Portfolio blog

Blog

Product news and other information from the developers of Portfolio.

Migration to Ubuntu 22.04, Perl 5.38 and PostgreSQL 14

Today's update (645472d) brings with it the following changes:

Security issues

  • Operating system has been updated to Ubuntu 22.04.

Performance improvements

  • Perl has been upgraded to version 5.38.
  • PostgreSQL has been upgraded to version 14.

Enhancements

  • Ensure e-Portal product only assigned to teachers are not accessible for students.
  • Changed HTTP status code emitted from front page handler to 200 when site is not configured.
  • Support IPv6 clients.

Bugfixes

  • Update atime when blob is accessed in cache directory. This improves cache cleanup behavior.

Feature removals / deprecations

  • Client-side performance monitoring using Report-To HTTP header has been disabled. This is to reduce costs for storage of this information, as it is no longer needed.

Fix e-mail and user name conflicts during e-portal login

Today's update (a557bed) brings with it the following changes:

Enhancements

  • If an email or user name was in conflict with an existing user in Portfolio during e-portal login, it would generate a generic error message and synchronization would be aborted. Now the error message will contain either the user name or email in conflict, making it easier to figure out which user must be modified to fix the conflict.
  • If a user name from e-portal is in conflict with an existing user name in Portfolio, an error during synchronization would occur. With this change a new user name will be generated during login based on the conflicting user's full name.

Fixed e-portal login edge case and other bugs

Today's update (ba9f819) brings with it the following changes:

Security issues

  • Set a limit on how large HTTP uploads are allowed to be, to avoid a potential denial-of-service situation.

Bugfixes

  • When logging in directly by clicking on a product in e-portal that uses the OIDC-based login method, a session cookie was not generated before redirecting to e-portal login system. This caused a Portfolio login prompt to be shown when returning from e-portal and trying to synchronize permissions. This issue should now be fixed.
  • Fixed issue where HTTP uploads larger than 1MB might not work properly.

Feature removals / deprecations

  • Removed unused Portfolio::Course->student_progress() method.

Bugfix for broken reset password feature

Today's update (58269faf3) brings with it the following changes:

Bugfixes

  • The last update caused a regression in the "reset password" feature. If one reset token was requested, another could not be requested before a successful account reset was performed. If this took more than 24 hours to perform, the password reset feature would be completely blocked.

Auditing of security events and lots of infrastructure changes

Today's update (b36b08a) brings with it the following changes:

Security issues

  • Added audit messages for the following security events:
    • Login success/failure
    • E-portal authentication callback
    • User impersonation
    • User created/modified/deleted
    • User accessed (profile page viewed)
    • Credential modified
    • Credential recovery
    • Group membership modified
    • Institution membership modified
    • Role modified
  • A programming error in the reset_pw request handler made it possible to modify the password of any user without knowning the correct reset token. This issue has been improved further since the hotfix.
  • Changed behavior to not remove existing reset tokens when creating a new one. This avoids a potential denial-of-service attack vector in the reset password feature.
  • When logging in as a new user while already logged in, a login failure will now log out the existing session.
  • Upgraded to Perl 5.34.1 to fix security issues in Archive::Tar and Compress::Raw::Zlib.
  • Updated to cpanm 1.7045 to address the issue with CHECKSUMS file validation during CPAN package installation.

Performance improvements

  • Started using the new e-portal health check endpoint to determine if API is available.

New features

  • Changed Nginx web server from FastCGI to HTTP protocol for reverse-proxying to web application server. The web application server now uses standard PSGI/Plack runtime. Static file serving is now also supported directly in the web application server.
  • Added test infrastructure to run NATS server and fully validate audit events.

Enhancements

  • Changed CPAN dependency manager from Pinto to Carton.
  • Now uses upstream versions of perlbrew and cpanm directly, allowing for easier upgrades.
  • Simplified the code to support the explain template function.

Bugfixes

Feature removals / deprecations

  • Removed support for FastCGI protocol for reverse-proxying. We use plain HTTP now, via PSGI.
  • Removed Pinto and all CPAN packages directly from upstream.
  • Stopped using Module::Build for running test suite.

Fixed high severity security issue

Today's hotfix (12964b5) brings with it the following change:

Security improvements

  • Fixed a high severity issue in the reset_pw request handler.

Content parser, bugfixes and lots of feature removals

Today's update (472a4b4) brings with it the following changes:

Performance improvements

  • Stop robots/spiders from trying to index login/logout links.

New features

  • Added plaintext dependency and cross-reference parser, enabling extensive analysis of authored content and making it easier to understand how content is dependent on each other. Also indexes content for template and JavaScript function usage, so it is easier to figure out if deprecated features are in use or not.
  • The referenced identifiers, template functions and JavaScript functions are now possible to view in the object editor. This should simplify finding content in complex documents. It should also make it very easy to find broken internal links.
  • Added identifier references tab to object and container editor.

Enhancements

  • The user course progress report now shows number of read objects instead of course element index reached. The percent is also calculated based on read objects, making it more in line with actual course progress. The index reached is now shown on the object tooltip.
  • Extensive layout/behavior cleanup in object/container editor.
    • Moved container additional fields from main tab over to advanced tab.
    • Added a container metadata tab and moved LOM field over to it.
    • Added LOM generator button to container editor

Bugfixes

  • Fixed an issue where student/supervisor relationships are not properly removed when a member is removed from an institution.
  • Fixed issue where non-ASCII characters in user name would cause the student or supervisor to not show up in relationship lists.
  • Fixed issue with object comment content overflowing when TTS HTML content is copied into the comment editor.
  • Now reports proper error message when configuration variable is deleted, but name of variable is not specified.

Feature removals / deprecations

  • Removed all workarounds and special features targeting the legacy Internet Explorer (MSIE) browser.
  • Removed all features that requires web browser plugins. They are no longer supported by modern browsers.
  • The following features have been removed:
    • Java applets and Java client-side apps
    • Flash video and Flash client-side apps and applications
    • Windows Media Player video/audio playback
    • Realplayer video playback
    • QuickTime video playback
    • ListenUp Java-based voice recorder
    • Web-based spreadsheet editing (using Java applet)
    • Spreadsheet object type (now uses binary)
    • Stylesheet workarounds for MSIE
    • Removed jQuery 1.11.2, which was needed by MSIE
    • Removed Content-Disposition HTTP header workarounds for MSIE
  • SVG images are now always rendered as inline HTML5.
  • Self-registration feature has been removed. If you need to register for access to a site, use the self-registration feature in e-portal instead.
  • Removed the CEFR / placement-test feature completely because it has some GDPR compliance issues.
  • Also removed the csv request handler which was only used for sending CEFR email reports.
  • The PIN-code self-registration feature has been completely removed. Registration using PIN-code or other automated registration is now handled by e-portal.
  • The feature to store quiz observations has been removed, as it is no longer in use.
  • The interactive chat feature that was developed for CampusOnline has been removed, as it was not used by anyone.
  • The Skype appointment/calendar feature implemented for CampusOnline has been removed as it is no longer used.
  • Removed unused Heap Analytics tracking implementation and AddThis social media integration.
  • Removed the deprecated description_alias kludge for Internet Explorer. Now the DOM element is just named description, as it always should've been named.
  • Removed various unused DOM identifiers and styling in object/container editor.

Enabled e-portal OIDC-based login method

Today's update (568f91c) brings with it the following changes:

Bugfixes

  • Fixed issue related to e-portal external identifier during e-portal OIDC login.

New e-portal OIDC-based login and various bugfixes

Today's update (29bf398) brings with it the following changes:

Security issues

  • Secure application better against XML-based attack vectors.
  • Explicitly use Samesite=Lax cookie policy on insecure cookies.

New features

  • Added login and authorization feature against e-portal, based on OpenID Connect workflow. Disabled until e-portal is fully configured.
  • Added Log in using e-portal-button to standard right hand side menu. Disabled until e-portal is fully configured.
  • Added eportal template function, giving access to issuer, API and logout URLs, making it possible to use these variables in templates.
  • User details, institution memberships, groups, roles, course access and student/supervisor relationships are automatically provisioned when logging in using e-portal.
  • User identity token (claims collection) from e-portal is verified by signature using JWT semantics. Reduces attack surface. Verification only allows RSA, ECC and Ed algorithms. Decoded identity claims are available in a session variable for use by templates.
  • During login using e-portal, the user is redirected to a common Portfolio site before being redirected back to the original site. This is normal and part of the e-portal login process.
  • Users without any email registered in e-portal will get an auto-generated email address associated with their Portfolio account.
  • If no username has been defined in e-portal, existing users will keep their existing Portfolio username when they login using e-portal.
  • If an institution with no owner is imported using e-portal, the owner is set to the orphan user.
  • Information from e-portal is cached for a short while to decrease load on e-portal API during login.
  • When logging out a session authenticated using e-portal, e-portal session is also logged out.

Enhancements

  • Set HTTP user-agent so that when Portfolio is operating as an HTTP client, it can be more easily identified in remote systems.
  • Use contact manager UI for adding user in event log report.

Bugfixes

  • Logout and redirect to front page when deleting your own account, to avoid a weird login issue.
  • Changed the logout request handler to be available to anonymous, so that when you explicitly try to logout when your session is already expired, it doesn't show a login prompt followed by an immediate logout.
  • Fixed issue with negative time intervals in time usage reports causing skewed reports.
  • Fixed grammar inconsistency with regards to the phrase "login/logout" being used as a verb, when it should be phrased as "log in/log out".
  • Ensure consistent phrasing of the word e-portal.

Another hotpatch to fix recipient issue when forwarding message

Today's hotpatch update (91deaac) brings with it the following changes:

Bugfixes

  • Fixed issue with removing existing recipient when forwarding message.

Documentation

  • Added or cleaned up reference documentation for the following modules: Portfolio::Context::Request, Portfolio::PlacementTest::CSVParser, Portfolio::Variable, placement_test(t)

Hotpatch: Fix invisible recipient in message system

A hotpatch (dcf5929) was deployed today. It contains the following changes:

Bugfixes

  • Fixed issue with recipient not visible when replying or forwarding messages.

Contact manager is now used in more places and more documentation available

Today's update (b81e7aa) brings with it the following changes:

Performance improvements

  • Students and supervisor relationship table now uses pagination, which increases performance.
  • Contact manager has changed backend API from XML to JSON.

Enhancements

  • Improved the user experience in new message feature. It is now possible to add recipient using contact manager, and recipient auto-complete is better looking and more accessible.
  • Permission editor (for objects and containers) is now using contact manager.
  • Added contact manager for username lookup in file manager.
  • Reduced technical debt significantly. This means a lot of code has changed, which increases the change of regressions.

Bugfixes

  • The message body text area is now focused when the user is replying to a message.

Documentation improvements

  • Added more reference documentation for model classes.
  • All relevant reference documentation is now available.

Improved documentation and code quality

Today's update (2832387) brings with it the following changes:

Enhancements

  • A lot of the database queries have been refactored, which should make them more robust. There is also a slightly higher risk of regressions.
  • Added more test cases for better code coverage.
  • Started using better tools to improve code quality and avoid bad practices.

Documentation improvements

  • Added reference documentation for Site, Tag and Messages model classes.

Improved email validation and other bugfixes

Today's update (a6933a0) brings with it the following changes:

Enhancements

  • Improved pin registration request handler to show email validation error.

Bugfixes

  • Fixed error when nickname is longer than 100 characters.
  • Show error message when email is already taken.

Improved message reading experience and other accessibility improvements

Today's update (5b56347) brings with it the following changes:

Enhancements

  • Back button was added in the message reading pane, so that user can go back to their corresponding location.
  • Improved accessibility in object/container button bar.
  • A lot of the database queries have been refactored, which should make them more robust. There is also a slightly higher risk of regressions.

Bugfixes

  • Active tab selection in message reading pane has better usability.
  • New message link in message reading pane can now be clicked.
  • Removed unwanted "Unread" button from outbox message reading.

Improved object editor workflow and fixed user membership issues

Today's update (6b463a0) brings with it the following changes:

Security issues

  • Now avoids non-read permissions assigned to anonymous user.

Performance improvements

  • Increased hardware resources to handle additional load because of home-schooling situation.

New features

  • Enabled teachers to save edits without notifying student until the document is ready.
  • Added assessment plugin to object editor, which enables teachers to highlight different parts of the text with color and information.

Enhancements

  • Improved voice recorder app to use current browser APIs for microphone access.
  • The add new site behavior has been improved to avoid accidential overwriting of site information.
  • The notify supervisor feature in the object editor has a simpler user experience.
  • Improved process-oriented document writing workflow by allowing the description field to be used as a comment for author.
  • Improved readability of object editor contents by increasing line height.
  • Fixed accessibility issues in synthetic speech user interface.
  • Some buttons in the user profile page now have improved accessibility.

Bugfixes

  • Large resolution video can now be played without overlapping the viewport. This isssue should now be fixed.
  • Fixed issue with no memberships being shown in user profile if e-Portal user isn't a member of any institution groups.
  • Fixed issue where administrator role from e-Portal is turned into an institution and course administrator role. Now it properly assigns the supervisor role in the same situation.
  • Fixed an issue in the message reading pane where the delete or mark as unread button would redirect to new message instead of back to list.

Improve messaging and Google Chrome cookie behavior fixes

Today's update (40f90ea39) brings with it the following changes:

Security issues

  • Google Chrome v80 made changes to SameSite cookie behavior. The SameSite attribute on cookies is used to control cross-domain behavior. All cookies are now set to Samesite=Lax, but session cookies are explicitly set to Samesite=None.
  • Talkbook sound files are now served with CORS headers. This solves a playback issue with translation audio files used in D-bok.
  • HTTPS certificates are now issued using LetsEncrypt ACMEv2.

Performance improvements

  • Updated to the latest Perl toolchain. This might give minor performance improvements.

New features

  • Added conversation view for messages. Now users can see all of the conversations they have had with another person on a single page.
  • Added inline attachment option to new message screen, now user can upload new file or choose any existing object as attachment to a message. Where you want to store the uploaded attachment can be chosen.

Enhancements

  • Message reply status is now available in the messaging system.
  • Messaging inbox/outbox search query is sticky now, it remembers what you have searched when you re-enter the page.
  • Accessibility of the sound player has been improved.
  • Accessibility of the manage_language template function has been improved.

Bugfixes

  • Fixed user-interface inconsistency with tab navigation in messaging feature.
  • Fixed inability to navigate cells in quiz type matchbox with keyboard.

Documentation improvements

  • Added reference documentation for:
    • Template behavior
    • BlobMachine behavior
    • User collection and permission manager behavior
    • User, object and quiz container models
    • CSV parsing, captcha validation, business metric logging, pagination, macro and talkbook libraries

Migration from Rackspace to Azure data center

The entire system has been moved from the Rackspace London data center to the Azure North European data center.

Contact support if any unexpected issues that might be related to this migration happen.

More user behavior reports and improved report performance

Today's update (6f5f52e) brings with it the following changes:

Performance improvements

  • The performance of the user memberships report was improved a lot.
  • The performance of the course results report was improved.

New features

  • A report for how much a user has progressed in courses was added to the user profile.
  • A report with the lowest course object scores was added to the user profile. It makes it easy to see which course objects the student needs to work on. It is a subset of what is available in the course result report.
  • A report for user submissions was added to the user profile. This makes it easy to find essays that the student is working on. It is a subset of what is available in the course result report.

Enhancements

  • The user activity report now supports reporting activity information for a range of dates, not just a single day or week. Additional information was added to the table legend to clarify some date range issues.
  • The course results report now supports a range parameter, making it possible to only see activity for a certain date range.
  • The report of access keys assigned to a user and the report to show all institution, group and course memberships were extracted out of the user profile and moved to their own request handlers. The user profile still load these reports into the page.
  • Added user name to page title for the following reports:
    • course_result
    • user_access_keys
    • user_course_progress
    • user_memberships
    • user_object_scores

Bugfixes

  • When a supervisor views the course result of a student the student identifier wasn't logged. This is now fixed.
  • Downgraded FFMPEG from version 4.x to version 3.x because of unmaintained third-party code. This might impact the ability to create thumbnails for some video formats.
  • Improved developer documentation for the course_result request handler.

Improved documentation and page navigation

Today's update (2f25d62) brings with it the following changes:

Security improvements

  • Secure websockets are now allowed by our CSP policy on secure sites.

Performance improvements

  • Improved navigation between pages by avoiding deprecated browser features.

Documentation improvements

  • Added reference documentation for:
    • Email-sending behavior
    • Object rendering behavior
    • Factory behavior
    • Flash message behavior
    • File manager parameter validation
    • FastCGI web worker behavior
    • File type detection behavior
  • Added reference documentation for the following HTTP request handlers:
    • aicc
    • dev
    • edit_autoreg
    • eportal_push
    • execute
    • external_search_config
    • help
    • list_permission
    • login
    • logout
    • mark_message
    • measure
    • move_element
    • nav_course
    • new_message
    • online
    • page_view_log
    • ping
    • placement_test
    • preview_content
    • quiz_editor
    • read
    • read_exam
    • read_site
    • register_account
    • resolve_path
    • session
    • sso
    • talkbook
    • update_autoreg
    • update_class
    • update_config
    • update_order_course_element
    • update_site
    • update_site_containers
    • upload
    • user_activity
    • watermark
    • welcome
    • write
    • write_account
    • write_account
    • write_autoreg
    • write_course_element
    • write_glossary
    • write_institution

Fixed issue with client-side cookies on some sites

Today's hotpatch (66ebc45) brings with it the following changes:

Bugfixes

  • A regression in the CGI.cookie() template plugin method was causing existing cookies to not be retrieved, even though they existed in the HTTP request. The old behavior has been restored and the issue should be fixed.

New macro feature, hardened security settings and lots of reference documentation

Today's update (fc0b9c4) brings with it the following changes:

Security improvements

  • An extensive review of HTTP security headers has been performed and several improvements to the security of the system has been implemented. This can, in some situations, cause behavior that previously worked to not work anymore, especially those involving cross-site requests involving authentication and iframes.
  • How the session identifier is stored has been hardened to protect against malicious behavior. It is no longer possible to read it using JavaScript code.
  • Cross-origin HTTP request validation now supports specific URIs, not just the * value.
  • HTTP headers to enable reporting of client errors were added.
  • Code was hardened by avoiding code conventions that can lead to security issues.

Performance improvements

  • Improved performance in file manager and object/container selector by consolidating database queries.
  • A small optimization to how we populate system groups was implemented. This should give a minor speed increase to anonymous requests.

