Today's update (94c74a7) brings with it the following changes:
Security issues
- It was possible to change a user's password without their consent by sending specially crafted HTML which would be activated automatically using a CSRF/XSS attack when the user reads the message.
- This vulnerability was fixed by asking for the user's existing password before setting a new password or changing their email address.
- Users with access to the impersonate feature (special support staff) are allowed to change another user's email address without needing to enter the user's password.
Performance improvements
- The
list_quota
request handler now only shows the first 1000 users ordered by used storage size. This should ensure it never times out.
New features
- It is now possible to delete your user account. Only global administrators are allowed to delete accounts other than their own. If an account that owns course content (or other content outside their home folder) is deleted, that content is transferred to the orphan user. All remaining objects and containers, object quiz assignments, scores and account activity are deleted. It is not possible to login as this orphan user.
- Added privacy policy link to standard footer template. When logged in, the link is moved to the top help menu. The link is only shown if the configuration variable
privacy_policy
contains an object identifer.
Enhancements
- When an ePortal push message with the
remove user
action is received, the user is now permanently removed in Portfolio. If the user is a global administrator or has institutions associated with it the user is not deleted, only institution and course relationships are removed.
- All links in the standard footer now uses HTTPS and have been updated. The HTML markup has also been improved.
Bugfixes
- Fixed some CSS bugs in the standard stylesheet. Should have no user impact.
- Added a wrapper class for the template plugin
CGI
. Only the param()
method is implemented, allowing for template code to easily use query string parameters.
- When users register themselves using the
selfreg
request handler, the group they're registered into is now properly logged.
Feature removals / deprecations
- The course progress limit feature was never used. It has now been removed.
- The event log action
account_delete
was removed. It didn't contain any usable metadata. All event log entries with this action have been removed.
- The event log column container_id was never used. It has now been removed.
- The object attributes
cost
and copyright
wasn't used anywhere. They have now been removed.