Today's update (94c74a7) brings with it the following changes:
- It was possible to change a user's password without their consent by sending specially crafted HTML which would be activated automatically using a CSRF/XSS attack when the user reads the message.
- This vulnerability was fixed by asking for the user's existing password before setting a new password or changing their email address.
- Users with access to the impersonate feature (special support staff) are allowed to change another user's email address without needing to enter the user's password.
list_quota request handler now only shows the first 1000 users ordered by used storage size. This should ensure it never times out.
- It is now possible to delete your user account. Only global administrators are allowed to delete accounts other than their own. If an account that owns course content (or other content outside their home folder) is deleted, that content is transferred to the orphan user. All remaining objects and containers, object quiz assignments, scores and account activity are deleted. It is not possible to login as this orphan user.
privacy_policy contains an object identifer.
- When an ePortal push message with the
remove user action is received, the user is now permanently removed in Portfolio. If the user is a global administrator or has institutions associated with it the user is not deleted, only institution and course relationships are removed.
- All links in the standard footer now uses HTTPS and have been updated. The HTML markup has also been improved.
- Fixed some CSS bugs in the standard stylesheet. Should have no user impact.
- Added a wrapper class for the template plugin
CGI. Only the
param() method is implemented, allowing for template code to easily use query string parameters.
- When users register themselves using the
selfreg request handler, the group they're registered into is now properly logged.
Feature removals / deprecations
- The course progress limit feature was never used. It has now been removed.
- The event log action
account_delete was removed. It didn't contain any usable metadata. All event log entries with this action have been removed.
- The event log column container_id was never used. It has now been removed.
- The object attributes
copyright wasn't used anywhere. They have now been removed.