New features

  • It is now possible to create macros that can be used everywhere template markup can be used. Macros are named units of behavior that support required and optional parameters. The parameters are validated when the macro is called, to avoid the need for the implementing template to perform this validation. See the macro template function documentation for more details.
  • A script for exporting contents of an XML dump/export into files was added. It is useful when e.g. binary content needs to be exported into another CMS.
  • DuckDuckGo was added as a search engine provider.

Enhancements

  • It's now possible to return JSON responses from the read request handler.
  • System groups and users where previously always shown with an English name. Now the name can be localized to the user interface language.
  • The label template function now supports model instance as first parameter.
  • Simplified the user event log user interface a bit.
  • Now all search providers use HTTPS URLs. The addresses of several search providers have been updated to match current APIs.
  • Added logging of e-portal session validation URL when failing to improve ability to troubleshoot issues.

Documentation improvements

  • Improved rendering and layout of reference documentation.
  • Unrestricted methods in classes are now shown in reference documentation.
  • Added reference documentation for:
    • Client-side app behavior
    • Appointments and calendar availability
    • Configuration variables and sets
    • Model class attributes
    • Eportal behavior
    • Asynchronous jobs, job notifications and job queue manager behavior
    • Main configuration and search provider configuration
    • Container model class
  • Added reference documentation for the following HTTP request handlers:
    • history
    • impersonate
    • leseweb
    • list
    • list_class_permission
    • list_log
    • read_container
    • read_glossary
    • read_institution
    • read_message
    • rebuild_course
    • remove_institution_course
    • remove_student
    • reorder_course_element
    • score
    • selector
    • selfreg
    • send_message
    • set_assignment_score
    • set_course_supervisor
    • set_ownership
    • start_exam
    • stop_exam
    • tag_message
    • tts
    • unlink_access_key
    • unpack
    • update
    • update_config_set
    • update_container
    • update_course
    • update_course_element_order_list
    • update_institution
    • update_institution_course
    • write_class
    • write_class_membership
    • write_config
    • write_config_set
    • write_container
    • write_course

Feature removals / deprecations

  • The filters for containers and groups have been removed in the event log user interface. They were not used anywhere.
  • The object type script is now deprecated. It's not been in use for a long time.
  • The request handler delete_account_membership is now deprecated. Use the collection manager remove_from_group action instead.
  • Some search providers that are no longer valid have been removed (most notably ordboka.net). The category religious scriptures was removed because there are no more entries.

Voice message menu item, additional documentation and various bug fixes

Today's update (f1916f2) brings with it the following changes:

Performance improvements

  • Container listings should be slightly faster to load because the amount of generated HTML code is smaller.
  • The identifier (UUID) generator and validation methods were refactored, fixing some bugs and slightly improving performance.

New features

  • The top menu has been extended with an option to send a new voice message directly to your supervisor.

Enhancements

  • The new_message and add_recording request handlers now properly supports customized page redirection.
  • Documentation for the following request handlers were added:
    • list_account
    • list_account_membership
    • list_account_registrations
    • list_autoreg
    • list_autoreg_detail
    • list_class
    • list_class_membership
    • list_config_set
    • list_course
    • list_course_users
    • list_icons
    • list_institution
    • list_institution_blog_items
    • list_institution_courses
    • list_institution_users
    • list_message
    • list_observation
    • list_quota
    • list_site
    • list_site_config
    • list_student
    • list_student_supervisor
    • list_stylesheets
    • list_supervisor
    • list_templates
    • manage_config_set
    • manage_course
    • manage_institution
    • manage_language
    • manage_site_containers
    • read_account
    • read_config
    • search
    • search_course
    • search_group
    • search_inside_container
    • search_inside_course
    • search_institution
    • search_site
    • search_user
    • update_account
    • update_account
    • user
  • Documentation for Portfolio::UUID was added.

Bugfixes

  • Comments are now always edited with the WYSIWYG editor (TinyMCE), which should ensure whitespace is maintained on display.
  • Empty popups are no longer shown when you click on them.
  • Added back support for talkbook lookups in popups using the legacy format lookup => "X_lyd" to indicate a letter phoneme.

Email notifications, better spam protection and improved documentation

Today's update (39c09ac) brings with it the follow changes:

Security issues

  • Improved our HTML form spam protection mechanism. You'll now need to check a box to confirm you're a human when you want to recover your password or register an account.

New features

  • You'll now be notified by email if you have unread messages in your inbox. You can choose to get these notifications immediately when a new message arrives, or once per day or week. You can also turn them off if you don't want them. The default is to get weekly notifications. You'll need to go to your user profile page to change this setting. Only the user itself can change this setting.

Enhancements

  • It is now possible to preload videos by using the preload attribute in the embed template function. It is actually enough to just preload metadata to ensure the video object is cached properly by the backend. This is most likely only needed for somewhat large videos.
  • Syndication feeds (RSS) are now handled by an external component instead of using XSLT. This should ensure we encode content much more standards-compliant. We also now support all RSS variants and Atom. The default feed format has changed from RSS 2.0 to Atom. If you have used feeds from Portfolio somewhere else you'll need to update the link to the new format.
  • Additional reference documentation for template handlers have been added from our internal wiki. Especially the quiz and embed template functions have gotten much better documentation, including examples. Clarification on recommended and deprecated ways of calling them are now documented.
  • All of the XML returned by the HTTP API is now generated in a more consistent way. This should not impact anyone.
  • We're now using an automated method for gathering code coverage, which will help the developers to improve the quality of the service over time.
  • The access key feature has been modified extensively in the backend. This means it has a higher risk of regressions. Be aware.

Feature removals / deprecations

  • The XSLT feature was completely removed. That also means that the server_xsl query parameter to read_container request handler was removed.
  • The PORTFOLIO.do_decoding() JavaScript function was removed. It was not in use.

Bugfixes, tracing identifers, improved metrics and more

Today's update (9899ece) brings with it the follow changes:

Security issues

  • Updated third-party SSL/TLS modules to support OpenSSL 1.1 properly.

Performance improvements

  • Diminished the number metrics emitted from the queue worker when new jobs are created.

New features

  • A tracing identifier is now generated and added to all HTTP requests, allowing for more in-depth analysis when issues are encountered.

Enhancements

  • Improved database restore script allowing for point-in-time recovery.

Bugfixes

  • Fixed issue with accidental overwriting of config set entries, site config entries and user config entries.
  • Fixed issue with course rebuilt timestamp not being updated when course is rebuilt.
  • Previously plain text files created in Notepad with default encoding would be detected as UTF-8, which was wrong. They should now detect properly as ISO-8859-1 (Latin1).

Operating system upgrade

Today's update (d75be48) brings with it the following changes:

Security issues

  • Operating system of all servers upgraded to Ubuntu 18.04. This was part of a larger process to migrate away from the soon-to-be unsupported Ubuntu 14.04 version.

Bugfixes

  • Fixed a race condition in the wav2mp3 request handler that could sometimes cause the playback of voice recordings to not play back on the initial attempt.

Improved database backup solution

Today's update (a195d1b) brings with it the following backend changes (no user-facing changes were added in this update):

Performance improvements

  • The database backup solution has been changed from a logical to a physical backup, decreasing page load while the backup is running.

Enhancements

  • It is now possible to do point-in-time recovery of the database in case of disasters.
  • Testing of template functions was improved.
  • Diminished backend logging from ffmpeg when generating video thumbnails.

Fixed server errors on delete_quiz and increased thumbnail timeouts

Today's hotpatch (3b3bbbc) includes these changes:

Performance improvements

  • Increased number of BlobMachine workers. Should allow fetching of more blobs concurrently.

Bugfixes

  • It was not possible to remove your saved or sent answers because the delete_quiz request handler was generating an internal server error. This should now be fixed.
  • Increased timeout for thumbnail and avatar request handlers to 30 seconds, to avoid timeout issues on large video objects.

Fixed thumbnail generation issues, accessibility issues and more

Today's update (e359913) brings with it the following changes:

Performance improvements

  • Fixed issue with thumbnail request handler sometimes crashing when generating thumbnail from an image object.
  • Changed thumbnail request handler to only ever request a single frame when generating thumbnail from a video object. It still crashes when trying to generate thumbnail from incompatible video objects.

Enhancements

  • The font size in the TinyMCE text editor has been changed from 10px to 12px for better readability.
  • Refactored a lot of request handlers, ensuring more consistent code. There is a small risk of regressions. Please report any unexpected behavior.
  • Performance statistics are now logged in a common format, ensuring consistency with other applications. The old JSON format is no longer used.

Bugfixes

  • Added missing alt attribute on MP4 video objects, improving accessibility.
  • Fixed an issue where alt and title attributes weren't rendered on thumbnails if the value was the empty string or the value 0.
  • The template function get_group_member_count() now properly returns an array, even when the array contains only a single item.
  • Fixed wrong documentation on several request handlers.

Fix password-changing issue and other bugs

Today's update (b33e7c9) brings with it the following changes:

Security issues

  • An issue preventing users without impersonate permission (almost everyone) from changing their own password was fixed.

Performance improvements

  • When trying to render a thumbnail for an unsupported file format or broken file, the web worker process generating that image would exit early because of a PIPE signal, potentially triggering overload on that web worker node. It could also happen when transcoding wave audio files to MP3. These error conditions should no longer cause unexpected web worker process exits.
  • A lot of database refactoring has been done, some of it improving performance in certain situations.

Enhancements

  • Improved language in messages related to password reset and user account deletion procedures.
  • The amount of inactive users deleted is now increased from 5% to 40% each time the job is run. This should ensure inactive users are deleted faster.
  • Improved automatic test coverage, giving better protection against regressions.
  • Refactored a lot of request handlers to use newer coding style. This should allow us to remove unused, old code eventually.

Bugfixes

  • In the My students report the dropdown group filter and the filter textbox wasn't always synchronized. Now, whenever one of them is used, the other is reset to avoid confusion. Only one of them can be used at the time. In addition, if you use the back browser button to navigate back to the page, the previous settings are put back. This information is stored in a cookie for 30 minutes.
  • Fixed an issue in report_score template function, where passing an empty string where a UUID is needed would trigger an error.
  • Fixed an issue in list_account_registrations request handler, where users with an unknown created timestamp wouldn't show up in reports. This should now be fixed.
  • In the avatar template function, if it was called without a size value, a warning was emitted. This is now fixed.
  • Avoid warning being emitted if object without created or updated timestamp is rendered.

Fix issue with application error page being shown more than usual

A hotpatch (4dc3625) was deployed today to address the issue where users would see the "an application error occurred, try again later" page more often than usual.

Another hotpatch: PIN codes can be validated again

Another hotpatch (3c27a9a) was deployed today. It contains the following changes:

Bugfixes

  • Fixed issue with validation of PIN codes generating a database error.

Hotpatch: Object comments can now be saved again

A small hotpatch (4db6824) was deployed today.

Bugfixes

  • It fixed the issue with saving object comments.
  • It also fixed a minor issue with HTTP requests without User-Agent header causing errors.

Improved self-registration workflow, increased performance and more

Today's update (d2fd5d2) brings with it the following changes:

Security issues

  • The online request handler is now only accessible by global administrators. This is to avoid leaking personal information from online users to all other users, according to GDPR regulations.

Performance improvements

  • Rendering container breadcrumbs in templates should now be much faster, as multiple database calls to check permissions are avoided.
  • The get_child_containers() and get_child_objects() container methods should be much faster, because permission checking is now done in a single database query.
  • The count_children() container method is now faster because it calculates the number of objects and containers in a single database query.
  • The has_role() user method should be about four times faster because of improved database query syntax.

Enhancements

  • The self-registration workflow on CEFR sites required two emails sent to the newly registered user, when one would technically suffice. Now only a single email is sent that includes the reset password URL and the URL you should use to login once the password is set.
  • The help text in the user self-registration form has been improved to mention the set password URL instead of password. The same form now also mentions that you need to answer the security question to prove you're not a robot.
  • The inactive users removal process is now more randomized, to avoid users with undeletable data blocking removal of other users for an extended time.
  • The render_link() method now supports a show_path boolean argument which turns on breadcrumb rendering.
  • When the send to supervisor object editor feature is used, the link which is sent is now rendered with a breadcrumb, so it is easier to figure out where it is located in the folder structure.
  • The TinyMCE/WYSIWYG HTML editor rectangle can now be resized.
  • The extra toolbars in the advanced TinyMCE layout can now be toggled on/off using a button.
  • A lot of the database queries have been refactored, which should make them more robust. This has been a very large task, which might trigger some regressions. Please inform us as soon as possible if you notice something not working properly.

Bugfixes

  • The template plugin CGI can now be used with a lower-case name. Previously it silently did nothing.
  • Bullets in unordered lists in message content was not shown. They are now shown, as expected.
  • Fixed a bug causing JavaScript syntax error if PORTFOLIO.page_url contains single quotes.
  • Fixed an issue with users being notified again about deletion of account because of slow deletion process. When users that have been notified about account deletion was not deleted within 2 weeks, a new message was sent to them, delaying deletion even further. Now the re-notification won't happen until after 4 weeks of their first notification, giving the system 2 weeks to actually delete the user after their notification limit has expired.
  • Personal groups are now removed during the delete user process. They previously caused an error during user removal.
  • Institution groups associated with a user is now turned into an institution group without an owner during the delete user process. They previously caused an error during user removal.

Feature removals / deprecations

  • The get_parent() container method is no longer available. If you previously used it, use parent_data() instead.

Remove inactive users feature and more GDPR privacy improvements

Today's update (bc6c820) brings with it the following changes:

Security issues

  • Removed debugging code which accidentally revealed a secret key for interaction between Portfolio and e-Portal in server logs.

Performance improvements

  • Added ability to better inspect database performance.

New features

  • User accounts which have been inactive for a long time are now automatically deleted.
    • Users that have never logged in are removed after 1 month.
    • Users that have logged in, but never created any content, are removed after 6 months.
    • Users that have logged in and created content are removed after 26 months.
    • Users that have content will be notified 14 days before they are removed. If they log in again within those 14 days they will not be removed.
    • Users with content that have an auto-generated e-Portal or empty email address will not be notified, but they will be automatically removed after 26 months and 14 days.
    • The job that notifies users about deletion will notify 400 new users every hour instead of all inactive user at once. This is to avoid overloading email systems and accidentally put our servers on spam blacklists. This should ensure all users are notified in approx. 3 weeks.
    • The job that performs the deletions will not be activated until August 15th. This is to avoid that teachers and students that are on summer holiday accidentally get removed while they're not checking their email.

Enhancements

  • IP addresses gathered by Google Analytics are now properly anonymized. This should ensure we are compliant with GDPR regulations.

Template cookie access and improved email templates

Today's hotpatch (bd3294e) brings with it these minor changes:

Enhancements

  • The self-registration email now contains a sentence describing that you need to use the forgotten password feature to set your password if you don't know it.
  • Improved the PIN code registration email text similar to the self-registration email.
  • Added more Norwegian nynorsk translations.

Bugfixes

  • Re-enabled the ability to use CGI.cookie() template plugin method. It was mistakenly removed when the CGI template plugin was rewritten from scratch.

Users are not deleted when ePortal message is received

Today's hotpatch (2aedfdc) brings with it the following changes:

Bugfixes

  • In the update deployed on Tuesday, users were automatically removed when the ePortal sent a remove user message. This was not the intended behavior. When a user is removed in the ePortal it should be in quarantine for some time before it is removed. Disabled automatic deletion of users until ePortal sends the correct messages at the correct time. That is, the old behavior we had before the update on Tuesday is reinstated as-is.
  • The confirmation message shown when an account is tried deleted is more expressive about what will happen. Hopefully this should cause less confusion.
  • Quiz observations were collected, but wasn't mentioned in our privacy policy. This data collection has now been disabled.

Minor bugfix fixing user deletion issue

In certain situations a user might not be deleted when they asked for it because their home container wasn't properly removed first. This issue should be resolved in this release, 9799ad3.

Security fix, ability to delete user account and more

Today's update (94c74a7) brings with it the following changes:

Security issues

  • It was possible to change a user's password without their consent by sending specially crafted HTML which would be activated automatically using a CSRF/XSS attack when the user reads the message.
    • This vulnerability was fixed by asking for the user's existing password before setting a new password or changing their email address.
    • Users with access to the impersonate feature (special support staff) are allowed to change another user's email address without needing to enter the user's password.

Performance improvements

  • The list_quota request handler now only shows the first 1000 users ordered by used storage size. This should ensure it never times out.

New features

  • It is now possible to delete your user account. Only global administrators are allowed to delete accounts other than their own. If an account that owns course content (or other content outside their home folder) is deleted, that content is transferred to the orphan user. All remaining objects and containers, object quiz assignments, scores and account activity are deleted. It is not possible to login as this orphan user.
  • Added privacy policy link to standard footer template. When logged in, the link is moved to the top help menu. The link is only shown if the configuration variable privacy_policy contains an object identifer.

Enhancements

  • When an ePortal push message with the remove user action is received, the user is now permanently removed in Portfolio. If the user is a global administrator or has institutions associated with it the user is not deleted, only institution and course relationships are removed.
  • All links in the standard footer now uses HTTPS and have been updated. The HTML markup has also been improved.

Bugfixes

  • Fixed some CSS bugs in the standard stylesheet. Should have no user impact.
  • Added a wrapper class for the template plugin CGI. Only the param() method is implemented, allowing for template code to easily use query string parameters.
  • When users register themselves using the selfreg request handler, the group they're registered into is now properly logged.

Feature removals / deprecations

  • The course progress limit feature was never used. It has now been removed.
  • The event log action account_delete was removed. It didn't contain any usable metadata. All event log entries with this action have been removed.
  • The event log column container_id was never used. It has now been removed.
  • The object attributes cost and copyright wasn't used anywhere. They have now been removed.

Hashed passwords, faster search and more

Today's update (3648106) brings with it the following changes:

Security issues

  • Passwords are now hashed with the Bcrypt algorithm. If you need to recover your password this is now done by sending a time-limited password reset link by email.
  • The forgotten password form is now protected by a honeypot security feature that should stop most spambots. This should reduce the possibility that the form is used in a DDoS amplification attack against a third party.

Performance improvements

  • Search features should now be much faster, as they use trigram database indexes. Searches for containers, objects, courses, institutions, users and mailbox messages should be significantly faster. The user search feature supports substring matching again, making it easier to search for partial user names.

