Today's hotfix (12964b5) brings with it the following change:

Security improvements

• Fixed a high severity issue in the reset_pw request handler.

Today's update (472a4b4) brings with it the following changes:

Performance improvements

• Stop robots/spiders from trying to index login/logout links.

New features

• Added plaintext dependency and cross-reference parser, enabling extensive analysis of authored content and making it easier to understand how content is dependent on each other. Also indexes content for template and JavaScript function usage, so it is easier to figure out if deprecated features are in use or not.
• The referenced identifiers, template functions and JavaScript functions are now possible to view in the object editor. This should simplify finding content in complex documents. It should also make it very easy to find broken internal links.
• Added identifier references tab to object and container editor.

Enhancements

• The user course progress report now shows number of read objects instead of course element index reached. The percent is also calculated based on read objects, making it more in line with actual course progress. The index reached is now shown on the object tooltip.
• Extensive layout/behavior cleanup in object/container editor.
  • Moved container additional fields from main tab over to advanced tab.
  • Added a container metadata tab and moved LOM field over to it.
  • Added LOM generator button to container editor

Bugfixes

• Fixed an issue where student/supervisor relationships are not properly removed when a member is removed from an institution.
• Fixed issue where non-ASCII characters in user name would cause the student or supervisor to not show up in relationship lists.
• Fixed issue with object comment content overflowing when TTS HTML content is copied into the comment editor.
• Now reports proper error message when configuration variable is deleted, but name of variable is not specified.

Feature removals / deprecations

• Removed all workarounds and special features targeting the legacy Internet Explorer (MSIE) browser.
• Removed all features that requires web browser plugins. They are no longer supported by modern browsers.
• The following features have been removed:
  • Java applets and Java client-side apps
  • Flash video and Flash client-side apps and applications
  • Windows Media Player video/audio playback
  • Realplayer video playback
  • QuickTime video playback
  • ListenUp Java-based voice recorder
  • Web-based spreadsheet editing (using Java applet)
  • Spreadsheet object type (now uses binary)
  • Stylesheet workarounds for MSIE
  • Removed jQuery 1.11.2, which was needed by MSIE
  • Removed Content-Disposition HTTP header workarounds for MSIE
• SVG images are now always rendered as inline HTML5.
• Self-registration feature has been removed. If you need to register for access to a site, use the self-registration feature in e-portal instead.
• Removed the CEFR / placement-test feature completely because it has some GDPR compliance issues.
• Also removed the csv request handler which was only used for sending CEFR email reports.
• The PIN-code self-registration feature has been completely removed. Registration using PIN-code or other automated registration is now handled by e-portal.
• The feature to store quiz observations has been removed, as it is no longer in use.
• The interactive chat feature that was developed for CampusOnline has been removed, as it was not used by anyone.
• The Skype appointment/calendar feature implemented for CampusOnline has been removed as it is no longer used.
• Removed unused Heap Analytics tracking implementation and AddThis social media integration.
• Removed the deprecated description_alias kludge for Internet Explorer. Now the DOM element is just named description, as it always should've been named.
• Removed various unused DOM identifiers and styling in object/container editor.

Today's update (568f91c) brings with it the following changes:

Bugfixes

• Fixed issue related to e-portal external identifier during e-portal OIDC login.

Today's update (29bf398) brings with it the following changes:

Security issues

• Secure application better against XML-based attack vectors.
• Explicitly use Samesite=Lax cookie policy on insecure cookies.

New features

• Added login and authorization feature against e-portal, based on OpenID Connect workflow. Disabled until e-portal is fully configured.
• Added Log in using e-portal-button to standard right hand side menu. Disabled until e-portal is fully configured.
• Added eportal template function, giving access to issuer, API and logout URLs, making it possible to use these variables in templates.
• User details, institution memberships, groups, roles, course access and student/supervisor relationships are automatically provisioned when logging in using e-portal.
• User identity token (claims collection) from e-portal is verified by signature using JWT semantics. Reduces attack surface. Verification only allows RSA, ECC and Ed algorithms. Decoded identity claims are available in a session variable for use by templates.
• During login using e-portal, the user is redirected to a common Portfolio site before being redirected back to the original site. This is normal and part of the e-portal login process.
• Users without any email registered in e-portal will get an auto-generated email address associated with their Portfolio account.
• If no username has been defined in e-portal, existing users will keep their existing Portfolio username when they login using e-portal.
• If an institution with no owner is imported using e-portal, the owner is set to the orphan user.
• Information from e-portal is cached for a short while to decrease load on e-portal API during login.
• When logging out a session authenticated using e-portal, e-portal session is also logged out.

Enhancements

• Set HTTP user-agent so that when Portfolio is operating as an HTTP client, it can be more easily identified in remote systems.
• Use contact manager UI for adding user in event log report.

Bugfixes

• Logout and redirect to front page when deleting your own account, to avoid a weird login issue.
• Changed the logout request handler to be available to anonymous, so that when you explicitly try to logout when your session is already expired, it doesn't show a login prompt followed by an immediate logout.
• Fixed issue with negative time intervals in time usage reports causing skewed reports.
• Fixed grammar inconsistency with regards to the phrase "login/logout" being used as a verb, when it should be phrased as "log in/log out".
• Ensure consistent phrasing of the word e-portal.

Today's hotpatch update (91deaac) brings with it the following changes:

Bugfixes

• Fixed issue with removing existing recipient when forwarding message.

Documentation

• Added or cleaned up reference documentation for the following modules: Portfolio::Context::Request, Portfolio::PlacementTest::CSVParser, Portfolio::Variable, placement_test(t)