Totara Release Notes

Totara TXP 18.4, 17.17, 16.23, 15.29, 14.34, 13.42, 12.61, 11.61, 10.63, 9.69, 2.9.66, 2.7.71, 2.5.90, and 2.2.85 are now available

 
Curry (Core Developer)David
Totara TXP 18.4, 17.17, 16.23, 15.29, 14.34, 13.42, 12.61, 11.61, 10.63, 9.69, 2.9.66, 2.7.71, 2.5.90, and 2.2.85 are now available
Curry (Core Developer)David 发表于 2024年03月19日 Tuesday 13:26
小组 Totara

Hello everyone,

The following versions of Totara Learn have now been released:

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards Release Team

Release 18.4 (19th March 2024):

Important:

    TL-39838       Fixed question bank text not being cleaned on output

                   In Totara 13 the consistent cleaning functionality was applied, which will clean
                   content on the site to prevent issues such as cross-site scripting. This
                   resulted in a change of behaviour in certain areas that are documented in our
                   developer
                   docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation.

                   This change fixes a problem where question text was bypassing the content
                   filtering system, even if consistent cleaning was enabled.

                   If your quiz questions or question banks have custom HTML in them, the data may
                   be lost on the next save. Please check any quiz questions if they need to be
                   modified to work with consistent cleaning.

Security issues:

    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades

Performance improvements:

    TL-39814       Reverted a previous improvement that caused performance degradation in visibility queries on large datasets

Bug fixes:

    TL-36940       Fixed Engage playlist and resource navigation to remember more than one level of history
    TL-37252       Included approval workflow assignment ID number in the fields which get updated when an organisation, position, or audience changes

                   The approval workflows framework observes change events for the organisations,
                   positions, and audiences to which assignments are related, and updates those
                   assignments to match. Previously, just the assignment name was changed. But the
                   assignment ID number is based on the organisation or position shortname, or the
                   audience ID number, so this patch ensures they are updated to match. Note that
                   it is not currently possible to manually change an assignment ID number.

                   The included upgrade step will sync assignment ID numbers so that they match the
                   current state of the related organisations, positions, and/or audiences.

    TL-38483       Fixed a scenario where users being restored from suspension are no longer members of their tenant audience

                   Previously when a suspended user’s audiences were purged, it would also remove
                   them from the tenant audience. Then if the user was then unsuspended they may
                   not have been returned to their tenant again. The only way to fix it would be to
                   remove them from the tenant and add them back again on their profile page.

                   With this change there is a new ‘unsuspend_user’ event, and when it is
                   triggered the correct tenancies are applied. Previously when unsuspending a user
                   the suspended event was also triggered, this has been changed so either the
                   suspend or unsuspend events are triggered.

                   There is a new script provided that can be run to find and fix any users who are
                   not in their tenant audience: 'server/admin/cli/fix_orphan_tenant_members.php'.

    TL-38582       Fixed notification log report error which was thrown when linked preference was deleted or didn't exist
    TL-38748       Fixed a warning showing in the scheduled tasks output when using Redis
    TL-39056       Fixed accounts created via 'Self-registration with approval' sometimes being auto-confirmed by third-party email systems

                   When an account is created with the ‘Self-registration with approval’
                   plugin, an email is sent to the account with a link the user must click to
                   confirm the account. In some cases the email system would scan links in emails
                   and preload them, in this instance confirming the account. When the user would
                   then click the link, Totara would show an error as the account had already been
                   confirmed.

                   With this fix the link sent in the email will open a page where the user must
                   press a button to confirm their account.

    TL-39160       Fixed user interest tags not obeying multitenancy visibility rules
    TL-39163       Fixed guest autologin not working on dashboards
    TL-39182       Centralised notifications can now be disabled by a user in their notification preferences

                   Centralised notifications will now correctly adhere to the 'emailstop' setting.
                   This setting can now be set on the notification preference page for a user.

                   This also prevents notifications from being sent unexpectedly when adding users
                   via HR import with ‘emailstop’ set.

