In certain situations a user might not be deleted when they asked for it because their home container wasn't properly removed first. This issue should be resolved in this release, 9799ad3.

Today's update (94c74a7) brings with it the following changes:

Security issues

• It was possible to change a user's password without their consent by sending specially crafted HTML which would be activated automatically using a CSRF/XSS attack when the user reads the message.
  • This vulnerability was fixed by asking for the user's existing password before setting a new password or changing their email address.
  • Users with access to the impersonate feature (special support staff) are allowed to change another user's email address without needing to enter the user's password.

Performance improvements

• The list_quota request handler now only shows the first 1000 users ordered by used storage size. This should ensure it never times out.

New features

• It is now possible to delete your user account. Only global administrators are allowed to delete accounts other than their own. If an account that owns course content (or other content outside their home folder) is deleted, that content is transferred to the orphan user. All remaining objects and containers, object quiz assignments, scores and account activity are deleted. It is not possible to login as this orphan user.
• Added privacy policy link to standard footer template. When logged in, the link is moved to the top help menu. The link is only shown if the configuration variable privacy_policy contains an object identifer.

Enhancements

• When an ePortal push message with the remove user action is received, the user is now permanently removed in Portfolio. If the user is a global administrator or has institutions associated with it the user is not deleted, only institution and course relationships are removed.
• All links in the standard footer now uses HTTPS and have been updated. The HTML markup has also been improved.

Bugfixes

• Fixed some CSS bugs in the standard stylesheet. Should have no user impact.
• Added a wrapper class for the template plugin CGI. Only the param() method is implemented, allowing for template code to easily use query string parameters.
• When users register themselves using the selfreg request handler, the group they're registered into is now properly logged.

Feature removals / deprecations

• The course progress limit feature was never used. It has now been removed.
• The event log action account_delete was removed. It didn't contain any usable metadata. All event log entries with this action have been removed.
• The event log column container_id was never used. It has now been removed.
• The object attributes cost and copyright wasn't used anywhere. They have now been removed.

Today's update (3648106) brings with it the following changes:

Security issues

• Passwords are now hashed with the Bcrypt algorithm. If you need to recover your password this is now done by sending a time-limited password reset link by email.
• The forgotten password form is now protected by a honeypot security feature that should stop most spambots. This should reduce the possibility that the form is used in a DDoS amplification attack against a third party.

Performance improvements

• Search features should now be much faster, as they use trigram database indexes. Searches for containers, objects, courses, institutions, users and mailbox messages should be significantly faster. The user search feature supports substring matching again, making it easier to search for partial user names.

New features

• When the sound recorder is used an event is sent to our metrics aggregation service (InfluxDB). This enables us to measure sound recorder usage on different platforms and browsers.
• Ownership of any container or object can now be transferred to a predefined user by global administrators. This should make it possible to clean up ownership on all of our existing course content. When an administrator use the feature a status message is sent to them when the job is completed.
• Select support staff can now impersonate another user. When this feature is used it is logged in a way that can't be removed by support staff. The feature was added to make it easier for support staff to help end-users without needing to know their password.

Enhancements

• Modernized HTTP/CGI request parsing. This moves us one step closer to not being dependent on the FastCGI protocol for communication between our web workers and the reverse proxy. Should have no end-user impact.
• Google Chrome Headless is now used instead of unmaintained PhantomJS to perform browser-based testing.

Bugfixes

• Successive empty URL path parameters are now normalized away.

Feature removals / deprecations

• Completely removed PhantomJS support code.
• Removed various database columns, indexes and sequences related to local file storage that are no longer in use.

Today's update (6ac882b) fixes a timeout issue with the contact manager.

Be aware that members of self registration groups you are a member of are no longer listed in the contact manager.

Today's update (a8632bd) brings with it the following changes:

Performance improvements

• The database system has been updated to PostgreSQL 10. This should give numerous performance improvements.
• Persistent database connections feature has been implemented. This should lower load on the database system during high-traffic situations.
• Certain features that would require database locking, like updating user's last activity timestamp and object last read timestamp is now done in a single atomic database call, getting rid potential race conditions and locking issues.
• Improved performance when listing contents of inbox/outbox.

New features

• The CodeMirror and TinyMCE editors now have a word counter.
• It's now possible to edit metadata for all containers and objects in a container in a simple user-interface. You can access this feature in the Edit menu when viewing a container. You can use Ctrl-Up/Down/Home/End to more quickly navigate the input fields in the table.

Enhancements

• When adding users to institutions using the table or text user interface, our standard CSV parser is now used.
• It is now possible to not inform the supervisor when an assignment is delivered. You can enable this feature by setting the custom_init variable dont_inform_supervisor=1 on the hand-in object.
• Exception handling has been completely reimplemented, which should give more sane error handling.
• Some database queries have been moved out into external files to make it easier to develop them further. Some of them now use newer PostgreSQL 10 features.