Moodle 4.1.2
Release date: 13 March 2023
Here is the full list of fixed issues in 4.1.2.
General fixes and improvements
- MDL-69690 - Require Assessment Grade for Workshop Activity Completion Blocked
- MDL-66221 - Deleted activities cannot be restored from recycle bin when backup_auto_activities setting is disabled
- MDL-70586 - Feedback: the preview icon shouldn't be displayed for students
- MDL-74756 - Previous activity with completion not working if activity completion is disabled
- MDL-76525 - mod_data: Missing validation of image width and height
- MDL-76947 - Dropdown menus are narrower and unnecessarily wrap
- MDL-73847 - LTI 1.3: Keyset fetch does not use the HTTP proxy
- MDL-75719 - Wrong completion status for hidden grade items
- MDL-77003 - Template string helper does not render complex language strings
- MDL-58945 - Showing rendered question text can break JS: disable filtering on quiz edit page and make optional in the question bank
- MDL-74905 - Decide Moodle 4.2 requirements and push them to environment.xml (due date: 2022-12-26)
- MDL-74698 - Course backups from versions earlier than 3.11.7 lose format options on restore
- MDL-77014 - Single activity course format should support multilang course titles
- MDL-75012 - Bump nodejs from lts/gallium to stable (>=v18.x.x, now lts/hydrogen)
- MDL-77140 - LTI Custom Parameter not set from Content-Item Message
- MDL-77230 - The preview of questions for feedback is still possible via WebServices
- MDL-76620 - BigBlueButton external guests not possible when "forcelogin" setting is turned on
- MDL-77322 - Authenticate token requests via HTTP headers cannot be turned off
- MDL-76314 - Add missing form validation when combining single discussion and separate group
- MDL-77057 - Module override forms are not correctly formatting group names
- MDL-77210 - Quiz 'Try another question like this one' breaks regrading
- MDL-76904 - Question bank: Question highlight is missing after we go back and forth between pages
- MDL-76298 - Drag drop questions don't validate that drop zones have been defined (causing division by zero errors in the statistics)
- MDL-77241 - Javascript console errors opening section/activity menus when editing course
- MDL-77290 - Editing audio/video elements in TinyMCE produce a new element
- MDL-76791 - Cache: Locking does not work when store supports multiple identifiers
- MDL-76878 - Prohibiting editownprofile capability breaks functionality of blocks/content bank
- MDL-63608 - Access order when manually grading quizzes
- MDL-76948 - Description of submission_unlocked event says "locked" instead of "unlocked"
- MDL-76066 - Deleting a field when applying a preset doesn't raise 'field deleted' event
- MDL-76602 - Cannot add LTI 1.3 LTI service without modifying locallib
- MDL-77024 - Quiz editing log events have the wrong edulevel
- MDL-76967 - Question bank question last used column line height
- MDL-77018 - Error loading question bank statistics if the context no longer exists
- MDL-76447 - Tiny editor menu doesn't follow editor when scrolling the page on Boost theme
- MDL-77365 - Inaccurate word count
Accessibility improvements
- MDL-76672 - block_myoverview: aria-label attribute is not well supported on a div without role attribute
- MDL-77052 - block_recentlyaccesseditems: Element with role="list" must have children with role="listitem"
- MDL-76569 - When you set a table heading in TinyMCE it does not present as bold text like Atto does
- MDL-76825 - Accessibility issues reported by Axe in TinyMCE media plugin
- MDL-77318 - core / user_menu: aria-label attribute is not well supported on a div without role attribute
- MDL-76313 - improve accessibility on subscribers page
- MDL-76562 - Atto removed the justify text button. TinyMCE should too to aid accessibility
Security improvements
- MDL-76478 - Browsers auto-completing the user's password into inappropriate password unmask form fields
- MDL-76370 - Public / private paths security report is inaccurate when using HTTP proxy
- MDL-75454 - sesskey included in URL in cache administration adding and editing stores
Security fixes
- MSA-23-0004 - Authenticated SQL injection via availability check
- MSA-23-0005 - Authenticated arbitrary file read through malformed backup file
- MSA-23-0006 - XSS risk when outputting database activity filter data
- MSA-23-0007 - Algebra filter XSS when filter is misconfigured
- MSA-23-0008 - Pix helper potential Mustache code injection risk
- MSA-23-0009 - Users' name enumeration possible via IDOR on learning plans page
- MSA-23-0010 - CSRF risk in resetting all templates of a database activity
- MSA-23-0011 - Teacher can access names of users they do not have permission to access
- MSA-23-0012 - Course participation report shows roles the user should not see
- MSA-23-0013 - XSS risk in TinyMCE alerts (upstream)