Hello everyone,
The following versions of Totara Learn have now been released:
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
Release 17.7 (25th May 2023):
Important:

TL-37398 Fixed incorrect removal of queued Seminar notifications and overridden Seminar notifications
Previously, in extremely rare conditions, when a seminar was deleted, queued unsent notifications and customised notifications belonging to one or more other Seminar activities in the same course would be incorrectly deleted. This occurred only when a seminar was deleted and the context ID of the seminar being deleted was the same as the start of another seminar context ID in the same course. The confluence of matching seminar context IDs can occur naturally, but will be exceptionally rare. The larger a site is, the less likely this is to occur. It also requires a Seminar activity to be deleted, and for any matching seminars in the course to have customised notifications and/or notifications that have been queued to be sent, but not yet sent. The issue has now been fixed and will no longer occur.

Security issues:

TL-36538 Ensure return URLs that were previously validated with PARAM_URL are validated with PARAM_LOCALURL instead to prevent reflected XSS attacks

TL-36718 Fixed activities that should have been hidden due to access restrictions
Activities can have access restrictions which prevent the activity from being seen by learners until they meet the criteria. On mobile, and in the GraphQL query which provides the data for mobile, these activities were not being hidden. This has been fixed. Activities viewed through the web application were not affected.

TL-36869 Fixed an XSS risk when a misconfigured Algebra filter displayed an error message

TL-37228 Cherry-picked MDL-77187 Validate external method sort parameters

Improvements:

TL-33639 Added the 'new tab' icon to the warning links in the confirm activity delete modal

TL-36475 Improved description of Seminar "one email per day" setting
The description of the setting has been improved to indicate that it only relates to legacy seminar notifications, and describes how attachments are sent when using centralised notifications. The setting is now hidden when legacy seminar notifications are disabled.

Bug fixes:

TL-36042 Fixed inaccurate Seminar notification name
The name 'Facilitator sessions details changed' inaccurately described the behaviour of this notification. The name has been changed to 'Facilitator sessions date/time changed' to more accurately indicate what event will trigger sending the notification.

TL-36226 Fixed a bug where closed activity instances were still showing on the priority cards on the user's activity page

TL-36276 Fixed the display order of custom fields for the personal goals
Correctly aligned the order of goal custom fields to be the same on both the edit view and the goal details page.

TL-36397 Fixed a formatting issue for the 'noreplyname' string when sending emails

TL-36660 Fixed error when configuring audience restrictions on the course section settings form
Before the patch, users with the correct capabilities could not add access restrictions by audience for a section. Now adding an access restriction for a section is consistent with adding a restriction for an activity in the same course, which is currently possible.

TL-36826 Changed usages of array_key_exists to property_exists
array_key_exists() will also return true if key is a property defined within an object given as array. This behaviour is deprecated as of PHP 7.4.0, and removed as of PHP 8.0.0. For such cases, we changed array_key_exists() to property_exists().

TL-36847 Added spacing above the 'Back to audiences' button when editing audience members

TL-36895 Notification preferences and queued notifications belonging to a course are deleted when the course is deleted
Previously, when deleting a course, related records in notification_preference and notifiable_event_queue were not deleted. This could lead to errors during the cron run, as the context for the notification event queue records no longer exists. This patch cleans up orphaned records during the upgrade and makes sure those records get deleted during course deletion.

TL-36975 Fixed an error with the Course Catalog when displaying a role which has a shortname longer than 30 characters
Previously a character limit for placeholder names in database queries existed. This was only for compatibility with Oracle, which Totara does not support. The limit has been removed.

TL-37139 Fixed 'Grade at time of completion' column showing empty for historic records when maxgrade for the course was zero

TL-37153 Fixed notifications being sent twice if they were overridden in more than one context
If a notification was created in the higher context (such as at site-level), was customised in more than one intermediate context (such as both course and activity contexts) and the related notification event occurred in a lower context (e.g. extended context from an activity) then the notification system would send a notification for each of the customisations at the intermediate levels (e.g. the notifications as they appear in both course and activity). This has been fixed - now only one notification will be sent, which will use the properties defined at the lowest context (e.g. activity context in this example).

TL-37208 Fixed error messages triggered during centralised notification tasks not showing debugging details
Previously, when debugging was enabled on the site, errors triggered during the run of the centralised notification scheduled tasks did not contain additional debugging information. This has been changed to help identify problems during the task runs.

