Blog

Product news and other information from the developers of Portfolio.
  • Fix e-mail and user name conflicts during e-portal login

    Posted by: Robin Smidsrød 24. Nov 2022 09:55

    Today's update (a557bed) brings with it the following changes:

    Enhancements

    • If an email or user name was in conflict with an existing user in Portfolio during e-portal login, it would generate a generic error message and synchronization would be aborted. Now the error message will contain either the user name or email in conflict, making it easier to figure out which user must be modified to fix the conflict.
    • If a user name from e-portal is in conflict with an existing user name in Portfolio, an error during synchronization would occur. With this change a new user name will be generated during login based on the conflicting user's full name.
  • Fixed e-portal login edge case and other bugs

    Posted by: Robin Smidsrød 27. Oct 2022 17:07

    Today's update (ba9f819) brings with it the following changes:

    Security issues

    • Set a limit on how large HTTP uploads are allowed to be, to avoid a potential denial-of-service situation.

    Bugfixes

    • When logging in directly by clicking on a product in e-portal that uses the OIDC-based login method, a session cookie was not generated before redirecting to the e-portal login system. This caused a Portfolio login prompt to be shown when returning from e-portal and trying to synchronize permissions. This issue should now be fixed.
    • Fixed an issue where HTTP uploads larger than 1MB might not work properly.

    Feature removals / deprecations

    • Removed the unused Portfolio::Course->student_progress() method.
  • Bugfix for broken reset password feature

    Posted by: Robin Smidsrød 30. May 2022 16:37

    Today's update (58269faf3) brings with it the following changes:

    Bugfixes

    • The last update caused a regression in the "reset password" feature. If one reset token was requested, another could not be requested before a successful account reset was performed. If this took more than 24 hours to perform, the password reset feature would be completely blocked.
  • Auditing of security events and lots of infrastructure changes

    Posted by: Robin Smidsrød 24. May 2022 17:43

    Today's update (b36b08a) brings with it the following changes:

    Security issues

    • Added audit messages for the following security events:
      • Login success/failure
      • E-portal authentication callback
      • User impersonation
      • User created/modified/deleted
      • User accessed (profile page viewed)
      • Credential modified
      • Credential recovery
      • Group membership modified
      • Institution membership modified
      • Role modified
    • A programming error in the reset_pw request handler made it possible to modify the password of any user without knowing the correct reset token. The fix has been hardened further since the 1 April hotfix.
    • Changed behavior to not remove existing reset tokens when creating a new one. This avoids a potential denial-of-service attack vector in the reset password feature.
    • When logging in as a new user while already logged in, a login failure will now log out the existing session.
    • Upgraded to Perl 5.34.1 to fix security issues in Archive::Tar and Compress::Raw::Zlib.
    • Updated to cpanm 1.7045 to address the issue with CHECKSUMS file validation during CPAN package installation.
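    The reset-token behaviour described above (tokens are verified against the requesting user, existing tokens are not removed when a new one is issued) and the 30 May regression (a new token could not be requested while an older one was outstanding) are illustrated by the following added example. It is not Portfolio's own code: it assumes an in-memory store, a 24-hour token lifetime, and illustrative names (`request_reset`, `token_db`, `outstanding_tokens`); only `reset_pw` is a name taken from these notes.

```perl
# Added example, not Portfolio's own code: a reset-token store in the spirit of
# the 24 May and 30 May notes. Issuing a token never removes the user's earlier
# tokens (the denial-of-service vector), a new request is never refused while an
# older token is outstanding (the regression), and only a matching, unexpired
# token for the same user may change a password.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

use constant TOKEN_TTL => 24 * 60 * 60;   # assumed token lifetime: 24 hours

my %token_db;   # sha256(token) => { user => $name, expires => $epoch }
my %passwords;  # user => password, stand-in for the real credential store

# Issue a reset token; $token is injected so the walk-through is deterministic
# (production code would draw it from a CSPRNG). Existing tokens stay valid.
sub request_reset {
    my ($user, $token, $now) = @_;
    $token_db{ sha256_hex($token) } = { user => $user, expires => $now + TOKEN_TTL };
    return $token;
}

# Handle a reset: the token must exist, belong to $user and be unexpired.
# Returns 1 on success, 0 otherwise. Only the hash of the token is stored.
sub reset_pw {
    my ($user, $token, $new_password, $now) = @_;
    my $key = sha256_hex($token);
    my $rec = $token_db{$key} or return 0;     # unknown token
    return 0 if $rec->{user} ne $user;         # issued to a different user
    delete $token_db{$key};                    # single use, even when expired
    return 0 if $rec->{expires} <= $now;       # expired
    $passwords{$user} = $new_password;
    return 1;
}

sub outstanding_tokens {
    my ($user) = @_;
    return scalar grep { $_->{user} eq $user } values %token_db;
}

# Walk-through: two requests in a row leave both tokens usable, a token issued
# to alice cannot reset bob, a used token cannot be replayed, and an old one expires.
my $t0 = 1_650_000_000;
request_reset('alice', 'tokA', $t0);
request_reset('alice', 'tokB', $t0 + 60);
printf "alice outstanding tokens: %d\n", outstanding_tokens('alice');
printf "bob using alice's token:  %d\n", reset_pw('bob',   'tokA', 'x',   $t0 + 120);
printf "alice using tokA:         %d\n", reset_pw('alice', 'tokA', 'pw1', $t0 + 120);
printf "replaying tokA:           %d\n", reset_pw('alice', 'tokA', 'pw2', $t0 + 130);
printf "tokB after 25 hours:      %d\n", reset_pw('alice', 'tokB', 'pw3', $t0 + 25 * 3600);
```

    Expired records are removed lazily on use here; a real store would also need a periodic sweep so that an attacker cannot grow the table without bound by requesting resets.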

    Performance improvements

    • Started using the new e-portal health check endpoint to determine whether the API is available.

    New features

    • Changed the Nginx web server from FastCGI to plain HTTP when reverse-proxying to the web application server. The web application server now uses the standard PSGI/Plack runtime. Static files can now also be served directly by the web application server.
    • Added test infrastructure to run NATS server and fully validate audit events.

    Enhancements

    • Changed CPAN dependency manager from Pinto to Carton.
    • Now uses upstream versions of perlbrew and cpanm directly, allowing for easier upgrades.
    • Simplified the code to support the explain template function.

    Feature removals / deprecations

    • Removed support for FastCGI protocol for reverse-proxying. We use plain HTTP now, via PSGI.
    • Removed Pinto; all CPAN packages are now installed directly from upstream.
    • Stopped using Module::Build for running test suite.
  • Fixed high severity security issue

    Posted by: Robin Smidsrød 1. Apr 2022 15:04

    Today's hotfix (12964b5) brings with it the following change:

    Security improvements

    • Fixed a high severity issue in the reset_pw request handler.