New features

  • When the sound recorder is used an event is sent to our metrics aggregation service (InfluxDB). This enables us to measure sound recorder usage on different platforms and browsers.
  • Ownership of any container or object can now be transferred to a predefined user by global administrators. This should make it possible to clean up ownership on all of our existing course content. When an administrator use the feature a status message is sent to them when the job is completed.
  • Select support staff can now impersonate another user. When this feature is used it is logged in a way that can't be removed by support staff. The feature was added to make it easier for support staff to help end-users without needing to know their password.

Enhancements

  • Modernized HTTP/CGI request parsing. This moves us one step closer to not being dependent on the FastCGI protocol for communication between our web workers and the reverse proxy. Should have no end-user impact.
  • Google Chrome Headless is now used instead of unmaintained PhantomJS to perform browser-based testing.

Bugfixes

  • Successive empty URL path parameters are now normalized away.

Feature removals / deprecations

  • Completely removed PhantomJS support code.
  • Removed various database columns, indexes and sequences related to local file storage that are no longer in use.

Fix for contact manager timeout issue

Today's update (6ac882b) fixes a timeout issue with the contact manager.

Be aware that members of self registration groups you are a member of are no longer listed in the contact manager.

Database upgrade, persistent connections and bulk metadata editor

Today's update (a8632bd) brings with it the following changes:

Performance improvements

  • The database system has been updated to PostgreSQL 10. This should give numerous performance improvements.
  • Persistent database connections feature has been implemented. This should lower load on the database system during high-traffic situations.
  • Certain features that would require database locking, like updating user's last activity timestamp and object last read timestamp is now done in a single atomic database call, getting rid potential race conditions and locking issues.
  • Improved performance when listing contents of inbox/outbox.

New features

  • The CodeMirror and TinyMCE editors now have a word counter.
  • It's now possible to edit metadata for all containers and objects in a container in a simple user-interface. You can access this feature in the Edit menu when viewing a container. You can use Ctrl-Up/Down/Home/End to more quickly navigate the input fields in the table.

Enhancements

  • When adding users to institutions using the table or text user interface, our standard CSV parser is now used.
  • It is now possible to not inform the supervisor when an assignment is delivered. You can enable this feature by setting the custom_init variable dont_inform_supervisor=1 on the hand-in object.
  • Exception handling has been completely reimplemented, which should give more sane error handling.
  • Some database queries have been moved out into external files to make it easier to develop them further. Some of them now use newer PostgreSQL 10 features.

Fixing regressions with new quiz() XHR submit feature

A minor update (dc8cdd4) was performed today to fix regressions with the new behavior for quiz submission using XHR.

User session limit introduced, Flash rendering bugfixes and more

Today's update (42590a8) brings with it the following changes:

Security issues

  • User sharing has never been allowed in Portfolio. It could sometimes cause performance issues that would impact the page response time of the entire system. A security feature was implemented that blocks a user from being logged in more than five places at the same time.

Performance improvements

  • Several database queries that work with arrays was changed to avoid generating very long queries. Now they use bind variables instead, which should be faster and cause less logging overhead.

New features

  • Objects that use quiz() template functions can now be rendered with a submit button outside of the read request handler. You need to set the embed template function parameter is_quiz_context to 1 to use this feature. When it is activated, the quiz form will be submitted using XHR/AJAX instead of generating a page load.

Enhancements

  • The user-interface in the object/container selector was changed from using multiple confirmation buttons to a single OK button and multiple radio buttons used to choose the insert method.
  • When the object selector is used from TinyMCE the object you've highlighted in the editor is now selected in the object selector.
  • The list of fully translated user-interface languages can now be customized. The site configuration variable translated_ui_languages contains a comma-separated list of additional languages that should be supported on the site. This should solve the issue on CEFR sites that couldn't use German translations before logging in.
  • More API documentation for request handlers was added.

Bugfixes

  • In recent versions of Chrome, the iframe-based method of embedding Flash content no longer works. The way Flash (.swf) content is embedded on the page has been changed to be compatible. The use_resolve_path object custom_init parameter no longer has any purpose and can be removed. All Flash files now resolve relative file references based on the .swf object itself.
  • Fixed navigation issue with add comment button on minvei.no
  • Fixed issue with keyboard events not noticed by ping timer inside TinyMCE edit window.
  • Fixed issue with non-HTTPS URLs being returned from LeseWEB API server preventing usage of synthetic speech feature.
  • The JavaScript code for the quiz_timer() template function has been refactored into something that works with the new quiz form.
  • Fixed issue in object selector when width and height was customized. It previously wasn't included in the injected HTML. Now it is. It now supports all CSS units.
  • Fixed an issue where PIPE signal could interrupt WAVE to MP3 transcoding in an unexpected way.

Feature removals / deprecations

  • The Flash plugin checker code was completely removed, as it no longer instructs modern browsers to initiate a Flash runtime download dialog anymore.
  • The older Flash-based MP3 playback engine (musicplayer) used in the object selector was removed. The existing HTML5-based audio player (SoundManager2) is now used in the object selector. The musicplayer 3rd party component was removed.
  • The read request handler query parameter ignore_resolve_path was removed. The old method of embedding Flash content (.swf) was the only code that used it.
  • The metadata panel in the object/container selector wasn't really used for anything, so it was removed.
  • The title and uuid insert method options in the object/container selector were removed, as they weren't useful.

Fixed issues after yesterday's update

This update (293e7d9) brings with it the follow changes:

Bugfixes

  • CEFR reports to multiple recipients were not allowed. This has now been fixed.
  • When editing documents with template code in them, template code could be encoded incorrectly. This should now be fixed.

Reimplemented selector and quiz editor, lots of bugfixes and more

This update (4bed6c98f) brings with it the following changes:

Security issues

  • Unicode control characters are now stripped from plain-text input fields to protect against certain types of injection attacks.

Performance improvements

  • The text-to-speech (TTS) feature now uses iterative tree traversal instead of recursion to mark all the words in the page. This should make it more performant because it avoids certain hard-to-optimize JavaScript features (arguments.callee).

New features

  • Added script used to transcode all RIFF WAVE objects to MP3. This script will run regularly to ensure uploaded wave files don't take up too much space.

Enhancements

  • Our TinyMCE plugins, the object/container selector and quiz editor, have been refactored extensively.
    • The code is now much more understandable and layout has been cleaned up quite a lot.
    • Various unimplemented behavior has been removed.
    • The template code parser has been made much more robust and simpler, allowing for further improvements in the future. It has also been separated out into a separate TinyMCE plugin.
    • Resizing of the dialog windows now expand the appropriate sections properly.
    • Popup windows now show up on the same monitor as the main window in multi-monitor setups.
    • Styles for these two dialog windows are in the behavior stylesheet, so that they are always available and consistent on any site.
    • User interfaces for the plugins are now implemented in the request_selector and request_quiz_editor templates, allowing for better localization and more.
    • TinyMCE language packs are no longer needed, allowing for somewhat faster loading.
  • Quiz editor playback language now defaults to current content language.
  • Quiz editor preview feature is now located on the quiz type image instead of a separate button.
  • Object selector preview thumbnail no longer generate invalid size warnings because of CSS units.
  • The existing HTML5 uploader is used in the object selector which enables drag-n-drop uploading, progress indicator and multiple file upload during file selection.
  • The object/container selector is now easier to use from other code. The metadata for the selected element in the selector can now be dispatched to a user-supplied callback function.
  • It is now possible to navigate in the object/container selector using the keyboard. Arrow keys, Up/Down, Home/End and Enter/Backspace can be used to navigate the tree with ease.
  • The tab pages in the object selector now uses jQuery UI tabs instead of TinyMCE tabs.
  • Object selector now uses browser-native color selector.
  • There is still an issue in the object/container selector where double-click events are not properly handled on mobile devices. They trigger page zoom instead. This is not a new issue introduced by the refactoring.
  • Simplified code in PORTFOLIO.is_uuid() and PORTFOLIO.is_integer().
  • Disabling/enabling DOM elements is now done using jQuery .prop() method.
  • The selector request handler now has a boolean variable called tinymce_mode which is set to true when called from the TinyMCE plugin.
  • The list_log request handler has been converted to use jQuery DataTables plugin, more consistent with other user interfaces. Now allows sorting on date.
  • Improved talkbook feature to not require sound files to be present on web worker nodes, simplifying deployment. The talkbook feature can now be automatically tested. Multiple variants of the same word is now made available to code that uses it instead of just the first variant.
  • The login page displayed when the anonymous user doesn't have access now always contain a link to the forgotten password page, allowing for easier password recovery.

Bugfixes

  • Fixed invalid CSS border shorthand syntax.
  • An obscure bug when using TT BLOCK constructs together with process_template() TT function has been fixed.
  • Fixed a long-standing layout issue with the element_nav_course template.
  • Adjustment functions that work with the standard layout exit early if DOM elements are not present in the page.
  • Added support for Spanish user-interface language properly. It impacted CEFR sites.
  • Tables rendered using jQuery DataTables now support Spanish language.
  • Tightened the valid email regular expression, avoiding some forms of invalid emails, minimizing mail server errors.

Feature removals / deprecations

  • The WebFX ColumnList library is no longer used anywhere, so it was removed.
  • The pf_ordbok TinyMCE plugin was no longer used anywhere. It has been removed.
  • Renamed use of tinyMCE global JavaScript variable to tinymce. This should've been done when migrating from TinyMCE version 2 to version 3.
  • The object/container selector UI is no longer implemented using an XSL template. The list_element XSL template was removed.
  • The update metadata on server and create folder features in the object/container selector has been removed. They never did anything.

Fixed issue with formatting of timestamps from database

There was a small issue with formatting of timestamps coming from the database that was not fixed in the update that was deployed yesterday. This should now be fixed with release cde6b8e.

Timestamps now show in correct time zone and more lists are sorted correctly

Today's update (0863168) brings with it the following changes:

Security issues

  • The HTTP request handler read_config is now accessible by anonymous users when you're fetching global or site configuration. This fixes an issue with DrillPro apps on Servus.
  • Talkbook sounds were previously not available to d-bok reader because of a HTTP CORS issue. This should now be fixed.
  • All Unicode text input should now be normalized to the NFC form to avoid hard-to-notice comparison bugs.

New features

  • A new template handler, current_timezone is available, which includes the time zone value from the browser (or a default value if not yet set). The default time zone can be set with the global configuration variable timezone.
  • The test suite can now test job queue and web worker behavior better, allowing for improved code coverage.

Enhancements

  • Timestamps are now shown in the time zone the user expects. This is implemented in the template handler human_date, which is used in most situations to display timestamps. Timestamps generated before this update will show up in the UTC time zone, regardless of what time zone the user uses. The current time zone is now shown in the standard footer template, allowing for easier time zone debugging.
  • The sort_object template handler now supports locale-aware sorting.
  • The unpack HTTP request handler now always dispatches to an async job.
  • The job queue has been reimplemented using Redis queue and distributed locking primitives.
  • PORTFOLIO.session_set_var JavaScript function now supports async operation.

Feature removals / deprecations

  • The job queue is no longer implemented using Beanstalk, so it has been completely removed.
  • The unpack HTTP request handler no longer supports unpacking archives without using async job.

New image measurement handler, Heap Analytics user tracking added and default permissions warning removed

Today's update (e9988b9) brings with it the following changes:

New features

  • New request handler for images was added that make it possible to quickly measure the dimensions of a rectangle in an image which can be used directly in the findinpicture app. This handler is available in the edit top menu. A copy-to-clipboard button is also available which is focused after a selection is done. Some SVG images are not compatible with this rendering method and can't be properly measured. This issue might be fixed in a later update.
  • Added user client-side event tracking using HeapAnalytics.com. This can be selectively enabled for a site by setting the heap_analytics_id configuration variable.
  • When you're creating exercises (app-input objects) it is now possible to quickly look up the app you want to use with the app selector located next to the custom_init input box in the object editor.

Enhancements

  • The list_config request handler has been completely rewritten to use the new list_config template function.

Bugfixes

  • When new objects were created a warning about broken default permissions was shown. This should no longer happen if no default permissions are set.

Feature removals / deprecations

  • The object attributes structure, version and aggregation_level was removed, along with their backing database columns. They have never been used for anything useful. They were removed to save space and decrease user interface complexity.

Default permissions, CodeMirror editor improvements and bugfixes

Today's update (a1a3d64) brings with it the following changes:

New features

  • It's now possible to save a set of default permissions which will be applied whenever you create new objects or containers.
    • These permissions are also applied when you unpack zip files or upload files directly.
    • When you create voice recordings using the recorder app these default permissions are not applied.
    • If you unpack a zip file over existing content the permissions of the existing content will not be modified, although the content will be.
  • A button has been added to the metadata tab of the container and object editor to allow for generation of the LOM XML content. This should make it easier to add additional titles in other languages.
  • A help feature has been added to the CodeMirror editor. Press F1 while the cursor is inside the editor to access the help feature.
  • It's now possible to randomize and sort lines in the CodeMirror editor. You use the keys F8 and F9 respectively to perform these actions.

Enhancements

  • The current_timestamp template function now returns a DateTime instance instead of a string, allowing for more date math and other behavior. The returned timestamp always has the timezone set to UTC, instead of using local timezone. This does mean that users will see timestamps with an offset from what they're used to, but this can't be improved unless we have some way of gathering the time zone from the browser and storing it in the session (or cookies).
  • A lot of the behavior around adding and removing permissions to containers and objects has been changed. It should now be more consistent all over.
  • Some strings in the Spanish translation was updated.

Bugfixes

  • When the create_response template function was used and the CodeMirror editor was used, saving and sending in content was impossible. This has now been fixed.
  • HTTP redirects didn't include a CORS header, even if one was specified for the site. This has been fixed.

Feature removals / deprecations

  • Removed the old and unused get_isbn HTTP request handler.

Rewritten create_response() feature and various other improvements

Today's update (e736cb2) brings with it the following changes:

New features

  • The create_response() template function has been more or less completely rewritten. It is now rendered on the page instead of opening a new window/tab. It allows inline editing of a response object. This should improve useability for students quite a lot.
  • It is now possible to see how much blob storage space a user has consumed.

Enhancements

  • Added font-size option to the simple TinyMCE editor.
  • Improved message when object is saved and sent to supervisor.
  • When rendering origin object while editing a response object, the response is no longer shown in the dropdown, avoiding double display of the same content.
  • Inconsistent styles for info/warning/error messages has been cleaned up.
  • Test suite has been improved quite a lot. It can now be run in continuous integration services.

Bugfixes

  • The human_size() template function now works with the value 0.
  • Fixed issue with inconsistent padding/margin around some TinyMCE toolbar elements.

Feature removals / deprecations

  • Several JavaScript functions which are no longer in use have been removed:
    • PORTFOLIO.helpSuccessHandler
    • PORTFOLIO.helpFailureHandler
    • PORTFOLIO.getAjaxObject
    • PORTFOLIO.PopDocAjax
    • PORTFOLIO.contentSuccessHandler

Unexpected downtime because of hardware issue

On the 8th of June 2017 between 8:25 and 8:55 CET our services where unexpectedly down because of a hardware issue with our load-balancer.

The issue has been corrected and services are back up. We're sorry for the inconvenience.

Improved performance, WAV to MP3 transcoding and lots of other improvements

Today's update (4bbbf6f) brings with it the following changes:

Performance improvements

  • Rewritten most of the database functions related to filesystem tree traversal. Should almost double performance in a lot of situations, allowing for most page loads to be faster. Several redundant functions were removed or inlined to make everything faster.
  • Container sort key is now consistently stored in the database, allowing for some performance improvements.
  • The permission-checking database functions were also rewritten, giving almost a 10 times performance improvement in most situations.
  • When navigating to the root level in the file manager, it was not uncommon to get a timeout. This should now be fixed. Now the root level takes about 10-20 seconds to render. Not optimal, but within the timeout threshold. It is no longer possible to list the root level with all user's home containers.

New features

  • Wave audio files which are recorded or uploaded are now automatically converted to MP3 to save backend storage space. Because of the smaller size they should also download faster to clients.
  • Automatic playback of next audio object when one has finished playback is now possible by customizing page templates.
  • Video playback now logs playback duration to Google Analytics, allowing for calculation of royalty payments on video files as well as audio files.

Enhancements

  • The validation logic in the file manager was rewritten as part of the tree-traversal performance improvement. It should now be more consistent and faster. There is one behavior difference to the old implementation. The containers and objects are returned from the validator in no specific order, so adding them to a course would not yield a traversal-specific order. It is therefore recommended to only use it to add aux. objects using this method.
  • The element_favicon template is now overridable.
  • A new favorite/bookmark icon was added. Now Portfolio has a slightly better design profile. Bookmark icons should now be available in larger sizes.
  • When you're editing an object it is now possible to see which courses it is part of, regardless of course permissions.
  • Improve HTML markup error message to take into account if you're using WYSIWYG editor or not.
  • The json, xml and view request handlers are now documented.

Bugfixes

  • Avoid using NPAPI plugins to render video in browsers where these are no longer allowed. Affecting Microsoft Edge, Firefox v52 and above and Chrome v45 and above.
  • All timestamps should now be stored with time zone information, hopefully fixing most timestamp offset issues.
  • Audio file autoplay is always disabled on mobile devices because most mobile devices don't allow it without clicking first.
  • The get_containers() method on course instances was renamed to get_container_ids().
  • Only complete user-interface languages are now used to autoselect a language based on browser preference.
  • Fixed missing translations in TinyMCE if using Portuguese language.

Feature removals / deprecations

  • Removed several database functions, tables and views which are no longer in use.
  • Removed a duplicate database index, slightly improving performance.

More powerful database server and some bugfixes

This update (11ee2cf) brings with it the following changes:

Security issues

  • Ensure variables used in the list_log request handler are properly validated before use, avoiding a potential SQL injection security issue.

Performance improvements

  • The database server hardware was upgraded to handle more load, decreasing overall page load latency.

New features

  • When editing objects, you're now able to see which course the object is used in. Only users with editor access to the course can see this information.

Bugfixes

  • Fixed a database error when no valid users where specified in the user_activity request handler.
  • Large videos would sometimes not load because the timeout on the data request handler was set a bit low. Bumped the timeout to 30 seconds to mitigate the issue.
  • A textarea line-wrapping issue was fixed in the CSV editor view in the manage_course request handler.

Feature removals / deprecations

  • The last parts of the video transcoding feature was removed.

Migration to cloud environment, removal of cookie warning and chat feature

Today's update (88c928d) brings with it the following changes:

Performance improvements

  • The entire system has been moved to a cloud-based environment, allowing us to better meet future performance requirements. This is the first step to being able to utilize horizontal scaling more extensively.