    TL-39197       Fixed tenant-related notifications not appearing in notification logs for administrators

                   This was achieved by bypassing user content restrictions for site
                   administrators. As a result, site administrators can now view data relating to
                   users from all tenants in reports.[evergreen-20240319]This was achieved by
                   changing the user content restrictions to allow system users (those not
                   belonging to a tenant) to view data relating to users from all tenants in
                   reports. This brings user content restrictions for system users in line with
                   documentation and other functionality.[evergreen-20240319]

    TL-39230       Fixed the seminar fatal error on updating settings when using 'Require event over for' setting
    TL-39271       Changed seminar reservation cancelled notification to send to affected managers only

                   Before this change, if a manager’s reservations were cancelled, a notification
                   was sent to all managers who have reservations. Now it is only sent to the
                   affected manager. Third-party recipients will now receive one notification for
                   each affected manager.

    TL-39398       Fixed that Pathway format course triggers three course_viewed events

                   Removed trigger of course_viewed event from get_course_completion_for_header and
                   get_course_navigation queries for the Pathway course format since they were
                   creating additional course_viewed events but they didn’t allow users to view
                   course contents.

    TL-39426       Moved seminar virtual room URL from location to description in iCal

                   When a seminar room contains a virtual room link, the link was being included in
                   the LOCATION property of the iCal email attachments. This caused problems in
                   some calendars, where clicking the location would attempt to find a place on a
                   map using the URL as text. Now the virtual room URLs are added to the iCal
                   DESCRIPTION and can be clicked to open the virtual meeting.

    TL-39429       Fixed a problem when the 'User reports to any of these users' dynamic audience rule would show an error

                   In a scenario where the ‘User reports to any of these users’ dynamic
                   audience rule was applied and there were no users with a matching job
                   assignment, an error could have appeared in the scheduled tasks job.

    TL-39511       Fixed locale not being applied correctly in approval workflows date fields
    TL-39530       Allowed admins to change activity completion method for activities requiring a passing grade
    TL-39548       Improved keyboard navigation to block sidebars
    TL-39574       Fixed wrong progress sorting order for the Totara Goals status report
    TL-39576       Fixed HTMLPurifier stripping ARIA attributes from content during cleaning
    TL-39612       Fixed current filters being forgotten when multiple report table blocks are added to the same page
    TL-39614       Moved results information to a heading above the report results tables

                   Previously the number of found rows in different kinds of reports were
                   inconsistently displayed. With this change the number of records loaded now
                   shows in a heading above the report table. 

                   All existing pages embedding reports have been updated. Any custom code
                   embedding reports need to be manually updated to reflect this.

    TL-39670       Fixed an error when adding an external LTI tool with PHP 8.0 or higher

                   Previously, adding an external LTI tool with Totara running on PHP 8.0 or higher
                   could result in an error under certain conditions, related to the
                   lti_is_cartridge() check. This patch fixes the problem.

    TL-39699       Fixed placeholder failure in Course Due Date course notification during audience assignment
    TL-39786       Fixed user profile blocks relying on expected autoincrement IDs
    TL-39808       Added lang string replacement to the application form preview in approval workflows

                   Previously approval forms would show the lang string keys when previewing. This
                   has now been updated to replace the lang string keys with their corresponding
                   values.

    TL-39843       Fixed links to tel and sms protocols being removed by HTMLPurifier during cleaning
    TL-39852       Fixed sections in topic format not having the correct role for screen readers
    TL-39859       Fixed dates not translating correctly on Windows servers
    TL-39904       Fixed Workspace Owner and Workspace creator roles having no context level set
    TL-39914       Addressed an issue where view-only participants couldn't preview Totara goals within a performance activity

Tui front end framework:

    TL-37951       Updated WorkspaceDiscussionTab.vue to ignore errors in fetchMore queries if the component has been unmounted

                   This is a workaround for an error that occurs when a fetchMore apollo query
                   returns after the component has been unmounted. This only happens with the
                   fetchMore method so is likely an issue with vue apollo.

