Totara Release Notes

Totara TXP 18.0 is now available

 
by David Curry (Core Developer), Monday 27 November 2023, 19:06

Hello Everyone,

I am pleased to announce that the Totara TXP 18.0 release is now available.

To see a summary of the new features and improvements included in this release, visit the What's new page on the Totara help site.

For detailed change-management information, please see the Technical Release Notes immediately following this post.

A big thank you as well to everyone who has contributed to this release!


Release 18.0 (28th November 2023):

Important:

    TL-32537       Removed legacy program and certification assignment interface

                   The program assignment interface was replaced in Totara 13 to improve usability
                   with large numbers of assignments, deprecating the legacy interface and hiding
                   it behind the 'enablelegacyprogramassignment' setting.

                   This legacy interface, and associated setting, have now been removed.

    TL-36674       Login screen refresh

                   A new login screen is available with a new look and feel, and a prominently
                   presented image to the side. The image can be configured inside theme settings.

                   The old login screen is still available, but is deprecated in Totara 18. You can
                   revert to it by setting `$CFG->enable_legacy_login = true;` in config.php.

    TL-37624       Legacy Appraisals and 360 Feedback activities are forced to read-only as part
                   of the deprecation process for those features

                   An optional read-only setting for Legacy Appraisals and Legacy 360 Feedback was
                   added in Totara 17.9. This setting is now forced on, and the associated task is
                   queued for the next cron run.
                   * All action functionality such as Create, Activate, Copy, Edit etc. is
                   disabled.
                   * Users and administrator/manager see a banner notifying them that all actions
                   are in transition to close before the cron task has occurred.
                   * After the cron task has occurred all active activities will be closed.

                   Users and administrator/manager will still have access to Legacy Appraisals
                   and/or Legacy 360 Feedback historic records.

    TL-38114       Improved request performance by closing user session before resolving GraphQL queries

                   This enhancement improves the performance of GraphQL queries that are executed
                   concurrently, by automatically closing the user session for writing before the
                   query resolves. It does not apply to mutations.

                   As a direct consequence of this change, modifying website sessions during
                   GraphQL query resolution is no longer possible without modifying the resolver.
                   Attempting to do so will result in an exception being thrown:
                   `totara_webapi\exception\reopen_session_for_writing_exception`

                   To maintain the ability to write to sessions within custom query resolvers,
                   developers must take the following steps:

                   - Add the `core\webapi\middleware\reopen_session_for_writing` middleware to the
                   GraphQL query resolver class.
                   - Ensure that the `core\webapi\middleware\reopen_session_for_writing` middleware
                   is positioned as the topmost middleware in the list of middleware used in the
                   query.

                   This change may increase the total number of PHP processes running concurrently
                   so it might be a good idea to review your webserver configuration to make sure
                   it can handle the increased number of total concurrent connections.

                   Additionally, it is possible to disable this optimization completely by setting
                   `$CFG->graphqlsessionwritecloseenabled` to false in the config.php file. This
                   allows users to retain the previous behaviour of session handling within GraphQL
                   queries, should it be required for specific use cases.
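
                   Why the `reopen_session_for_writing` middleware has to be topmost, shown with
                   plain PHP sessions in an added example (not Totara code): once a session is
                   closed for writing, later writes to `$_SESSION` are silently dropped, which is
                   the case Totara turns into an exception. `run_chain()`, the `$reopen` and
                   `$audit` closures and the session keys are hypothetical stand-ins for a
                   resolver's middleware list.

```php
<?php
// Added illustration of native PHP session semantics; this is not Totara code.
// run_chain(), simulate(), stored_session(), the closures and the session keys
// are hypothetical names chosen for this example.

ini_set('session.use_cookies', '0');   // CLI run: no cookie carries the session id
ini_set('session.cache_limiter', '');  // no cache headers needed either
session_save_path(sys_get_temp_dir());

/** Run $resolver through $middleware; the first element is the outermost layer. */
function run_chain(array $middleware, callable $resolver) {
    $next = $resolver;
    foreach (array_reverse($middleware) as $mw) {
        $inner = $next;
        $next = function () use ($mw, $inner) {
            return $mw($inner);
        };
    }
    return $next();
}

/** Read back what was actually persisted for session $id. */
function stored_session(string $id): array {
    session_id($id);
    session_start(['read_and_close' => true]);
    return $_SESSION;
}

// Reopens the session for writing around everything nested inside it.
$reopen = function (callable $next) {
    session_start();            // re-acquires the lock and re-reads stored data
    try {
        return $next();
    } finally {
        session_write_close();  // persist the changes and release the lock
    }
};

// A middleware that records something in the session before resolving.
$audit = function (callable $next) {
    $_SESSION['last_query'] = 'example_query';
    return $next();
};

// The resolver itself also writes to the session.
$resolver = function () {
    $_SESSION['result_seen'] = true;
    return 'ok';
};

/** One request: open the session, close it for writing, then run the chain. */
function simulate(array $middleware, callable $resolver): array {
    session_id(bin2hex(random_bytes(16)));  // fresh constructed session per run
    session_start();
    $_SESSION = ['user' => 'alice'];        // constructed sample data
    $id = session_id();
    session_write_close();                  // closed before the query resolves

    run_chain($middleware, $resolver);
    return stored_session($id);
}

$cases = [
    // Session is writable for both the audit middleware and the resolver.
    'reopen topmost'     => [$reopen, $audit],
    // The audit write hits a closed session and is discarded on reopen.
    'reopen not topmost' => [$audit, $reopen],
    // Nothing reopens the session, so no write is persisted.
    'no reopen'          => [],
];

$report = [];
foreach ($cases as $name => $middleware) {
    $report[$name] = simulate($middleware, $resolver);
}
foreach ($report as $name => $stored) {
    echo $name, ': ', json_encode($stored), PHP_EOL;
}
```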

    TL-38476       Upcoming changes to component overrides in themes

                   In order to enable a future upgrade to Vue 3, we had to make some changes to how
                   component overrides in themes work.

                   Partial component overrides in themes have been deprecated, and will be removed
                   in Totara 19. Partial component overrides are those that do not contain a
                   `script` tag, or `script extends`, unless they _only_ contain a `style`
                   tag.

                   This mainly affects components where only the `template` tag was overridden. All
                   components overridden in themes will need to replace the entire component from
                   Totara 19 onwards, unless they are only overriding `style` tags.

New features:

    TL-16231       Site Administrator users can now use multi-factor authentication

                   The login process has been modified to introduce multi-factor authentication
                   (MFA) for Site Administrator users. To set up, first enable the appropriate MFA
                   plugin in the plugins page, and then each Site Administrator user can register
                   their own authenticator app via manage user login.

                   MFA will only support authentication methods that have been updated for
                   compatibility. All authentication methods included by Totara have been updated,
                   however any third-party plugins installed will need to be updated before they
                   are available with MFA. The MFA and authentication screens will report any
                   incompatibilities.

    TL-28559       Added site administration tool to test outgoing email settings

                   The Quick-access menu > Server > Email > Test outgoing email settings page
                   allows administrators to send an email from Totara, with SMTP debugging
                   information displayed.

                   Also available in 17.3 and later releases.

    TL-30141       Tenant isolation setting has been taken out of experimental mode

                   The tenant isolation setting has now been taken out of experimental mode. The
                   setting has been moved from the experimental settings page to the shared
                   services settings page.

    TL-33784       Scheduled user actions

                   You can schedule actions to occur on users, using filters. This initial version
                   allows you to delete users who have been suspended for a certain amount of time,
                   and optionally restrict by audience. In conjunction with configured purge types,
                   this is designed to assist organisations in automating the deletion of user data
                   in line with their own data retention policy and relevant GDPR requirements.

                   Also available in 17.3 and later releases.

    TL-34972       Added a new show and hide input for client secrets

                   Client secrets can now be viewed by clicking on the new 'Show/Hide' button on
                   the API clients and OAuth2.0 provider details pages.

                   Also available in 17.3 and later releases.

    TL-34982       Added a new Check API and converted security, performance and system status
                   reports to use it

                   A new Check API has been implemented, with all system status, performance and
                   security reports converted to use it. The Check API is extensible, and plugins
                   can now introduce their own checks. Additionally this is compatible with
                   Moodle's Check API, and Moodle plugins that implement it will start reporting
                   their state.

                   The API includes a CLI script at server/admin/cli/checks.php that can be used to
                   check the status of the system via the command line.

    TL-34991       Added totara_job_job_assignments query to the external API

                   A new query 'totara_job_job_assignments' was added to the external API to fetch
                   all job_assignments, providing options for sorting and paginating results.

                   Also available in 17.1 and later releases.

    TL-35895       Added support for privacy-aware page titles to $PAGE object

                   It is now possible for a page to optionally set a 'privacy-aware' page title as
                   well as the normal title. This title is stored in the $PAGE object and can be
                   retrieved when a page title that does not contain personally identifiable
                   information is needed. We have modified all known pages that contain the users'
                   names to specify a second title that excludes the name.

                   A use case for this is to avoid sending Personally Identifiable Information
                   (PII) to a third-party analytics service.

                   Also available in 17.1 and later releases.

    TL-36262       Added a new performance overview page which summarises a user's progression in
                   performance activities, competencies and Totara goals

                   The performance overview page displays items with four progression states based
                   on the selected period filter. The progression states are:
                   * Not started: No progression has ever been made
                   * In progress: Progression has been made in the current period
                   * Not progressed: Progression has not been made in the current period
                   * Achieved/Completed: Progression has been marked as completed in the current
                   period

                   Progression for competencies is based on current scale values:
                   * A new checkbox option was included on the scale setting pages that allows the
                   least complete scale values to be considered 'Not started'
                   * Completion is based on the scale 'Consider complete' values

                   The performance activities use existing activity progress states to track
                   progression:
                   * Completion is based on all required participants having completed their
                   participation

                   A new concept of 'Due soon' was also introduced for goals and performance
                   activities; this is when they are due within the next seven working days.

                   The page also includes a 'Require action' block which provides a summary of the
                   user's participation in others' activities and if they are required to select
                   participants for certain activities.

    TL-36328       Add SAML 2.0 (SSO) authentication plugin

                   Totara can now authenticate via SAML 2.0. To configure a SAML 2.0 connection
                   visit the Quick-access menu > Plugins > Manage authentication page, and enable
                   SAML SSO (2.0) to start registering identity providers.

    TL-36505       Added H5P plugin

                   Added the H5P activity plugin, which allows you to author content directly into
                   your courses with an easy-to-use library of creation and editing tools. Select
                   from activity types such as interactive video, quizzes, collage, timelines, and
                   more.

    TL-37567       Database column values can be encrypted

                   Individual columns in the database can now be encrypted, preventing the values
                   from being read unless they are accessed via the appropriate model. This
                   implementation is only appropriate for storing generated values such as security
                   tokens.

                   On a new install or upgrade a new encryption key will be generated
                   automatically. If needed, we provide a command line script to add new keys and
                   to roll over any previously encrypted values, where it is required.

                   Encrypted columns are currently only used by the authentication SSO SAML plugin
                   and Multi-factor Authentication TOTP plugin, to store authentication-related
                   tokens.

                   To ensure that columns can be encrypted, we require the mcrypt PHP module to be
                   installed. If it is not installed then features that require encryption will not
                   be available.

    TL-37570       Added IntelliData plugin which allows integration with IntelliBoard Learning
                   Analytics Platform

                   IntelliBoard is a learning analytics platform that provides reports showing user
                   engagement, learner completion, engagement metrics, instructor activity,
                   progress summaries, and more. It integrates with Totara with the help of the
                   IntelliData plugin, which is built on top of Totara's GraphQL external API.

                   You can access this plugin via a new group of business intelligence plugins
                   under Quick-access menu > Plugins > Business intelligence.

    TL-37594       Added a new 'Pathway' course format

                   The Pathway format adds a more modern UI using Tui componentry, providing a more
                   streamlined experience for learners. This includes:
                   * An improved course header and administration settings
                   * New side panel for navigation, showing the activities in order and the user's
                   progress through the course
                   * A content panel to display the current activity without navigating away from
                   the course page

    TL-37614       Programs can now be cloned

                   Users with the `totara/program:cloneprogram` permission can now clone programs,
                   selecting which parts of the program to clone. Any combination of the details,
                   course sets, and notifications can be cloned.

    TL-37615       Updated interface when managing program content

                   When managing a program's course sets, the interface has been improved to be
                   more dynamic using the Tui framework. Using a recurring course set or a
                   competency course set still uses the old interface. The old interface can also
                   be forced by using the 'Enable legacy program content' setting.

    TL-37619       Introducing tenant reports

                   Tenant Domain Managers now have the ability to generate reports that focus
                   exclusively on tenant-specific data.
                   * Tenant-level reporting: Tenant Domain Managers now have the ability to
                   generate reports that focus exclusively on tenant-specific data. Tenant Domain
                   Managers will be required to have the `totara_reportbuilder:managereports`
                   capability to generate tenant reports.
                   * Data isolation for tenant members: With tenant reports, the reported data is
                   isolated for tenant members to reflect only the content pertinent to the tenant.
                   * My reports page: Site Managers now have the ability to create tenant-specific
                   reports from the 'My reports' page.

                   In order for Tenant Domain Managers to create tenant reports, we recommend
                   allowing two capabilities on the system Tenant Domain Manager role:
                   * totara/reportbuilder:managereports
                   * totara/reportbuilder:overrideexportoptions

    TL-37726       New tenant selection filter for user reports

                   A new tenant selection filter has been added for user reports. Users with the
                   `totara/tenant:view` capability can use this filter to filter the users to
                   tenant members in a report.

    TL-38227       Added activity completion report source

    TL-39058       Added new endpoints to the external API to enable the functionality necessary
                   for integration with e-commerce platforms

                   Introduced new functionalities to our external API, allowing integration with
                   e-commerce platforms. Here's a breakdown of the key features:

                   Audiences support:
                   - Added core_cohort_static_cohorts query to retrieve a list of audiences
                   - Added core_cohort_is_user_member query to check if a user is a member of an
                   audience
                   - Added core_cohort_add_cohort_member mutation to add a user to an audience
                   - Added core_cohort_remove_cohort_member mutation to remove a user from an
                   audience
                   - Expanded functionality for interacting with cohorts via a core_interactor
                   class
                   - Added a 'tags' property to the core_cohort type

                   Courses API upgrades:
                   - Added core_course_courses query to retrieve a list of courses
                   - Added core_course_is_user_enrolled query to check if a user is enrolled in a
                   course
                   - Added core_completion_get_course_completion query to retrieve course
                   completion details
                   - Added a 'tags' property to the core_course type

                   Users API enhancements:
                   - Added core_user_user query to retrieve details of a specific user
                   - Added filters to core_user_users query for more refined user queries

                   Enrolment API advancements:
                   - Added enrol_manual_enrol_user mutation to enrol a user into a course using a
                   manual enrol plugin
                   - Added enrol_manual_unenrol_user mutation to unenrol a user from a course using
                   a manual enrol plugin

Security issues:

    TL-34338       Prevented content author information display to non-privileged users in global
                   search

                   Previously, it was possible for global search users to see the author of
                   documents, even if they did not have the appropriate capabilities. Now users
                   need the 'moodle/user:viewdetails' or 'moodle/course:viewparticipants'
                   capability to see the author.

                   Fixes CVE-2022-30598

                   Also available in 17.13 and later releases.

    TL-35830       Fixed trending content block showing items across tenant boundaries

                   With this change trending content from different tenants can no longer show
                   across tenants.

                   Also available in 17.13 and later releases.

    TL-38789       Fixed possible XSS vulnerability in course activity headings on some pages

    TL-38845       Fixed an XSS vulnerability in activity names when restoring courses

                   Also available in 17.13 and later releases.

Visual improvements:

    TL-33818       Block titles are no longer all uppercase

                   Also available in 17.9 and later releases.

    TL-37206       Improved the look of the legacy progress bar

    TL-37207       Improved the look of the quick-access menu

    TL-37350       Added a single point for typography to improve consistency of typography
                   throughout the product

    TL-37352       Improved the look of the top navigation toolbar

    TL-37353       Improved styling of dropdowns

                   Both Tui and non-Tui dropdowns now have a similar design, with rounded corners
                   and better spacing.

    TL-37355       Improved styling of mobile navigation menu

    TL-37465       Adjusted Tui grid spacing for consistency

    TL-37466       Improved UI grid alignment consistency across Totara

    TL-37597       Improved alignment in Totara Learn's Find Learning page

    TL-38015       Updated dropdown menu styling

    TL-38016       Centre aligned breadcrumb elements vertically

    TL-38481       Made styling changes to the Tui Tree component

    TL-38490       Moved header menu dropdown chevron to the right and aligned to the end
                   horizontally.

    TL-38528       Updated the default theme to be more consistent across product

                   With this change we have aligned the look and feel across different aspects of
                   the default theme. This includes admin forms, Tui forms, legacy forms, legacy
                   and Tui tabs and the layout of the header and footer.

    TL-38534       In various pages (such as Define Roles) the page heading position is now
                   standardised, with action buttons moved to the right.

    TL-38560       Updated the look of the Messages and Notifications menu items

    TL-38578       Updated Tui modal design

    TL-38612       Improved button and input styling

                   Button, input, and select styles now no longer apply to plain buttons, inputs,
                   and selects. Add `btn btn-default`, `form-control`, or `custom-select` classes
                   (respectively) to elements you need to be styled.

                   The Bootstrap implementation of button and form styling has been replaced with a
                   custom one, compatible with the same classes, but with improved styles aligned
                   with the Tui design system.

    TL-38640       Improved display of secondary nav items

    TL-38742       Updated the look and feel of blocks

                   Updated the default block style to round the corners and align the padding with
                   the rest of the site.

    TL-39037       Improved consistency of modals

                   Modals have numerous CSS changes so that they look more consistent across the
                   application. These will be applied across YUI, Bootstrap and Tui Modals.

Performance improvements:

    TL-34242       Improved performance of seminar session list display by optimising the loading
                   of enrollable sessions

                   Also available in 17.6 and later releases.

    TL-34384       Improved performance of file picker on large sites

                   Also available in 17.5 and later releases.

    TL-36192       Updated user data query to convert username to lowercase prior to execution

                   The user data query was querying with the username in a case-insensitive way;
                   this change converts the username to lowercase prior to execution which should
                   improve the query's performance.

                   Also available in 17.3 and later releases.

    TL-36204       Removed a needless check for new notifications happening at the start of each
                   page

                   Also available in 17.3 and later releases.

    TL-36206       Improved the performance of the Global Search API

                   This patch improves the performance of the Global Search API in how it finds
                   searchable areas.

                   Also available in 17.3 and later releases.

    TL-36236       Optimised the query that removes orphaned competency assignment user records

                   In some circumstances, this function was taking a long time to run and timing
                   out. The SQL in the function was optimised.

                   Also available in 17.3 and later releases.

    TL-36530       Improved the performance of the audience enrolment tab on courses when using
                   MariaDB

                   Also available in 17.11 and later releases.

    TL-36597       Improved performance of course, program and certification visibility checks
                   when being part of a database query

                   Also available in 17.12 and later releases.

    TL-36829       Improved the performance of the catalogue

                   A logic bug was fixed in how course category caches were primed before being
                   needed by the catalogue; the improved priming will increase cache use and
                   decrease interaction with the database.

                   Also available in 17.10 and later releases.

    TL-38548       Reduced number of database queries on the course and category management page

                   When multitenancy is enabled an additional database query was triggered for each
                   category to check whether the category is a tenant category or not. This is now
                   being cached to avoid the unnecessary queries and to improve the performance of
                   the page load.

                   Also available in 17.13 and later releases.

    TL-38606       Improved the performance of the notification event queue task

                   The performance of the task
                   `\totara_notification\task\process_event_queue_task` has been improved by
                   caching data which is loaded repeatedly. In addition the theme is not reset for
                   each notification anymore which had quite an impact on performance. This has
                   been addressed.

                   To improve performance of the task further we recommend reviewing the setting
                   'SMTP session limit' (smtpmaxbulk) and consider increasing it. It defaults to 1
                   which means the task will create a new SMTP connection for each email it sends
                   out and will not use an existing connection.

                   Also available in 17.13 and later releases.

Improvements:

    TL-30248       Added support for multi-selection position and organisation filters in tenant
                   embedded reports

                   Before the patch users with correct capabilities could not use multi-selection
                   filters in tenant embedded reports. We removed the second check ability to see
                   the report without embedded data.

                   Also available in 17.11 and later releases.

    TL-33639       Added the 'new tab' icon to the warning links in the confirm activity deletion
                   modal

                   Also available in 17.7 and later releases.

    TL-33941       Improved the layout for the workflow settings on the activity management content
                   tab

                   Also added independent loading states for the 'On completion' and 'On due date'
                   settings.

    TL-34302       Added a scheduled task for deleting expired OAuth 2.0 access tokens from the
                   database

                   Also available in 17.3 and later releases.

    TL-34814       Added a warning to seminar ad hoc messages when legacy notifications are
                   disabled

                   Also available in 17.1 and later releases.

    TL-34846       Extended create/update user services to offer more password-related options

                   Boolean fields have been added to the create and update user mutations for
                   'force_password_change' and 'generate_password'.

                   Also available in 17.2 and later releases.

    TL-34919       Disallowed API users from updating locked fields without valid capability if
                   fields are locked by the authentication plugin

                   Also available in 17.3 and later releases.

    TL-34922       The performance activity role change override settings now reflect the current
                   global settings when not enabled

    TL-35074       Ensure sort order for seminar sessions is consistent

                   Also available in 17.1 and later releases.

    TL-35096       Added the progress tracker to the activity 'View details' modal and made the
                   sections collapsible

    TL-35097       Updated the 'View details' modal on a performance activity to align with the new
                   design

                   * The sections are now separated by role
                   * Added the user avatar, progress status, and 'closed' message if the section is
                   closed
                   * Added the appropriate icon alongside the progress status

    TL-35098       Added a 'View more' button to the tables on the activity details modal when
                   there are more than three participants

    TL-35099       Updated the 'View details' modal on a performance activity to align with the new
                   design for anonymous responses

                   * Included a count of the anonymous respondents excluding the current user
                   * Included a count of the completed anonymous responses excluding the current
                   user
                   * Included the message 'All complete' when all other anonymous responses are
                   complete

    TL-35120       Removed view-only participant instances upon relationship changes

    TL-35156       Added a capability to allow users access to their notification logs

                   This adds a new capability 'totara/notification:auditownnotifications', which
                   will allow the user to view their own notification logs. This is not added to
                   any role by default.

                   Also available in 17.1 and later releases.

    TL-35223       Added support for tenant isolation to user API

                   Added support for tenant isolation to the external API. Tenant API clients can
                   use external API if tenant isolation is on, and also can manage system users if
                   they have capabilities at the system level.

                   Also available in 17.3 and later releases.

    TL-35230       Added the 'Section title' multi-select filter to the performance activities
                   response data report

                   Also available in 17.1 and later releases.

    TL-35278       Added default filters to the performance activity response data reports for
                   'Element type', 'Response data text' and 'Review type'

                   Also available in 17.1 and later releases.

    TL-35410       Added default error response_debug site setting

                   Added a 'response_debug' setting to the API site-level settings to configure the
                   amount of error information returned in API responses.

                   Also available in 17.1 and later releases.

    TL-35460       Improved the language string for the seminar purge type

                   Also available in 17.5 and later releases.

    TL-35483       Allow administrators to approve requests that require role approval

                   Also available in 17.3 and later releases.

    TL-35517       Updated help for MySQL collation conversion script to advise increasing
                   execution time

                   Also available in 17.8 and later releases.

    TL-35593       Added a 'Go back' button on the performance activity content print view

    TL-35628       Improved documentation for API client settings token expiration form field

                   Also available in 17.1 and later releases.

    TL-35898       API client can now delete an existing user custom profile field value

                   This improvement adds a 'delete' flag to the 'custom_fields' per-field input for
                   the 'core_user_update_user' mutation, allowing an external API client to remove
                   custom user profile field values when updating a target user's profile.

                   Also available in 17.2 and later releases.

    TL-35908       Added support to the performance activity redisplay element for redisplaying
                   elements in previous sections of the same performance activity

    TL-35942       Added ability to change external API debug level setting per API client

                   Each API client can now have its own debug level setting.

                   Also available in 17.2 and later releases.

    TL-35947       Added job assignments to core_user type for the external API

                   Also available in 17.3 and later releases.

    TL-36067       Replaced the manage program header with Vue componentry

    TL-36134       Added support for tenant isolation to job assignments external API

                   Also available in 17.3 and later releases.

    TL-36137       Added a description to the 'Enable comments' setting under 'Shared services
                   settings'

                   Also available in 17.3 and later releases.

    TL-36154       Improved the performance of pluginfile.php

                   This is achieved by responding to HTTP HEAD requests more efficiently, and
                   detecting when file data doesn't exist.

                   Also available in 17.3 and later releases.

    TL-36179       Improved error handling on tenant participant report page when opening the
                   report without the required parameter

                   Also available in 17.3 and later releases.

    TL-36187       Added support for additional languages to LinkedIn Learning

                   Also available in 17.3 and later releases.

    TL-36196       Cherry-picked MDL-64454: Admin screen should show warning if cron does not run
                   frequently

                   A new config option has been added to specify a maximum time elapsed since last
                   cron run before showing the warning about running the cron on the admin pages.
                   Previously it would show after 24 hours; this allows for more regular checks.
                   Default setting is 200 seconds.

                   Also available in 17.3 and later releases.

    TL-36208       Added CLI script that allows plugins to be programmatically uninstalled

                   A new CLI script has been added at server/admin/cli/uninstall_plugins.php

                   It can be used to programmatically run the uninstall routines for plugins. It
                   also can list plugins, including missing plugins which have been previously
                   installed, but which no longer have code in place.

                   Also available in 17.3 and later releases.

    TL-36217       Added a new event that is triggered when an admin uses the database search and
                   replace tool

                   Port of MDL-68193 / MDL-68276 to provide an audit trail when values are replaced
                   in the database.

                   Also available in 17.3 and later releases.

    TL-36327       Improved the gap between course multi-select custom fields

                   Also available in 17.4 and later releases.

    TL-36347       Improved alignment for text in answers for the Lesson activity

                   Also available in 17.8 and later releases.

    TL-36475       Improved the description for the seminar 'One email per day' setting

                   The description of the setting has been improved to indicate that it only
                   relates to legacy seminar notifications, and describes how attachments are sent
                   when using centralised notifications. The setting is now hidden when legacy
                   seminar notifications are disabled.

                   Also available in 17.7 and later releases.

    TL-36542       Changed featured links to use editor instead of plain text

    TL-36552       Added middle location option for featured links headings

                   Featured links now include the option to vertically align content to the middle
                   of the tile.

    TL-36559       Added full width (no page margins) option for featured links sizing at block
                   level

    TL-36641       Added setting to allow automatic redirection from login page to a selected
                   authentication provider

                   A new 'Automatic single sign-on redirect' setting has been added to the 'Manage
                   authentication' settings page. When a provider is selected, users will
                   automatically be redirected to the selected provider when accessing the login
                   page. The redirect can be avoided by adding 'nossoautoredirect=1' to the URL.
                   This setting has priority over any similar functionality provided by individual
                   authentication plugins.

    TL-36700       Added a setting to disable enforced visibility checks in certain report sources

                   The following reports automatically apply visibility checks for courses:
                   * Course completion
                   * Course completion including history
                   * Course membership
                   * Seminar events
                   * Seminar sign-ups
                   * Seminar sign-in sheet
                   * Seminar sessions

                   Previously it was not possible to deactivate those visibility checks and make
                   full use of the existing content restrictions. We have now introduced a new
                   setting in the 'General' tab of these reports which allows admins to disable the
                   checks if required. Default behaviour for these report sources is unchanged.

                   In addition we added the ability to use the 'Enforce sitewide visibility
                   restrictions' content restriction for the following report sources:
                   * Record of learning: certifications
                   * Seminar asset assignments
                   * Seminar facilitators assignments
                   * Seminar room assignments
                   * Seminar interest

                   Also available in 17.10 and later releases.

    TL-36774       Added placeholders for the currently logged-in user to the featured links block

                   This adds a new placeholder provider to allow user placeholders like
                   `[user:full_name]` to be added to the descriptions of featured link tiles when
                   using the Weka editor.

    TL-36824       Improved the help text for the seminar direct enrolment automatic signup
                   setting

                   Also available in 17.8 and later releases.

    TL-37065       Updated program and certification extension request notifications to use
                   centralised notifications

    TL-37187       Updated course save to turn on editing mode by default if the user has
                   sufficient permissions

                   When a user saves a course, they will automatically have editing mode switched
                   on when being redirected to the sections and activities page.

    TL-37260       Added requirements for Totara 18 to the environments checks page and readme file

    TL-37282       Added empty state for pie charts

                   Empty states have been added for pie, doughnut and progress charts for report
                   builder to remove unnecessary whitespace and tidy up the page.

    TL-37311       Set up the 'Facilitator sessions details changed' trigger to activate when there
                   is a change in the room

                   Whenever a room changes in the session, you will receive a notification called
                   'Facilitator sessions details changed'. Additionally, the title of the
                   notification resolver has been changed from 'Facilitator sessions date/time
                   changed' to 'Facilitator sessions details changed' to make it more suitable for
                   all session changes.

    TL-37383       The quiz navigation block now appears above the page content when no block
                   regions are available

                   Previously when a course format or theme did not support blocks a user could not
                   jump around between questions easily. Now the quiz will have the equivalent
                   navigation displayed above the question that the learner is currently viewing.

    TL-37438       Added option to unset the 'force password change' flag to bulk user actions

                   It is now possible to run a bulk user action to remove the 'force password change'
                   flag from a large number of users at the same time.

    TL-37493       Improved the responsiveness of learning plan page content

                   Also available in 17.8 and later releases.

    TL-37525       Added support for PostgreSQL 15

    TL-37527       Added support for MariaDB 10.11

    TL-37587       Added new 'Display link' option in URL and File course resources

                   A new 'Display link' setting has been added to the URL and File course resources
                   and is available in these resources by default. When enabled in a URL or File
                   resource, clicking the resource will show a page containing a link to the URL or
                   file. When clicked, the URL or file will be opened in the current page. When the
                   course format is set to Pathway, only the Link and Embed options can be used.

    TL-37623       Added more specific information to course completion log

                   In the completion log, added text to indicate which function was responsible for
                   the call to completion_completion::_save.

                   Also available in 17.8 and later releases.

    TL-37640       Added exclude_courses hook to the Current learning block

                   The new hook on the Current learning block gives third-party components the
                   ability to exclude specific courses from appearing in the Current learning block.
                   In addition the exclude courses argument on the Last course accessed block has
                   been updated to be passed by reference.

    TL-37650       Refined the naming conventions for tenant pages to ensure consistency with our
                   help documentation

                   This improvement aims to make it easier for users to locate the information they
                   need and navigate through the system effortlessly.

    TL-37651       Modify auto-guest login behaviour to only occur on courses with guest access
                   enabled

                   Previously it was possible to configure site-wide guest access such that a user
                   would be enrolled as a guest when visiting a course that didn't have guest access
                   enabled. This would then lead to an error and prevent them from being directed to
                   login. Now in the same situation the user will only be auto logged in as a guest
                   if the course they are visiting has guest enrolment enabled.

    TL-37655       Hide Feedback preview mode control to avoid non-submissions

                   User feedback pointed out that users were able to mistakenly view a Feedback
                   preview, thinking their feedback was being submitted. The user control for this
                   has been visually hidden, but the functionality still remains.

    TL-37656       Added small visual improvements to Quiz module question and control display

                   Display of images inserted into Quiz module questions and minor spacing changes
                   have been made to make minor visual alignment and readability improvements.

    TL-37693       Improved the edit behaviour of multi-choice questions when there are already
                   answers submitted

                   When a user tries to update the values of a 'Multi-choice' or 'Multi-choice
                   (rated)' question, the warning banner will be displayed and warns the user of
                   potential data corruption or data loss.

                   Also available in 17.12 and later releases.

    TL-37694       Rearranged user report output so that session can be closed before report data is
                   fetched and displayed

                   Report builder now closes the user session before fetching user report data,
                   meaning that long-running reports no longer prevent a user from carrying out other
                   actions in the system.

                   Also available in 17.12 and later releases.

    TL-37729       It is now possible to grant the 'log in as' capability to Tenant Domain Managers

    TL-37752       Restricted access to the Feedback module's preview feature to roles capable of
                   editing the module

    TL-37854       Added language string support for section and field labels in approval workflow
                   forms

    TL-37870       Updated environment checks for PHP Just-In-Time opcache compilation

                   Totara currently does not support PHP with Just-In-Time compilation enabled. This
                   change adds a check to both the install/upgrade environments check, and the
                   internal environments check page.

                   Also available in 17.11 and later releases.

    TL-37883       Added a lozenge on edit report page for tenant reports

                   Added a lozenge on tenant reports in edit report page to indicate that it is a
                   tenant report.

    TL-38055       Added description field to approval workflow forms

    TL-38065       Cleaned up the approval workflow class to allow for easier extendability

    TL-38075       Moved feature text to below title in catalogue

    TL-38093       Changed default event filter when learner views a seminar

                   When learners navigate to a seminar, if they have upcoming booked events then the
                   'Booked' filter will automatically be applied. If they have no upcoming booked
                   events, or they navigate to the seminar by clicking 'All events', then the
                   'Booked' filter will not be applied.

    TL-38112       Warning added for the minor versions of MariaDB (10.7, 10.8, 10.9 and 10.10) that
                   are not supported

                   Also available in 17.12 and later releases.

    TL-38145       Swapped user menu language list for a language preferences link

                   In the user menu we no longer have quick-switching of languages available.
                   Instead, there is now a link to the user language preferences page. As changing
                   languages is usually fairly infrequent, this should declutter the menu.

    TL-38156       Removed dashed separator and find workspace link from workspace sidebar

    TL-38206       Added hook to base event class

                   A new hook has been added to the base event class to allow watchers to modify
                   event content.

    TL-38207       Added report log hook for modification of user's full name

    TL-38222       Added lang string support for the content of the help icons in approval workflows

    TL-38235       Added multitenancy support to the course completion report source

    TL-38397       Improved error messages when notifications scheduled tasks encounter errors

                   Also available in 17.12 and later releases.

    TL-38409       Renamed centralised notifications scheduled tasks to make them easier to
                   understand

                   Also available in 17.12 and later releases.

    TL-38445       Page layouts no longer display the breadcrumbs bar when the theme "nonavbar" is
                   set to true

    TL-38734       Prevented notification processing warnings if the event context they relate to no
                   longer exists

                   Also available in 17.13 and later releases.

    TL-38767       Prevent users from running more than one report simultaneously

                   Recently we introduced a change which allows a user to continue using the site
                   while a report loads in another tab/window. This inadvertently allowed a user to
                   run more than one report at once. With this change, only one user report or report
                   export (user or embedded) can be run at once. Viewing embedded reports are
                   excluded, so that pages which render embedded reports will continue to work as
                   normal.

                   Also available in 17.13 and later releases.

    TL-38897       Improved warning message in the performance tab of reports when caching is not
                   available

                   Also available in 17.13 and later releases.

Accessibility improvements:

    TL-28041       Updated focus styles to meet future accessibility requirements

                   Focus rings are now 2px thick and solid instead of dashed. Now that :focus-visible
                   is supported by all of our supported browsers, we have also made use of it where
                   possible, in order to only show the focus ring when navigating by keyboard.

    TL-37400       Notification content in the list of received notifications is now accessible via
                   keyboard

Bug fixes:

    TL-23403       Fixed modals closing when you click and drag from the inside to the outside

    TL-36934       Fixed the full text search for MySQL binary mode to prevent wildcard character
                   errors

                   Also available in 17.13 and later releases.

    TL-37199       Fixed course completion historic grades corrupted by course changes

                   When changing course grades, historic course completions are affected and the
                   'Grade at time of completion' column in reports does not reflect the right
                   information as the grade is taken from the current information stored in the grade
                   tables for the course and not the information at the time the historic record was
                   created.

                   To fix that, we have included two more fields in the course_completion_history
                   database table to fill accordingly when this happens. The new report builder
                   column 'Grade at time of completion' will now display the value calculated using
                   the course grade minimum and maximum that were set at the time the grade was
                   achieved.

                   On upgrade, all records of prior learning will be updated to include the current
                   course min and max grade. If the course max or min grade has changed since the
                   completion records were added then they may appear to have a different 'Grade at
                   time of completion' compared to what they originally had. This can be corrected
                   manually by using the completion editor and setting the course grade min and max
                   that were present at the time the grade was achieved.

                   When resetting and therefore archiving all completion records any record with
                   values in the rplgrade database column was not properly transformed to decimal
                   values usually stored in the course_completion_history table. This has also been
                   addressed with this patch.

                   Changes introduced with this fix:
                   * Added new fields grademax and grademin to the course_completion_history DB
                     table.
                   * Added new fields "Maximum Grade" and "Minimum Grade" to be filled when creating
                     or editing historic course completions in the completion editor.
                   * The "Grade at completion" report builder column has been renamed to "Grade based
                     on current course" in the course completion reports.
                   * A new "Grade at time of completion" report builder column has been added to the
                     course completion reports and its value is calculated based on min/max grade at
                     the time of completion for historic records and current completion records
                     deemed as completed by the user. This column replaces the renamed default column
                     "Grade at completion" for reports based on the "Course Completion Including
                     History" or "Record of Learning: Previous Course Completions" report sources.

    TL-37205       Fixed the UTF-8 encoding of embedded calendar blocks in emails for foreign
                   characters

                   Also available in 17.13 and later releases.

    TL-37292       Removed confusing help text from the Virtual Meeting Provider Connect button

                   Also available in 17.13 and later releases.

    TL-37324       Fixed featured link heading levels and sizes

    TL-37602       Created correct supersede submission after rejecting approval workflow application

                   Also available in 17.13 and later releases.

    TL-37645       Fixed incorrect path in eslintignore file

    TL-37683       Fixed visibility map query causing database crash on MariaDB 10.8

                   Only on MariaDB 10.8 the visibility map query causes the database to crash. This
                   has been addressed now.

                   Also available in 17.13 and later releases.

    TL-37757       Removed broken help links from the course activity selector

    TL-37808       Fixed the alignment of popups in reports grid

    TL-37812       Event custom field URLs are no longer double-escaped in notifications

    TL-37841       Prevent infinite redirect when receiving Oauth2 errors and admin setting
                   'loginpageredirect' is enabled

                   In some situations, instead of displaying an OAuth2 authentication error users
                   could end up in an infinite loop of redirects if the site has enabled the admin
                   setting 'loginpageredirect' and set it to use the OAuth2 provider.

    TL-37984       Updated event log description for tenant reports

    TL-38021       Fixed find learning popup escaping bounds of item grid

    TL-38098       Added a legacy Moodle constant back into Totara, so the Big Blue Button plugin can
                   still operate

                   Also available in 17.13 and later releases.

    TL-38233       Deprecated \core_component::get_component_classes_in_namespace()

                   This method has a big performance impact and should not be used anymore.
                   \core_component::get_namespace_classes() can be used instead. All existing usages
                   have been replaced with calls to \core_component::get_namespace_classes() and
                   tests added to make sure both return the same result.

    TL-38570       Fixed User profile hover style

    TL-38626       Updated LTI OAuth provider URL

                   The previous server reference for the LTI OAuth provider was not working when a
                   reverse proxy was set. This change updates the URL to reference $FULLME, rather
                   than the $_SERVER vars

    TL-38653       Ensured content marketplace course activity visible if
                   completed_initial_sync_learning_asset was failed to set

                   LinkedIn Learning's initial sync task should set the
                   completed_initial_sync_learning_asset flag to true. If the initial process is
                   interrupted LinkedIn Learning courses can be used but they are not available in
                   the list when adding activities to an existing course. After the patch, you can
                   add available courses as activities even if the initial sync task has not finished
                   successfully.

                   Also available in 17.13 and later releases.

    TL-38670       Restored missing headings in the external API documentation

                   Also available in 17.13 and later releases.

    TL-38704       Removed the ability to select a system user using the user_reference_record class
                   as a tenant API user

                   As part of this change, the behaviour of user_record_reference::get_record()
                   (released in Totara 17) will no longer check the acting user's ability to see the
                   target user. Please use user_record_reference::load_for_viewer() in custom GraphQL
                   resolvers instead.

                   Also available in 17.13 and later releases.

    TL-38788       Improved display of the review options section when editing a quiz's settings

    TL-38829       Added language strings for machine learning, JSON editor and multi-factor
                   authentication on the plugins page

                   Also available in 17.13 and later releases.

    TL-38938       Session language is reset when the user changes their language preference

                   In some situations a language preference may be persisted to session. When a user
                   changes their preferred language, previously Totara would not reset the session
                   language, so the new language would not kick in until the user logged out and
                   logged back in. With this fix, changing the preferred language option should
                   immediately work for a user.

    TL-38955       Added title to reports pages when accessed by users who do not have access to it
                   via the admin tree

    TL-39064       Prevented user list queries being triggered on initial load on the performance
                   activity participant select page

                   Previously, each user selector on the participant selection page for performance
                   activities triggered a GraphQL query on page load to fetch the initial set of
                   users. The more activities are listed on the page the longer it took for all
                   initial queries to finish. During this time the user could not search in any of
                   the user selectors. This patch ensures that GraphQL queries are only triggered
                   when interacting with a user selector.

                   Also available in 17.13 and later releases.

    TL-39104       Fixed the environment check for Totara 18 and MariaDB reporting incorrect
                   incompatible versions

                   Also available in 17.13 and later releases.

Database upgrades:

    TL-36237       Introduced index for suspended column on user table

                   Also available in 17.3 and later releases.

    TL-36808       Allow memoization for Postgres 14.2 and above.

                   PostgreSQL 14 introduced memoization as a feature that can improve performance.
                   However with PostgreSQL versions 14.0 or 14.1 it would cause several Totara
                   queries to return incorrect results. Because of this a requirement was added for
                   PostgreSQL 14 that the enable_memoize flag be set to off. This has been fixed from
                   PostgreSQL 14.2. With this patch in place the enable_memoize=off setting is only
                   required if you're using PostgreSQL 14.0 or 14.1.

                   Also available in 17.7 and later releases.

Technical changes:

    TL-35168       Added new after_require_login and after_config hooks

                   There is a new hook at the end of the require_login() function
                   'after_require_login' that can be used to customise the function. There is also a
                   new 'after_config' hook at the end of setup.php allowing customisations to be run
                   as soon as possible after the config has been loaded.

                   Also available in 17.3 and later releases.

    TL-35277       Remove unnecessary core component check in api builds

                   Previously there was a check that the core component was included in the list of
                   components on the front end. However the backend ensures the core component is
                   always included, so it was unnecessary.

                   Also available in 17.1 and later releases.

    TL-35315       Added custom field type property to core_user.custom_fields object

                   Also available in 17.3 and later releases.

    TL-36039       Support for IE-specific JS and CSS builds and polyfills have been removed

                   With partner consultation, we made the decision [to drop support for IE 11 in
                   Totara 17](https://totara.community/mod/forum/discuss.php?d=26053). While Totara
                   17 does not support IE 11, the supporting build tooling and JavaScript polyfills
                   were still present.
                   In line with our announced plan, these were removed in Totara 18. See the
                   [end-user system requirements](https://totara.help/docs/end-user-system-requirements)
                   documentation for all supported browser versions.

    TL-36210       Redis cache store can now compress data before storage

                   The Redis cache store now has a compression setting that allows a site to
                   configure a Redis cache store to compress data before it is sent for storage. The
                   options available are no compression, gzip compression, and zstandard compression
                   (providing zstandard is available).

                   Also available in 17.3 and later releases.

    TL-36274       The Redis5 session handler now supports connecting via TLS

                   Also available in 17.6 and later releases.

    TL-36403       Added 'mobile_coursecompat' property to the catalog_item GraphQL type, so it could
                   be used in the mobile_findlearning_view_catalog GraphQL query

                   Also available in 17.7 and later releases.

    TL-36430       Added a new hook 'auth_enable' to allow watchers to interrupt the enabling of a
                   specific auth plugin

                   Added a new core hook which can be used by third-party plugins to prevent specific
                   authentication plugins from being enabled, and optionally provide a reason which
                   will be displayed to the user if they try to enable one.

                   Also available in 17.4 and later releases.

    TL-36652       Added new /api/pluginfile.php endpoint for downloading files via external API

    TL-36727       Added a method to the flavour helper class to detect if the table belongs to the
                   specified flavour

    TL-36840       Added require_plugin_enabled middleware that checks if the specified plugin is
                   enabled

    TL-36845       Allowed flex_icons to be instantiated without checking they are valid

                   Previously, when a flex_icon was instantiated, it was checked to make sure it
                   existed. To do this, the theme had to be initialised. To avoid this, it is now
                   possible to specify that the check should be skipped.

                   Also available in 17.6 and later releases.

    TL-36878       Added hooks for setting page layout, modifying header, modifying footer

                   Added 3 new hooks to modify page output:
                   * The 'set_page_layout' hook allows modifications to the page layout
                   * The 'modify_header' hook allows modifications to the HTML header
                   * The 'modify_footer' hook allows modifications to the HTML footer

    TL-36882       Updated page_requirements_manager to support more detailed tracking of
                   requirements

                   The page_requirements_manager now tracks page-specific requirements separately
                   from system-level requirements, in order to better support modernisation of the
                   UI. If you have extended page_requirements_manager, you may need to update your
                   code.

    TL-36889       Added new hook triggered when 'setup_blocks()' is called

                   This hook will allow a single place for additional course formats to set the page
                   layout, this should only ever be called once in the page setup.

    TL-36905       Added visible field to course activities and modules GraphQL types

    TL-36921       Added a new hook 'activity_enable' to allow watchers to interrupt the enabling of
                   a specific activity module

                   Added a new core hook which can be used by third-party plugins to prevent specific
                   activity modules from being enabled, and optionally provide a reason which will be
                   displayed to the user if they try to enable one. Note that this will not disable
                   the plugin if it is enabled, but it will prevent it from being enabled if
                   currently disabled.

    TL-36922       Added a new hook 'format_enable' to allow watchers to interrupt the enabling of a
                   specific course format plugin

                   Added a new core hook which can be used by third-party plugins to prevent specific
                   course format plugins from being enabled, and optionally provide a reason which
                   will be displayed to the user if they try to enable one. Note that this will not
                   disable the plugin if it is enabled, but it will prevent it from being enabled if
                   currently disabled.

    TL-37278       Added a hook to allow course formats to control which activities can be added

                   This hook is currently used by the new pathway format to limit the options when
                   adding activities to a course, the limitations are:
                   * Wiki
                   * Book
                   * Folder
                   * Data
                   * Label

    TL-37452       Legacy action menus are initialised at the time they are added to the DOM

    TL-37613       Modernised the back-end code for programs

                   * TL-35960 - Cleaned up old deprecated code in the program code
                   * TL-35966 - Moved old program classes into new auto-loaded namespaces. The
                     classes in the following program files classes are no longer being used and have
                     been deprecated, please refer to the programs upgrade.txt for a more detailed
                     list of class names and suggested alternatives:
                     - program.class.php
                     - program_content.class.php
                     - program_courseset.class.php
                     - program_user_assignment.class.php
                     - program_assignments.class.php
                     - program_exception.class.php
                     - program_exceptions.class.php
                     - program_message.class.php,
                     - program_messages.class.php
                   * TL-36875, TL-36838 - Further modernisation improvements to the newly namespaced
                     classes, including:
                     - Additional docblocks
                     - Additional parameter type hinting
                     - Additional return type hinting
                   * TL-35984, TL-36019, TL-36020 - Added entity and repository classes for core
                     program tables, covering:
                     - Programs (ttr_prog)
                     - Group assignments (ttr_prog_assignment)
                     - User assignments (ttr_prog_user_assignment)
                     - Future user assignments (prog_future_user_assignment)
                     - Exceptions (ttr_prog_exception)
                     - Extension requests (ttr_prog_extension)
                     - Completions (ttr_prog_completion)
                     - Course sets (ttr_prog_courseset)
                     - Course set courses (prog_courseset_course)
                     - Recurrence settings (prog_recurrence)

    TL-37664       Added reset_theme_and_output hook

    TL-38113       Upgraded PHPUnit to 9.6.11 and Paratest to 6.8.1 and added tool to generate
                   coverage map

                   The CLI tool "test/phpunit/generate-coverage.map.php" has been added.
                   It enables developers to update the phpunit.xml file, adding the files/directories
                   which should be included/excluded for code coverage generation. The tool comes
                   with a --help option.

    TL-38126       PHPUnit test file and class names now conform to a new standard

                   PHPUnit test files must now conform to the following standard:
                   * Test file names must end with "_test.php"
                   * Test class names must be "_" (which always ends in _test)
                   * Test files can only contain a single test class
                   * Namespaces are not allowed in test files
                   * advanced_testcase and basic_testcase can no longer be used

                   Future improvements will see namespacing allowed providing it follows a
                   standardised pattern, and will see autoloading improved so that in the future we
                   can look to migrate to PHPUnit 10.

                   Only standard core plugins _must_ conform to these standards, but other plugins
                   _should_ conform.

                   Also available in 17.11 and later releases.

    TL-38154       Added PHPUnit commands in test/phpunit/phpunit.php to run code coverage more
                   easily

    TL-38200       Database module static caching is reset during unit tests

                   Also available in 17.11 and later releases.

    TL-38634       Updated the unserialize array function to support some extra characters

                   This updates the unserialize_array() function moodlelib, allowing support for
                   characters like semi-colons.

                   Also available in 17.12 and later releases.

Tui front end framework:

    TL-34425       The filters icon was removed from FilterBar

    TL-34732       Added new AdvancedSelect component for the SelectTable component to provide a
                   consistent UI for customisable bulk selections

    TL-35991       Created new core component InputGroup to handle multiple use cases for password
                   input field

                   Also available in 17.3 and later releases.

    TL-36239       Fixed audience adder being cut off in Safari 13.1

                   Also available in 17.3 and later releases.

    TL-36251       Fixed issue where buttons in dropdowns would not get separators applied

                   Also available in 17.3 and later releases.

    TL-36379       Added a course adder Tui component

                   This is designed to be used by Tui components to find courses and return them back
                   to the calling component.

    TL-36495       Fixed display issue in the tree component where siblings sometimes looked like
                   child nodes

                   Also available in 17.5 and later releases.

    TL-36697       FilterBar component now uses the button component for the reset button

                   Previously the reset button was a ButtonIcon component.

    TL-36713       A `copyText` clipboard helper is now available in `tui/dom/clipboard`

    TL-36714       Improved sizing of InputGroup

                   InputGroupInput is now sized correctly when the type prop is not supplied, and
                   InputGroup now supports the char-length prop.

                   Also available in 17.5 and later releases.

    TL-36804       Fixed double scroll bar on adder core component.

                   Also available in 17.9 and later releases.

    TL-36805       Added ability to add indicator icons to tabs

    TL-36843       Fixed InputSetCol sometimes being sized inconsistently

    TL-36965       Updated the Tag component to include various new properties

                   * bold: A boolean which sets the font weight of the main text to bold
                   * label: A string for providing a label text in addition to the main text
                   * large: A boolean that increases the text size, padding, and border radius of the
                     tag
                   * noBorder: A boolean that removes the border from the tag

                   These changes were made to accommodate the features in TL-36966.

    TL-37404       Added hidden state to ProgressTrackerNavCircleWorkflow.vue

    TL-37434       Aligned collapsible chevron to the top of collapsible components

    TL-37470       Confirmation modals can no longer be dismissed while the action is executing

    TL-37609       Refactored Tui Grid gutter handling to allow custom 2-d values

                   Before this change, Grid component gutters accepted a single gutter size, although
                   based on a CSS variable, the single usage limited all Grids to have the same
                   gutter sizing regardless of their placement on the page, e.g. Page layout or
                   deeply nested.
                   This change refactors both vertical and horizontal gutters so that different
                   values can be used for each axis, per-Grid. The Tui Samples page demonstrates the
                   changes available via new props.

    TL-38210       Added a large variant to inputs

    TL-38438       Added lint warning for $str / getString usages that cannot be automatically
                   replaced

    TL-38470       Added a new "drawer" style modal

Recommendations engine:

    TL-37444       Upgraded the requests library to version 2.26.0

                   Also available in 17.8 and later releases.

Library updates:

    TL-35875       Upgraded the library Video.js to version 7.21.1

                   Fixes CVE-2022-39353

                   Also available in 17.4 and later releases.

    TL-37326       Updated the nyholm/psr7 library to version 1.6.1

                   Fixes CVE-2023-29197

                   Also available in 17.7 and later releases.

    TL-37450       Updated the tcpdf library to version 6.6.2

                   With this change the ability to generate a QR code via the pdf library is now
                   possible, by calling pdf::qr.

    TL-37451       Added the Constant Time Encoding library

                   The Constant Time Encoding library has been included and the base32 encode/decode
                   functions are now available.

Contributions:

    * James Tombs at Think Learning - TL-36597
    * Michael Trio at Kineo USA - TL-34242
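
TL-36641 in the notes above says the automatic single sign-on redirect can be avoided by adding 'nossoautoredirect=1' to the URL, so requests that carry that parameter are worth auditing on sites that rely on the redirect. The following is an added example, not part of the original post or of Totara's code: a Python audit of web access logs that decodes the query string properly instead of grepping for a substring. Assumptions: the login page is served at /login/index.php, logs are in Common/Combined Log Format, and because the notes do not say how values other than 1 are treated, those are reported separately for review.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

BYPASS_PARAM = "nossoautoredirect"       # parameter name from the release note
LOGIN_SUFFIXES = ("/login/index.php", "/login/")  # assumption: login page location

# Prefix of Common/Combined Log Format: ip, ident, user, [time], "METHOD target proto", status, bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_login_path(path):
    """True when the decoded, slash-collapsed path ends at the login page."""
    clean = re.sub(r"/+", "/", unquote(path))
    return clean.endswith(LOGIN_SUFFIXES)


def audit(lines):
    """Return (findings, skipped).

    findings maps client IP -> {
        "documented":   requests to the login page with nossoautoredirect=1,
        "other_values": other values seen for the parameter (needs review),
        "local_posts":  POSTs to the login page from an IP already seen using the
                        parameter, i.e. a login form submission instead of SSO.
    }
    skipped counts lines that could not be parsed.
    """
    findings, skipped = {}, 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            parts = urlsplit(m["target"])
        except ValueError:               # malformed request target
            skipped += 1
            continue
        if not is_login_path(parts.path):
            continue
        # parse_qs percent-decodes names and values, so nossoauto%72edirect=%31
        # is recognised while xnossoautoredirect=1 is not.
        values = parse_qs(parts.query, keep_blank_values=True).get(BYPASS_PARAM)
        ip = m["ip"]
        if values is not None:
            rec = findings.setdefault(
                ip, {"documented": 0, "other_values": set(), "local_posts": 0}
            )
            for value in values:
                if value == "1":
                    rec["documented"] += 1
                else:
                    rec["other_values"].add(value)
        if m["method"] == "POST" and ip in findings:
            findings[ip]["local_posts"] += 1
    return findings, skipped


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Nov/2023:09:00:01 +0000] "GET /login/index.php HTTP/1.1" 303 512
192.0.2.10 - - [28/Nov/2023:09:00:02 +0000] "GET /dashboard/ HTTP/1.1" 200 9001
198.51.100.7 - - [28/Nov/2023:09:05:10 +0000] "GET /login/index.php?nossoautoredirect=1 HTTP/1.1" 200 4410
198.51.100.7 - - [28/Nov/2023:09:05:31 +0000] "POST /login/index.php HTTP/1.1" 303 480
203.0.113.5 - - [28/Nov/2023:09:07:00 +0000] "GET /login/index.php?lang=en&nossoauto%72edirect=%31 HTTP/1.1" 200 4410
203.0.113.9 - - [28/Nov/2023:09:08:00 +0000] "GET /course/view.php?id=3&xnossoautoredirect=1 HTTP/1.1" 200 812
203.0.113.9 - - [28/Nov/2023:09:08:05 +0000] "GET /login/index.php?nossoautoredirect=0 HTTP/1.1" 303 512
this line is not an access log entry
"""

if __name__ == "__main__":
    results, unparsed = audit(SAMPLE_LOG.splitlines())
    for client, rec in sorted(results.items()):
        print(client, rec)
    print("unparsed lines:", unparsed)
```
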


David Curry (Core Developer)
Re: Totara TXP 18.0 is now available
by David Curry (Core Developer), Monday 27 November 2023, 19:52
Group Totara
Update: A small but fatal issue has been identified in a front page block. This release is still great to have a look around, but please hold off fully upgrading until 18.0.1, which will be coming very soon.
Sam Hemelryk
Re: Totara TXP 18.0 is now available
by Sam Hemelryk, Monday 27 November 2023, 22:35
Group Totara

Hello everyone,

Totara TXP 18.0.1 has been made available.

It contains a single bug fix for TL-39152.

Fixed missing requires in the "Upcoming certifications" and "Program completions" blocks

The issue arose when attempting to view a dashboard that contained the Totara Certification block or the Totara Program Completion block, but did not contain any other program or certification blocks.
When encountered, the dashboard would fail to load and a fatal error would be generated.

This has now been fixed.

Kind regards
Sam Hemelryk


(Edited by Fabian Derschatta - original submission Tuesday, 28 November 2023, 7:35 PM)

Chris Snyder
Re: Totara TXP 18.0 is now available
by Chris Snyder, Monday 27 November 2023, 20:19
Group Totara

Totara TXP 18 Technical Release Notes

A change management guide for Totara developers and implementers, also in the distribution at ./release_notes.md

System requirements

  • PHP
    PHP 8.1 is now the recommended version.

  • MariaDB
    MariaDB 10.7 and 10.8 are no longer supported
    Added support for MariaDB 10.11
    Note 1: For MariaDB 10.6 onwards, innodb_read_only_compressed setting must be off.
    Note 2: MariaDB 10.9 and 10.10 were never supported

  • MySQL - No change

  • PostgreSQL
    PostgreSQL 10 is no longer supported
    Added support for PostgreSQL 15
    Note: For PostgreSQL 14.0 and 14.1, the enable_memoize setting must be off

  • MSSQL - No change

  • Python (for Machine Learning Service) - No change

  • Node.js - No change

  • Web browsers
    Safari support now limited to "the last two major versions"

Breaking and important code changes

Core

The auth_plugin_base now has a support_mfa() method that auth plugins should override when/if they support the new login flow with MFA. Additionally, complete_user_login() now has two optional arguments to enable login flow with MFA:

  * $complete_login_callback Callable function executed after MFA verification has passed.
  * $persistent_login If true, MFA check is skipped

Storage of requirements in the page_requirements_manager class has changed. In order to support separation of page-specific requirements from system-level requirements, it now tracks things such as JS to load on the page using a separate tracker class instead of plain arrays. If you have extended page_requirements_manager, you may need to update your code.

A specific course can be set on the remove_modules_hook hook, allowing watchers to discover the course format, among other things.

Login screens have been updated to use Tui components, and to only render signup container when either instructions or identity providers are provided. The old login screen is still available, but deprecated. You can revert to it by setting $CFG->enable_legacy_login = true; in config.php.

Added static method qr() to pdf allowing a base64-formatted QR code to be generated.

Ventura / default theme

A large number of changes have been made to legacy component styles to make them consistent with Tui components. For a detailed list of changes, see server/theme/legacy/upgrade.txt, as well as upgrade.txt for theme_basis and theme_roots.

Message

To mitigate the risk of denial of service, changes have been made to the external function 'core_message_data_for_messagearea_search_users' regarding the validation of the 'limitnum' parameter:

  - The maximum possible value for the parameter is set to a default of 20, but can be overridden by setting a different value in config.php for $CFG->message_area_search_max_limitnum. Please make use of this if you need to call this external function with a 'limitnum' parameter greater than 20.
  - A value of integer zero (the default when the parameter was omitted) will not return unlimited results anymore. It will return up to the configured maximum amount.
  - A Null value, negative value, or a value above the configured maximum amount will lead to an error.

Perform

Added a new field 'progress_updated_at' to the table 'perform_participant_section'. This is for tracking the time of the section's last progression.

Added element_plugin::get_permissions(), for getting permission information specific to an element plugin.

Added section_element_response::permissions property, for passing on permission information specific to the element plugin along with response data.

Redisplay elements can now be configured to redisplay responses from elements in the same activity instance (instead of previous instances from the same activity). For this, an input parameter same_subject_instance was added to the GraphQL type subject_instance_previous_responses_input.

Programs

The core PHP classes that drive Totara Programs have been refactored to use namespaces, and the original classes have been deprecated. See the Deprecations section or server/totara/program/upgrade.txt for more information.

The 'enablelegacyprogramassignments' setting and the legacy program assignment code, which was deprecated in Totara 17.1, have been removed. This includes:

  • Function display_edit_assignment_form()
  • File program_assignment.js

Any sites with custom code that rely on either of these will need to be updated.

A modern interface for program course-set management has been introduced. It does not support competency course-sets or recurring courses; the 'Enable legacy program content' setting can be used to restore the legacy interface.

Quiz module

The quiz module has been updated to render the navigation block as part of page content when there are no available block regions on the page, as is the case with Pathway format.

Totara completion editor

Added new fields "Maximum Grade" and "Minimum Grade" to be filled when creating or editing historic course completions in the completion editor, in order to properly scale percentage grades as the course changes over time.

GraphQL APIs

Instantiation of the handle_request_pre_hook and handle_request_post_hook now requires the \totara_webapi\server instance to be passed as a third parameter. This is not a breaking change for hook watchers.

When resolving a user reference input, to load a target user for an external API operation, user_record_reference::get_record() does not check whether the acting user has capability to view the target user anymore. If you have custom GraphQL resolvers that load a user_record_reference, please use user_record_reference::load_for_viewer() instead.

AJAX API GraphQL query session closing

The behaviour of the internal AJAX GraphQL API has changed, to allow more than one query at a time per user session. This is a breaking change if your site uses custom GraphQL queries which write to the user's session during processing. The result of calling an affected query will be that it returns a reopen_session_for_writing_exception exception, causing a dialog box to be displayed to the user. This is fixed by adding reopen_session_for_writing middleware to the affected query resolver; see the change log for TL-38114.

This optimisation can be disabled completely via config.php, by setting $CFG->graphqlsessionwritecloseenabled to false. This will revert to the previous behaviour, forcing one query to be executed at a time per user session.

Report Builder

Previously deprecated add_audiencevisibility_columns() methods have been undeprecated in the core_course and mod_facetoface required_columns traits.

Report builder has been updated to make it safe for tenant-level reporting. As a result, optional tenant-specific parameters have been added to a number of PHP and GraphQL APIs; see server/totara/reportbuilder/upgrade.txt for details.

New capabilities have been allowed on the existing Tenant Domain Manager role in order to support tenant reports:

  • totara/reportbuilder:managereports
  • totara/reportbuilder:overrideexportoptions

GraphQL API

Changes to external API

There are no breaking changes to the external API between Totara 17.0 and Totara 18.0.

For full documentation of the Totara 18.0 external API, see https://graphql-schema.totara.com/docs/totara-18.0.html

New capabilities added to the API User role archetype

The API User archetype and default role was introduced in Totara 17.0 to provide the full set of capabilities required to use any external API query or mutation. Any site using the API User role for this purpose will need to add new capabilities as they are added to the archetype, or create a new role from the API User archetype to use going forward.

  • enrol/manual:enrol
  • enrol/manual:unenrol
  • moodle/role:assign
  • moodle/cohort:manage
  • moodle/cohort:assign
  • moodle/cohort:view
  • moodle/course:view
  • moodle/course:enrolreview
  • moodle/course:viewhiddencourses

New external API queries & mutations

E-commerce enablement

The following have been added to support e-commerce integrations and other use cases.

Audiences API

  • core_cohort_static_cohorts
    List set audiences, can be filtered by tag
  • core_cohort_is_user_member
    Discover whether a user is a member of an audience
  • core_cohort_add_cohort_member (mutation)
    Add a user to a set audience
  • core_cohort_remove_cohort_member (mutation)
    Remove a user from a set audience

Course enrolment and completion info API

  • core_completion_get_course_completion
    Get course completion status information for a user
  • core_course_is_user_enrolled
    Discover whether a user is enrolled on a course (yes/no)
  • enrol_manual_enrol_user (mutation)
    Create a manual course enrolment for a user
  • enrol_manual_unenrol_user (mutation)
    Remove all of a user's manual enrolments on a course

Courses API

  • core_course_courses
    List courses, can be filtered by tag

Totara goals

The following have been added as part of the new Totara goals feature. Note that these do not provide access to legacy goals. Only personal goals are implemented.

  • perform_goal_view_goal
    Get goal details
  • perform_goal_user_goals
    List a user's personal goals
  • perform_goal_create_goal (mutation)
    Create a personal goal for a user
  • perform_goal_update_goal (mutation)
    Update the details of a personal goal
  • perform_goal_delete_goal (mutation)
    Delete a personal goal
  • perform_goal_update_progress (mutation)
    Update the status and/or progress of a personal goal

HR Services

The following queries have been added to expand the HR Services API.

  • core_user_user
    Returns details of a user.

  • totara_job_job_assignments
    Returns a paginated list of all job_assignments in the system.

IntelliBoard integration

The following have been added to support the third-party IntelliBoard learning analytics service. These endpoints are only available when the bi_intellidata plugin is enabled.

  • bi_intellidata_plugin_config
  • bi_intellidata_validate_credentials
  • bi_intellidata_export_logs
  • bi_intellidata_dbschema_unified
  • bi_intellidata_live_data
  • bi_intellidata_dbschema_custom
  • bi_intellidata_data_files
  • bi_intellidata_enable_processing (mutation)
  • bi_intellidata_export_data (mutation)
  • bi_intellidata_set_datatype (mutation)

Important changes to AJAX / Mobile APIs

  • The type resolver for the mod_perform_activity query now returns the global configuration values for the settings 'sync_participant_instance_creation' and 'sync_participant_instance_closure' when the activity setting 'override_global_participation_settings' is turned off. Before this change, it returned the activity-specific settings in this case.

  • The return type for the mod_perform_override_global_participation_settings mutation has been changed from Boolean to a new result type mod_perform_override_global_participation_settings_result that includes a list of the current settings.

New capabilities

Core capabilities

  • Manage SAML Configuration
    auth/ssosaml:manage
    Allows the user to configure the SAML authentication method.

  • Send a message to the support user from the error page
    moodle/site:senderrormessage
    Allows the user to use the 'Report error' form on the 404-Not-Found page.

  • View system status
    report/status:view
    Companion to report/performance:view and report/security:view, allows the user to view the system status report.

  • Manage User Actions
    totara/useraction:manage_actions
    Allows the user to create and manage scheduled user actions.

Notifications capabilities

  • Audit own notifications
    totara/notification:auditownnotifications
    Allows the user to view delivery information about notifications where they are the recipient.

Program capabilities

  • Clone Program
    totara/program:cloneprogram
    Allows the user to clone Totara programs.

H5P activity capabilities

  • See and interact with H5P activities
    mod/hvp:view
    Allows the user to view H5P activities in a course.

  • Create new H5P activities
    mod/hvp:addinstance
    Allows the user to create new H5P activities for a course.

  • Edit existing H5P activities
    mod/hvp:manage
    Allows the user to manage H5P course activities.

  • Share content on the H5P OER Hub
    mod/hvp:share
    Allows the user to share H5P activities with h5p.org. The H5P Open Educational Resources Hub is also known as the H5P Content Hub.

  • Download .h5p file when 'controlled by permission' option is set
    mod/hvp:getexport
    Downloading H5P activities can optionally be restricted to users with this capability.

  • View H5P embed code when 'controlled by permission' option is set
    mod/hvp:getembedcode
    Discovering the embed code for H5P activities can optionally be restricted to users with this capability.

  • Save the results from completed H5P activities
    mod/hvp:saveresults
    Allows the user to save the results of their completed H5P activities.

  • Save the user's progress for H5P activities
    mod/hvp:savecontentuserdata
    Allows the user to save their progress in H5P activities.

  • View own results for completed H5P activities
    mod/hvp:viewresults
    Allows the user to view the results of their own completed H5P activities.

  • View all results for completed H5P activities
    mod/hvp:viewallresults
    Allows the user to view the results of other users' completed H5P activities.

  • Restrict access to certain H5P content types
    mod/hvp:restrictlibraries
    Allows the user to mark libraries as 'restricted' for use in their Totara site.

  • Use restricted H5P content types
    mod/hvp:userestrictedlibraries
    Allows the user to use H5P libraries marked as 'restricted'.

  • Install new H5P content types or update existing ones
    mod/hvp:updatelibraries
    Allows the user to install or update H5P libraries from h5p.org or local storage.

  • Required for viewing H5P activities
    mod/hvp:getcachedassets
    This capability must be allowed in order for a user to view/interact with H5P activity code, regardless of whether they can see the activity in the course.

  • Install new safe H5P content types recommended by H5P.org
    mod/hvp:installrecommendedh5plibraries
    Allows the user to install/update a recommended subset of H5P libraries from h5p.org.

  • Register site with the H5P Content Hub
    mod/hvp:contenthubregistration
    Allows the user to register the Totara site with H5P.org.

Totara goals capabilities

  • View own goals
    perform/goal:viewownpersonalgoals
    Allows the user to view their own personal goals.

  • Create/edit/delete own goal
    perform/goal:manageownpersonalgoals
    Allows the user to manage their own personal goals.

  • Set current value and/or status of own goal
    perform/goal:setownpersonalgoalprogress
    Allows the user to update the progress of their personal goals.

  • View goals for another user
    perform/goal:viewpersonalgoals
    Allows the user to view the personal goals of another user.

  • Create/edit/delete a goal for another user
    perform/goal:managepersonalgoals
    Allows the user to manage the personal goals of another user.

  • Set current value and/or status of a goal for another user
    perform/goal:setpersonalgoalprogress
    Allows the user to update the progress of another user's personal goals.

IntelliData integration capabilities

These capabilities generally enable the IntelliData service to communicate with Totara and sync data for business intelligence purposes.

They should only be allowed for roles that absolutely need them, as they bypass many other system capabilities and visibility rules, and allow the collection and sharing of user data via the external API.

  • IntelliData edit configuration
    bi/intellidata:editconfig
    Allows the user to manage the IntelliData plugin configuration.

  • IntelliData view database schema
    bi/intellidata:viewdbschema
    Allows the API user to view the site database schema.

  • IntelliData view live data
    bi/intellidata:viewlivedata
    Allows the API user to sync data directly from database tables.

  • IntelliData manage files
    bi/intellidata:managefiles
    Allows the API user to work with and sync data snapshot files.

  • View ad hoc tasks
    bi/intellidata:viewadhoctasks

  • Delete ad hoc tasks
    bi/intellidata:deleteadhoctasks

  • IntelliData track data
    bi/intellidata:trackdata
    Allows the IntelliData plugin to track activity data for the user.

  • IntelliData view LTI
    bi/intellidata:viewlti
    Allows the user to view embedded IntelliData reports via LTI, if enabled.

  • IntelliData view logs
    bi/intellidata:viewlogs
    Allows the API user to share system logs with IntelliData.

  • IntelliData view configuration
    bi/intellidata:viewconfig
    Allows the API user to share system configuration information with IntelliData.

New scheduled tasks

Notifications tasks

The following scheduled tasks have been renamed:

  • Send immediate notifications was 'Queue event scheduled task'
  • Send non-immediate scheduled notifications was 'Queue scheduled event task'

SSO SAML tasks

  • SSO SAML Session clean up
    Deletes expired SAML session information.

  • Cleanup expired IdP sessions
    Removes stale identity provider state records.

  • Cleanup expired authentication assertions
    Removes expired authentication assertions from the cache.

  • Metadata refresh
    Checks and updates identity provider metadata.

OAuth 2 providers tasks

  • Expired OAuth2 tokens task
    Cleans up expired OAuth2 tokens.

Scheduled user actions tasks

  • Process scheduled user actions
    Processes scheduled user actions that have come due since the last time the task was run.

MFA factor tasks

  • Clear used TOTP tokens
    Removes generated authenticator tokens that are more than one hour old.

H5P activity tasks

  • Look for H5P updates
    Looks for updated libraries from h5p.org.

  • Remove old H5P temporary files
    Removes unneeded temporary files associated with H5P.

  • Remove old H5P log entries
    Removes expired log entries.

  • Remove old H5P mobile auth entries
    Removes expired records from the hvp_auth table.

IntelliData tasks

  • Export files task
    Prepares a new batch of data as snapshot files for sync with IntelliData.

  • Export data task
    Prepares a new batch of data as records for sync with IntelliData.

  • Cleaner task
    Deletes old batches of exported data.

  • Migration task
    Special export task to assist with initial migration of data.

New notifications

MFA notifications

  • Multi-factor authentication added to user
  • Multi-factor authentication removed from your account

Perform notifications

  • Participant due date reminder (for subject)

Certification notifications

  • Extension denied
  • Extension granted
  • Learner requesting extension (for managers)

Program notifications

  • Extension denied
  • Extension granted
  • Learner requesting extension (for managers)

Site administration

Learn settings

Enable legacy program content - enablelegacyprogramcontent
Reverts the program content tab back to the legacy view. This is necessary if you need to manage programs with competency course sets and recurring courses.

H5P settings

Save content state - mod_hvp | enable_save_content_state
Automatically save the current state of H5P content for each user. This means that the user may pick up where he left off.

Save content state frequency - mod_hvp | content_state_frequency
Controls how often the user's content state is sent back to the server.

Contribute usage statistics - mod_hvp | send_usage_statistics
Reports H5P usage information to h5p.org. Default is off.

Display action bar and frame - mod_hvp | frame
Controls the display of chrome around the H5P activity.

Allow download - mod_hvp | export
Controls whether and how users are able to download/export H5P activities from the site.

Embed button - mod_hvp | embed
Controls whether and how users are able to embed H5P activities from the site into other pages/sites.

Copyright button - mod_hvp | copyright
Whether or not to display copyright information as part of H5P activities.

About H5P button - mod_hvp | icon
Whether or not to display link to h5p.org as part of H5P activities.

Enable LRS dependent content types - mod_hvp | enable_lrs_content_types
Makes it possible to use content types that rely upon a Learning Record Store to function properly, like the Questionnaire content type.

Use H5P Hub - mod_hvp | hub_is_enabled
The H5P hub provides an interface for getting new content types and keeping existing content types up to date. Note that H5P Hub resources are not vetted by Totara for security or accessibility.

Manage authentication settings

Redirect login page to single sign-on provider - loginpageredirect
Users will automatically be redirected to the selected SSO provider when accessing the login page, unless they add ?nosso=1 to the login URL.

SAML Authentication settings

The new SAML 2.0 authentication plugin introduces a collection of settings to lock any or all of the user profile fields for users who use SAML SSO for authentication.

Theme settings

Allow unsafe markup to user menu - allowunsafemarkup
If enabled, all users authorised to add or update user menu items will be able to add unsafe markup to menu items.

API settings

Default error response - totara_api | response_debug
Determines the amount of information returned by an API response when an error occurs.

IntelliData settings

The new IntelliData business intelligence plugin introduces a large number of settings to control specific aspects of the site's integration with IntelliBoard's services.

New hooks

Please see the hook implementations for details.

  • block_current_learning\hook\exclude_courses
  • core\hook\activity_enable
  • core\hook\after_config
  • core\hook\after_require_login
  • core\hook\before_output_start
  • core\hook\business_intelligence_enable
  • core\hook\course_module_available_info
  • core\hook\modify_event_data
  • core\hook\modify_footer
  • core\hook\modify_header
  • core\hook\module_available_display_options
  • core\hook\module_get_final_display_type
  • core\hook\reset_theme_and_output
  • core\hook\set_page_layout
  • core\hook\theme_initialised_for_page_layout
  • core_auth\hook\auth_enable
  • core_completion\hook\override_activity_self_completion_form
  • report_log\hook\modify_col_fullnameuser
  • totara_cohort\hook\delete_affects
  • totara_webapi\hook\external_pluginfile_allowed_hook
  • totara_webapi\hook\pluginfile_pre_hook

New events

Please see the event implementations for details.

  • Goal category activated
  • Goal category created
  • Goal category deactivated
  • Goal status updated during performance activity review
  • Personal goal created
  • Personal goal deleted
  • Personal goal details updated
  • Personal goal status updated
  • Personal goal viewed
  • Certificate regenerated (auth_ssosaml)
  • Database global search and replace
  • MFA factor enabled/disabled
  • MFA factors revoked
  • MFA factor registered
  • MFA factor unregistered
  • Viewed performance check report
  • Viewed security check report
  • Status report viewed
  • Program cloned
  • Encryption rollover job queued
  • Encryption key added
  • mod_hvp: attempt submitted
  • Course module instance list viewed
  • Course module viewed

New plugins

H5P course activity

The H5P plugin makes it easy to create, share and reuse HTML5 content and applications as course activities.

Multi-factor authentication (MFA)

A new subsystem that implements multi-factor authentication (for admin users only, initially).

Defines a new plugin type, factors, in the server/mfa/factors directory. The first two are 'Button' (mfa_button) (for testing) and 'Authenticator app' (mfa_totp), which implements a time-based one-time-password authentication factor.

Business intelligence

A new plugin type bi has been created in the server/integrations directory, for 'Business intelligence' integrations that extract, transform, and send data from Totara to another service or reporting tool.

The first of its type is bi_intellidata, a Totara-supported integration with the third-party IntelliBoard service.

Pathway course format

The format_pathway plugin implements a streamlined, modern interface for courses and activities.

Totara goals

A new goals framework (perform_goal) was created to eventually replace the existing goal hierarchies implementation, which is now called 'legacy goals.'

Only personal goals are implemented in the Totara 18 perform_goal framework.

As part of this implementation, a new performance activity element 'Perform goal creation' was created (performelement_perform_goal_creation).

A new sub-plugin type goaltype was created, along with the Basic type (goaltype_basic) sub-plugin used by personal goals.

Totara SAML 2.0

The auth_ssosaml plugin implements SAML 2.0 authentication using a third-party identity provider.

Totara placeholder

The totara_placeholder plugin implements an internal PHP API for working with placeholders in editor fields.

Status report, and Check API

The report_status plugin implements the 'Status report', a collection of Check API checks of system status.

Additionally, the report_performance and report_security reports have been refactored to use the Check API to generate their reports.

Scheduled user action (added in Totara 17.3)

The totara_useraction plugin provides an admin interface for scheduling actions to occur on users, using filters. Currently only the delete_user action is implemented.

SMTP test tool (added in Totara 17.3)

Provides an admin interface for troubleshooting outbound notification issues by sending an email from the site.

New Tui components

Core Tui components

  • datatable/AdvancedTableSelect
  • form/InputGroup
  • form/InputGroupButton
  • form/InputGroupInput

Core course components

  • cards/CourseCard
  • category_tree/CategoryTree
  • course_adder/CourseAdder
  • course_adder/Row

Totara goal components

  • adder/PerformGoalAdder

Deprecations

Core

  • search_users() has been deprecated due to it not being used. There is no alternative or replacement for this function.
  • get_users_listing() has been deprecated due to it not being used. There is no alternative or replacement for this function.
  • As we no longer support IE 11:
    • core_useragent::is_totara_legacy_browser has been deprecated
    • theme_config::set_legacy_browser has been deprecated
    • The "cssvars" CSS variable compiler has been deprecated
    • IE 11 JavaScript polyfills in javascript_polyfill have been removed
  • The method \core_component::get_component_classes_in_namespace() is now deprecated, please use \core_component::get_namespace_classes() instead (please note that the format of the result differs).
  • \core_user\external\user_helper::create_user() third optional parameter $tenant_id has been removed
  • \core_user\external\user_helper::update_user() third optional parameter $tenant_id has been removed

Programs

The various un-namespaced program classes have been deprecated, and most have been converted to namespaced classes. This means that instances of require_once($CFG->dirroot . '/totara/program/program.class.php'); can be removed, and replaced with use \totara_program\program includes at the top of the file instead.

Please refer to server/totara/program/upgrade.txt for the full list of classes which have been deprecated because they were moved to the \totara_program\* namespaces in Totara 18.0.

Also deprecated in this area:

  • The program::display_timedue_date() method was deprecated as unused. See \totara_program\rb\display\programduedate class for replacement.
  • The program::display_exceptions_link() method was deprecated as unused.
  • program_renderer::render_current_status() has been deprecated
  • program::display_current_status() has been deprecated
  • Legacy program message and message_manager classes have been deprecated in favour of modern (centralised) notifications

Certifications

The following message classes have been deprecated, along with the rest of the eventbased program message classes:

  • \totara_certification\message\eventbased\recert_failrecert_message
  • \totara_certification\message\eventbased\recert_windowdueclose_message
  • \totara_certification\message\eventbased\recert_windowopen_message

Legacy Appraisals and Feedback360

Totara 18 makes legacy Appraisals and Feedback360 functionality read-only; see the change log entry for TL-37624.

Deprecation notices have not been added as of Totara 18, but debugging notices are generated whenever code is executed that violates the read-only nature of these features.

LTI module

  • serialise_tool_proxy() has been deprecated

Learning plans

  • The 'Plan template start date' column has been deprecated in the 'Record of Learning: Competencies', 'Record of Learning: Courses', 'Record of Learning: Objectives' and 'Learning Plans' reports

Totara core

  • get_my_reports_list_and_errors() has been deprecated, please use get_my_reports_data() instead.
  • totara_core_renderer::my_reports_page() has been deprecated
  • Template totara_core/myreports has also been deprecated

Report builder

  • The scheduled_reports_add_form class has been deprecated and is no longer in use.