Enhancements

  • The cookie warning at the top of the page has been removed. A link somewhere on the page to our cookie policy is enough according to regulations.
  • Anonymous sessions from our server monitoring software should no longer show up in the online list.

Bugfixes

  • File uploading has been improved to be even more robust.

Feature removals / deprecations

  • The real-time chat feature has been removed, as it was not used by anyone.
  • The object attribute client_mimetype has been removed. It is not used by any code.

File uploading now fixed!

An emergency update (1f07d10) was pushed out today. It fixed the regression from yesterday's update that broke file uploading. Now it should work again.

New plain-text editor, updated third-party packages in backend and more

Today's update (b827b0037) brings with it the following changes:

Performance improvements

  • Upgrade to newest version of Perl (5.24.1) and CPAN modules to get an overall performance improvement.
  • The main dropdown menu (top left) is written in a slightly faster way which should make all normal page loads slightly faster.

New features

  • When the WYSIWYG editor (TinyMCE) is disabled, which is common for power users, you now get a plain-text editor called CodeMirror which has better editing features than a normal HTML textarea. It has tab indenting, syntax highlighting and code folding, to name a few. It is also possible to customize how you want the editor to function on a site-by-site or user-by-user basis.

Enhancements

  • Perlbrew and Pinto are now used to manage Perl and CPAN packages. This ensures we always used the same version of perl and CPAN modules on all installations. This should avoid test failures and other unexpected behavior because different versions of third-party dependencies are used. As this changes a lot of the underlying foundation, there is a higher chance of regressions from this update. Get in touch with support if you notice something out of the ordinary that our testing didn't catch.
  • The type of objects which supported WYSIWYG mode and file upload was updated. This should allow e.g. text files to be uploaded to overwrite existing content (you don't have to paste the file into the editor now).
  • The first tab in object editor is activated when object type is changed to allow editor to initialize with visible viewport, avoiding potential issues.
  • Moved some inline styles in request_add_edit template over to the standard stylesheet, simplifying the template.

Bugfixes

  • The default width of 12.5em on textareas from normalize.css was reset, because it conflicts with our usage of rows/cols attributes to set the size of the editor.
  • Dropdown boxes rendered using element_select without onchange argument are no longer rendered with an empty onchange attribute, allowing event handlers to be applied normally.
  • More modern JavaScript code is now used to show/hide the language metadata dropdown menus in object editor.
  • Fixed some JavaScript errors related to TinyMCE when changing type in the object editor.
  • Non-ASCII text was sometimes encoded in a wrong way in email headers and when downloading files. This should now be fixed.

Feature removals / deprecations

  • The transcode checkbox in the object editor was removed because the video transcoding feature is no longer supported.

Show all children in containers, signup form spambot protection, synthetic speech configuration persistence and more

Today's update (977e443) brings with it the following changes:

Security issues

  • The user self-registration form didn't have any protection against spambots. This caused unwanted user registrations to be added to the database. A captcha question was added to the form to block most naive robots.

Performance improvements

  • Used a faster third-party package to perform URL escaping. This should improve performance slightly in a lot of situations.

Enhancements

  • It is now possible to list all children of a container in read_container request handler and filesystem template function without checking permissions. You activate it by using a custom_init value of show_all_children=1 on a container.
  • The synthetic speech configuration was not kept when loading a new page. The configuration is now persisted for the lifetime of your browser session.
  • The confirmation message you get when you send your CEFR placement test report now includes your own email address.

Bugfixes

  • The template function link() was not resolving courses. This has now been fixed.

Network upgrade completed

A short maintenance was performed this night to upgrade our backend switch to gigabit speed to improve performance of our database access and backups. The maintenance completed successfully and everything is back to normal. Increased network speed should result in slightly better overall performance.

Fix audio playback in popups and various other minor issues

Today's update (ade4039) brings with it the following changes:

New features

  • Allow load balancers with SSL termination in front of web servers by supporting X-Forwarded-For and X-Forwarded-Proto HTTP headers.

Enhancements

  • Added a max_depth parameter to the explain template function.
  • Changed link template function to always use two database calls when resolving identifier. Should avoid an edge case in identifier resolving.

Bugfixes

  • Changed talkbook feature to use URLs encoded in UTF-8 instead of legacy character sets. This should fix the inability to play back sounds with non-ASCII characters in popups.
  • Fixed broken rendering of template objects in history feature. This should ensure template objects shown in the history feature doesn't break page layout.

Hardware upgrade improves response time

This night we had a hardware upgrade which added additional CPU cores to our web server to mitigate the poor response time that has been plaguing us for some time.

Based on preliminary readings of our statistics the upgrade was a success and response time during peak hours should now be much better.

New fs2tree template function, iOS MP3 playback bugfix and more

Today's update (e49fef5) brings with it the following changes:

Performance improvements

  • The folder menu template (element_menu) has been rewritten to use the new fs2tree template function, which should speed it up quite a bit.
  • Display of forum comments should be faster because the backend database structure has been significantly improved.

New features

  • A new template function called fs2tree has been added, which is used to convert the array from filesystem template function into a tree structure, which should be useful for template designers.
  • The translation languages Amharic, Oromo and Swahili has been added.

Enhancements

  • On Safari (Mac/iOS) autocorrection and autocapitalization was done to the quiz type text, which was unfortunate, as it caused a lot of typing errors which could've been avoided. This behavior has been disabled.
  • The HTML layout of the filesystem request handler has been improved by using the new fs2tree template function.
  • Virtualhost and response time has been added to backend web server logs, allowing better monitoring.
  • The commenting feature was redesigned to avoid a circular foreign-key constraint, allowing improved database backup performance.
  • The database backup script is now more automation-friendly.

Bugfixes

  • SoundManager was upgraded to version 2.97a.20150601, which should fix the HTML5 MP3 playback issue on iOS/Safari.
  • An internal error when trying display a message without a sender was fixed.
  • Tables were missing labels if user interface language was set to Arabic. This has been fixed.
  • A file-not-found error was triggered if the incomplete Spanish user interface language was used. This has been fixed.

Unexpected downtime because of network issue

Because of an unexpected network issue with our backend network the servers were down from 14:49 to 15:52 (Europe/Oslo timezone). Our data center provider was able to resolve the issue and services are now operational again.

Faster user search, improved history feature and more bugfixes

Today's update (4920618) brings with it the following changes:

Performance improvements

  • The user search now uses an indexed search method, making it much faster. This has a side-effect that pure substring search is no longer possible. You can now only search on full tokens (like the full name or email).

New features

  • The read request handler and embed template function are now history-aware. This feature enables the history request handler to show the historic content of objects that use data request handler to refer to the content, like images, videos and other binary content. The thumbnail, watermark and wav2mp3 request handlers have also been made history-aware.
    • The following object types don't support relative file references (because they use resolve_path) when viewed using history:
      • Flash apps
      • JavaScript apps and scripts
      • SVG images
      • Perl scripts
      • CSS stylesheets
      • Text files
      • XML files
    • Java apps don't support history viewing at all (because they use resolve_path which doesn't support history).
    • Zip files can't be unpacked from history, they must be restored first. You can download them, though.
  • The embed template function now supports render_mode => "source" on JavaScript and CSS.

Enhancements

  • It is now possible to restore a deleted object or container into the correct parent container. The parent container must exist, or you'll get a database error during restore. Be aware that the parent container must be restored before the child object or container, or you'll get a database error about missing parent. This is most likely to occur when trying to restore a recursive delete.
  • Some flash info messages are now considered redundant and are not shown during normal usage.

Bugfixes

  • Small change in behavior. If embed template function is called with an odd number of options the options variable is now empty instead of cut at the last missing key/value pair. This should make the error in API usage more obvious. This could potentially trigger some regressions in content that was previously working.
  • The user search feature wasn't able to search for firstname lastname after a recent update. This has now been fixed.
  • A regression was found in the matchbox quiz type, which could return invalid data from the database when used together with the history-aware feature.
  • The links to Bokmålsordboka and Nynorskordboka have been updated.
  • Whitespace is now trimmed when using the history request handler.
  • Backend importing of content was not possible because the cost and copyright boolean object attributes where not sent properly to the database. This has now been fixed.

Blob storage, history feature and performance improvements

Today's update (0b662f0) brings with it the following changes:

Performance improvements

  • Object content is now stored in an external service called BlobMachine, making it possible to scale to multiple web servers.
  • All objects are stored named by the digest checksum of the content, improving caching because identical files only need to be read once. This feature also improves the transactional behavior during object modification.

New features

  • Whenever objects are modified the old version of content and metadata is stored, allowing quick restoration of content back to a previous version. Use the history button in the toolbar to access this feature. The history is kept for 6 weeks.
  • It's also possible to restore deleted containers and objects, but because of a bug they are restored to the root instead of their proper location. When restoring content on an existing object or container the parent is maintained. This issue will be fixed in a future update.

Enhancements

  • Cache files are now properly named after the digest checksum, which allows them to be created only once, becaues they never change without the name also changing.
  • The cache directory is regularly cleaned of old files, recovering disk space more efficiently.
  • The timeout in thumbnail(r) was increased to account for the increased time it takes to fetch videos from the blob service.

Bugfixes

  • The thumbnail request handler was unable to generate thumbnails for SVG images. Changed to return the SVG image directly when asked for a thumbnail of it. It should be able to scale to the needed size because it's a vector image.

IP address session protection changed and multiple bugfixes

Today's update (ce51eda) brings with it the following changes:

Security issues

  • Session hijacking was previously mitigated by ensuring the IP address always matched. When you're using HTTPS this is no longer needed, so it's no longer verified. Roaming between different networks (e.g. with a laptop or tablet) should now work without being logged out.

Bugfixes

  • The CEFR final report could in some situations include voice recordings for competence levels other than the one the student self-evaluated as. This has been fixed.
  • Using the back browser button and answering a CEFR document again would skip over a document in the workflow. This should now be fixed.
  • The page activity timer is no longer restarted if you use the back/forward browser buttons to navigate to a page.
  • The wav2mp3 request handler had a race condition when dealing with ADPCM WAV files from the Java-based voice recorder. This should now be fixed.
  • Some broken HTML markup in my configuration and other reports was fixed.

SASS stylesheet rendering, page timeout, timers and more improvements

Today's update (7601a42) brings with it the following changes:

Security issues

  • A new template function called explain() was added, used to dump the contents of variables used in templates with proper color and indentation. The use of Dumper.dump() caused sensitive data to be made available. The old Dumper.dump() method will still work, but restricted attribute values will be trimmed, just like explain() does.

Performance improvements

  • All HTTP request handlers and backend cron jobs now has a timeout value. The default timeout for a request handlers is now 2 minutes. The developer resource that lists request handlers now also includes information about the timeout for each handler. This should ensure that runaway processes no longer cause worker process resource starvation.
  • When PORTFOLIO.create_search_form() is executed, it will no longer perform the XmlHttpRequest call if the DOM element it should be rendered into is not present.

New features

  • It's now possible to compile SASS stylesheets into CSS on the fly. A new menu item for creating a SASS stylesheet has been added. Text files with the extension .sass or .scss will be detected as SASS/SCSS stylesheets during upload. The libsass C++ engine is used for the compilation. @import statements are supported, and resolve relative to the object that is being rendered. The prefix _ and the extension (.sass/.scss) is automatically appended if not specified to support the same behavior as the Ruby implementation.
  • The resolve_path() template function is finally available. It works just like the resolve_path request handler, and must start with a container identifier. They both just verify permission on the final object/container in the path, just like before.
  • The current_site template function can now be used. Some of the other site_XXX template variables are now redundant. Using current_site.container_data.resolve_path("path/to/file") is a good way of getting access to content below the site root without resorting to hard-coded container identifiers.
  • It's now possible to start and stop timers during template rendering. This allows more detailed timing information about page rendering to be displayed as an HTML comment at the end of the page if the enable_timing_report configuration variable is set. The report will also include how much time is spent in each template function, each template and the total time spent on generating the HTML.

Enhancements

  • Added new parameter render_mode to the embed() template function. You can set the value to either inline, raw or the default empty value. Inline mode will render the JavaScript and CSS inside the HTML instead of linking to external file (which is the default). Using the raw response mode is practical if you want to use a page object to bundle all CSS or JavaScript into a single HTTP request.
  • When a stylesheet is viewed directly instead of embedded, the actual CSS text is now rendered, so it is easier to know what you're working with.
  • Stylesheet objects are no longer forced to text/css mimetype regardless of which mimetype was set. It is now only used as a default.
  • The e-portal single-sign-on and push message handling now use the standard timeout feature, giving more consistency.
  • Improved code layout in read request handler, enabling proper filename when downloading content in more situations.
  • The generic error pages which are shown when the application doesn't respond properly have been improved. The language should be more user-friendly.

Bugfixes

  • Fix an internal server error when trying to upload a zero-length file. Now it shows the correct error message.
  • An unhandled exception when generating thumbnails is now handled, returning a proper error message instead.
  • Browsers have changed behavior with how they handle strong ETag cache validation tokens. Browsers now return a weak validator token even though we send a strong one. Ignore the weak ETag classifier so HTTP 304 NOT MODIFIED responses are generated when they should.
  • The word occured was consistently mistyped. Now it has been changed to the correct occurred in all strings.

Feature removals / deprecations

  • The page_timer template function no longer returns the timer value for the entire page. It now returns a timer instance you can use to start, stop and report timing information. This changes the API, so documentation has been updated to match the new behavior.
  • The request.filename local template variable was not used anywhere and was removed.

Fixed regressions in MP3 audio player

Today's hotpatch (5806a47) fixes the following regressions:

Bugfixes

  • The MP3 audio player was eating DOM elements, causing lots of different kinds of errors. This should now be fixed.

Enabled sending links to any objects and some bugfixes

Today's hotpatch (08fd291) has the following changes:

Enhancements

  • It's now possible to send links to objects you don't have access to, making it possible for teachers to easily send a link to a student asking them for permissions.

Bugfixes

  • The recipient in the To column in the outbox was not shown. The sender's name was shown instead. This has now been fixed.
  • It was previously possible to iterate through containers forever by specifying an ever-increasing list_start value to the read_container request handler. This should now emit an error.

Hotpatch to address bugs since last update

Today's hotpatch (3e3544b) brings with it the following changes:

Performance improvements

  • The poor performance of the My students report since last update has been fixed. It should now render in less than a second for most users.
  • The My contacts sidebar should render somewhat faster.

Improved performance for several reports and several other enhancements

Today's update (1234623) brings with it the following changes:

Security issues

  • All request handlers that support search queries now need a minimum of three characters to be valid. The search syntax is now consistently validated before it is passed on to the database.

Performance improvements

  • The My students report has been improved. It should now render faster.
  • The group members report has been optimized quite a lot and should no longer cause timeouts for groups with excessively large member count. If more than 100 table rows are shown then icons are skipped to improve speed. If more than a 1000 users are shown then they are not collectable.
  • The inbox/outbox should now be much more performant. The local template variables are also much more consistent. The HTTP API has been slightly changed (related to pagination).
  • Automatically-generated messages older than a year will now be automatically deleted.

Enhancements

  • The Course result report now shows the total time used in the course.
  • The continous summary table in Page views report has been hidden behind the enable_page_views_live_report user configuration variable. It is off by default.
  • The synthetic speech client now allow text and text selections in iframes to be read. The code has also been improved so it doesn't try to read JavaScript code out loud. Be aware that content in cross-origin frames or non-HTTPS frames will not be read from an HTTPS-enabled page. The starting DOM element can also be specified in the init method.
  • The MP3 audio player can now be configured to place the label, slider and buttons in whatever order you want it. The currently-playing audio player is now targetable with a CSS class.
  • Global and system groups are now shown in the user profile, if the user is a member of them.
  • The following request handlers now support ignorable path parameters before the UUID: read, read_container, data, download

Feature removals / deprecations

  • The java-settings and flash-settings object types were removed. Existing objects have been changed to type app-input.
  • The java-data and flash-data object types were removed. Existing objects have been changed to type app-output.

HTTPS security fixes, institution blog and object locking performance fixes and much more

Today's update (1b977e1) brings with it the following changes:

Security issues

  • Internet Explorer 11 on Windows 7-8.1 is not able to connect to HTTPS servers which use large Diffie-Hellmann primes. Changed to smaller primes which are compatible with Windows 7-8.1. Windows 10 was not impacted by this issue.
  • LeseWeb (synthetic speech) is now accessed via HTTPS URLs to mitigate a mixed-content warning.
  • HTTPS SSLv3 protocol was disabled to mitigate the POODLE attack.

Performance improvements

  • The list_institution_blog_items(r) and get_institution_blog(t) handlers caused timeout whenever they were used. This was one of the main reasons why the system has been slow the last few weeks. This should now be fixed.
  • Storage container size is no longer calculated when objects are modified. This was the cause of a massive locking issue on the entire object table each time an object was modified. This should radically improve performance and concurrency when working with long transactions which modify objects (e.g. recursive deletions).

New features

  • Added a button to copy identifier directly to the clipboard. Enable it with the boolean user configuration variable enable_copy_id_button.
  • When you're editing an object it is now possible to see which course the object belongs to on the permissions tab. You will only see courses you're an editor for.

Enhancements

  • The wav2mp3(r) handler now uses proper caching, allowing HTTP 304 NOT MODIFIED responses. This should improve rendering speed of playback of voice recordings. It is no longer possible to specify multiple objects or a WAV file URL to this handler. The object identifier can now also be specified as part of the URL path.
  • The thumbnail(r) and watermark(r) handlers have also been refactored to be more performant. A backend common cache directory is used instead of storing the cached representation together with the primary file.

Bugfixes

  • When you try to delete users that have delivered quiz assignments, it should no longer trigger a database exception.
  • The ar_SY locale now has right-to-left text direction properly defined.
  • UTF8/16/32 BOM text encoding detection was partially broken. This should now be fixed.
  • Fixed a bug where content was not saved properly when creating new spreadsheet objects.
  • Updated jxcell.jar and pfxcell.jar to conform to new security model in Oracle Java version 7u45 regarding Java applet method access from JavaScript.

HTTPS support, quiz radio inline mode, Google Chrome voice recorder bugfix and more

Today's update (76c9f3d) brings with it the following changes:

Security issues

  • Implement HTTPS support, allowing wildcard certificates and automatically generated certificates using letsencrypt.org.
    • A redirect from HTTP to HTTPS is automatically performed if a certificate is available for the domain.
    • The web server configuration should give an SSL Labs A rating for all domains.
    • Certificates acquired using Let's Encrypt are automatically renewed 30 days before they expire.
    • The default certificate name (for clients that don't support TLS SNI) is portfolio.
    • Domains that we explicitly don't want HTTPS for can be excluded.
    • A wildcard certificate for portfolio.no and fagbokforlaget.no will arrive shortly.