TL-37225 Fixed ical attachment not reset between notifications when SMTP session limit is greater than 1
Under certain circumstances, it was possible for a seminar notification email to contain the calendar invitation belonging to another user. This only occurred when "SMTP session limit" was set to more than 1, two seminar notifications were processed one after the other within one SMTP session (e.g. if the session limit was set to 5 then both notifications would need to be processed in the same batch of 5), the first notification related to a seminar event with only one session, and the second notification related to an event with more than one session.

TL-37302 Updated the readme file with the correct MariaDB supported versions

Database upgrades:

TL-36808 Allow memoization for Postgres 14.2 and above.
PostgreSQL 14 introduced memoization as a feature that can improve performance. However, with PostgreSQL versions 14.0 or 14.1 it would cause several Totara queries to return incorrect results. Because of this, a requirement was added for PostgreSQL 14 that the enable_memoize flag be set to off. This has been fixed from PostgreSQL 14.2. With this patch in place, the enable_memoize=off setting is only required if you're using PostgreSQL 14.0 or 14.1.

Technical changes:

TL-36403 Added 'mobile_coursecompat' property to the catalog_item GraphQL type, so it could be used in the mobile_findlearning_view_catalog GraphQL query

Library updates:

TL-37326 Updated nyholm/psr7 library to 1.6.1
Release 16.13 (25th May 2023):
Security issues:

TL-36538 Ensure return URLs that were previously validated with PARAM_URL are validated with PARAM_LOCALURL instead to prevent reflected XSS attacks

TL-36869 Fixed an XSS risk when a misconfigured Algebra filter displayed an error message

TL-37228 Cherry-picked MDL-77187 Validate external method sort parameters

Improvements:

TL-33639 Added the 'new tab' icon to the warning links in the confirm activity delete modal

TL-36475 Improved description of Seminar "one email per day" setting
The description of the setting has been improved to indicate that it only relates to legacy seminar notifications, and describes how attachments are sent when using centralised notifications. The setting is now hidden when legacy seminar notifications are disabled.

Bug fixes:

TL-36042 Fixed inaccurate Seminar notification name
The name 'Facilitator sessions details changed' inaccurately described the behaviour of this notification. The name has been changed to 'Facilitator sessions date/time changed' to more accurately indicate what event will trigger sending the notification.

TL-36226 Fixed a bug where closed activity instances were still showing on the priority cards on the user's activity page

TL-36276 Fixed the display order of custom fields for the personal goals
Correctly aligned the order of goal custom fields to be the same on both the edit view and the goal details page.

TL-36397 Fixed a formatting issue for the 'noreplyname' string when sending emails

TL-36660 Fixed error when configuring audience restrictions on the course section settings form
Before the patch, users with the correct capabilities could not add access restrictions by audience for a section. Now adding an access restriction for a section is consistent with adding a restriction for an activity in the same course, which is currently possible.

TL-36826 Changed usages of array_key_exists to property_exists
array_key_exists() will also return true if key is a property defined within an object given as array. This behaviour is deprecated as of PHP 7.4.0, and removed as of PHP 8.0.0. For such cases, we changed array_key_exists() to property_exists().

TL-36847 Added spacing above the 'Back to audiences' button when editing audience members

TL-36895 Notification preferences and queued notifications belonging to a course are deleted when the course is deleted
Previously, when deleting a course, related records in notification_preference and notifiable_event_queue were not deleted. This could lead to errors during the cron run, as the context for the notification event queue records no longer exists. This patch cleans up orphaned records during the upgrade and makes sure those records get deleted during course deletion.

TL-36975 Fixed an error with the Course Catalog when displaying a role which has a shortname longer than 30 characters
Previously a character limit for placeholder names in database queries existed. This was only for compatibility with Oracle, which Totara does not support. The limit has been removed.

TL-37139 Fixed 'Grade at time of completion' column showing empty for historic records when maxgrade for the course was zero

TL-37153 Fixed notifications being sent twice if they were overridden in more than one context
If a notification was created in the higher context (such as at site-level), was customised in more than one intermediate context (such as both course and activity contexts) and the related notification event occurred in a lower context (e.g. extended context from an activity) then the notification system would send a notification for each of the customisations at the intermediate levels (e.g. the notifications as they appear in both course and activity). This has been fixed - now only one notification will be sent, which will use the properties defined at the lowest context (e.g. activity context in this example).

TL-37208 Fixed error messages triggered during centralised notification tasks not showing debugging details
Previously, when debugging was enabled on the site, errors triggered during the run of the centralised notification scheduled tasks did not contain additional debugging information. This has been changed to help identify problems during the task runs.

