Blog

Product news and other information from the developers of Portfolio.
Showing 1 - 5 of 138
  • Bugfix for broken reset password feature

    Posted by: Robin Smidsrød 30. May 2022 16:37

    Today's update (58269faf3) brings with it the following changes:

    Bugfixes

    • The last update caused a regression in the "reset password" feature. If one reset token was requested, another could not be requested before a successful account reset was performed. If this took more than 24 hours to perform, the password reset feature would be completely blocked.
    You must be logged in to read or post comments
  • Auditing of security events and lots of infrastructure changes

    Posted by: Robin Smidsrød 24. May 2022 17:43

    Today's update (b36b08a) brings with it the following changes:

    Security issues

    • Added audit messages for the following security events:
      • Login success/failure
      • E-portal authentication callback
      • User impersonation
      • User created/modified/deleted
      • User accessed (profile page viewed)
      • Credential modified
      • Credential recovery
      • Group membership modified
      • Institution membership modified
      • Role modified
    • A programming error in the reset_pw request handler made it possible to modify the password of any user without knowning the correct reset token. This issue has been improved further since the hotfix.
    • Changed behavior to not remove existing reset tokens when creating a new one. This avoids a potential denial-of-service attack vector in the reset password feature.
    • When logging in as a new user while already logged in, a login failure will now log out the existing session.
    • Upgraded to Perl 5.34.1 to fix security issues in Archive::Tar and Compress::Raw::Zlib.
    • Updated to cpanm 1.7045 to address the issue with CHECKSUMS file validation during CPAN package installation.

    Performance improvements

    • Started using the new e-portal health check endpoint to determine if API is available.

    New features

    • Changed Nginx web server from FastCGI to HTTP protocol for reverse-proxying to web application server. The web application server now uses standard PSGI/Plack runtime. Static file serving is now also supported directly in the web application server.
    • Added test infrastructure to run NATS server and fully validate audit events.

    Enhancements

    • Changed CPAN dependency manager from Pinto to Carton.
    • Now uses upstream versions of perlbrew and cpanm directly, allowing for easier upgrades.
    • Simplified the code to support the explain template function.

    Bugfixes

    Feature removals / deprecations

    • Removed support for FastCGI protocol for reverse-proxying. We use plain HTTP now, via PSGI.
    • Removed Pinto and all CPAN packages directly from upstream.
    • Stopped using Module::Build for running test suite.
    You must be logged in to read or post comments
  • Fixed high severity security issue

    Posted by: Robin Smidsrød 1. Apr 2022 15:04

    Today's hotfix (12964b5) brings with it the following change:

    Security improvements

    • Fixed a high severity issue in the reset_pw request handler.
    You must be logged in to read or post comments
  • Content parser, bugfixes and lots of feature removals

    Posted by: Robin Smidsrød 14. Dec 2021 19:14

    Today's update (472a4b4) brings with it the following changes:

    Performance improvements

    • Stop robots/spiders from trying to index login/logout links.

    New features

    • Added plaintext dependency and cross-reference parser, enabling extensive analysis of authored content and making it easier to understand how content is dependent on each other. Also indexes content for template and JavaScript function usage, so it is easier to figure out if deprecated features are in use or not.
    • The referenced identifiers, template functions and JavaScript functions are now possible to view in the object editor. This should simplify finding content in complex documents. It should also make it very easy to find broken internal links.
    • Added identifier references tab to object and container editor.

    Enhancements

    • The user course progress report now shows number of read objects instead of course element index reached. The percent is also calculated based on read objects, making it more in line with actual course progress. The index reached is now shown on the object tooltip.
    • Extensive layout/behavior cleanup in object/container editor.
      • Moved container additional fields from main tab over to advanced tab.
      • Added a container metadata tab and moved LOM field over to it.
      • Added LOM generator button to container editor

    Bugfixes

    • Fixed an issue where student/supervisor relationships are not properly removed when a member is removed from an institution.
    • Fixed issue where non-ASCII characters in user name would cause the student or supervisor to not show up in relationship lists.
    • Fixed issue with object comment content overflowing when TTS HTML content is copied into the comment editor.
    • Now reports proper error message when configuration variable is deleted, but name of variable is not specified.

    Feature removals / deprecations

    • Removed all workarounds and special features targeting the legacy Internet Explorer (MSIE) browser.
    • Removed all features that requires web browser plugins. They are no longer supported by modern browsers.
    • The following features have been removed:
      • Java applets and Java client-side apps
      • Flash video and Flash client-side apps and applications
      • Windows Media Player video/audio playback
      • Realplayer video playback
      • QuickTime video playback
      • ListenUp Java-based voice recorder
      • Web-based spreadsheet editing (using Java applet)
      • Spreadsheet object type (now uses binary)
      • Stylesheet workarounds for MSIE
      • Removed jQuery 1.11.2, which was needed by MSIE
      • Removed Content-Disposition HTTP header workarounds for MSIE
    • SVG images are now always rendered as inline HTML5.
    • Self-registration feature has been removed. If you need to register for access to a site, use the self-registration feature in e-portal instead.
    • Removed the CEFR / placement-test feature completely because it has some GDPR compliance issues.
    • Also removed the csv request handler which was only used for sending CEFR email reports.
    • The PIN-code self-registration feature has been completely removed. Registration using PIN-code or other automated registration is now handled by e-portal.
    • The feature to store quiz observations has been removed, as it is no longer in use.
    • The interactive chat feature that was developed for CampusOnline has been removed, as it was not used by anyone.
    • The Skype appointment/calendar feature implemented for CampusOnline has been removed as it is no longer used.
    • Removed unused Heap Analytics tracking implementation and AddThis social media integration.
    • Removed the deprecated description_alias kludge for Internet Explorer. Now the DOM element is just named description, as it always should've been named.
    • Removed various unused DOM identifiers and styling in object/container editor.
    You must be logged in to read or post comments
  • Enabled e-portal OIDC-based login method

    Posted by: Robin Smidsrød 9. Aug 2021 17:03

    Today's update (568f91c) brings with it the following changes:

    Bugfixes

    • Fixed issue related to e-portal external identifier during e-portal OIDC login.
    You must be logged in to read or post comments
Showing 1-5 of 138
Next Last

Login