Today's update (d2fd5d2) brings with it the following changes:
Security issues
- The online request handler is now only accessible by global administrators. This is to avoid leaking personal information from online users to all other users, according to GDPR regulations.
Performance improvements
- Rendering container breadcrumbs in templates should now be much faster, as multiple database calls to check permissions are avoided.
- The get_child_containers() and get_child_objects() container methods should be much faster, because permission checking is now done in a single database query.
- The count_children() container method is now faster because it calculates the number of objects and containers in a single database query.
- The has_role() user method should be about four times faster because of improved database query syntax.
Enhancements
- The self-registration workflow on CEFR sites required two emails to be sent to the newly registered user, when one would technically suffice. Now only a single email is sent, which includes the reset password URL and the URL you should use to log in once the password is set.
- The help text in the user self-registration form has been improved to mention the set password URL instead of a password. The same form now also mentions that you need to answer the security question to prove you're not a robot.
- The inactive users removal process is now more randomized, to avoid users with undeletable data blocking removal of other users for an extended time.
- The render_link() method now supports a show_path boolean argument which turns on breadcrumb rendering.
- When the send to supervisor object editor feature is used, the link which is sent is now rendered with a breadcrumb, so it is easier to figure out where it is located in the folder structure.
- The TinyMCE/WYSIWYG HTML editor rectangle can now be resized.
- The extra toolbars in the advanced TinyMCE layout can now be toggled on/off using a button.
- A lot of the database queries have been refactored, which should make them more robust. This has been a very large task, which might trigger some regressions. Please inform us as soon as possible if you notice something not working properly.
Bugfixes
- The template plugin CGI can now be used with a lower-case name. Previously it silently did nothing.
- Bullets in unordered lists in message content were not shown. They are now shown, as expected.
- Fixed a bug causing a JavaScript syntax error if PORTFOLIO.page_url contains single quotes.
- Fixed an issue where users were notified again about account deletion because of a slow deletion process. When users who had been notified about account deletion were not deleted within 2 weeks, a new message was sent to them, delaying deletion even further. Now the re-notification won't happen until 4 weeks after their first notification, giving the system 2 weeks to actually delete the user after their notification limit has expired.
- Personal groups are now removed during the delete user process. They previously caused an error during user removal.
- Institution groups associated with a user are now turned into institution groups without an owner during the delete user process. They previously caused an error during user removal.
Feature removals / deprecations
- The get_parent() container method is no longer available. If you previously used it, use parent_data() instead.