Today's hotpatch (66ebc45) brings with it the following changes:

Bugfixes

• A regression in the CGI.cookie() template plugin method was causing existing cookies to not be retrieved, even though they existed in the HTTP request. The old behavior has been restored and the issue should be fixed.

Today's update (fc0b9c4) brings with it the following changes:

Security improvements

• An extensive review of HTTP security headers has been performed and several improvements to the security of the system has been implemented. This can, in some situations, cause behavior that previously worked to not work anymore, especially those involving cross-site requests involving authentication and iframes.
• How the session identifier is stored has been hardened to protect against malicious behavior. It is no longer possible to read it using JavaScript code.
• Cross-origin HTTP request validation now supports specific URIs, not just the * value.
• HTTP headers to enable reporting of client errors were added.
• Code was hardened by avoiding code conventions that can lead to security issues.

Performance improvements

• Improved performance in file manager and object/container selector by consolidating database queries.
• A small optimization to how we populate system groups was implemented. This should give a minor speed increase to anonymous requests.

New features

• It is now possible to create macros that can be used everywhere template markup can be used. Macros are named units of behavior that support required and optional parameters. The parameters are validated when the macro is called, to avoid the need for the implementing template to perform this validation. See the macro template function documentation for more details.
• A script for exporting contents of an XML dump/export into files was added. It is useful when e.g. binary content needs to be exported into another CMS.
• DuckDuckGo was added as a search engine provider.

Enhancements

• It's now possible to return JSON responses from the read request handler.
• System groups and users where previously always shown with an English name. Now the name can be localized to the user interface language.
• The label template function now supports model instance as first parameter.
• Simplified the user event log user interface a bit.
• Now all search providers use HTTPS URLs. The addresses of several search providers have been updated to match current APIs.
• Added logging of e-portal session validation URL when failing to improve ability to troubleshoot issues.

Documentation improvements

• Improved rendering and layout of reference documentation.
• Unrestricted methods in classes are now shown in reference documentation.
• Added reference documentation for:
  • Client-side app behavior
  • Appointments and calendar availability
  • Configuration variables and sets
  • Model class attributes
  • Eportal behavior
  • Asynchronous jobs, job notifications and job queue manager behavior
  • Main configuration and search provider configuration
  • Container model class
• Added reference documentation for the following HTTP request handlers:
  • history
  • impersonate
  • leseweb
  • list
  • list_class_permission
  • list_log
  • read_container
  • read_glossary
  • read_institution
  • read_message
  • rebuild_course
  • remove_institution_course
  • remove_student
  • reorder_course_element
  • score
  • selector
  • selfreg
  • send_message
  • set_assignment_score
  • set_course_supervisor
  • set_ownership
  • start_exam
  • stop_exam
  • tag_message
  • tts
  • unlink_access_key
  • unpack
  • update
  • update_config_set
  • update_container
  • update_course
  • update_course_element_order_list
  • update_institution
  • update_institution_course
  • write_class
  • write_class_membership
  • write_config
  • write_config_set
  • write_container
  • write_course

Feature removals / deprecations

• The filters for containers and groups have been removed in the event log user interface. They were not used anywhere.
• The object type script is now deprecated. It's not been in use for a long time.
• The request handler delete_account_membership is now deprecated. Use the collection manager remove_from_group action instead.
• Some search providers that are no longer valid have been removed (most notably ordboka.net). The category religious scriptures was removed because there are no more entries.

Today's update (f1916f2) brings with it the following changes:

Performance improvements

• Container listings should be slightly faster to load because the amount of generated HTML code is smaller.
• The identifier (UUID) generator and validation methods were refactored, fixing some bugs and slightly improving performance.

New features

• The top menu has been extended with an option to send a new voice message directly to your supervisor.

Enhancements

• The new_message and add_recording request handlers now properly supports customized page redirection.
• Documentation for the following request handlers were added:
  • list_account
  • list_account_membership
  • list_account_registrations
  • list_autoreg
  • list_autoreg_detail
  • list_class
  • list_class_membership
  • list_config_set
  • list_course
  • list_course_users
  • list_icons
  • list_institution
  • list_institution_blog_items
  • list_institution_courses
  • list_institution_users
  • list_message
  • list_observation
  • list_quota
  • list_site
  • list_site_config
  • list_student
  • list_student_supervisor
  • list_stylesheets
  • list_supervisor
  • list_templates
  • manage_config_set
  • manage_course
  • manage_institution
  • manage_language
  • manage_site_containers
  • read_account
  • read_config
  • search
  • search_course
  • search_group
  • search_inside_container
  • search_inside_course
  • search_institution
  • search_site
  • search_user
  • update_account
  • update_account
  • user
• Documentation for Portfolio::UUID was added.

Bugfixes

• Comments are now always edited with the WYSIWYG editor (TinyMCE), which should ensure whitespace is maintained on display.
• Empty popups are no longer shown when you click on them.
• Added back support for talkbook lookups in popups using the legacy format lookup => "X_lyd" to indicate a letter phoneme.

Today's update (39c09ac) brings with it the follow changes:

Security issues

• Improved our HTML form spam protection mechanism. You'll now need to check a box to confirm you're a human when you want to recover your password or register an account.

New features

• You'll now be notified by email if you have unread messages in your inbox. You can choose to get these notifications immediately when a new message arrives, or once per day or week. You can also turn them off if you don't want them. The default is to get weekly notifications. You'll need to go to your user profile page to change this setting. Only the user itself can change this setting.

Enhancements

• It is now possible to preload videos by using the preload attribute in the embed template function. It is actually enough to just preload metadata to ensure the video object is cached properly by the backend. This is most likely only needed for somewhat large videos.
• Syndication feeds (RSS) are now handled by an external component instead of using XSLT. This should ensure we encode content much more standards-compliant. We also now support all RSS variants and Atom. The default feed format has changed from RSS 2.0 to Atom. If you have used feeds from Portfolio somewhere else you'll need to update the link to the new format.
• Additional reference documentation for template handlers have been added from our internal wiki. Especially the quiz and embed template functions have gotten much better documentation, including examples. Clarification on recommended and deprecated ways of calling them are now documented.
• All of the XML returned by the HTTP API is now generated in a more consistent way. This should not impact anyone.
• We're now using an automated method for gathering code coverage, which will help the developers to improve the quality of the service over time.
• The access key feature has been modified extensively in the backend. This means it has a higher risk of regressions. Be aware.

Feature removals / deprecations

• The XSLT feature was completely removed. That also means that the server_xsl query parameter to read_container request handler was removed.
• The PORTFOLIO.do_decoding() JavaScript function was removed. It was not in use.

Today's update (9899ece) brings with it the follow changes:

Security issues

• Updated third-party SSL/TLS modules to support OpenSSL 1.1 properly.

Performance improvements

• Diminished the number metrics emitted from the queue worker when new jobs are created.

New features

• A tracing identifier is now generated and added to all HTTP requests, allowing for more in-depth analysis when issues are encountered.

Enhancements

• Improved database restore script allowing for point-in-time recovery.

Bugfixes

• Fixed issue with accidental overwriting of config set entries, site config entries and user config entries.
• Fixed issue with course rebuilt timestamp not being updated when course is rebuilt.
• Previously plain text files created in Notepad with default encoding would be detected as UTF-8, which was wrong. They should now detect properly as ISO-8859-1 (Latin1).