New features

  • Added Arabic Syria (ar_SY) content language code.

Enhancements

  • Implement inline display mode for quiz type radio. Unfortunately, because of an excessive use of the previous default block display mode, the default is block (when all other types default to inline). If you want inline display mode for type radio you need to explicitly set display_mode => 'inline'.
  • Improve icon for set default search method.

Bugfixes

  • Adding HTTPS support should fix the microphone access issue in Google Chrome when using the voice recorder.
  • Fix broken select user UI in object/container edit permissions tab.
  • Cleanup CSS selectors in request_read_account template.

New exam feature, filesystem(t) skip_custom_init feature and several bugfixes

Today's update (9e9d0c2) brings with it the following changes:

Performance improvements

  • Improve web server buffering, which should improve latency when a lot of users are requesting large multimedia content, or lots of users with low bandwidth are using the site.

New features

  • It is now possible to give time-limited access to a course, similar to a traditional classroom exam. The exam is automatically delivered after the time limit and supervisors are automatically assigned so that they can assess the exam once it's done. Supervisors are notified using the internal messaging system that a new exam is available for assessment. While the exam is active an infobar is added at the top of the page informing you how far you've come and how much time is left. When the exam is started, current_course and current_institution is set. When the exam is delivered (either manually or automatically) all exam documents are automatically delivered.
  • A new template function, human_duration, was added, making it easy to convert a duration instance into something easily understandable for end-users.
  • The template function, current_exam_participant, was added and is used by the template element_exam_status.

Enhancements

  • Extend filesystem template function to allow skipping of containers and objects based on a custom_init flag.
  • The container get_child_objects() and get_child_containers() methods were also extended to support this new filesystem behavior.
  • Finally the filesystem and read_container request handlers got the skip_custom_init query parameter and behavior.
  • Improve backend search script so it can match against multiple regular expressions like a filter chain.
  • Population of instances in model classes has been vastly improved and refactored to be simpler.

Bugfixes

  • When results for a course was deleted, progress was not reset to first document in course. This has now been fixed.
  • The width of the comment field when assessing assignments was too narrow. This has now been fixed.

EU cookie warning, changed e-portal login procedure and more

Today's update (0e8ab70) brings with it the following changes:

New features

  • A legal warning about cookie usage is now shown on top of each page with a link to more extensive documentation. If a site uses custom cookies, the template request_cookies should be extended to document their use.

Enhancements

  • When logging in using the e-portal, only the user that is logging in is now created or linked up (previously associated supervisors or students where also created). This means that only student/supervisor-relationships where both students and supervisors have logged in at least once will be created. It is recommended that teachers log in at least once to one of their products in the e-portal before students log in to ensure connections are set up before students start to use the products.
  • The CEFR placement test algorithm has been modified to allow skipping missing documents in the initial categories. This enables use-cases where we only want to test speech-related categories.
  • Android, iOS and Microsoft Edge browsers and mobile platforms should now be properly detected, allowing content to be customized for these devices and browsers. Internet Explorer is now detected as ie instead of msie. Templates should use the client_browser.is_ie check instead of the exact name, so content should not be impacted. The same applies to the Windows platform. It now returns the name windows instead of explicit names for each version of Windows. The check client_browser.on_windows should always be used in templates.
  • Several request handlers now show page titles with the name of the item being edited.

Bugfixes

  • Increased line-height for code examples in reference documentation to avoid underscores not being rendered.
  • Fixed PIN code case-sensitivity bug reported on revisor.portfolio.no.

HTTP range request support, CORS header support and improved API documentation

Today's update (146d133) brings with it the follow changes:

Security issues

  • Allow site administrators to set the CORS Access-Control-Allow-Origin HTTP header, allowing JavaScript applications on other sites access to data in Portfolio. The site configuration variable in question is named http_access_control_allow_origin. This was requested by the d-bok project.

Performance improvements

  • The implementation of HTTP range requests for binary content allow the video and audio player to skip ahead in the stream, saving some bandwidth when users are only interested in a specific portion of the stream.

New features

  • Support for HTTP range requests (RFC 7233) was added to all binary content served by Portfolio. The thumbnail, watermark and wav2mp3 HTTP request handlers have ranged requests disabled, because the content is dynamically generated. This also means that normal voice recordings performed in the WAV format does not support range requests during playback, because it internally uses the wav2mp3 request handler. This is because some browsers don't support playback of WAV files using HTML5.
  • Additional API documentation. All template handlers should now be documented. A significant portion of the HTTP request handlers have also been documented.

Enhancements

  • Binary HTTP responses from Portfolio was refactored, which should give more consistent response in terms of caching behavior.
  • Improved the readability of the legend text in the CEFR placement test usage report.

Bugfixes

  • Google Chrome users were unable to seek in MP4 video files before the entire video file was cached locally and the page was reloaded. This should now work as expected.

CEFR placement test usage report, JSON response bugfix, updated video player, and more

Today's update (2ef4099) brings with it the following changes:

New features

  • A report showing how many CEFR placement tests have been completed has been added. The report is only available to global administrators and owners of the specified groups. The groups included in the report is specified in the global configuration value placement_test_usage_report_groups.
  • Added back-end tool take_ownership. With this tool ownership on institutions, groups, courses, containers and objects can be quickly changed recursively.
  • Added region-agnostic Arabic user-interface language with locale code ar_001 to replace the region-specific code ar_001. The code ar_001 has been demoted to a content language. When rendered in HTML markup, the new code ar_001 will show up as a lang="ar" attribute. As this locale has no region associated with it, a white flag is used where required.

Enhancements

  • Updated video player to mediaelement.js 2.18.1 for better compatibility with newer browsers.
  • Extended database to handle locale codes longer than 5 characters. This was required by the Arabic change mentioned above.

Bugfixes

  • Fixed issue where JSON response text sometimes would return garbled Unicode text (Mojibake) and the wrong content length. Returning the wrong Content-Length HTTP header would cause all sorts of hard-to-debug issues, usually related to keep-alive connections and invalid byte boundaries. All use-cases where encode_json() was used have been reviewed and fixed.
  • When a user was removed from an institution, they might not have their student/supervisor relationship revoked. This bug should now be fixed.

Feature removals / deprecations

  • The user-interface language ar_001 has been demoted into a content language. You should use the locale code ar_001 instead for setting UI language.

Hotpatch to fix broken file uploader and more

A small hotpatch (c0e693f) was applied today to fix a few issues from yesterday's update.

Several sites had issues because the page wrapper for all request handlers wasn't named properly, causing several styles and scripts to misbehave. The sites were issues were reported were Klart det and Los geht's. The file uploader and the move feature in the file manager were also reported as broken. All of these issues were solved by naming the page wrapper properly.

It was noticed that localized titles were broken in many places, because of invalid XML LOM data. The error handling was improved to show a flash error message to the end-user instead of just logging in the server log. This should enable us to fix the issue more quickly in the future.

New PDF watermark feature, rewritten text output handling and several bugfixes

Today's update (631f59d) brings with it the following changes:

New features

  • A new feature was added, making it possible to add a unique text to each downloaded PDF file. This feature is enabled by adding add_watermark=1 to an object's custom_init variables. PDFs available to anonymous users will never have a watermark added.

Enhancements

  • Completely refactor code used to generate HTTP responses for text content because of inconsistent text encoding semantics.
  • Centralize the generation of the Content-Disposition HTTP header to ensure standard compliance.
  • Improved the error message if no content was generated from a request handler.
  • Added flash error message if script objects throw exceptions. Also removed old method of conveying errors.
  • Default content type used by textual content in read request handler changed to be text/plain instead of application/octet-stream.

Bugfixes

  • The thumbnail request handler would sometimes return the wrong Content-Length if client had already cached content.
  • Fixed internal server error if SVG with broken XML markup was displayed. Now the correct error message is shown.
  • Fixed several situations where we could be causing mojibake (garbled text) because of broken text encoding:
    • Object type link with non-ASCII text in URL.
    • Objects with use_resolve_path=1 in custom_init and a non-ASCII file name.

Feature removals / deprecations

  • Several XSL files not used in built-in code were removed.

New HTML5-based voice recorder, more API documentation and bugfixes

Today's update (0b2075d) brings with it the following changes:

New features

  • The voice recorder now utilizes HTML5 Web Audio support if your browser is capable. If you use a browser with HTML5 Web Audio support you're also able to pause and resume your recording.
  • A new template function, gen_uuid(), was added to generate unique identifiers inside templates.

Enhancements

  • It's now possible to debug how the Flash/HTML5-based voice recorder is behaving. Set the configuration variable debug_app_recorder to a true value if you need it. It is disabled by default. It can be used on all configuration levels.
  • More API documentation for template functions were added. Also slightly improved layout of code snippets.

Bugfixes

  • Some SVG files were not detected properly. This has now been fixed. SVG dimension detection has also been improved.
  • If your user-interface language was set to Danish, all enhanced tables didn't render properly. This has been fixed.
  • Native Portfolio popups didn't disable default click behavior (bubbling). It should now.
  • If multiple voice recorder instances with different configurations were present on a single page, then the on-upload-behavior would always come from the last instance's configuration. This has now been fixed.

New feature to upload profile photo, improved access key form, developer documentation and several bugfixes

This update (775d824) brings with it the following changes:

New features

  • The access key form will now automatically log you in if you specify an existing email address and password. It will also redirect back to the front page or to a user-specified URL properly.
  • Added new feature that makes it simple for a user to upload their photo and set their avatar.
  • Frontend developer reference documentation framework has been created and some reference documentation has been added. Some backend documentation is also available to global administrators. More documentation will come in a future update.
  • New template function get_system_group_id.
  • Some request handlers can now skip rendering the main page title (H1 element), but still show the page title. The user profile request handler and documentation handler uses this new feature.

Enhancements

  • The tables used to list the developer documentation now has improved usability. You can now quickly filter using incremental search.
  • The file uploader is now more flexible. You can specify extension filter, file permission and callback function.
  • Completely redesigned the visual layout of the Message of the Day page section. Should look more modern now. This style is always included in page, so sites using no_default_design override don't need to worry about designing it.
  • The MOTD will no longer show for a brief moment and then be hidden if the user has decided to hide it.
  • Improved anchor button style. Should look more like a button now.

Bugfixes

  • Fixed bug which could cause loss of information in manage site containers request handler.
  • The event tracking of sound files didn't create a usable label in the Google Analytics report. This should now be fixed.
  • The width of the title field in the content editor and the text box in the score feedback handlers have been fixed.
  • The left margin on paragraph and header text wasn't consistent because we were using EM units. This has been fixed by changing to pixel units.
  • If both the description and body content had broken HTML in the content editor, it was impossible to toggle code view for body content. This bug has been fixed.
  • Fixed several bugs related to avatar display in user profile.
  • The configuration edit feature in the user profile was broken if an administrator was looking at a user profile. Only the user itself can edit their configuration. Links that allowed this broken behavior was removed.
  • The MOTD will no longer be styled wrong in print view.

Major design overhaul, new file uploader and lots, lots more

The update performed yesterday (d1f718e) took a lot of effort, and I'd like to give thanks to everyone that helped out with fixing the issues that showed up after it was deployed. All sites should be back to operational status. If you do notice anything that worked a few days ago but has now stopped working, please report it.

Performance improvements

  • The read/unread state of an object is now fetched in a much faster way, improving rendering speed overall, but especially in container views.
  • Combined YUI (Yahoo User Interface) CSS components into a single 'normalize.css' stylesheet. This should improve performance slightly, especially for older browsers. All other stylesheets have also been combined into a single stylesheet named 'design.css' for the same reason.

New features

  • Sound playback events like play, pause and stop, are now automatically logged to Google Analytics, enabling us to better understand how people interact with sounds.
  • Statistics about how many members are inside groups can now be fetched in templates with the get_group_member_count() template function.
  • The file uploader has been completely rewritten to use modern HTML5 browser capabilities, enabling drag-and-drop uploading.
  • The following user interface languages have been added: Arabic, German, Greek, Romanian and Turkish. These translations are not complete, and only the strings used by CEFR test framework have been translated.
  • A new jQuery plugin named fs2tree has been added to make it possible to render a file system tree in any template. This is used by the new minimalistic layout.
  • It is now possible to remove most of the default design, making it possible for designers to setup their own layouts without first needing to remove a lot of the default styles and features. This is enabled by adding a site-config boolean variable named no_default_design. When the default design is disabled, the following features are removed:
    • Default 'design.css' stylesheet is not loaded.
    • Global config variable 'stylesheet' is ignored.
    • Global config variable 'include' is ignored.
    • The PORTFOLIO.layout_fix_height() event handler is disabled.
    • The wrapper_page element in the core page template is not rendered.
  • A new set of minimalistic templates have been added for designers, enabling them to quickly create flexible designs with grouping.
  • The custom_init field previously only available on objects have been introduced for containers. Their usage is identical.
  • Introduced new mandatory stylesheet 'behavior.css' and moved all bundled styles into a single 'design.css' file which can be disabled. This should also improve performance slightly, especially on older browsers.
  • Pagination in container views can now be disabled on a site-by-site basis. Use the no_pagination site-config boolean variable to disable. Be aware that this also impact blog containers.
  • Added a standard way of preloading translations in JavaScript apps without using extra AJAX requests. The HTML for the app user interface can also included in a similar way. The translation file should be named <appname>.messages.json and the HTML UI should be named <appname>.html. These dependencies will only be loaded if you declare them with the std: prefix in your .app.js file. See the client-side app documentation for more details.

Enhancements

  • Placeholder images for more object types has been added in the TinyMCE WYSIWYG editor.
  • The object read/unread indicator in container views has been changed from bold to just a discrete black vertical bar. This is to avoid confusion with the bold indicator used in the folder menu to highlight the active container/object. The institution blog view has been modified in the same way.
  • Flash warning/error messages are now emitted in the following situations (these messages were previously only available to backend administrators):
    • During a recursive delete in the file manager.
    • When a CSV parser could not be constructed in the parse_csv() template function.
    • When invalid JSON data is encountered in the encode_json()/decode_json() template functions.
    • When a message to a supervisor could not be sent or permissions couldn't be granted during save in the object editor.
  • The administrative user interface for adding and removing courses to institutions now has a toggle all checkboxes feature.
  • Upgraded to version 1.11.3/2.1.3 of jQuery. Internet Explorer version 9 or older will use version 1.11.3, while all other browsers will use version 2.1.3. This should also give a slight performance improvement on modern browsers. Candy Chat was upgraded to 1.7.1 and jQuery UI was upgraded to 1.11.3 because of this upgrade. The optional jQuery Migrate plugin has been enabled to compensate for code that has not yet been upgraded to work without it.
  • The 'layout.css' stylesheet was previously only loaded in framework mode. It is now always included. A CSS class has been added to the html root DOM element so it is easy to target framework and no-framework mode. This changed a lot of CSS selectors, which impacted site designs. We have fixed everything we've found, but there might be some we haven't found that could cause usability issues.
  • The element_meta template was previously used to declare the page character set, which made it mandatory. This caused issues for sites that wanted to customize their meta information for improved search engine optimization (SEO) or better mobile user experience. This character set declaration has now been moved to the core page template.
  • Creating new containers opened up the UI with full framework. It is now opened without the surrounding framework.
  • All request handlers (except for read) now include the class wrapper_request_handler, making it easier to target content inside the main page block.
  • Ordered and unordered lists (OL/UL) previously didn't display numbers and bullets, and tables were missing borders. These have been put back to avoid the need for custom style by default.
  • A lot of style declared directly in the HTML markup has been removed in the user menu template.
  • The course navigator is now rendered semantically as part of the page footer instead of the header. This should minimize the amount of content for navigation that is rendered before the main content. This should improve usability, especially for blind people.
  • Made the left-most margin in the folder tree thinner.
  • Changed the spacer in the folder tree to be a SPAN, to improve HTML semantics.
  • All stylesheets are now included without a specific media type set. This makes it possible to use @media declarations without ambiguity.
  • All bundled stylesheets now explicitly declare their character set as UTF-8.
  • The CSS normalize we use from YUI (Yahoo User Interface) has been upgraded to version 3.18.1. It consist of the Reset, Fonts and Base components. This should improve browser rendering consistency.

Bugfixes

  • The 3rd party library MathJax was upgraded to version 2.4 to solve a rendering issue with MathML in Internet Explorer 10 and older versions.
  • The placeholder images used in the TinyMCE WYSIWYG object editor wasn't always showing up. This should now be fixed.
  • Fixed a WebFX-related JavaScript error emitted sometimes when using the permission panel in the object editor or the file browser.
  • LEXIN changed their API making our dictionary lookups fail. Some dictionary lookups didn't work properly because of character set issues. All these issues have now been fixed.
  • The synthetic speech option provided by LeseWeb was broken because our 3rd party provider changed their character set encoding without informing us. This should now be fixed.
  • Scrollbars were rendered in the file browser. These have been removed.
  • Fixed a bug with character set encoding of content specified in object/container custom-init variables. Custom-init keys only support ASCII, but values support full Unicode defined in UTF8 via URL escaping.
  • The visual design for the folder tree was declared twice. The redundant declaration has been removed.
  • Fixed a bug with infinite JavaScript loop triggering when not using the default design.
  • The jQuery plugin disableTextSelection was removed and use-cases rewritten, as it was not compatible with the current jQuery version.
  • Improper use of the jQuery .attr() method was rewritten to use .prop().
  • The new version of the jQuery UI plugin dialog changed behavior with regards to the destroy action. Previously the DIV DOM element that contained the dialog content was removed when you called destroy. It does not do that anymore. Code has been modified to compensate for this change in behavior.
  • Fixed JavaScript error encountered when viewing an empty inbox.

