Product news and other information from the developers of Portfolio.
Showing 1 - 5 of 140
Fix e-mail and user name conflicts during e-portal login
Today's update (a557bed) brings with it the following changes:
- If an email or user name was in conflict with an existing user in Portfolio
during e-portal login, it would generate a generic error message and
synchronization would be aborted. Now the error message will contain either
the user name or email in conflict, making it easier to figure out which
user must be modified to fix the conflict.
- If a user name from e-portal is in conflict with an existing user name in
Portfolio, an error during synchronization would occur. With this change
a new user name will be generated during login based on the conflicting
user's full name.
Fixed e-portal login edge case and other bugs
Today's update (ba9f819) brings with it the following changes:
- Set a limit on how large HTTP uploads are allowed to be, to avoid a potential denial-of-service situation.
- When logging in directly by clicking on a product in e-portal that uses
the OIDC-based login method, a session cookie was not generated before
redirecting to e-portal login system. This caused a Portfolio login prompt
to be shown when returning from e-portal and trying to synchronize
permissions. This issue should now be fixed.
- Fixed issue where HTTP uploads larger than 1MB might not work properly.
Feature removals / deprecations
- Removed unused Portfolio::Course->student_progress() method.
Bugfix for broken reset password feature
Today's update (58269faf3) brings with it the following changes:
- The last update caused a regression in the "reset password" feature. If one
reset token was requested, another could not be requested before a
successful account reset was performed. If this took more than 24 hours to
perform, the password reset feature would be completely blocked.
Auditing of security events and lots of infrastructure changes
Today's update (b36b08a) brings with it the following changes:
- Added audit messages for the following security events:
- Login success/failure
- E-portal authentication callback
- User impersonation
- User created/modified/deleted
- User accessed (profile page viewed)
- Credential modified
- Credential recovery
- Group membership modified
- Institution membership modified
- Role modified
- A programming error in the
reset_pw request handler made it possible to modify the password of any user without knowning the correct reset token. This issue has been improved further since the hotfix.
- Changed behavior to not remove existing reset tokens when creating a new one. This avoids a potential denial-of-service attack vector in the reset password feature.
- When logging in as a new user while already logged in, a login failure will now log out the existing session.
- Upgraded to Perl 5.34.1 to fix security issues in
- Updated to
cpanm 1.7045 to address the issue with
CHECKSUMS file validation
during CPAN package installation.
- Started using the new e-portal health check endpoint to determine if API is available.
- Changed Nginx web server from FastCGI to HTTP protocol for reverse-proxying to web application server. The web application server now uses standard PSGI/Plack runtime. Static file serving is now also supported directly in the web application server.
- Added test infrastructure to run NATS server and fully validate audit events.
- Changed CPAN dependency manager from Pinto to Carton.
- Now uses upstream versions of
cpanm directly, allowing for easier upgrades.
- Simplified the code to support the
explain template function.
Feature removals / deprecations
- Removed support for FastCGI protocol for reverse-proxying. We use plain HTTP now, via PSGI.
- Removed Pinto and all CPAN packages directly from upstream.
- Stopped using
Module::Build for running test suite.
Fixed high severity security issue
Today's hotfix (12964b5) brings with it the following change:
- Fixed a high severity issue in the reset_pw request handler.
Showing 1-5 of 140