Today's update (7601a42) brings with it the following changes:

Security issues

• A new template function called explain() was added, used to dump the contents of variables used in templates with proper color and indentation. The use of Dumper.dump() caused sensitive data to be made available. The old Dumper.dump() method will still work, but restricted attribute values will be trimmed, just like explain() does.

Performance improvements

• All HTTP request handlers and backend cron jobs now has a timeout value. The default timeout for a request handlers is now 2 minutes. The developer resource that lists request handlers now also includes information about the timeout for each handler. This should ensure that runaway processes no longer cause worker process resource starvation.
• When PORTFOLIO.create_search_form() is executed, it will no longer perform the XmlHttpRequest call if the DOM element it should be rendered into is not present.

New features

• It's now possible to compile SASS stylesheets into CSS on the fly. A new menu item for creating a SASS stylesheet has been added. Text files with the extension .sass or .scss will be detected as SASS/SCSS stylesheets during upload. The libsass C++ engine is used for the compilation. @import statements are supported, and resolve relative to the object that is being rendered. The prefix _ and the extension (.sass/.scss) is automatically appended if not specified to support the same behavior as the Ruby implementation.
• The resolve_path() template function is finally available. It works just like the resolve_path request handler, and must start with a container identifier. They both just verify permission on the final object/container in the path, just like before.
• The current_site template function can now be used. Some of the other site_XXX template variables are now redundant. Using current_site.container_data.resolve_path("path/to/file") is a good way of getting access to content below the site root without resorting to hard-coded container identifiers.
• It's now possible to start and stop timers during template rendering. This allows more detailed timing information about page rendering to be displayed as an HTML comment at the end of the page if the enable_timing_report configuration variable is set. The report will also include how much time is spent in each template function, each template and the total time spent on generating the HTML.

Enhancements

• Added new parameter render_mode to the embed() template function. You can set the value to either inline, raw or the default empty value. Inline mode will render the JavaScript and CSS inside the HTML instead of linking to external file (which is the default). Using the raw response mode is practical if you want to use a page object to bundle all CSS or JavaScript into a single HTTP request.
• When a stylesheet is viewed directly instead of embedded, the actual CSS text is now rendered, so it is easier to know what you're working with.
• Stylesheet objects are no longer forced to text/css mimetype regardless of which mimetype was set. It is now only used as a default.
• The e-portal single-sign-on and push message handling now use the standard timeout feature, giving more consistency.
• Improved code layout in read request handler, enabling proper filename when downloading content in more situations.
• The generic error pages which are shown when the application doesn't respond properly have been improved. The language should be more user-friendly.

Bugfixes

• Fix an internal server error when trying to upload a zero-length file. Now it shows the correct error message.
• An unhandled exception when generating thumbnails is now handled, returning a proper error message instead.
• Browsers have changed behavior with how they handle strong ETag cache validation tokens. Browsers now return a weak validator token even though we send a strong one. Ignore the weak ETag classifier so HTTP 304 NOT MODIFIED responses are generated when they should.
• The word occured was consistently mistyped. Now it has been changed to the correct occurred in all strings.

Feature removals / deprecations

• The page_timer template function no longer returns the timer value for the entire page. It now returns a timer instance you can use to start, stop and report timing information. This changes the API, so documentation has been updated to match the new behavior.
• The request.filename local template variable was not used anywhere and was removed.

Today's hotpatch (5806a47) fixes the following regressions:

Bugfixes

• The MP3 audio player was eating DOM elements, causing lots of different kinds of errors. This should now be fixed.

Today's hotpatch (08fd291) has the following changes:

Enhancements

• It's now possible to send links to objects you don't have access to, making it possible for teachers to easily send a link to a student asking them for permissions.

Bugfixes

• The recipient in the To column in the outbox was not shown. The sender's name was shown instead. This has now been fixed.
• It was previously possible to iterate through containers forever by specifying an ever-increasing list_start value to the read_container request handler. This should now emit an error.

Today's hotpatch (3e3544b) brings with it the following changes:

Performance improvements

• The poor performance of the My students report since last update has been fixed. It should now render in less than a second for most users.
• The My contacts sidebar should render somewhat faster.

Today's update (1234623) brings with it the following changes:

Security issues

• All request handlers that support search queries now need a minimum of three characters to be valid. The search syntax is now consistently validated before it is passed on to the database.

Performance improvements

• The My students report has been improved. It should now render faster.
• The group members report has been optimized quite a lot and should no longer cause timeouts for groups with excessively large member count. If more than 100 table rows are shown then icons are skipped to improve speed. If more than a 1000 users are shown then they are not collectable.
• The inbox/outbox should now be much more performant. The local template variables are also much more consistent. The HTTP API has been slightly changed (related to pagination).
• Automatically-generated messages older than a year will now be automatically deleted.

Enhancements

• The Course result report now shows the total time used in the course.
• The continous summary table in Page views report has been hidden behind the enable_page_views_live_report user configuration variable. It is off by default.
• The synthetic speech client now allow text and text selections in iframes to be read. The code has also been improved so it doesn't try to read JavaScript code out loud. Be aware that content in cross-origin frames or non-HTTPS frames will not be read from an HTTPS-enabled page. The starting DOM element can also be specified in the init method.
• The MP3 audio player can now be configured to place the label, slider and buttons in whatever order you want it. The currently-playing audio player is now targetable with a CSS class.
• Global and system groups are now shown in the user profile, if the user is a member of them.
• The following request handlers now support ignorable path parameters before the UUID: read, read_container, data, download

Feature removals / deprecations

• The java-settings and flash-settings object types were removed. Existing objects have been changed to type app-input.
• The java-data and flash-data object types were removed. Existing objects have been changed to type app-output.