Feature removals / deprecations

  • The object custom_init_hash attribute is deprecated. New code should use the get_custom_init() method instead. The key custom_init_hash has changed name to custom_init during JSON serialization. This also applies to container instances.
  • The template element_tidy_messages was removed because it is no longer in use.
  • The unused 'dhtmlwindow.css' stylesheet was removed.
  • The CSS rules defined in 'content.css' was moved into 'design.css'. This stylesheet was used inside the TinyMCE WYSIWYG editor to allow custom rules to be declared. This was very rarely used, so this feature was removed to simplify the features available in the editor.
  • Removed IE6 bgiframe hack in popup feature. We have long since stopped supporting IE6.
  • Removed IE8 kludge for width calculation in TinyMCE WYSIWYG editor. No longer required.
  • Removed JavaScript functions PORTFOLIO.setCookie/getCookie/deleteCookie(), as they are no longer used by any code. Custom sites that need to store client-side information can use either the jQuery plugin 'cookie' or the session storage feature.
  • Removed IE7 kludge PORTFOLIO.fix_rtl() for properly handling right-to-left text. No longer required.
  • Completely removed the 3rd party Java-based file uploader JUpload. We now have a modern HTML5-based file uploader to take its place. The response mode jupload and the support features in the write request handler was also removed.

Flash embedding has changed to support latest Flash runtime

This update (4a74d29) brings with it the following changes:

Bugfixes

  • Changed how Flash content is embedded on Internet Explorer because the most recent Flash runtime changed what it accepted. You might need to upgrade your Flash runtime to the latest version to view Flash content.

Improved folder menu rendering, simplified language selection and more

This update (c10cb3d) brings with it the following changes:

New features

  • Added new template function called filesystem(). This function can be used to render the entire tree for a root container. The first parameter is the root container, the second is the container to show objects in. If the second parameter is not specified, all objects will be shown.
  • Rewritten the element_menu (folder menu) template to use this new filesystem() template function. The HTML has been changed a little bit, but it is mostly compatible with the old one. Some CSS classes have been removed and some changed. All items in the menu now use the translated title (if available).
  • The filesystem HTTP request handler now uses the same filesystem() template function. The path parameters dispatch directly to the template function. It is now also available to anonymous users.
  • Added ability to use emoticons in the WYSIWYG editor.

Enhancements

  • Change the language selector manage_language() to only show completely translated languages by default. You can specify the show_all boolean parameter if you need to see all supported user-interface languages.
  • Changed quiz assignment view so that the student is able to see which answers are correct or wrong after the supervisor has corrected the assignment. Previously the answers were just shown in bold.

Bugfixes

  • The quiz type check correct/wrong icon sometimes overlapped the checkbox. This is now fixed.
  • Translation languages were missing for the jQuery DataTables plugin, which caused the search feature to be missing if an unsupported language was used. This has been fixed.
  • Fixed a bug with the quiz types check, select, text and matchbox where they didn't honor score set to 0 when displaying correct/wrong status in supervisor/student view.
  • The element_menu_loading DOM element was kept in the DOM after element_menu was loaded. Now it is removed from the DOM instead of just hidden.

Feature removals

  • The element_menu template is no longer in need of any local variables, so the template is now rendered with a call to process_template('element_menu'). The previously used template function element_menu() has been removed.
  • All overridden page_footer templates must be changed to call process_template('element_menu') instead of element_menu().
  • The filesystem HTTP request handler could previously render the tree for the entire database. This feature has been removed.

Session security and language improvements

This update (65f3052) brings with it the following changes:

Security issues

  • If a user is logged out because their IP address changed, inform them about it.
  • Disable use of the X-Forwarded-For HTTP header as the source of the client IP address. It can be forged. Only approved reverse proxy servers are now allowed.

Enhancements

  • Added Burmese, Sorani (Central Kurdish) and Kurmanji (Northern Kurdish) translation languages.
  • Added new user interface languages Greek and Romanian. If a user selects this language the messages will come in English, as the language has not yet been translated.
  • Upgraded the languages Arabic, German and Turkish to user interface languages. Same note as above applies.
  • Improved the names of both Norwegian languages and Pashto.

Session variables, flash messages, performance improvements and more

This update (c47d0e4) brings with it the following improvements:

New features

  • Session variables can now be used to store information for anonymous users. Only pre-approved variables can be used, and they have very limited size.
  • Whenever you perform an activity that stores some kind of information, you will now get a flash message about what happened when the page redirects. This message was not displayed earlier. Flash messages can have three severities: info, warning and error.
  • Anonymous users can now set their language preference using the manage_language() template function. This is not available in the default template, but sites can choose to use this feature as required. All three language settings can be set.

Performance improvements

  • Session authentication and information is now stored in a Redis database that should allow much higher concurrency than our old solution.
  • Avoid logging a lot of event information that is never displayed anywhere. Also removed 34 million old events which are no longer needed.

Security improvements

  • The session ID is no longer logged with the login event, which could be used by certain privileged users to hijack sessions. This is no longer possible.
  • The online request handler now shows the IP addresses associated with the sessions if you're logged in as a global administrator. Guests are also displayed in the table.

Enhancements

  • Whenever you hide or show the left/right panels or the message of the day, this is now stored in a session variable instead of a cookie.
  • The user panel (right side of the screen) now stores in a session variable which section is open on page refresh.
  • When you close the file browser, the last folder you were in is stored in a session variable and the next time you open it without a specific location you should be back where you were.
  • Whenever the message of the day is added or changed the users that have hidden it will see it again.
  • Flash messages are now used on CEFR sites to inform about report sent. This allows users to return to the report after sending it.
  • When storing an object using JSON response mode, the serialized object is now returned to the caller.

Bugfixes

  • Fix a partially hidden logout button issue in Google Chrome.
  • Fix a bug where the value 0 is not considered a valid label.
  • Make multi-select in the inbox and outbox more consistent with normal UI behavior.

Removals

  • The old time log request handler which was replaced with the page views report has now finally been removed. It's not been usable since February 2014.

Update to Google Universal Analytics and fix multiple character encoding issues

This update (0e904af) brings with it the following changes:

Bugfixes:

  • Fix character encoding issues when doing the following:
    • adding configuration set values
    • modifying configuration values
    • modifying site names
    • storing assignment scores
    • creating message box tags
    • creating objects
    • creating containers
    • modifying glossary entries
  • Avoid a database error if an invalid number is specified when storing or updating an object or container.

Enhancements:

  • Updated to Google Universal Analytics for better user behavior insight.

Bugfix for missing send button on Java-based voice recorder

This update (d89c9f5) brings with it the following changes:

Bugfixes:

  • Fix problem with character set encoding when editing course name.
  • Ensure the send button on the Java-base voice recorder is available.

Server upgrades, feature additions and lots of improvements

This update (a8682bc) brings with it the following changes:

Terminology changes:

  • What was earlier known as a PIN code is now called an access key.
  • PIN code series are now known as access key collections.

New features:

  • The access keys associated with a user is displayed on the user profile page.
    • Administrative buttons to remove access keys have been added in case confusing privileges have been assigned.
    • Access keys can now be invalidated, which is done when they are removed from a user on their profile page.
  • Access given by access keys are now validated during login, which should ensure they are always current.
    • If a user logs in via e-Portal, but they have an expired access key that has not been invalidated, they will be given access via e-Portal, but immediately lose access because of the expired access key. By logging in again the privileges associated with the e-Portal login should be enabled, as the access key expiration will not be performed multiple times.
    • If a user loses access and is immediately given new access, their role in the institution and course will be reset to student. Because of this behavior, access keys with expiration dates should not be used to give supervisors access.
  • Allow the recorder() template function to set soft and hard time limits. This can be used to specify the maximum length of a recording. Only the Flash-based recorder implements this feature.
  • Voice comments can be directly recorded from the commenting user interface.
  • A new template function called quiz_aggregate() has been made available, which is used to perform aggregate calculations on the quiz score of multiple objects for the current user. This should make it possible to create quiz summary documents more easily.
  • It is now possible to parse CSV files directly in templates using the parse_csv() function. It returns an iterator object that can be used in different ways.
    • The CSV column separator should be specified in the object custom_init variable csv_sep_char. If it is not specified it defaults to a comma. You can only use a single character as the separator.
    • You can also specify a flag to indicate that the CSV file has a header in the first line. If csv_has_header=1 is specified in the object's custom_init, the first line will be used as the column names. This will also make the iterator return hashes instead of arrays.
  • A new generic CSV request handler was implemented, with one action that sends email to a recipient specified in the CSV file using a custom email template. When using this feature the current user will always receive a copy of the email.
  • A generic decode_json() template function that can be used to convert e.g. config variables in JSON format to a data structure usable by templates.
  • A template function called inflate_users_by_config() has been added that allow users to be fetched that have a specific config variable set.

Performance improvements:

  • Upgraded web server to Ubuntu 14.04 LTS.
  • Upgraded database server to PostgreSQL 9.3.
  • Upgraded Perl to 5.18.
  • Improved object accessor method performance. This should give an all-round speed boost.
  • Significantly improved the speed of the institution user overview report. Now it should be able to display a list of 7000 users in about 5-10 seconds.
  • Only load JavaScript-based translations for the active language instead of all languages. Should increase page
  • rendering/parsing time.

Enhancements:

  • The read_account (user profile) request handler has been rewritten. Some variables have been renamed: manage_account => can_manage, config => user_config_map.
  • When activating an access key a user is automatically logged in again to ensure the access the key gives is activated.
  • The recorder() template function now has a recipient parameter which allows sending the recording to a user.
  • The config() template function can now fetch information about other users, but only if you're part of a group that has a particular permission. Not even global administrators have this permission by default. If you've got this permission you can only view information on users that are part of the same institution as the group that gave you the permission.

Security issues:

  • Remove access to a user's password in the element_comments template.
  • Ensure sensitive user details are not logged backend.

Bugfixes:

  • Ensure login panel is always visible for anonymous users, regardless of browser session preference.
  • Institution roles on user profile pages belonged to the logged-in user, not the user being viewed.
  • Fix usability issue in comment editing user interface.
  • Ensure two ping requests being sent at the same time do not generate database error but a normal error message instead.
  • Avoid database error (race condition) when storing quiz score and scoring hand-in assignments.
  • Fix margin issue on radio quiz types when used with right-to-left languages.
  • Add a polyfill for missing Function.prototype.bind JavaScript feature in IE8.

Feature removals / deprecations:

  • It is no longer possible to limit a user from login in using date ranges. This feature caused a lot of support issues and has been rewritten to only affect permissions and membership instead of the ability to login.
  • The message_system() template function is now completely redundant, now that we have the new recorder. It is still functional and works as it did previously, but it is now using the new recorder instead of a popup window.
    • message_system() will also check if the current supervisor is actually set to something and give you an error if it isn't, to avoid some unexpected behavior if a user is not in a course or doesn't have a supervisor.

Small update for better protection against latency during e-portal login

It was noticed that the most recent update to better protect against service hangs impacted too many users, causing a bit too much latency for unrelated users during e-portal logins. A small modification has been performed to lessen the impact on users not related to the e-portal access group.

The server is now running release 2547292.

E-portal deadlock login issue fixed + JSON response mode

This update (a884aed) brings with it the following changes:

New features

  • It is now possible to fetch most of the variable information available to templates by prefixing the URL path with json/. Be aware that errors will be reported in a JSON key named response, and you should always verify that the response code is valid before using the data returned.
  • Front page information is now available in JSON response mode.

Enhancements

  • Minmize the amount of user modifications made during e-portal syncronization. Should speed up e-portal single-sign-on quite a lot.
  • Speed up login, logout and e-portal single-sign-on by avoiding session refresh.
  • Speed up page views somewhat by not refreshing session information when fetching search providers.
  • All database statements now time out after 1m45sec. This should ensure you always see a human-understandable error message instead of the generic "application server is unavailable" message. It should also ensure that requests that take too much time stop executing when the user receives an error.
  • The encode_json() template function is now able to serialize instances of all the model classes, which should make it much easier for template authors to gain access to template variable information in JavaScript code.
  • Any file uploaded with the extension .json (or mime type explicitly set to application/json) is now returned with character set to UTF-8.

Bugfixes

  • They online request handler leaked session identifiers. This security issue has been fixed.
  • Lock user database table during e-portal single-sign-on to avoid concurrent updates to user table. Should avoid deadlocks.
  • Normal folders were supposed to be ordered by sort number first, then alphabetical by default, but the index number was ignored. This should now work as expected.
  • When using an embed() template function, the arguments passed did not show up as variables if the object contained references to it. This should now be fixed.

Fix character encoding issue with quiz assignments

It was reported to us that when students submitted quiz assignments, the text they entered was displayed with broken character set when the teacher performed their assessment. This problem has now been corrected.

The server is now running release 66e5705.

Minor correction to user activity report

It has come to our attention that the total user activity number had a slight irregularity. It turned out that the day that was exactly 4 weeks old was not included in the total activity number. This error has now been corrected.

The server is now running release 66469e5.

D-bok web reader working again

It turns out the HTTP status code change introduced in the previous update caused the d-bok web reader to not work properly for new users (and some existing users as well).

We've changed the HTTP status code when using XML response mode back to the previous behavior. The d-bok web reader should again work for all users.

The server is now running release ee40f5a.

Improved voice recorder, file manager and much more

Today's update (f26f6ff) brings the following changes:

New features

  • It is now possible to use voice recording exercises in CEFR speech and conversation categories.
  • In the CEFR test, it's now possible to attach the voice recordings in the final report that is sent by email.
  • The recorder() template function now supports saving as well. It is also possible to specify title, description, and if the recording should be accessible for all users. It is also possible to specify which document the recording originated from and where to redirect on success. You can also hide specific form fields if wanted.
  • Added boolean config variable hide_supervisor_info. If set to a true value, the error message about missing supervisor should no longer display.
  • When uploading JSON files, they should be detected as application/json and set to UTF8 encoding.

Enhancements

  • Cleaned up and modernized the file manager user interface significantly.
  • The Flash-based voice recorder has been almost completely rewritten, and should be much more robust now. It should also have slightly better audio quality.
  • The large audio player used when playing back WAV and MP3 files now shows time elapsed and has a slider you can use to move around during playback.
  • When errors occur, the resulting page was usually returned with HTTP status 200 and some error message. The HTTP status code used is now the same as the error message's error code. This could impact JavaScripts and apps, so make sure you carefully test them to ensure they still work.
  • Group search now allows searching for just a single letter.
  • It is now possible to see all of the icons in all of the themes available in the icon list.
  • Made use of the Java-based voice recorder ListenUp slightly more robust.

Performance improvements

  • Improved the speed of the file manager by using an AJAX request for the group search.
  • The Site folders user interface should be significantly faster.
  • Icon rendering should be substantially faster, as all icon information is preloaded when the server is started.
  • Code improvements should generally improve data access slightly everywhere, making especially large lists and tables faster.

Bugfixes

  • Ensure UTF8 content is handled properly when updating object content.
  • Serialized XML and HTML in configuration variables should now output correctly in XML response mode.
  • Use locale-dependent title of containers and objects everywhere if specified. In some situations the primary title was used instead of the localized one.
  • Image thumbnails should now render with the proper aspect in object edit view.
  • Fixed a problem that occurred if a template had an error, the line number shown in the error message was off-by-one.

Signed Java applets and improved page view logging

Today's update (ead4274) brings with it the following changes:

Bugfixes

  • All Java applets (JUpload, ListenUp and PFXcell) are now signed and should work without security exceptions on Java 7u51.
  • The last page view before an explicit logout was not being stored properly. Should now be fixed.
  • If an action caused an error, a page view registration was tried, but caused errors. The page view registration should no longer occur.
  • Quiz type radio was not rendering consistently in inline mode in all states. Should now be fixed.
  • When supervisors scored a student assignment, the comment was not included in the message to the student. This should now be fixed.

Enhancements

  • It is now possible to choose which version of the sound recorder (Flash/Java) to use on all configuration levels. The boolean variable is named use_app_recorder.
  • The interactivity number used in page view calculation should now always be 1 or higher under normal circumstances. If it is registered as 0 it means that the user has a JavaScript or networking issue on their computer.
  • Registration of page views now have better diagnostics, which should make it easier to debug issues.
  • Upgraded to JUpload 5.1.0.

Performance improvements

  • The robots.txt and favicon.ico files are now static, which should ensure search engines are less likely to cause denial-of-service attacks if they are a bit aggressive.

Switch to Nginx and e-portal push message support

Today's update (dbcd9f2) brings with it the following changes:

New features:

  • User permissions can now be removed in Portfolio automatically via push messages when e-portal information is modified.
  • It is now possible to perform automated user-interface testing against a test database.

Enhancements:

  • Web server changed from Apache 2 to Nginx. This should improve performance because we can enable HTTP keep-alive.
  • Session ID now includes port number if non-default. This is to differentiate between production and test on the same server.
  • Beanstalk queues for production and testing are now separate.
  • Let web server handle which HTTP methods are allowed (only GET and POST). This should make server a bit more robust against attacks.
  • Improved legend text in user activity request handler.

Bugfixes:

  • Ensure cached responses (HTTP 304) uses correct headers, which should fix a HTTP keep-alive issue with Google Chrome and possibly other browsers.
  • If an e-portal user was disabled and/or merged with another one, you would sometimes get a database error during login via e-portal. This should now be fixed.
  • A user without an email address registered in e-portal would be unable to login to Portfolio again after a removal/re-addition. This should now be fixed.
  • Fix a database error on page view ping which caused time accounting to stop prematurely if the same ping was reported more than once.

E-portal provisioning and multimedia playback revamp

Today's update (f631b63) brings with it the following changes:

New features:

  • Logging on to Portfolio using e-portal will now include course access permissions and supervisor relationships. In addition the user is added to the specified groups at the institution and the active course is set to the one the user clicked on in the e-portal. If a student logs in only the supervisor(s) for that particular student is created, but if a supervisor logs in, all of their students are automatically created. This is to ensure a supervisor can send messages to all students immediately after logging in. If students need to communicate with each other they need to both log in before they can find each other. Users in both e-portal and Portfolio with matching email addresses will be merged instead of creating new ones.
  • Whenever a course is rebuilt by the editor, who and when that did it is now stored and displayed in the administrative course list.
  • Mind the Gap PIN codes for 2013 and 2014 have been added.
  • The following translation languages have been added:
    • Sorani Kurdish (Iraq)
    • Punjabi (India)
    • Dari (Afghanistan)
    • Pashto (Afghanistan)
    • Tamil (India)
    • Turkish
    • Vietnamese

Enhancements:

  • Video playback has been changed from using FlowPlayer to MediaElementJS. This should ensure video playback specifically on Apple-based devices work better, and other HTML5-capable browsers should also work better. If Flash or Silverlight is installed, it will also utilize these as a fallback. The following formats should now play back with a consistent user interface: MP4, FLV, WebM and WMV.
  • SoundManager has been upgraded to version 2.97a.20130512. This should ensure better compatibility with HTML5 audio support in newer browsers when playing back MP3 files.
  • The synthetic speech option now uses the third-party generated MP3 files directly, which should lower latency until playback is started slightly because no transcoding is required anymore.
  • If you submit a quiz on a page without framework, the resulting page will also be without framework. This should make it cleaner to include quiz inside iframes.
  • The institution course license list will no longer show excessively long decimal numbers.
  • Quiz observations were kept forever earlier. Observations older than 6 months are now deleted to conserve space and make reports faster.
  • The chat server (Prosody) has been upgraded to version 0.9.1.
  • A few HTTP cookies that were never actually being used was removed.