    TL-39926       Fixed Tui checkboxes having double labels when used in Uniform


Release 17.17 (19th March 2024):

Important:

    TL-39838       Fixed question bank text not being cleaned on output

                   In Totara 13 the consistent cleaning functionality was applied, which will clean
                   content on the site to prevent issues such as cross-site scripting. This
                   resulted in a change of behaviour in certain areas that are documented [in our
                   developer docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation.

                   This change fixes a problem where question text was bypassing the content
                   filtering system, even if consistent cleaning was enabled.

                   If your quiz questions or question banks have custom HTML in them, the data may
                   be lost on the next save. Please check any quiz questions if they need to be
                   modified to work with consistent cleaning.


Security issues:

    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades

Performance improvements:

    TL-39814       Reverted a previous improvement that caused performance degradation in visibility queries on large datasets

Improvements:

    TL-37335       Remove toast from atto editor auto save on draft.

Bug fixes:

    TL-36940       Fixed Engage playlist and resource navigation to remember more than one level of history
    TL-37252       Included approval workflow assignment ID number in the fields which get updated when an organisation, position, or audience changes

                   The approval workflows framework observes change events for the organisations,
                   positions, and audiences to which assignments are related, and updates those
                   assignments to match. Previously, just the assignment name was changed. But the
                   assignment ID number is based on the organisation or position shortname, or the
                   audience ID number, so this patch ensures they are updated to match. Note that
                   it is not currently possible to manually change an assignment ID number.

                   The included upgrade step will sync assignment ID numbers so that they match the
                   current state of the related organisations, positions, and/or audiences.

    TL-38483       Fixed a scenario where users being restored from suspension are no longer members of their tenant audience

                   Previously when a suspended user’s audiences were purged, it would also remove
                   them from the tenant audience. Then if the user was then unsuspended they may
                   not have been returned to their tenant again. The only way to fix it would be to
                   remove them from the tenant and add them back again on their profile page.

                   With this change there is a new ‘unsuspend_user’ event, and when it is
                   triggered the correct tenancies are applied. Previously when unsuspending a user
                   the suspended event was also triggered, this has been changed so either the
                   suspend or unsuspend events are triggered.

                   There is a new script provided that can be run to find and fix any users who are
                   not in their tenant audience: 'server/admin/cli/fix_orphan_tenant_members.php'.

    TL-38582       Fixed notification log report error which was thrown when linked preference was deleted or didn't exist
    TL-38748       Fixed a warning showing in the scheduled tasks output when using Redis
    TL-39056       Fixed accounts created via 'Self-registration with approval' sometimes being auto-confirmed by third-party email systems

                   When an account is created with the ‘Self-registration with approval’
                   plugin, an email is sent to the account with a link the user must click to
                   confirm the account. In some cases the email system would scan links in emails
                   and preload them, in this instance confirming the account. When the user would
                   then click the link, Totara would show an error as the account had already been
                   confirmed.

                   With this fix the link sent in the email will open a page where the user must
                   press a button to confirm their account.

    TL-39160       Fixed user interest tags not obeying multitenancy visibility rules
    TL-39163       Fixed guest autologin not working on dashboards
    TL-39182       Centralised notifications can now be disabled by a user in their notification preferences

                   Centralised notifications will now correctly adhere to the 'emailstop' setting.
                   This setting can now be set on the notification preference page for a user.

                   This also prevents notifications from being sent unexpectedly when adding users
                   via HR import with ‘emailstop’ set.

    TL-39197       Fixed tenant-related notifications not appearing in notification logs for administrators

                   This was achieved by bypassing user content restrictions for site
                   administrators. As a result, site administrators can now view data relating to
                   users from all tenants in reports.[evergreen-20240319]This was achieved by
                   changing the user content restrictions to allow system users (those not
                   belonging to a tenant) to view data relating to users from all tenants in
                   reports. This brings user content restrictions for system users in line with
                   documentation and other functionality.[evergreen-20240319]

    TL-39271       Changed seminar reservation cancelled notification to send to affected managers only

                   Before this change, if a manager’s reservations were cancelled, a notification
                   was sent to all managers who have reservations. Now it is only sent to the
                   affected manager. Third-party recipients will now receive one notification for
                   each affected manager.