TL-37225 Fixed ical attachment not reset between notifications when SMTP session limit is greater than 1
Under certain circumstances, it was possible for a seminar notification email to contain the calendar invitation belonging to another user. This only occurred when "SMTP session limit" was set to more than 1, two seminar notifications were processed one after the other within one SMTP session (e.g. if the session limit was set to 5 then both notifications would need to be processed in the same batch of 5), the first notification related to a seminar event with only one session, and the second notification related to an event with more than one session.

TL-37302 Updated the readme file with the correct MariaDB supported versions

Database upgrades:

TL-36808 Allow memoization for Postgres 14.2 and above.
PostgreSQL 14 introduced memoization as a feature that can improve performance. However, with PostgreSQL versions 14.0 or 14.1 it would cause several Totara queries to return incorrect results. Because of this, a requirement was added for PostgreSQL 14 that the enable_memoize flag be set to off. This has been fixed from PostgreSQL 14.2. With this patch in place, the enable_memoize=off setting is only required if you're using PostgreSQL 14.0 or 14.1.

Technical changes:

TL-36403 Added 'mobile_coursecompat' property to the catalog_item GraphQL type, so it could be used in the mobile_findlearning_view_catalog GraphQL query

Library updates:

TL-37326 Updated nyholm/psr7 library to 1.6.1
Release 15.19 (25th May 2023):
Important:

TL-37167 Fixed LTI 1.3 external tool viewing not being logged and not recognised for completion
When launching an External tool activity based on an LTI 1.3 compatible provider, the viewing event did not get triggered. This resulted in no event log entry being created and completion through the activity completion setting "Learner must view this activity to complete it" not being recognised. This has now been fixed.

Security issues:

TL-36538 Ensure return URLs that were previously validated with PARAM_URL are validated with PARAM_LOCALURL instead to prevent reflected XSS attacks

TL-36869 Fixed an XSS risk when a misconfigured Algebra filter displayed an error message

TL-37228 Cherry-picked MDL-77187 Validate external method sort parameters

Improvements:

TL-33639 Added the 'new tab' icon to the warning links in the confirm activity delete modal

Bug fixes:

TL-36042 Fixed inaccurate Seminar notification name
The name 'Facilitator sessions details changed' inaccurately described the behaviour of this notification. The name has been changed to 'Facilitator sessions date/time changed' to more accurately indicate what event will trigger sending the notification.

TL-36226 Fixed a bug where closed activity instances were still showing on the priority cards on the user's activity page

TL-36397 Fixed a formatting issue for the 'noreplyname' string when sending emails

TL-36826 Changed usages of array_key_exists to property_exists
array_key_exists() will also return true if key is a property defined within an object given as array. This behaviour is deprecated as of PHP 7.4.0, and removed as of PHP 8.0.0. For such cases, we changed array_key_exists() to property_exists().

TL-36847 Added spacing above the 'Back to audiences' button when editing audience members

TL-36895 Made API for deleting notification records consistent with newer versions
The code which deletes notification records and which is used in newer versions when deleting activities or courses has been made consistent. This ensures customisations and future changes will work as expected when deleting records.

TL-36975 Fixed an error with the Course Catalog when displaying a role which has a shortname longer than 30 characters
Previously a character limit for placeholder names in database queries existed. This was only for compatibility with Oracle, which Totara does not support. The limit has been removed.

TL-37139 Fixed 'Grade at time of completion' column showing empty for historic records when maxgrade for the course was zero

TL-37153 Fixed notifications being sent twice if they were overridden in more than one context
If a notification was created in the higher context (such as at site-level), was customised in more than one intermediate context (such as both course and activity contexts) and the related notification event occurred in a lower context (e.g. extended context from an activity) then the notification system would send a notification for each of the customisations at the intermediate levels (e.g. the notifications as they appear in both course and activity). This has been fixed - now only one notification will be sent, which will use the properties defined at the lowest context (e.g. activity context in this example).

TL-37208 Fixed error messages triggered during centralised notification tasks not showing debugging details
Previously, when debugging was enabled on the site, errors triggered during the run of the centralised notification scheduled tasks did not contain additional debugging information. This has been changed to help identify problems during the task runs.