Bugfixes:

  • Portfolio client-side applications that used the app custom_init variable (instead of the deprecated player variable) got the wrong icon if a custom icon was assigned. This affected DrillPro exercises. This has been fixed.

Minor update: Added group quick-search box in my students report

This update (6a2c217) brings with it the following changes:

Enhancements:

  • The previous updated made it harder for supervisors to find just a group of their students. A new dropdown box now makes it easy to quick-search for a specific group of students.
  • Tagalog and Lithuanian translation languages was added, in preparation for some new dictionaries to come.

New Flash-based sound recorder available

Today's update (444a0e43) contains these changes:

New features:

  • If a recorder app is available, all of the internal sound recording features in Portfolio will use this app instead of the existing Java-based applet. The new sound recorder app uses a Flash-based approach instead, which should be more compatible. Future improvements might be to add WebRTC audio support to avoid Flash completely.
  • Added an app proxy request handler, which makes it possible to link directly to globally defined apps, like the d-book web reader.

Enhancements:

  • When login page is opened inside an iframe, text input focus is no longer changed.
  • The My students report has been changed into one big table with groups hidden, but expandable on click. Seeing just students for a specific group can be achieved by filtering manually on the group using the search box. This should make the report simpler to read and understand for most users.

Bugfixes:

  • Leading and trailing whitespace in config variables are now trimmed when saving and updating them.
  • Character encoding in title and description when creating and modifying objects should now work more consistently.
  • Fix horizontal scrollbar issue in My configuration report in Chrome.
  • Fix indentation issue in quiz type radio and check. The text should no longer wrap below the radio/checkbox.

ePortal and BookSync integration available

Today's update (c532951) brings with it the following changes:

New features

  • It is now possible to login to Portfolio using Fagbokforlaget's ePortal. This should solve the long-standing request of being able to login to Portfolio using FEIDE credentials. The ePortal is not available to the general public yet, but it is expected to go live around late-August 2013. Be aware that only authentication is provided at this stage. No permissions or memberships are created when you log in using this method.
  • It is now possible to authenticate Portfolio with the new BookSync service, which gives access to your dbooks, notes and other stored information.

Enhancements

  • Rewritten the resolve_path handler, which is responsible for simulating a traditional filesystem, required by many other features, e.g. apps. This is both a bugfix and a performance improvement. Overall it should be more robust. It was possible to start the resolve_path URL with something that was not a UUID. This feature has been removed, as it could cause confusion and bad behavior. Double slashes and single dots should now be properly optimized away. Double dots to traverse up to parent is still not supported, primarily because browsers tend to strip the URL part before the double dots as part of URL canonicalization rules. This in most cases causes the base UUID to be lost and path resolving to fail.
  • CSS stylesheets now use the above resolve_path method during load, which makes it possible to reference images and other CSS files using relative paths, as long as they don't use back-references.
  • Simplified the text and layout of the error screen. The technical reasons for the error are now less prominent.

Bugfixes

  • It is again possible to create a group without adding users using the institution management page.
  • In some cases the page URL could be reported wrongfully to templates. This has now been fixed.
  • Fixed some slightly wrong HTTP error codes in data and download handlers.
  • The comment user interface is now hidden when printing a page.
  • CSS objects embedded in element_meta overridden template now correctly end up in element_head.
  • Flash and Java-based apps now properly use the app object's filename (or title) as a DOM class label.

Removals

  • The element_useragent template function was removed, as it was no longer in use.
  • The element_coursemenu template function was removed, as it was no longer in use.
  • The template variable document_owner was removed from the page_footer template. It was never initialized, and there are better ways to get hold of that information now.
  • The template variable quiz_present was removed from the page_footer template. It was no longer in use.
  • The template variable document_iconsize was removed from the page_header template. It was never initialized, and other alternatives exist now.
  • The template variable language was removed from the page_header template. It was only used once, and that usage was wrong. Other, better, alternatives exist now.

Big user database cleanup, performance improvements and various bugfixes

Because of some unexpected side-effects during the user cleanup work, Portfolio was unavailable Thursday afternoon and evening. We're very sorry about extended downtime.

Today's update (b2bba79) includes the following changes:

Performance improvements:

  • The My supervisors report should now be much faster.
  • The Students and supervisors report (accessible from institution menu) should be a great deal faster.
  • The User registration timestamps report (accessible via group view) should be more efficient.

Enhancements:

  • Wave files are now played back with on-the-fly conversion to MP3. This should make audio playback of recorded speech more compatible across devices.
  • Special user folders are now renamed using the user's framework language during login. The home folder will use the nickname of the logged-in user.
  • Error messages are now rendered more consistently, and technical details should be less prominent, increasing usability.
  • The CSV parsing of users in the Manage institution handler is more robust.
  • The login form and logic has been cleaned up and should be more user-friendly. It is now possible to login using non-HTML workflows (e.g. JSON or XML).
  • The link() TT function now allows specifying the size of the popup window. Fullscreen mode is also possible.
  • Users registered more than a year ago which have never logged-in have been removed.
  • Better explanation of interactivity number on user activity report.

Bugfixes:

  • Users with duplicate user names (because of case difference) have now been eliminated and it should no longer be possible to create them.
  • When word playback in TTS (used in Mot målet) crosses a line boundary (LF) the sound was previously not played back. This should now be fixed.
  • White-space before and after quiz answers (text type) are now trimmed.
  • Ensure an invalid avatar user config variable doesn't break user profile rendering.
  • Creation of large comments and message responses should now work as expected.
  • Config variables are only shown when editing a user's profile if it is your own profile.

Several minor problems fixed

This update (d64cd9a) brings with it the following changes:

New features:

  • It is now possible to force the language used on a specific site, regardless of user and/or browser settings.
  • A new button has been added on the user profile page that makes your avatar image available to everyone in one click.

Enhancements:

  • The course result report has been improved in several ways.
    • The rendering speed as been improved.
    • The hover feature to show more details was deemed to be a bit annoying, so it was changed to click to toggle instead.
    • Now results with a score of 0 should be properly displayed.
    • Pagination now includes numbered pages instead of just previous/next buttons.
  • Icon rendering is now more consistent. Tooltips should only be rendered if no visible label is present.
  • Your contact list now shows groups with a tooltip with the institution name, if present.

Security:

  • Email links in blog view has been removed. Author link now points to user's profile.
  • Search engines should no longer index links to /resolve_path/.

Completely new course activity report

With this update (884ec45) comes the following changes:

New features:

  • The course result/activity report has been completely rewritten and now includes more information than before. All columns are now sortable for easier navigation. The following information has been added to the report:
    • Recording responses and writing documents based on course objects.
    • Time spent on reading and answering quizzes.
    • Timestamps for last time read, answered, delivered, corrected and modified.
    • Full path to the course document.
    • Average score for all scores submitted.
  • Voice recordings now include information pointing back to the document they were created from. This makes it possible for them to show up in the course result report.

Improvements:

  • The Add user to group button in the group membership listing now points to the collection UI.
  • The group membership list now includes a button to see activity for selected users. Only the users that are your students will be visible in the activity report. Any non-student user will be silently ignored. This is a feature to protect user's privacy.

Bugfixes:

  • It is now possible to use the collection UI to add users to a non-institution group.

Time tracking issue in Internet Explorer 7 and 8 fixed!

A problem was discovered that caused time tracking to not work properly for users that use Internet Explorer versions older than 9. If you have a log that shows for the most part less than 5 seconds on every single page view, you've probably been bitten by the problem.

This issue should now be fixed. Time tracking from this moment on should be accurate also for Internet Explorer 7 and 8 users.

We apologize for any problems this might have caused our users.

Vastly improved user presence time tracking!

This update (cbdaf4d) contains these changes:

New features:

  • User activity is now tracked and regularely submitted to the server. It only includes how many seconds since you last touched the keyboard or moved/clicked the mouse (i.e., idle time). This activity tracker is usually hidden, but can be made visible by setting the configuration variable "show_interactivity" to a true value.
  • All of this tracked activity is reported in two new reports named User activity and Page views. They are made available from a user's profile page. You can also reach it via the My students report. Look for the new button named Show activity at the bottom of the page. You can only see information about yourself and your students.
  • Real-time user activity is kept for 2 weeks, daily summaries for 4 weeks, and weekly summaries are kept forever. This should make it much easier to figure out what a user has been doing. The report is also much more accurate than the old Usage log feature, which is now deprecated and will be removed at some point in the future.

Improvements:

  • Sites listed when managing institutions are now ordered by site title.
  • New template function called request_handler_name_map(), which is used to lookup the label of a request handler.
  • Most tables now use a consistent style and are both sortable and searchable.
  • Added template true/false functions, so it is now quite simple to embed literal JSON into templates.

Removals:

  • The jQuery metadata plugin was removed. Please use the built-in support for HTML5 data attributes instead.
  • The last read / last edited objects links in the user profile page have been removed. This information can now be found in the Page views report.

SOLVED: Problems to login with email

Unfortunately an error had snuck into the user name migration process that made it impossible for people that used to log in with their email to do so.

This error has now been resolved.

We apologize for any inconvenience this has caused you.

Improved report performance and email hidden everywhere

This update (e9c70bb3) brings these changes:

Enhancements:

  • Institution administrators can now choose from a list of URLs to include in the welcome email when they register new users. Global administrators should set the site configuration variable allow_site_publishing to a true value to enable the feature on a specific domain.
  • Improved the performance of the My students report considerably.
  • All new users that register will now get an auto-generated user name if they don't specify one during registration.
  • The no_framework template variable is now globally available.
  • Remove display of email in all reports.

Bugfixes:

  • A one-time process has been executed to clean up invalid email and user name on all users. It auto-generated a user name on all users that had their email set as their user name.

Object cycle (image of the week) feature

This update (ac2cf8f) brings with it the following changes:

New features:

  • Ability to change the content of a document based on intervals. You use it by embedding an object normally into a document, and then set the custom_init variable cycle_object to the objects identifier and specifying a timeout value for the cycle_interval. This will automatically cycle all the objects in the same folder as the initial object whenever the interval expires.

Enhancements:

  • The chat window will now open in a new window/tab by default.
  • When sending an audio recording to your supervisor, the message editing step is skipped and the message is sent directly.

Bugfixes:

  • Resizing of the chat window will no longer cause the content to disappear.
  • Removed use of HTML cleanup on document preview.
  • A blank entry that was present in the folder menu when using a header object is now gone.

Real-time chat available!

The update installed today (50d27a4) has these changes:

New features:

  • The real-time web-based chat feature is finally here! You can find it on the communication top menu.

Enhancements:

  • It should now be a bit more obvious how to start Skype appointments from the calendar.

A few bugfixes related to the new calendar feature

Todays update (840ab02) includes these changes:

Bugfixes:

  • Internet Explorer showed calendar events in the wrong time zone. This has been fixed.
  • Some buttons in the calendar was always shown in English. They are now properly showing in the user's language.

Forum comments in HTML and multiple bugfixes for IE7/8

The update performed today (e66da2a) contains the following improvements:

New features:

  • Templates can now easily include user thumbnails with the avatar() template function.
  • It is now possible to quite easily to list a configurable amount of blog posts from a specific institution in any template.

Enhancements:

  • Object/forum comment layout has been cleaned up and modernized. A user thumbnail has also been added. Comments can now also contain HTML and TT markup. They can be authored with the normal WYSIWYG editor.
  • Upgraded to TinyMCE 3.5.6. This should improve browser compatibility.

Bugfixes:

  • Ensure calendar events show up in Internet Explorer 7 and 8.
  • Fixed a bug that prevented the quiz editor from working in Internet Explorer 7.

Calendar with Skype integration

The system was updated to version e5a4d43 today. These are the changes:

New features

  • Calendar with simple Skype integration that makes it possible for students and supervisors to create appointments between themselves.

Enhancements

  • MathML embedding was made slightly stricter (TeX support removed) to avoid some potential browser bugs.
  • Portfolio now uses the more modern HTML5 doctype, which should make browser compatibility slightly better. This also removes all support for XHTML. HTML syntax is now the preferred markup. HTML is no longer cleaned on output, so the "invalid XHTML markup detected" message will no longer be seen.
  • JSON response mode is now available. All mutable request handlers should now automatically support JSON status feedback.

Bugfixes

  • Deleting groups or institutions associated with PIN code series will no longer give error message.
  • The previous update made it impossible for institution admins to collect courses. This update restores that functionality.
  • Collection now uses the same permissions as the other group management features.
  • Compression of dynamic content on Opera and Safari is disabled because it truncates the end of some JavaScript code.

Project groups, MathML embedding and multiple bugfixes and improvements

Today's update (76329b4) brings the following changes:

New features

  • It is now possible for supervisors at institutions to create and manage their own groups. This should allow a long-requested feature, namely project groups.
  • MathML embedding now uses native HTML5 method via MathJax 2.0 library. Browsers without native MathML support uses fallback method.

Enhancements

  • The list of groups associated with a user (my contacts) should now include all relevant groups.
  • The group management workflow has been rewritten and substantially cleaned up.
  • Invalid institution roles are no longer allowed in Manage institution page.
  • SVG rendering uses native HTML5 method if available. On Internet Explorer 8 or older traditional iframe embedding is used.
  • Upgraded to jQuery 1.7.2 and jQuery UI 1.8.18.

Bugfixes

  • JavaScript apps without filename set should now render properly.
  • Fix a possible javaScript error on Internet Explorer 9 because of gzip compression.
  • Institution administrator role now displays properly in user profile.
  • Courses can be deleted again.
  • The assign to course action in collection now lists institution administrator again.

New app API and lots of additional enhancements and bugfixes

Today's update (c018ee9) brings with it the following changes:

New features

  • API for making JavaScript, Java and Flash apps in Portfolio. It is extensible, and other languages like SilverLight and Dart could quite easily be supported as well.
    • The editor field has been completely removed from object custom_init.
    • The codebase field (used by Java applets) has been completely removed from object custom_init.
    • The flash-settings, flash-data, java-settings and java-data object types should no longer be used (deprecated). You should use the object types app-input and app-output instead. They can be used by any app, regardless of implementation language.
  • New course_enrollment_ui() template handler. This makes it possible to create documents that allow students to enroll themselves into courses without institution administrator involvement.

Enhancements

  • The search feature (top right in most templates) has been reimplemented, and now allows fairly easy addition of new search providers.
    • Translations for our supported languages are now also available.
    • Lexin search providers and others that use Latin1 encoding should now work with non-ASCII letters.
    • A good amount of Lexin nynorsk search providers have been added.
    • A lot of existing search providers have been updated with working URLs.
  • It is now possible to locate users in the new message dialog with autocomplete.
  • The course assignment to institution user-interface have been completely redesigned. It should now be much easier to assign course licenses to institutions, and also notice any excessive license usage.
  • Unlimited license count can now be accomplished by setting the license count to 0.
  • It is now possible to forcibly navigate to a course's root container when using nav_course request handler.

Bugfixes

  • Plain textareas should now use a monospace font again.
  • When a user navigates to a course, their course progress is always updated.
  • Tables that used the tablesorter system should now properly sort cells with HTML in them.
  • Institution administrator role should now be reported properly in all reports.
  • Creating new groups with non-ASCII characters in them should no longer cause encoding error.
  • Invert checkboxes toggle in file manager should now work in Internet Explorer 7 and 8.

New database server online

We've now upgraded our database server to a powerful Dell PowerEdge R710. This should give us quite a lot more of backend power, which should be apparent on the time it takes to render several types of reports.

If you're still having problems with timeouts we'd appreciate the feedback.

Better response time

We've just updated to version d635521, which should ensure the excessive response times we've been seeing lately to be a lot lower.

A small fix for grammar mistakes in the Swedish version of the CEFR placement test email report has also been included.

A new server will be added on Friday, which should further increase the response time. Pay attention to the message of the day, it will inform you when this new hardware will be installed. The system will be offline while we install this new hardware.

Improved performance and concurrency

We're still working on improving things, and more improvements will come in a short time.

This update (7088655) brings with it the following changes:

  • Performance enhancement: A secondary database connection (non-transactional) is now used to perform high-concurrency activities, to minimize waiting between clients.
  • Performance enhancement: Session refresh is also performed much less, which should allow increased concurrent activity.
  • Performance enhancement: We've decreased the amount of times the database is updated with information about when the last time a logged in user did something.
  • Performance enhancement: Logging of last access time on objects and containers has been disabled for anonymous users. For logged-in users it will now only happen if the object is considered "interactive".
  • Bugfix: Android browsers should now be able to see something more than just a blank page.
  • Enhancement: Album folder layout has been greatly improved.
  • CEFR HTML email reports and several bugfixes and improvements

    Today's update (11f60dac6b) brings with it the following changes:

    • New feature: The placement test (CEFR) report email now includes an HTML part in addition to plain text.
    • New feature: All emails can now have a header and footer overridden at the normal template levels.
    • Improvement: The delete button in the file manager now asks for confirmation.
    • Improvement: Cleaned up the layout and behavior of the file manager.
    • Bugfix: The radio quiz type now supports multiple correct answers correctly.
    • Bugfix: User list didn't sort correctly in all cases. This has now been fixed.
    • Bugfix: Group user list didn't sort correctly. This has now been fixed.
    • Bugfix: Fix inconsistent amount of vertical whitespace in object reading view (read request handler).
    • Bugfix: The list of templates didn't show all available templates recursively. The list should now be complete, and an encoding issue has been fixed as well.
    • Bugfix: Overridden text/plain email templates will no longer add excessive whitespace because of Windows newlines.
    • Bugfix: Removed HTML cleaning when template was being rendered on page. Also fixed a hard to find character encoding issue related to cleaning up extremely faulty documents.
    • Bugfix: Fixed recipient dropdown box width issue in placement test (CEFR) submission user interface.