    TL-39426       Moved seminar virtual room URL from location to description in iCal

                   When a seminar room contains a virtual room link, the link was being included in
                   the LOCATION property of the iCal email attachments. This caused problems in
                   some calendars, where clicking the location would attempt to find a place on a
                   map using the URL as text. Now the virtual room URLs are added to the iCal
                   DESCRIPTION and can be clicked to open the virtual meeting.

    TL-39429       Fixed a problem when the 'User reports to any of these users' dynamic audience rule would show an error

                   In a scenario where the ‘User reports to any of these users’ dynamic
                   audience rule was applied and there were no users with a matching job
                   assignment, an error could have appeared in the scheduled tasks job.

    TL-39548       Improved keyboard navigation to block sidebars
    TL-39576       Fixed HTMLPurifier stripping ARIA attributes from content during cleaning
    TL-39595       Fixed accessibility issue with single activity course headings
    TL-39612       Fixed current filters being forgotten when multiple report table blocks are added to the same page
    TL-39614       Moved results information to a heading above the report results tables

                   Previously the number of found rows in different kinds of reports were
                   inconsistently displayed. With this change the number of records loaded now
                   shows in a heading above the report table. 

                   All existing pages embedding reports have been updated. Any custom code
                   embedding reports need to be manually updated to reflect this.

    TL-39670       Fixed an error when adding an external LTI tool with PHP 8.0 or higher

                   Previously, adding an external LTI tool with Totara running on PHP 8.0 or higher
                   could result in an error under certain conditions, related to the
                   lti_is_cartridge() check. This patch fixes the problem.

    TL-39699       Fixed placeholder failure in Course Due Date course notification during audience assignment
    TL-39786       Fixed user profile blocks relying on expected autoincrement IDs
    TL-39843       Fixed links to tel and sms protocols being removed by HTMLPurifier during cleaning
    TL-39852       Fixed sections in topic format not having the correct role for screen readers
    TL-39859       Fixed dates not translating correctly on Windows servers
    TL-39904       Fixed Workspace Owner and Workspace creator roles having no context level set

Tui front end framework:

    TL-37951       Updated WorkspaceDiscussionTab.vue to ignore errors in fetchMore queries if the component has been unmounted

                   This is a workaround for an error that occurs when a fetchMore apollo query
                   returns after the component has been unmounted. This only happens with the
                   fetchMore method so is likely an issue with vue apollo.

    TL-39926       Fixed Tui checkboxes having double labels when used in Uniform


Release 16.23 (19th March 2024):

Security issues:

    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades

Bug fixes:

    TL-38483       Fixed a scenario where users being restored from suspension are no longer members of their tenant audience

                   Previously when a suspended user’s audiences were purged, it would also remove
                   them from the tenant audience. Then if the user was then unsuspended they may
                   not have been returned to their tenant again. The only way to fix it would be to
                   remove them from the tenant and add them back again on their profile page.

                   With this change there is a new ‘unsuspend_user’ event, and when it is
                   triggered the correct tenancies are applied. Previously when unsuspending a user
                   the suspended event was also triggered, this has been changed so either the
                   suspend or unsuspend events are triggered.

                   There is a new script provided that can be run to find and fix any users who are
                   not in their tenant audience: 'server/admin/cli/fix_orphan_tenant_members.php'.

    TL-38748       Fixed a warning showing in the scheduled tasks output when using Redis
    TL-39429       Fixed a problem when the 'User reports to any of these users' dynamic audience rule would show an error

                   In a scenario where the ‘User reports to any of these users’ dynamic
                   audience rule was applied and there were no users with a matching job
                   assignment, an error could have appeared in the scheduled tasks job.

