New macro feature, hardened security settings and lots of reference documentation
Today's update (fc0b9c4) brings with it the following changes:
Security improvements
- An extensive review of HTTP security headers has been performed and several improvements to the security of the system has been implemented. This can, in some situations, cause behavior that previously worked to not work anymore, especially those involving cross-site requests involving authentication and iframes.
- How the session identifier is stored has been hardened to protect against malicious behavior. It is no longer possible to read it using JavaScript code.
- Cross-origin HTTP request validation now supports specific URIs, not just
the
*value. - HTTP headers to enable reporting of client errors were added.
- Code was hardened by avoiding code conventions that can lead to security issues.
Performance improvements
- Improved performance in file manager and object/container selector by consolidating database queries.
- A small optimization to how we populate system groups was implemented. This should give a minor speed increase to anonymous requests.
New features
- It is now possible to create macros that can be used everywhere template markup can be used. Macros are named units of behavior that support required and optional parameters. The parameters are validated when the macro is called, to avoid the need for the implementing template to perform this validation. See the
macrotemplate function documentation for more details. - A script for exporting contents of an XML dump/export into files was added. It is useful when e.g. binary content needs to be exported into another CMS.
- DuckDuckGo was added as a search engine provider.
Enhancements
- It's now possible to return JSON responses from the
readrequest handler. - System groups and users where previously always shown with an English name. Now the name can be localized to the user interface language.
- The
labeltemplate function now supports model instance as first parameter. - Simplified the user event log user interface a bit.
- Now all search providers use HTTPS URLs. The addresses of several search providers have been updated to match current APIs.
- Added logging of e-portal session validation URL when failing to improve ability to troubleshoot issues.
Documentation improvements
- Improved rendering and layout of reference documentation.
- Unrestricted methods in classes are now shown in reference documentation.
- Added reference documentation for:
- Client-side app behavior
- Appointments and calendar availability
- Configuration variables and sets
- Model class attributes
- Eportal behavior
- Asynchronous jobs, job notifications and job queue manager behavior
- Main configuration and search provider configuration
- Container model class
- Added reference documentation for the following HTTP request handlers:
- history
- impersonate
- leseweb
- list
- list_class_permission
- list_log
- read_container
- read_glossary
- read_institution
- read_message
- rebuild_course
- remove_institution_course
- remove_student
- reorder_course_element
- score
- selector
- selfreg
- send_message
- set_assignment_score
- set_course_supervisor
- set_ownership
- start_exam
- stop_exam
- tag_message
- tts
- unlink_access_key
- unpack
- update
- update_config_set
- update_container
- update_course
- update_course_element_order_list
- update_institution
- update_institution_course
- write_class
- write_class_membership
- write_config
- write_config_set
- write_container
- write_course
Feature removals / deprecations
- The filters for containers and groups have been removed in the event log user interface. They were not used anywhere.
- The object type
scriptis now deprecated. It's not been in use for a long time. - The request handler
delete_account_membershipis now deprecated. Use the collection managerremove_from_groupaction instead. - Some search providers that are no longer valid have been removed (most notably ordboka.net). The category religious scriptures was removed because there are no more entries.
-
Portfolio
-
Blog
-
Fix e-mail and user name conflicts during e-portal login
-
Fixed e-portal login edge case and other bugs
-
Bugfix for broken reset password feature
-
Auditing of security events and lots of infrastructure changes
-
Fixed high severity security issue
-
Content parser, bugfixes and lots of feature removals
-
Enabled e-portal OIDC-based login method
-
New e-portal OIDC-based login and various bugfixes
-
Another hotpatch to fix recipient issue when forwarding message
-
Hotpatch: Fix invisible recipient in message system
-
Contact manager is now used in more places and more documentation available
-
Improved documentation and code quality
-
Improved email validation and other bugfixes
-
Improved message reading experience and other accessibility improvements
-
Improved object editor workflow and fixed user membership issues
-
Improve messaging and Google Chrome cookie behavior fixes
-
Migration from Rackspace to Azure data center
-
More user behavior reports and improved report performance
-
Improved documentation and page navigation
-
Fixed issue with client-side cookies on some sites
-
New macro feature, hardened security settings and lots of reference documentation
-
Voice message menu item, additional documentation and various bug fixes
-
Email notifications, better spam protection and improved documentation
-
Bugfixes, tracing identifers, improved metrics and more
-
Operating system upgrade
-
Improved database backup solution
-
Fixed server errors on delete_quiz and increased thumbnail timeouts
-
Fixed thumbnail generation issues, accessibility issues and more
-
Fix password-changing issue and other bugs
-
Fix issue with application error page being shown more than usual
-
Another hotpatch: PIN codes can be validated again
-
Hotpatch: Object comments can now be saved again
-
Improved self-registration workflow, increased performance and more
-
Remove inactive users feature and more GDPR privacy improvements
-
Template cookie access and improved email templates
-
Users are not deleted when ePortal message is received
-
Minor bugfix fixing user deletion issue
-
Security fix, ability to delete user account and more
-
Hashed passwords, faster search and more
-
Fix for contact manager timeout issue
-
Database upgrade, persistent connections and bulk metadata editor
-
Fixing regressions with new quiz() XHR submit feature
-
User session limit introduced, Flash rendering bugfixes and more
-
Fixed issues after yesterday's update
-
Reimplemented selector and quiz editor, lots of bugfixes and more
-
Fixed issue with formatting of timestamps from database
-
Timestamps now show in correct time zone and more lists are sorted correctly
-
New image measurement handler, Heap Analytics user tracking added and default permissions warning removed
-
Default permissions, CodeMirror editor improvements and bugfixes
-
Rewritten create_response() feature and various other improvements
-
Unexpected downtime because of hardware issue
-
Improved performance, WAV to MP3 transcoding and lots of other improvements
-
More powerful database server and some bugfixes
-
Migration to cloud environment, removal of cookie warning and chat feature
-
File uploading now fixed!