    New update with group enrollment feature and various bugfixes

    The update applied today (1743821) brings with it the following changes:

    • New feature: It is now possible to create institution groups that students can enroll into without supervisor intervention. The new group_enrollment_ui template handler creates the necessary user interface.
    • New feature: User information can now be verified by using the new manage_user_info template handler inside any document. All sites that use self-registration or otherwise add users in bulk are encouraged to add it to a visible start page.
    • New feature: Any user config value can now be verified (or initially entered) via the new manage_user_config template handler. Only the date format has been implemented for now, but if you use it, you'll get a nice JavaScript-based date picker. All other formats will just get a basic text input box.
    • Bugfix: Missing icons are back in the object and container permissions editor.
    • Bugfix: Sites with PIN codes associated with them can now be deleted.
    • Bugfix: A workaround for rendering issues in KFN for Internet Explorer 9 users have been implemented.
    • Bugfix: Setting your initial avatar picture no longer gives error.

    Mostly bugfixes and minor improvements

    Today's update (bc4bf9c839) brings with it the following changes:

    • New feature: The CEFR placement test now allows location information to be submitted in the email report.
    • Performance improvement: The database is no longer consulted when anonymous request handlers are used.
    • Enhancement: Updated Swedish translations.
    • Enhancement: Request handlers now support dots and other characters in them.
    • Enhancement: Lots of code cleanup that should ensure more stable and consistent behavior, and slightly less memory usage.
    • Enhancement: All template handlers should now be listed in the developer resources.
    • Enhancement: Removed some unused template handlers: email_this, xml_namespace, account_online_count, str_handleEnter, institution_role_array, mediator_iframe_bug, xhtml_mimetype.
    • Bugfix: The total amount of users listed in the user list now matches the table contents.
    • Bugfix: Login redirection is now more consistent.
    • Bugfix: Long titles in blog folders now look better.
    • Bugfix: crossdomain.xml and robots.txt is now delivered properly.
    • Bugfix: Setting WYSIWYG editor mode no longer gives strange error message when already set.
    • Bugfix: Excel spreadsheets uploaded long ago could in some cases render incorrectly.
    • Bugfix: Fixed JavaScript error when quiz editor was loaded.

    New video player, video thumbnails, quiz editor bug fixes and more

    The update applied today (c2e12b89) brings with it the following changes.

    New features

    • Album folder view now supports video thumbnails.
    • Removed OSFLV and BitGravity FLV/MP4 video playback solutions. We now use FlowPlayer 3.2.7 for both features. This fixes the annoying loader animation at the center of videos.
    • The transcode video feature has been moved to the top menu "Edit", and a new option to remove a transcoded video is available.
    • Video transcoding now supports original resolution. Also fixed aspect ratio bug with 4:3 videos.
    • Page title can be forced to always use site title.
    • Arabic (Morocco) was added as a content and translation language.
    • Added robots.txt so that search engines won't index uninteresting content.

    Bugfixes

    • Updated base URL to Lexin because UDIR modified their service location.
    • The speech synthesis feature is now (again) available to anonymous users.
    • Fix problem with malformed HTML entities inside quiz markup when using TinyMCE/WYSIWYG editor.
    • Fixed various JavaScript regressions by upgrading to jQuery 1.7.0.
    • Upgraded SoundManager MP3 playback library to v297a-20111030, which fixes a playback issue on Internet Explorer 9.
    • Fixed character set encoding issue when unpacking zip file when archive had non-UTF8 filenames.
    • User lists now sort according to language definition.
    • Self-registration group now shows when editing a site not the same as the site being modified.

    Enhancements

    • Substantial code cleanup in quiz editor. Should make the code more robust.
    • Upgraded to version 5.0.7 of JUpload (our multiple file uploader). This new version uses UTF-8, so filenames should now be preserved correctly, even for non-Latin character sets.
    • Request handlers no longer hit the database to figure out if they should be available to anonymous users.

    New speech synthesis and matchbox code

    Today's update to version 7ccbd67 brings with it the following changes:

    • Improvement: Matchbox quiz code has been completely reimplemented, getting rid of several annoying bugs.
      • Bugfix: Documents that used the invalid en_UK (correct is en_GB) locale now works with the talkbook request handler again.
      • Bugfix: The default talkbook language for matchbox is now taken from the object's content language setting.
      • Bugfix: Matchbox with an odd number of cells now consistently display an even number of cells.
    • Improvement: The speech synthesis feature is now using our internal sound playback software instead of using Windows Media Player behind the scenes. It has been completely reimplemented to be more compatible and stable.
    • Improvement: Raw MPEG video files will now be detected as video, even though most software is unable to play it.
    • Improvement: ListenUp error messages now contain a reason for the error.
    • Improvement: Multivalued select quiz is now always rendered in block mode.
    • Improvement: Showing group members now use a better looking table layout.
    • Improvement: Upgraded to SoundManager v297a-20110918. Should ensure better stability of MP3 playback.
    • Bugfix: Changed ti_ET (Etiopia) locale to ti_ER (Erithrea) based on customer feedback.
    • Bugfix: Lexin Norwegian/Persian spelling mistake fixed.
    • Bugfix: All Lexin dictionary URLs have been updated to point to lexin.udir.no, and should work again.
    • Bugfix: MP3 playback button now includes alternative text that shows before image loads.
    • Bugfix: Internet Explorer 8 would sometimes show a double set of quiz icons. This should now be fixed.

    Lexin

    The Lexin dictionary has changed address from http://lexin.no to http://lexin.udir.no/lexin.html. The Portfolio lookup functionality will be updated with the new address Friday 28.10.11 at 6 p.m.

    Finally fixing the problematic IE7/8 crashes

    Today's update (b631845) brings with it only one change, namely the bugfix for the Internet Explorer 7 and 8 crash on Windows XP and Vista.

    The problems was caused by bugs in a third party library named jQuery. Upgrading jQuery to version 1.6.4 solved the problem, according to our testing.

    If you're still having problems after this upgrade we appreciate feedback through the normal support channels.

    New talkbook request handler and various bugfixes

    This update (5428e04) brings with it the following changes:

    • New feature: Talkbook MP3 URL request handler. Makes it almost trivial to link to a sound in the talkbook repository.
    • Improvement: Talkbook URLs now use locale en_GB instead of en_UK.
    • Improvement: HTTP response mode now includes a basic error message in the body.
    • Bugfix: Fixed an ordering and header object bug in our container duplication script.
    • Bugfix: Fixed an exception in configuration set manager.
    • Bugfix: Group dropdown box in collection now sorts by owner and group name, not just by group name.

    Features galore: Statistics on questions, job notification msg +

    Today's update (b863b8e4) brings with it the following changes:

    • New feature: Statistics on how questions are answered are now available to object owners. Have a look in the Edit menu at the top of the screen when you're looking at a specific object. There should be a new entry there called Observations. Currently you're only seeing the complete score of each user that delivered answers, but there is a whole lot more of details being saved. More detailed reports will be possible in an upcoming release.
    • New feature: Backend CEFR placement test report generator. Can be run on request to generate detailed information about the responses from CEFR test candidates.
    • New feature: Anyone related to an institution can now see basic information about the institution.
      New feature: The forgotten password URL can now be overidden on a site-by-site basis.
    • New feature: It is now possible to add a social media sharing button (AddThis) to any template.
    • New feature: Flash applications can now specify a config value in custom_init that can be used to specify the location of a configuration file.
    • New feature: Unpacking zip files and transcoding video now sends a message with status information to the user after completion.
    • New feature: Added the following new translation languages required by Mot Målet: Kurdish (Iran), Persian (Iran), Tigrinya (Ethiopia), Russian (Russia), Thai (Thailand).
    • Improvement: Upgraded to jQuery 1.6 and jQuery UI 1.8.13. This is a maintenance/stability upgrade.
    • Improvement: quiz_alert() now uses modern jQuery UI modal dialog instead of simple alert().
    • Improvement: Upgraded the icon set to IconExperience V-Collection 2.0. The overall look should be a little bit more modern. Several icons have also been changed to better represent their function.
    • Improvement: Quiz of type radio now emits error message if options parameter is missing.
    • Bugfix: Uploaded Java applets should now be detected properly.
    • Bugfix: TIFF images should now properly detect width and height.
    • Bugfix: Invalid quiz() type will now count as a non-scoring question.
    • Bugfix: Autogenerated messages should now be presented in the recipient's user interface language, not in the sender's language.
    • Bugfix: Fixed a NOT FOUND (404) error related to the search inside a course feature.
    • Bugfix: Going one level up in the file selector works again.
    • Bugfix: Quiz of type matchbox now plays audio after reshuffle.
    • Feature removal: The compatibility IE6 GIF icon set has been removed.

    List of the most active bloggers available

    Today's update to version 5ede731 brings with it the following changes:

    • Improved performance: Most active/most read bloggers' list is now usable.
    • Bugfix: Institution list on welcome page and in user profile now sorts according to user interface language.

    WYSIWYG editor finally working with Internet Explorer 9

    Today's update (version 4358a94) brings with it the following changes:

    • API change: Template attribute course.root_container was removed, use root_data instead.
    • API change: Template attribute group.parent_container was removed, use parent_data instead.
    • Security change: Lesedilla TTS feature is now available to anonymous users.
    • Bugfix: Institutions, groups and users are now sorted according to user's language in most places.
    • Bugfix: Upgraded to TinyMCE 3.4.2. Should fix problems with Internet Explorer 9.
    • Performance improvement: Listing institutions should be much faster.
    • Layout improvement: Course membership display in user profile reimplemented. Should be easier to understand.
    • Information improvement: The group list now lists all related groups for the user, not just global groups.
    • New feature: It is now possible to list the 25 most active/popular bloggers for a given institution.
    • New feature: PIN code series (and shared PIN codes) can now be deactivated on a given date. Some other information can also be modified after creation.
    • New feature: New request handler for getting price information on books (by ISBN) from several websites.
    • New feature: Added generic Google Analytics code block. Activate on any site by setting the configuration variable google_analytics_id to the UA-XXX code from Google. Remember to remove any existing Google Analytics tracking code you might have been using in the site template.

    UPDATE 2011-04-29 19:45: The update has been completed successfully.

    Performance improvements finally coming!

    2011-03-25 21:00 CET: The update has now been completed.

    The software update being performed today (version b8b14e9) brings with it a lot of improvements. Administrators will specifically like this update, as it brings with it several performance improvements. Read below for more details.

    • New feature: Search for objects/folders within course content.
    • New feature: Search for objects/folders within a given folder.
    • New feature: Search for objects/folders within a given site (from site's root folder).
    • New feature: Search for objects/folders in the entire database.
    • New feature: Parent institution can now be specified.
    • New feature: Contact manager can now be used for selecting users, groups and institutions. It is also much easier to use from a template.
    • Performance improvement: Search responses with lots of hits now respond faster.
    • Performance improvement: Search within site should be much faster.
    • Performance improvement: Listing the contents of folders should be somewhat faster.
    • Performance improvement: Listing institutions should be quite a lot faster.
    • Performance improvement: Using the assign to group action inside collection should now respond in reasonable time.
    • Performance improvement: Listing course/student/teacher connections should be significantly faster.
    • Performance improvement: Listing courses should be faster.
    • Performance improvement: Managing site folders should be significantly faster.
    • Performance improvement: Managing course content should be quite faster.
    • Performance improvement: Internet Explorer 9 users now benefit from GZip compression on all content.
    • Performance improvement: Removed unnecessary GZip compression on static images and MP3 files.
    • Enhancement: When doing search within course or folder, the folder menu (usually on the left of the screen) is now populated with the currently searched folder.
    • Enhancement: When adding/editing an institution, searching for owner and institution now uses contact manager.
    • Enhancement: It is now possible to unpack zip archives with file names in either UTF8 or ISO-8859-1 (Latin1) encoding.
    • Enhancement: Bundled jQuery library updated to 1.5.1.
    • Enhancement: Bundled jQuery UI library updated to 1.8.9.
    • Enhancement: Bundled SoundManager2 library updated to 2.97.
    • Permission change: Search within folder is now available to anonymous users.
    • Bugfix: Disabled HTML5 audio with SoundManager on IE9. Should fix MP3 playback issue.
    • Bugfix: Fixed problem with playback of multiple sounds concurrently (Lesedilla).
    • Bugfix: Word audio playback feature now skips iframes and form elements (Lesedilla).
    • Bugfix: Fixed internal server error in configuration set management workflow.
    • Bugfix: TinyMCE (the WYSIWYG editor) should now be served with a versioned URL (should fix potential caching problems).
    • Bugfix: Thumbnail URL generation in file chooser now uses versioned URL (should fix potential caching problems).

    Details on today's software update

    Today's update to version 337b047 includes these changes:

    • New feature: Audio playback button images (MP3) can now be customized.
    • New feature: When using the send to supervisor feature of the object editor, primary and secondary supervisors are now given access to the submission object automatically. Old submission objects will have to be updated manually with new permissions.
    • Enhancement: Improved caching of permissions for current_object should give decent performance improvement and decrease load on database system.
    • Enhancement: Updated translations for Norwegian bokmål/nynorsk, Swedish and Danish.
    • Security bugfix: Listing folders would show all folders instead of no folders if user had access to 0 subfolders in a folder. Accessing the folders was never allowed, but it visually confused several layouts.
    • Bugfix: language_list.$client_language template code should work again.
    • Bugfix: Invalid HTML in list_templates handler fixed.
    • Bugfix: TTS system can now play back words with non-ASCII characters in it.

    Feilretting etter gårsdagens oppdatering

    Det hadde sneket seg inn noen feil som førte til at bl.a. Min Vei-kurset ikke virket som det skulle.

    Oppdatering til versjon f5762ee retter feilene. Vi beklager ulempene dette har medført.

    Software update completed!

    We have now updated to version 1d393e7. This update brings with it the following changes:

    • New feature: Playback of clicked words (Lesedilla).
    • Enhancement: Maximum registrations on a shared PIN code is now honored.
    • Enhancement: popup() and embed_glossary() TT code now uses SoundManager playback API.
    • Enhancement: manage_language() can now be instrumented to remove language region on display.
    • Bugfix: FLV Screenvideo codec duration was not detected properly.
    • Bugfix: OpenOffice documents were not detected properly.
    • Bugfix: crossdomain.xml never worked.

    Usage log functionality restored

    Yesterday's update made the usage log feature unavailable because of a programming error.

    Today's update (6208b83) restores that feature to a working state.

    Today's software update is completed

    This version (fbd24d1) brings with it the following changes:

    • New feature: PIN code registration for sites. Users can now register themselves based on a shared PIN code associated with a particular customer/site.
    • New feature: CEFR/PlacementTest email report now includes user's email address.
    • Bugfix: link() template code now works with fragment parameter.
    • Bugfix: GZip compression is disabled on Microsoft Internet Explorer 9. This should make the site work in IE9 beta.
    • Bugfix: Right-to-left languages should now render properly on Microsoft Internet Explorer 7.
    • Lots of improvements to the backend to increase consistency.
    • More robust user interface language changing.
    • Bugfix: Able to handle malformed Unicode (UTF8) better in filenames in zip archives.
    • Development changed to use Git (from Subversion). The only visible change is the different version number at the bottom of the screen.

    Software update today

    A minor update will be performed today at 18:00 CET to fix some issues reported to us by customers. We're expecting the downtime to be brief.

    Today's update (2368) brings with it the following changes:

    • If a site uses self registration, existing users that log on will automatically be added as members to that group.
    • Fixes broken email subject if it contained non-ASCII characters.
    • Improved design of the placement test email report.

    Update 2010-12-16 18:00 CET: Update completed successfully. Everything should be back to normal.

    Details on today's software update

    • File manager and folders sort according to rules of user interface language.
    • Folders in file manager is now ordered before objects.
    • Fixed several workflow bugs in the PlacementTest algorithm.
    • Institution membership in comments now refers to commenter's membership, not the logged in user.
    • Export/import content scripts now produce proper XML again.

    2012-12-13 18:10: Update 2360 now applied successfully!

    Software update details

    The update today (r2352) brings with it the following improvements and fixes:

    • Several lists now sort according to grammar rules in the user interface language.
    • Users can now delete all of their results on a course (feature must be administratively enabled on the course).
    • Improved WebM video detection.
    • New feature for web designers: Configuration sets
    • Site configuration can now be copied to another site.
    • FlashSetting objects now show error if player identifier doesn't exist.
    • List of institutions associated with a user now has a more discreet display in comments.
    • PIN code registrations allow definition of secondary supervisors.
    • Request handler 'get_icon' has a cleaner API.
    • PlacementTest workflow allows level 0 (fail) and level -1 (N/A).
    • Fixed confusing label in file manager (Include subfolders checkbox).

    Unexpected downtime / instability

    There was an unexpected downtime on one of our servers which caused Portfolio to be unavailable from approx. 4:00 CET today.

    We are working on getting the servers up and running again.

    Update 2010-11-20 12:00 CET: The servers should now be up and running again. We have identified the source of the problem, and are changing some pieces of code to avoid the problem in the future.

    Software update completed!

    The update from version 2203 to 2302 has been completed. Servers have been updated with latest software versions and everything should be up and running. Please notify us if something is not working as intended.

    Oppdatering av systemet 12.11.10

    En rekke grunnleggende forbedringer er blitt gjennomført i systemet ved denne oppdateringen.
    På brukernivå kan følgende nevnes:

    • Aktivt kurs blir satt også ved valg i resultatoversikten.
    • Ikoner for markering av ulike oppgavetyper i nettressursen DrillPro (for hhv. tekstreproduksjonsøvelser, spørsmål-/svarøvelser og utfyllingsøvelser).
    • Avspillingskontroll med tre knapper kan også vises uten tittel.
    • Cookie-kapasiteten er øket, til bruk for nettsteder med uvanlig store krav til bruk av cookies.
    • Originalobjekt slettes automatisk ved bruk av den nye videotranscoderen.
    • Også videoformatene matroska og webm html blir nå detektert automatisk.
    • Språkvalget urdu er tilgjengelig til bruk i tittel, ingress og innholdsfelt.
    • Feil ved rettighetstildeling til System: everyone er rettet.
    • Utskrift av liste med alle objektidentifikatorer (uuid-er) i en mappe er mulig.
    • Kommentarer viser nå brukerens institusjonstilhørighet.
    • Muligheter for friteksttagging av objekter i fanen Avansert.
    • Institusjonsblogg som viser alle blogger som er publisert innenfor en gitt institusjon.
    • Direkte tilgang til bloggfunksjonalitet i personlig panel.
    • Mulighet for å forhåndsdefinere rettigheter i f.eks. lenker i dokumenter.
    • Layoutmessig korrigering av wysiwyg-editoren i Internet Explorer < 9.
    • Muligheter for direkte visning av tidslogg fra valget "Mine studenter".
    • En rekke forbedringer i nettstedet for innplasseringstester (CEFR).