Today's update (b33e7c9) brings with it the following changes:

Security issues

• An issue preventing users without impersonate permission (almost everyone) from changing their own password was fixed.

Performance improvements

• When trying to render a thumbnail for an unsupported file format or broken file, the web worker process generating that image would exit early because of a PIPE signal, potentially triggering overload on that web worker node. It could also happen when transcoding wave audio files to MP3. These error conditions should no longer cause unexpected web worker process exits.
• A lot of database refactoring has been done, some of it improving performance in certain situations.

Enhancements

• Improved language in messages related to password reset and user account deletion procedures.
• The amount of inactive users deleted is now increased from 5% to 40% each time the job is run. This should ensure inactive users are deleted faster.
• Improved automatic test coverage, giving better protection against regressions.
• Refactored a lot of request handlers to use newer coding style. This should allow us to remove unused, old code eventually.

Bugfixes

• In the My students report the dropdown group filter and the filter textbox wasn't always synchronized. Now, whenever one of them is used, the other is reset to avoid confusion. Only one of them can be used at the time. In addition, if you use the back browser button to navigate back to the page, the previous settings are put back. This information is stored in a cookie for 30 minutes.
• Fixed an issue in report_score template function, where passing an empty string where a UUID is needed would trigger an error.
• Fixed an issue in list_account_registrations request handler, where users with an unknown created timestamp wouldn't show up in reports. This should now be fixed.
• In the avatar template function, if it was called without a size value, a warning was emitted. This is now fixed.
• Avoid warning being emitted if object without created or updated timestamp is rendered.

A hotpatch (4dc3625) was deployed today to address the issue where users would see the "an application error occurred, try again later" page more often than usual.

Another hotpatch (3c27a9a) was deployed today. It contains the following changes:

Bugfixes

• Fixed issue with validation of PIN codes generating a database error.

A small hotpatch (4db6824) was deployed today.

Bugfixes

• It fixed the issue with saving object comments.
• It also fixed a minor issue with HTTP requests without User-Agent header causing errors.

Today's update (d2fd5d2) brings with it the following changes:

Security issues

• The online request handler is now only accessible by global administrators. This is to avoid leaking personal information from online users to all other users, according to GDPR regulations.

Performance improvements

• Rendering container breadcrumbs in templates should now be much faster, as multiple database calls to check permissions are avoided.
• The get_child_containers() and get_child_objects() container methods should be much faster, because permission checking is now done in a single database query.
• The count_children() container method is now faster because it calculates the number of objects and containers in a single database query.
• The has_role() user method should be about four times faster because of improved database query syntax.

Enhancements

• The self-registration workflow on CEFR sites required two emails sent to the newly registered user, when one would technically suffice. Now only a single email is sent that includes the reset password URL and the URL you should use to login once the password is set.
• The help text in the user self-registration form has been improved to mention the set password URL instead of password. The same form now also mentions that you need to answer the security question to prove you're not a robot.
• The inactive users removal process is now more randomized, to avoid users with undeletable data blocking removal of other users for an extended time.
• The render_link() method now supports a show_path boolean argument which turns on breadcrumb rendering.
• When the send to supervisor object editor feature is used, the link which is sent is now rendered with a breadcrumb, so it is easier to figure out where it is located in the folder structure.
• The TinyMCE/WYSIWYG HTML editor rectangle can now be resized.
• The extra toolbars in the advanced TinyMCE layout can now be toggled on/off using a button.
• A lot of the database queries have been refactored, which should make them more robust. This has been a very large task, which might trigger some regressions. Please inform us as soon as possible if you notice something not working properly.

Bugfixes

• The template plugin CGI can now be used with a lower-case name. Previously it silently did nothing.
• Bullets in unordered lists in message content was not shown. They are now shown, as expected.
• Fixed a bug causing JavaScript syntax error if PORTFOLIO.page_url contains single quotes.
• Fixed an issue with users being notified again about deletion of account because of slow deletion process. When users that have been notified about account deletion was not deleted within 2 weeks, a new message was sent to them, delaying deletion even further. Now the re-notification won't happen until after 4 weeks of their first notification, giving the system 2 weeks to actually delete the user after their notification limit has expired.
• Personal groups are now removed during the delete user process. They previously caused an error during user removal.
• Institution groups associated with a user is now turned into an institution group without an owner during the delete user process. They previously caused an error during user removal.

Feature removals / deprecations

• The get_parent() container method is no longer available. If you previously used it, use parent_data() instead.