    TL-39612       Fixed current filters being forgotten when multiple report table blocks are added to the same page
    TL-39786       Fixed user profile blocks relying on expected autoincrement IDs


Release 15.29 (19th March 2024):

Important:

    TL-39838       Fixed question bank text not being cleaned on output

                   In Totara 13 the consistent cleaning functionality was applied, which will clean
                   content on the site to prevent issues such as cross-site scripting. This
                   resulted in a change of behaviour in certain areas that are documented [in our
                   developer docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation.

                   This change fixes a problem where question text was bypassing the content
                   filtering system, even if consistent cleaning was enabled.

                   If your quiz questions or question banks have custom HTML in them, the data may
                   be lost on the next save. Please check any quiz questions if they need to be
                   modified to work with consistent cleaning.


Security issues:

    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades

Bug fixes:

    TL-39429       Fixed a problem when the 'User reports to any of these users' dynamic audience rule would show an error

                   In a scenario where the ‘User reports to any of these users’ dynamic
                   audience rule was applied and there were no users with a matching job
                   assignment, an error could have appeared in the scheduled tasks job.

    TL-39612       Fixed current filters being forgotten when multiple report table blocks are added to the same page


Release 14.34 (19th March 2024):

Important:

    TL-39838       Fixed question bank text not being cleaned on output

                   In Totara 13 the consistent cleaning functionality was applied, which will clean
                   content on the site to prevent issues such as cross-site scripting. This
                   resulted in a change of behaviour in certain areas that are documented in our
                   developer docs.

                   This change fixes a problem where question text was bypassing the content
                   filtering system, even if consistent cleaning was enabled.

                   If your quiz questions or question banks have custom HTML in them, the data may
                   be lost on the next save. Please check any quiz questions if they need to be
                   modified to work with consistent cleaning.


Security issues:

    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades

Bug fixes:

    TL-39429       Fixed a problem when the 'User reports to any of these users' dynamic audience rule would show an error

                   In a scenario where the ‘User reports to any of these users’ dynamic
                   audience rule was applied and there were no users with a matching job
                   assignment, an error could have appeared in the scheduled tasks job.

    TL-39612       Fixed current filters being forgotten when multiple report table blocks are added to the same page



Release 13.42 (19th March 2024):

Important:

    TL-39838       Fixed question bank text not being cleaned on output

                   In Totara 13 the consistent cleaning functionality was applied, which will clean
                   content on the site to prevent issues such as cross-site scripting. This
                   resulted in a change of behaviour in certain areas that are documented [in our
                   developer docs: https://totara.atlassian.net/wiki/spaces/DEV/pages/121185890/Totara+13+changes+to+content+sanitisation].

                   This change fixes a problem where question text was bypassing the content
                   filtering system, even if consistent cleaning was enabled.

                   If your quiz questions or question banks have custom HTML in them, the data may
                   be lost on the next save. Please check any quiz questions if they need to be
                   modified to work with consistent cleaning.


Security issues:

    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades

Bug fixes:

    TL-39612       Fixed current filters being forgotten when multiple report table blocks are added to the same page


Release 12.61 (19th March 2024):

Security issues:

    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades


Release 11.61 (19th March 2024):

Security issues:

    TL-36056       Added additional check to local URLs params
    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades


Release 10.63 (19th March 2024):

Security issues:

    TL-36056       Added additional check to local URLs params
    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades

Release 9.69 (19th March 2024):

Security issues:

    TL-36056       Added additional check to local URLs params
    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades


Release 2.9.66 (19th March 2024):

Security issues:

    TL-36056       Added additional check to local URLs params
    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades


Release 2.7.71 (19th March 2024):

Security issues:

    TL-36056       Added additional check to local URLs params
    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades


Release 2.5.90 (19th March 2024):

Security issues:

    TL-36056       Added additional check to local URLs params
    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades


Release 2.2.85 (19th March 2024):

Security issues:

    TL-36056       Added additional check to local URLs params
    TL-39347       Fixed authenticated remote code execution vulnerability in block backup and restore
    TL-39921       Fixed CSRF vulnerability in XML import for course grades