Blog

Product news and other information from the developers of Portfolio.
  • Remove inactive users feature and more GDPR privacy improvements

    Posted by: Robin Smidsrød 26. Jun 2018 17:02

    Today's update (bc6c820) brings with it the following changes:

    Security issues

    • Removed debugging code which accidentally revealed a secret key for interaction between Portfolio and e-Portal in server logs.

    Performance improvements

    • Added ability to better inspect database performance.

    New features

    • User accounts which have been inactive for a long time are now automatically deleted.
      • Users that have never logged in are removed after 1 month.
      • Users that have logged in, but never created any content, are removed after 6 months.
      • Users that have logged in and created content are removed after 26 months.
      • Users that have content will be notified 14 days before they are removed. If they log in again within those 14 days they will not be removed.
      • Users with content that have an auto-generated e-Portal or empty email address will not be notified, but they will be automatically removed after 26 months and 14 days.
      • The job that notifies users about deletion will notify 400 new users every hour instead of all inactive users at once. This is to avoid overloading email systems and accidentally putting our servers on spam blacklists. This should ensure all users are notified in approx. 3 weeks.
      • The job that performs the deletions will not be activated until August 15th. This is to prevent teachers and students who are on summer holiday from being accidentally removed while they're not checking their email.

    Enhancements

    • IP addresses gathered by Google Analytics are now properly anonymized. This should ensure we are compliant with GDPR regulations.
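
The retention rules listed under "New features" above can be expressed as a single decision function. This is an added example, not Portfolio's own code: the field names, the 30-day month, the year 2018 for the August 15th start date, and the reading that users with content are notified at 26 months and removed 14 days later are all assumptions.

```python
from datetime import datetime, timedelta

MONTH = timedelta(days=30)               # assumption: one month counted as 30 days
GRACE = timedelta(days=14)               # notice period from the post
NOTIFY_BATCH = 400                       # new notifications per hourly run
DELETIONS_START = datetime(2018, 8, 15)  # deletion job inactive before this date

def user(uid, created, last_login=None, has_content=False,
         email="user@example.org", email_autogenerated=False, notified_at=None):
    """Build a constructed sample account record (field names are hypothetical)."""
    return dict(id=uid, created=created, last_login=last_login,
                has_content=has_content, email=email,
                email_autogenerated=email_autogenerated, notified_at=notified_at)

def decide(u, now):
    """Return 'keep', 'notify' or 'delete' for one account."""
    if u["last_login"] is None:                      # never logged in
        return "delete" if now - u["created"] >= 1 * MONTH else "keep"
    idle = now - u["last_login"]
    if not u["has_content"]:                         # logged in, no content
        return "delete" if idle >= 6 * MONTH else "keep"
    if idle < 26 * MONTH:                            # a fresh login lands here
        return "keep"
    if not u["email"] or u["email_autogenerated"]:   # cannot be notified
        return "delete" if idle >= 26 * MONTH + GRACE else "keep"
    # A notice sent before the most recent login is stale and must be re-sent.
    if u["notified_at"] is None or u["notified_at"] < u["last_login"]:
        return "notify"
    return "delete" if now - u["notified_at"] >= GRACE else "keep"

def hourly_run(users, now):
    """Plan one hourly run: capped notifications, deletions gated by start date."""
    plan = {"notify": [], "delete": []}
    for u in users:
        action = decide(u, now)
        if action == "notify" and len(plan["notify"]) < NOTIFY_BATCH:
            plan["notify"].append(u["id"])
        elif action == "delete" and now >= DELETIONS_START:
            plan["delete"].append(u["id"])
    return plan
```

Users left over when the notification cap is reached stay in the "notify" state and are picked up by a later run.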
  • Template cookie access and improved email templates

    Posted by: Robin Smidsrød 12. Jun 2018 11:36

    Today's hotpatch (bd3294e) brings with it these minor changes:

    Enhancements

    • The self-registration email now contains a sentence describing that you need to use the forgotten password feature to set your password if you don't know it.
    • Improved the PIN code registration email text in the same way as the self-registration email.
    • Added more Norwegian nynorsk translations.

    Bugfixes

    • Re-enabled the ability to use CGI.cookie() template plugin method. It was mistakenly removed when the CGI template plugin was rewritten from scratch.
  • Users are not deleted when ePortal message is received

    Posted by: Robin Smidsrød 7. Jun 2018 12:07

    Today's hotpatch (2aedfdc) brings with it the following changes:

    Bugfixes

    • In the update deployed on Tuesday, users were automatically removed when the ePortal sent a remove user message. This was not the intended behavior. When a user is removed in the ePortal it should be in quarantine for some time before it is removed. Disabled automatic deletion of users until ePortal sends the correct messages at the correct time. That is, the old behavior we had before the update on Tuesday is reinstated as-is.
    • The confirmation message shown when a user tries to delete an account is more expressive about what will happen. Hopefully this should cause less confusion.
    • Quiz observations were collected, but weren't mentioned in our privacy policy. This data collection has now been disabled.
  • Minor bugfix fixing user deletion issue

    Posted by: Robin Smidsrød 6. Jun 2018 16:02
    In certain situations a user might not be deleted when they asked for it because their home container wasn't properly removed first. This issue should be resolved in this release, 9799ad3.
  • Security fix, ability to delete user account and more

    Posted by: Robin Smidsrød 5. Jun 2018 18:06

    Today's update (94c74a7) brings with it the following changes:

    Security issues

    • It was possible to change a user's password without their consent by sending specially crafted HTML which would be activated automatically using a CSRF/XSS attack when the user reads the message.
      • This vulnerability was fixed by asking for the user's existing password before setting a new password or changing their email address.
      • Users with access to the impersonate feature (special support staff) are allowed to change another user's email address without needing to enter the user's password.

    Performance improvements

    • The list_quota request handler now only shows the first 1000 users ordered by used storage size. This should ensure it never times out.

    New features

    • It is now possible to delete your user account. Only global administrators are allowed to delete accounts other than their own. If an account that owns course content (or other content outside their home folder) is deleted, that content is transferred to the orphan user. All remaining objects and containers, object quiz assignments, scores and account activity are deleted. It is not possible to login as this orphan user.
    • Added privacy policy link to standard footer template. When logged in, the link is moved to the top help menu. The link is only shown if the configuration variable privacy_policy contains an object identifier.

    Enhancements

    • When an ePortal push message with the remove user action is received, the user is now permanently removed in Portfolio. If the user is a global administrator or has institutions associated with it the user is not deleted, only institution and course relationships are removed.
    • All links in the standard footer now use HTTPS and have been updated. The HTML markup has also been improved.

    Bugfixes

    • Fixed some CSS bugs in the standard stylesheet. Should have no user impact.
    • Added a wrapper class for the template plugin CGI. Only the param() method is implemented, allowing for template code to easily use query string parameters.
    • When users register themselves using the selfreg request handler, the group they're registered into is now properly logged.

    Feature removals / deprecations

    • The course progress limit feature was never used. It has now been removed.
    • The event log action account_delete was removed. It didn't contain any usable metadata. All event log entries with this action have been removed.
    • The event log column container_id was never used. It has now been removed.
    • The object attributes cost and copyright weren't used anywhere. They have now been removed.
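
The password-change fix described under "Security issues" in this post comes down to re-authenticating before any credential change, so a request forged from inside the victim's session fails because it cannot supply the current password. The sketch below is an added example, not Portfolio's own code: the record fields, function names and PBKDF2 parameters are assumptions, and the support-staff exception is limited to email changes on another user's account, as the post words it.

```python
import hashlib
import hmac
import os

def hash_password(password, salt=None):
    """Derive a salted PBKDF2 digest (parameters are illustrative)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def new_account(uid, password, email):
    """Build a constructed sample account record (field names are hypothetical)."""
    salt, digest = hash_password(password)
    return {"id": uid, "email": email, "salt": salt, "digest": digest}

def verify_password(account, candidate):
    """Constant-time check of a candidate password against the stored digest."""
    if candidate is None:
        return False
    _, digest = hash_password(candidate, account["salt"])
    return hmac.compare_digest(digest, account["digest"])

def change_credentials(account, actor, *, current_password=None,
                       new_password=None, new_email=None):
    """Change password and/or email only after re-authentication."""
    if new_password is None and new_email is None:
        raise ValueError("nothing to change")
    reauthenticated = verify_password(account, current_password)
    # Exception from the post: staff with the impersonate feature may change
    # another user's email address without that user's password.
    support_exception = (actor["can_impersonate"]
                         and actor["id"] != account["id"]
                         and new_password is None)
    if not (reauthenticated or support_exception):
        raise PermissionError("current password required")
    if new_email is not None:
        account["email"] = new_email
    if new_password is not None:
        account["salt"], account["digest"] = hash_password(new_password)
    return account
```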