Today's update (d2fd5d2) brings with it the following changes:

Security issues

• The online request handler is now only accessible by global administrators. This is to avoid leaking personal information from online users to all other users, according to GDPR regulations.

Performance improvements

• Rendering container breadcrumbs in templates should now be much faster, as multiple database calls to check permissions are avoided.
• The get_child_containers() and get_child_objects() container methods should be much faster, because permission checking is now done in a single database query.
• The count_children() container method is now faster because it calculates the number of objects and containers in a single database query.
• The has_role() user method should be about four times faster because of improved database query syntax.

Enhancements

• The self-registration workflow on CEFR sites required two emails sent to the newly registered user, when one would technically suffice. Now only a single email is sent that includes the reset password URL and the URL you should use to login once the password is set.
• The help text in the user self-registration form has been improved to mention the set password URL instead of password. The same form now also mentions that you need to answer the security question to prove you're not a robot.
• The inactive users removal process is now more randomized, to avoid users with undeletable data blocking removal of other users for an extended time.
• The render_link() method now supports a show_path boolean argument which turns on breadcrumb rendering.
• When the send to supervisor object editor feature is used, the link which is sent is now rendered with a breadcrumb, so it is easier to figure out where it is located in the folder structure.
• The TinyMCE/WYSIWYG HTML editor rectangle can now be resized.
• The extra toolbars in the advanced TinyMCE layout can now be toggled on/off using a button.
• A lot of the database queries have been refactored, which should make them more robust. This has been a very large task, which might trigger some regressions. Please inform us as soon as possible if you notice something not working properly.

Bugfixes

• The template plugin CGI can now be used with a lower-case name. Previously it silently did nothing.
• Bullets in unordered lists in message content was not shown. They are now shown, as expected.
• Fixed a bug causing JavaScript syntax error if PORTFOLIO.page_url contains single quotes.
• Fixed an issue with users being notified again about deletion of account because of slow deletion process. When users that have been notified about account deletion was not deleted within 2 weeks, a new message was sent to them, delaying deletion even further. Now the re-notification won't happen until after 4 weeks of their first notification, giving the system 2 weeks to actually delete the user after their notification limit has expired.
• Personal groups are now removed during the delete user process. They previously caused an error during user removal.
• Institution groups associated with a user is now turned into an institution group without an owner during the delete user process. They previously caused an error during user removal.

Feature removals / deprecations

• The get_parent() container method is no longer available. If you previously used it, use parent_data() instead.

Today's update (bc6c820) brings with it the following changes:

Security issues

• Removed debugging code which accidentally revealed a secret key for interaction between Portfolio and e-Portal in server logs.

Performance improvements

• Added ability to better inspect database performance.

New features

• User accounts which have been inactive for a long time are now automatically deleted.
  • Users that have never logged in are removed after 1 month.
  • Users that have logged in, but never created any content, are removed after 6 months.
  • Users that have logged in and created content are removed after 26 months.
  • Users that have content will be notified 14 days before they are removed. If they log in again within those 14 days they will not be removed.
  • Users with content that have an auto-generated e-Portal or empty email address will not be notified, but they will be automatically removed after 26 months and 14 days.
  • The job that notifies users about deletion will notify 400 new users every hour instead of all inactive user at once. This is to avoid overloading email systems and accidentally put our servers on spam blacklists. This should ensure all users are notified in approx. 3 weeks.
  • The job that performs the deletions will not be activated until August 15th. This is to avoid that teachers and students that are on summer holiday accidentally get removed while they're not checking their email.

Enhancements

• IP addresses gathered by Google Analytics are now properly anonymized. This should ensure we are compliant with GDPR regulations.

Today's hotpatch (bd3294e) brings with it these minor changes:

Enhancements

• The self-registration email now contains a sentence describing that you need to use the forgotten password feature to set your password if you don't know it.
• Improved the PIN code registration email text similar to the self-registration email.
• Added more Norwegian nynorsk translations.

Bugfixes

• Re-enabled the ability to use CGI.cookie() template plugin method. It was mistakenly removed when the CGI template plugin was rewritten from scratch.

Today's hotpatch (2aedfdc) brings with it the following changes:

Bugfixes

• In the update deployed on Tuesday, users were automatically removed when the ePortal sent a remove user message. This was not the intended behavior. When a user is removed in the ePortal it should be in quarantine for some time before it is removed. Disabled automatic deletion of users until ePortal sends the correct messages at the correct time. That is, the old behavior we had before the update on Tuesday is reinstated as-is.
• The confirmation message shown when an account is tried deleted is more expressive about what will happen. Hopefully this should cause less confusion.
• Quiz observations were collected, but wasn't mentioned in our privacy policy. This data collection has now been disabled.

In certain situations a user might not be deleted when they asked for it because their home container wasn't properly removed first. This issue should be resolved in this release, 9799ad3.