TL-37302 Updated the readme file with the correct MariaDB supported versions

Library updates:

TL-37326 Updated nyholm/psr7 library to 1.6.1
Release 14.24 (25th May 2023):
Important:

TL-37167 Fixed LTI 1.3 external tool viewing not being logged and not recognised for completion
When launching an External tool activity based on an LTI 1.3 compatible provider, the viewing event did not get triggered. This resulted in no event log entry being created and completion through the activity completion setting "Learner must view this activity to complete it" not being recognised. This has now been fixed.

Security issues:

TL-36538 Ensure return URLs that were previously validated with PARAM_URL are validated with PARAM_LOCALURL instead to prevent reflected XSS attacks

TL-36869 Fixed an XSS risk when a misconfigured Algebra filter displayed an error message

TL-37228 Cherry-picked MDL-77187 Validate external method sort parameters

Improvements:

TL-33639 Added the 'new tab' icon to the warning links in the confirm activity delete modal

Bug fixes:

TL-36042 Fixed inaccurate Seminar notification name
The name 'Facilitator sessions details changed' inaccurately described the behaviour of this notification. The name has been changed to 'Facilitator sessions date/time changed' to more accurately indicate what event will trigger sending the notification.

TL-36161 Backported learning item visibility fixes
The totara_mobile_certification query now returns a 'viewable' flag for all courses in certifications and programs

TL-36397 Fixed a formatting issue for the 'noreplyname' string when sending emails

TL-36826 Changed usages of array_key_exists to property_exists
array_key_exists() will also return true if key is a property defined within an object given as array. This behaviour is deprecated as of PHP 7.4.0, and removed as of PHP 8.0.0. For such cases, we changed array_key_exists() to property_exists().

TL-36847 Added spacing above the 'Back to audiences' button when editing audience members

TL-36895 Made API for deleting notification records consistent with newer versions
The code which deletes notification records and which is used in newer versions when deleting activities or courses has been made consistent. This ensures customisations and future changes will work as expected when deleting records.

TL-37139 Fixed 'Grade at time of completion' column showing empty for historic records when maxgrade for the course was zero

TL-37153 Fixed notifications being sent twice if they were overridden in more than one context
If a notification was created in the higher context (such as at site-level), was customised in more than one intermediate context (such as both course and activity contexts) and the related notification event occurred in a lower context (e.g. extended context from an activity) then the notification system would send a notification for each of the customisations at the intermediate levels (e.g. the notifications as they appear in both course and activity). This has been fixed - now only one notification will be sent, which will use the properties defined at the lowest context (e.g. activity context in this example).

TL-37208 Fixed error messages triggered during centralised notification tasks not showing debugging details
Previously, when debugging was enabled on the site, errors triggered during the run of the centralised notification scheduled tasks did not contain additional debugging information. This has been changed to help identify problems during the task runs.

TL-37302 Updated the readme file with the correct MariaDB supported versions
Release 13.32 (25th May 2023):
Important:

TL-37167 Fixed LTI 1.3 external tool viewing not being logged and not recognised for completion
When launching an External tool activity based on an LTI 1.3 compatible provider, the viewing event did not get triggered. This resulted in no event log entry being created and completion through the activity completion setting "Learner must view this activity to complete it" not being recognised. This has now been fixed.

Security issues:

TL-36538 Ensure return URLs that were previously validated with PARAM_URL are validated with PARAM_LOCALURL instead to prevent reflected XSS attacks

TL-36869 Fixed an XSS risk when a misconfigured Algebra filter displayed an error message

TL-37228 Cherry-picked MDL-77187 Validate external method sort parameters

Bug fixes:

TL-36042 Fixed inaccurate Seminar notification name
The name 'Facilitator sessions details changed' inaccurately described the behaviour of this notification. The name has been changed to 'Facilitator sessions date/time changed' to more accurately indicate what event will trigger sending the notification.

TL-36161 Backported learning item visibility fixes
The totara_mobile_certification query now returns a 'viewable' flag for all courses in certifications and programs

TL-36397 Fixed a formatting issue for the 'noreplyname' string when sending emails

TL-36847 Added spacing above the 'Back to audiences' button when editing audience members

TL-37139 Fixed 'Grade at time of completion' column showing empty for historic records when maxgrade for the course was zero
Release 12.53 (25th May 2023):
Security issues:

TL-36538 Ensure return URLs that were previously validated with PARAM_URL are validated with PARAM_LOCALURL instead to prevent reflected XSS attacks

TL-36869 Fixed an XSS risk when a misconfigured Algebra filter displayed an error message

TL-37228 Cherry-picked MDL-77187 Validate external method sort parameters

Bug fixes:

TL-36397 Fixed a formatting issue for the 'noreplyname' string when sending emails