-
New plain-text editor, updated third-party packages in backend and more
-
Show all children in containers, signup form spambot protection, synthetic speech configuration persistence and more
-
Network upgrade completed
-
Fix audio playback in popups and various other minor issues
-
Hardware upgrade improves response time
-
New fs2tree template function, iOS MP3 playback bugfix and more
-
Unexpected downtime because of network issue
-
Faster user search, improved history feature and more bugfixes
-
Blob storage, history feature and performance improvements
-
IP address session protection changed and multiple bugfixes
-
SASS stylesheet rendering, page timeout, timers and more improvements
-
Fixed regressions in MP3 audio player
-
Enabled sending links to any objects and some bugfixes
-
Hotpatch to address bugs since last update
-
Improved performance for several reports and several other enhancements
-
HTTPS security fixes, institution blog and object locking performance fixes and much more
-
HTTPS support, quiz radio inline mode, Google Chrome voice recorder bugfix and more
-
New exam feature, filesystem(t) skip_custom_init feature and several bugfixes
-
EU cookie warning, changed e-portal login procedure and more
-
HTTP range request support, CORS header support and improved API documentation
-
CEFR placement test usage report, JSON response bugfix, updated video player, and more
-
Hotpatch to fix broken file uploader and more
-
New PDF watermark feature, rewritten text output handling and several bugfixes
-
New HTML5-based voice recorder, more API documentation and bugfixes
-
New feature to upload profile photo, improved access key form, developer documentation and several bugfixes
-
Major design overhaul, new file uploader and lots, lots more
-
Flash embedding has changed to support latest Flash runtime
-
Improved folder menu rendering, simplified language selection and more
-
Session security and language improvements
-
Session variables, flash messages, performance improvements and more
-
Update to Google Universal Analytics and fix multiple character encoding issues
-
Bugfix for missing send button on Java-based voice recorder
-
Server upgrades, feature additions and lots of improvements
-
Small update for better protection against latency during e-portal login
-
E-portal deadlock login issue fixed + JSON response mode
-
Fix character encoding issue with quiz assignments
-
Minor correction to user activity report
-
D-bok web reader working again
-
Improved voice recorder, file manager and much more
-
Signed Java applets and improved page view logging
-
Switch to Nginx and e-portal push message support
-
E-portal provisioning and multimedia playback revamp
-
Minor update: Added group quick-search box in my students report
-
New Flash-based sound recorder available
-
ePortal and BookSync integration available
-
Big user database cleanup, performance improvements and various bugfixes
-
Several minor problems fixed
-
Completely new course activity report
-
Time tracking issue in Internet Explorer 7 and 8 fixed!
-
Vastly improved user presence time tracking!
-
SOLVED: Problems to login with email
-
Improved report performance and email hidden everywhere
-
Object cycle (image of the week) feature
-
Real-time chat available!
-
A few bugfixes related to the new calendar feature
-
Forum comments in HTML and multiple bugfixes for IE7/8
-
Calendar with Skype integration
-
Project groups, MathML embedding and multiple bugfixes and improvements
-
New app API and lots of additional enhancements and bugfixes
-
New database server online
-
Better response time
-
Improved performance and concurrency
-
CEFR HTML email reports and several bugfixes and improvements
-
New update with group enrollment feature and various bugfixes
-
Mostly bugfixes and minor improvements
-
New video player, video thumbnails, quiz editor bug fixes and more
-
New speech synthesis and matchbox code
-
Lexin
-
Finally fixing the problematic IE7/8 crashes
-
New talkbook request handler and various bugfixes
-
Features galore: Statistics on questions, job notification msg +
-
List of the most active bloggers available
-
WYSIWYG editor finally working with Internet Explorer 9
-
Performance improvements finally coming!
-
Details on today's software update
-
Feilretting etter gårsdagens oppdatering
-
Software update completed!
-
Usage log functionality restored
-
Today's software update is completed
-
Software update today
-
Details on today's software update
-
Software update details
-
Unexpected downtime / instability
-
Software update completed!
-
Oppdatering av systemet 12.11.10
-
-