions do contain security fixes, and for this reason we strongly recommend upgrading. Each release also includes various bug fixes and improvements.

It is also recommended to read the TL-36400 changelog directly below, which introduces a config setting that will affect users installing and upgrading to versions 17.4 or higher.

Kind regards
Release Team

Release 17.4 (28th February 2023):

Important:

    TL-36400       Fixed unauthenticated users being able to view upgrade pages and trigger an upgrade

                   This patch disables web upgrade on sites that do not have an upgrade key
                   configured.
                   
                   In order to upgrade to this and future versions of Totara, please use the CLI
                   upgrade script (php server/admin/cli/upgrade.php) or set a value for
                   `$CFG->upgradekey` in config.php. You will need to enter the same key in the web
                   upgrade form.
                   
                   Note: This upgrade key will also be required for new installs run via the web
                   interface.
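
One way to set the upgrade key described in TL-36400 without writing the secret into config.php itself. This is an added example, not Totara's shipped configuration; the environment variable name `TOTARA_UPGRADE_KEY` and the 16-character minimum are assumptions of the example.

```php
<?php
// config.php excerpt. Added example, not Totara's shipped configuration.
// TOTARA_UPGRADE_KEY is a hypothetical environment variable name, and the
// 16-character minimum is an assumption of this example, not a Totara rule.

// config.php already creates $CFG; this line only lets the excerpt run alone.
$CFG = $CFG ?? new stdClass();

$key = getenv('TOTARA_UPGRADE_KEY');

if (is_string($key) && strlen($key) >= 16) {
    // The same value must be entered in the web upgrade (or web install) form.
    $CFG->upgradekey = $key;
}
// Otherwise the key stays unset: web upgrade remains disabled and upgrades are
// run with the CLI script, php server/admin/cli/upgrade.php.

unset($key);
```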


Security issues:

    TL-35501       Limited the amount of results for message area user search external function

                   To mitigate the risk of denial of service, changes have been made to the
                   external function 'core_message_data_for_messagearea_search_users' regarding the
                   validation of the optional 'limitnum' parameter:
                   
                   - The maximum possible value for the parameter is set to a default of 20, but
                   can be overridden by setting a different value in config.php for
                   $CFG->message_area_search_max_limitnum. Please make use of this if you need to
                   call this external function with a 'limitnum' parameter greater than 20.
                   
                   - A value of integer zero (the default when the parameter was omitted) will not
                   return unlimited results anymore. It will return up to the configured maximum
                   amount.
                   
                   - Null value, negative values and values above the configured maximum amount
                   will lead to an error.

    TL-36120       Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Improvements:

    TL-36327       Improved the gap between course multi-select custom fields

Bug fixes:

    TL-35226       Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters
    TL-35259       Fixed the 'Time to complete (since start date)' column in the 'Course Completion' report source not being calculated correctly
    TL-35521       Fixed being able to bypass sequential navigation in quizzes using web services
    TL-35706       Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

                   Previously both capabilities were required to book or waitlist other users on
                   seminars.

    TL-35728       Prevented notification event processing task from blocking other tasks

                   Previously, the 'Queue event scheduled task'
                   (\totara_notification\task\process_event_queue_task) was marked as a blocking
                   task. This meant that it would need to complete before other scheduled or adhoc
                   tasks could run.
                   
                   It is safe to run other tasks while processing notifiable events, so we have
                   removed the blocking flag from this task.

    TL-35859       Fixed SCORM activity allowing more than the maximum number of attempts in some cases

                   The way that the number of attempts is counted when a learner opens a SCORM
                   activity is determined by the 'Force new attempt' setting.
                   
                   If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to
                   'No' and the user tries a new attempt, the number of attempts that have been
                   made is simply the learner's total number of attempts to date.
                   
                   However, if 'Force new attempt' is set to 'When previous attempt completed,
                   passed or failed', then only completed attempts should count as attempts that
                   have been made. Previously, all attempts were counted in this case.
                   
                   Also, the displayed number of attempts remaining in the table of contents was
                   computed incorrectly when 'Force new attempt' was set to 'Always' or 'No',
                   because only completed attempts were counted. All attempts are counted now.
                   
                   Finally, the method of determining completed attempts has been refactored to
                   work correctly for SCORM 2004. Previously, failed attempts did not count as
                   completed.

    TL-36168       Fixed the format not being applied to Weka content on bold, hashtags, mentions, or placeholders
    TL-36169       Fixed tenant users with job assignment capabilities being able to see members of other tenants
    TL-36246       Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

                   If the send_messages_task script was failing due to out-of-memory before, it
                   will send all previously-queued notifications at once after this fix.

    TL-36402       Fixed formatting (including multi lang compatibility) for notification placeholders

                   The formatting (including multi lang compatibility) of the following
                   placeholders has been fixed:
                   
                   * Workspace full_name
                   * Course name
                   * Activity name (including Seminar) 
                   * Seminar event details
                   * Performance activity name
                   * User description

    TL-36431       Fixed inline seminar editing updating calendar entries for all seminar events
    TL-36476       Fixed incorrect formatting of the [all_sessions] placeholder in seminar notifications
    TL-36528       Made sure new job relationship upgrade steps are applied if missed previously

                   A previous ticket, TL-33602, increased the version number for the totara_job
                   plugin incorrectly to the same version on all affected branches (11 and higher).
                   This can result in some upgrade steps (adding new perform relationships) being
                   skipped during upgrade to Totara 13 or 16.
                   
                   This patch ensures the missing upgrade steps are run and the missing
                   relationships are added in all cases.

    TL-36554       Fixed redis caching issue when using Redis with read-only replication and no compression

                   A bug was introduced in 17.3 with the addition of the compression option which
                   affects sites making use of Redis read-only replicas. Sites configured in this
                   way will receive fatal errors due to a lack of serialization on the replicas.

    TL-36631       Fixed issue with program message paragraph formatting not being maintained during the upgrade

                   When the message contains line breaks, it must be considered a separate
                   paragraph. Otherwise, the line break won't work with the weka editor after the
                   migration.


Technical changes:

    TL-36430       Added a new hook 'auth_enable' to allow watchers to interrupt the enabling of a specific auth plugin

                   Adds a new core hook which can be used by third party plugins to prevent
                   specific auth plugins from being enabled, and optionally provide a reason which
                   will be displayed to the user if they try to enable one.


Library updates:

    TL-35875       Upgraded library Video.js to 7.21.1

Release 16.10 (28th February 2023):

Security issues:

    TL-35501       Limited the amount of results for message area user search external function

                   To mitigate the risk of denial of service, changes have been made to the
                   external function 'core_message_data_for_messagearea_search_users' regarding the
                   validation of the optional 'limitnum' parameter:
                   
                   - The maximum possible value for the parameter is set to a default of 20, but
                   can be overridden by setting a different value in config.php for
                   $CFG->message_area_search_max_limitnum. Please make use of this if you need to
                   call this external function with a 'limitnum' parameter greater than 20.
                   
                   - A value of integer zero (the default when the parameter was omitted) will not
                   return unlimited results anymore. It will return up to the configured maximum
                   amount.
                   
                   - Null value, negative values and values above the configured maximum amount
                   will lead to an error.
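
The 'limitnum' rules from TL-35501 (listed under both 17.4 and 16.10) modelled as a small function, useful for checking what existing web service callers will now receive. This is an added illustration, not Totara's code; the function name, the constant and the exception type are hypothetical, and `$configuredmax` stands in for `$CFG->message_area_search_max_limitnum`.

```php
<?php
declare(strict_types=1);

// Added illustration, not Totara's code. The function name and exception type
// are hypothetical; the rules are the three bullets in the TL-35501 entry.
const DEFAULT_MAX_LIMITNUM = 20;

function effective_limitnum(?int $limitnum, ?int $configuredmax = null): int {
    // $configuredmax stands in for $CFG->message_area_search_max_limitnum.
    $max = $configuredmax ?? DEFAULT_MAX_LIMITNUM;

    if ($limitnum === null) {
        throw new InvalidArgumentException('limitnum must not be null');
    }
    if ($limitnum < 0) {
        throw new InvalidArgumentException('limitnum must not be negative');
    }
    if ($limitnum > $max) {
        throw new InvalidArgumentException("limitnum $limitnum exceeds maximum $max");
    }
    // Zero used to mean "unlimited"; it now means "up to the configured maximum".
    return $limitnum === 0 ? $max : $limitnum;
}

// Constructed sample calls: [requested limitnum, configured maximum or null].
$cases = [
    [0, null], [10, null], [20, null], [21, null],
    [-1, null], [null, null], [0, 50], [50, 50],
];

foreach ($cases as [$limitnum, $configuredmax]) {
    $label = var_export($limitnum, true)
        . ' (max ' . ($configuredmax ?? DEFAULT_MAX_LIMITNUM) . ')';
    try {
        $limit = effective_limitnum($limitnum, $configuredmax);
        echo $label, ' => up to ', $limit, " results\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ' => error: ', $e->getMessage(), "\n";
    }
}
```

Callers that previously omitted 'limitnum' or passed zero to get every match now receive at most the configured maximum, so integrations that relied on a full result set need the config override or a narrower search.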

    TL-36120       Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Improvements:

    TL-36327       Improved the gap between course multi-select custom fields

Bug fixes:

    TL-35226       Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters
    TL-35259       Fixed the 'Time to complete (since start date)' column in the 'Course Completion' report source not being calculated correctly
    TL-35521       Fixed being able to bypass sequential navigation in quizzes using web services
    TL-35706       Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

                   Previously both capabilities were required to book or waitlist other users on
                   seminars.

    TL-35728       Prevented notification event processing task from blocking other tasks

                   Previously, the 'Queue event scheduled task'
                   (\totara_notification\task\process_event_queue_task) was marked as a blocking
                   task. This meant that it would need to complete before other scheduled or adhoc
                   tasks could run.
                   
                   It is safe to run other tasks while processing notifiable events, so we have
                   removed the blocking flag from this task.

    TL-35859       Fixed SCORM activity allowing more than the maximum number of attempts in some cases

                   The way that the number of attempts is counted when a learner opens a SCORM
                   activity is determined by the 'Force new attempt' setting.
                   
                   If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to
                   'No' and the user tries a new attempt, the number of attempts that have been
                   made is simply the learner's total number of attempts to date.
                   
                   However, if 'Force new attempt' is set to 'When previous attempt completed,
                   passed or failed', then only completed attempts should count as attempts that
                   have been made. Previously, all attempts were counted in this case.
                   
                   Also, the displayed number of attempts remaining in the table of contents was
                   computed incorrectly when 'Force new attempt' was set to 'Always' or 'No',
                   because only completed attempts were counted. All attempts are counted now.
                   
                   Finally, the method of determining completed attempts has been refactored to
                   work correctly for SCORM 2004. Previously, failed attempts did not count as
                   completed.

    TL-36168       Fixed the format not being applied to Weka content on bold, hashtags, mentions, or placeholders
    TL-36246       Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

                   If the send_messages_task script was failing due to out-of-memory before, it
                   will send all previously-queued notifications at once after this fix.

    TL-36402       Fixed formatting (including multi lang compatibility) for notification placeholders

                   The formatting (including multi lang compatibility) of the following
                   placeholders has been fixed:
                   
                   * Workspace full_name
                   * Course name
                   * Activity name (including Seminar) 
                   * Seminar event details
                   * Performance activity name
                   * User description

    TL-36431       Fixed inline seminar editing updating calendar entries for all seminar events
    TL-36476       Fixed incorrect formatting of the [all_sessions] placeholder in seminar notifications
    TL-36528       Made sure new job relationship upgrade steps are applied if missed previously

                   A previous ticket, TL-33602, increased the version number for the totara_job
                   plugin incorrectly to the same version on all affected branches (11 and higher).
                   This can result in some upgrade steps (adding new perform relationships) being
                   skipped during upgrade to Totara 13 or 16.
                   
                   This patch ensures the missing upgrade steps are run and the missing
                   relationships are added in all cases.

    TL-36631       Fixed issue with program message paragraph formatting not being maintained during the upgrade

                   When the message contains line breaks, it must be considered a separate
                   paragraph. Otherwise, the line break won't work with the weka editor after the
                   migration.


Library updates:

    TL-35875       Upgraded library Video.js to 7.21.1

Release 15.16 (28th February 2023):

Security issues:

    TL-36120       Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Improvements:

    TL-36327       Improved the gap between course multi-select custom fields

Bug fixes:

    TL-35226       Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters
    TL-35521       Fixed being able to bypass sequential navigation in quizzes using web services
    TL-35706       Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

                   Previously both capabilities were required to book or waitlist other users on
                   seminars.

    TL-35728       Prevented notification event processing task from blocking other tasks

                   Previously, the 'Queue event scheduled task'
                   (\totara_notification\task\process_event_queue_task) was marked as a blocking
                   task. This meant that it would need to complete before other scheduled or adhoc
                   tasks could run.
                   
                   It is safe to run other tasks while processing notifiable events, so we have
                   removed the blocking flag from this task.

    TL-35859       Fixed SCORM activity allowing more than the maximum number of attempts in some cases

                   The way that the number of attempts is counted when a learner opens a SCORM
                   activity is determined by the 'Force new attempt' setting.
                   
                   If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to
                   'No' and the user tries a new attempt, the number of attempts that have been
                   made is simply the learner's total number of attempts to date.
                   
                   However, if 'Force new attempt' is set to 'When previous attempt completed,
                   passed or failed', then only completed attempts should count as attempts that
                   have been made. Previously, all attempts were counted in this case.
                   
                   Also, the displayed number of attempts remaining in the table of contents was
                   computed incorrectly when 'Force new attempt' was set to 'Always' or 'No',
                   because only completed attempts were counted. All attempts are counted now.
                   
                   Finally, the method of determining completed attempts has been refactored to
                   work correctly for SCORM 2004. Previously, failed attempts did not count as
                   completed.

    TL-36246       Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

                   If the send_messages_task script was failing due to out-of-memory before, it
                   will send all previously-queued notifications at once after this fix.

    TL-36402       Fixed formatting (including multi lang compatibility) for notification placeholders

                   The formatting (including multi lang compatibility) of the following
                   placeholders has been fixed:
                   
                   * Workspace full_name
                   * Course name
                   * Activity name (including Seminar) 
                   * Seminar event details
                   * Performance activity name
                   * User description

    TL-36528       Made sure new job relationship upgrade steps are applied if missed previously

                   A previous ticket, TL-33602, increased the version number for the totara_job
                   plugin incorrectly to the same version on all affected branches (11 and higher).
                   This can result in some upgrade steps (adding new perform relationships) being
                   skipped during upgrade to Totara 13 or 16.
                   
                   This patch ensures the missing upgrade steps are run and the missing
                   relationships are added in all cases.

    TL-36631       Fixed issue with program message paragraph formatting not being maintained during the upgrade

                   When the message contains line breaks, it must be considered a separate
                   paragraph. Otherwise, the line break won't work with the weka editor after the
                   migration.


Library updates:

    TL-35875       Upgraded library Video.js to 7.21.1

Release 14.21 (28th February 2023):

Security issues:

    TL-36120       Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Bug fixes:

    TL-35226       Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters
    TL-35521       Fixed being able to bypass sequential navigation in quizzes using web services
    TL-35706       Allowed user with 'addattendees' capability, but not 'signup' capability, to add seminar attendees

                   Previously both capabilities were required to book or waitlist other users on
                   seminars.

    TL-35728       Prevented notification event processing task from blocking other tasks

                   Previously, the 'Queue event scheduled task'
                   (\totara_notification\task\process_event_queue_task) was marked as a blocking
                   task. This meant that it would need to complete before other scheduled or adhoc
                   tasks could run.
                   
                   It is safe to run other tasks while processing notifiable events, so we have
                   removed the blocking flag from this task.

    TL-35859       Fixed SCORM activity allowing more than the maximum number of attempts in some cases

                   The way that the number of attempts is counted when a learner opens a SCORM
                   activity is determined by the 'Force new attempt' setting.
                   
                   If 'Force new attempt' is set to 'Always', or if 'Force new attempt' is set to
                   'No' and the user tries a new attempt, the number of attempts that have been
                   made is simply the learner's total number of attempts to date.
                   
                   However, if 'Force new attempt' is set to 'When previous attempt completed,
                   passed or failed', then only completed attempts should count as attempts that
                   have been made. Previously, all attempts were counted in this case.
                   
                   Also, the displayed number of attempts remaining in the table of contents was
                   computed incorrectly when 'Force new attempt' was set to 'Always' or 'No',
                   because only completed attempts were counted. All attempts are counted now.
                   
                   Finally, the method of determining completed attempts has been refactored to
                   work correctly for SCORM 2004. Previously, failed attempts did not count as
                   completed.

    TL-36246       Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

                   If the send_messages_task script was failing due to out-of-memory before, it
                   will send all previously-queued notifications at once after this fix.

    TL-36402       Fixed formatting (including multi lang compatibility) for notification placeholders

                   The formatting (including multi lang compatibility) of the following
                   placeholders has been fixed:
                   
                   * Workspace full_name
                   * Course name
                   * Activity name (including Seminar) 
                   * Seminar event details
                   * Performance activity name
                   * User description

    TL-36528       Made sure new job relationship upgrade steps are applied if missed previously

                   A previous ticket, TL-33602, increased the version number for the totara_job
                   plugin incorrectly to the same version on all affected branches (11 and higher).
                   This can result in some upgrade steps (adding new perform relationships) being
                   skipped during upgrade to Totara 13 or 16.
                   
                   This patch ensures the missing upgrade steps are run and the missing
                   relationships are added in all cases.

    TL-36631       Fixed issue with program message paragraph formatting not being maintained during the upgrade

                   When the message contains line breaks, it must be considered a separate
                   paragraph. Otherwise, the line break won't work with the weka editor after the
                   migration.


Library updates:

    TL-35875       Upgraded library Video.js to 7.21.1

Release 13.29 (28th February 2023):

Security issues:

    TL-36120       Fixed Self-XSS possibility when dragging and dropping files in the file upload dialogue

Bug fixes:

    TL-35226       Fixed an issue where changes to language strings in countries.php were not being saved if the key contained upper-case letters
    TL-35521       Fixed being able to bypass sequential navigation in quizzes using web services
    TL-36246       Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

                   If the send_messages_task script was failing due to out-of-memory before, it
                   will send all previously-queued notifications at once after this fix.

    TL-36528       Made sure new job relationship upgrade steps are applied if missed previously

                   A previous ticket, TL-33602, increased the version number for the totara_job
                   plugin incorrectly to the same version on all affected branches (11 and higher).
                   This can result in some upgrade steps (adding new perform relationships) being
                   skipped during upgrade to Totara 13 or 16.
                   
                   This patch ensures the missing upgrade steps are run and the missing
                   relationships are added in all cases.


Release 12.51 (28th February 2023):

Bug fixes:

    TL-36246       Decreased the memory usage by send_messages_task script to avoid out-of-memory errors

                   If the send_messages_task script was failing due to out-of-memory before, it
                   will send all previously-queued notifications at once after this fix.

    TL-36528       Made sure new job relationship upgrade steps are applied if missed previously

                   A previous ticket, TL-33602, increased the version number for the totara_job
                   plugin incorrectly to the same version on all affected branches (11 and higher).
                   This can result in some upgrade steps (adding new perform relationships) being
                   skipped during upgrade to Totara 13 or 16.
                   
                   This patch ensures the missing upgrade steps are run and the missing
                   relationships are added in all cases.