PEN-test

During the last week of July and first week of August Curriculum has been PEN-tested by a specialised external company.

In total 9 findings where found, all considered minor impact. We decided, based on the fact we strive for optimum security, to immediately implement the relevant improvements and offer them for re-test.

In this release all findings have been fixed, retested and are considered solved by the PEN-tester.

For further details on the issues found and solved, please sent a request to the Service Desk.

‍

Improvements and bug fixes

CONFIGURATION, USABILITY - Extended functionality to manage Person additional fields - CUR-494

Earlier this year we added the option to define custom-fields at person level including a (rudimentary) management function.

This function is redefined and functionally and security wise improved.

• Segregation of duties (security)
  Admin users can add add, edit and expire users. Admin users can only change the basic person information (non-additional fields).
• Configuration support to define the 'edit popup' for users
  Additional person information can be changed by creating an edit workflow with a form page containing the additional fields.
  The edit workflow will be opened when you click on a person in the person report.
• Bonus: keep an audit trail of all changes applied

‍

Configuration

• The workflow must be configured as the edit workflow on the person custom type.
• The role / user needs EDIT_PERSONS right to edit the person additional information.

BUG - Calendar weeks are not created at year roll-over - CUR-891

During the year copy the calendar weeks, that allow to define the weektype (education, exam, ...) were not copied. This has been solved, so the year roll-over will now copy the calendar weeks again.

Recovery in case this already happened:

In case the year roll-over was already executed, there is no automatic recovery option, only a manual option is available. By modifying the start date of the period, save, and then change back to the correct value, the weeks will be generated. In a standard situation the dates has to be changed, so only correcting start and end date to match the first day of period (e.g. first Monday) will perform the change that will cause the regeneration.

‍

USABILITY, CONFIGURATION - Enable display of custom fields on Credits and Capacity on the general information page - CUR-862, CUR-885

The general page now also supports fields defined on capacity and credits. In order to make a field show up on the general page, an administrator should enable 'Display on general' for that field.
Furthermore a change is made that an 'empty' credits value is not shown with the value 0.

‍

USABILITY, CONFIGURATION - New feature: Manage teams on faculty - CUR-685

You can now manage teams by creating a new teams page and adding the page as tab on a faculty. The page displays all teams that belong to the faculty. Users with a EDIT_TEAMS right can add, edit and expire teams. Clicking on a team in the list will open the teams page. Members of a team can be managed on the members tab.

Admin users can still manage teams in administration. Only admin users can change the owner of a team.

‍

WORKLOAD PLANNING, BUG - Education tasks formula changes are effective immediately - CUR-907

A fix has been applied on calculation of educational tasks. In case an educational task formula is changed by an administrator the formula will be effective immediately recalculating the availability of an employee.

‍

IMPROVEMENT - Person availability proces must be able to run for all staff members - CUR-920

The persons shown in the process manager are no longer limited to staff members having a role in the active year, but supports also for all staff members, even without a relation to the active curriculum.

‍

ADMINISTRATION, BUG - Fixed an error when propagating a field 2 years or more in the future- CUR-916

Fixed an issue where editing forms with additional fields with at least one field having "Copy to future years" enabled. This caused an error if there were more than 2 (future) years to propagate values to. This has been fixed and propagating fields beyond 2 years now works correctly again.

‍

BUG - Method report can now handle empty types - CUR-921

Fixed a bug where the method report would show errors on methods with an empty type.

‍

INTEGRATION - OOAPI default mapping of start and enddate of programs is changed - CUR-882

The default mapping for programs sent to RIO, using the OOAPI v5 message format, was using the offering period start and end date. This caused published program to show only the current year as the active lifecycle of the program.

This has been changed, and now the start date of the program is used to display the start of the program and the value of end date (can be empty) will be used to define the end date.

‍

INTEGRATION, BUG - Fixed bug defining memberships sending data to CORE - CUR-906

The determination of memberships to higher hierarchy objects was not correct, e.g sending a module occurrence and determine the relation to a module-group.

This has been fixed so the membership determination is now correct both for sending higher hierarchy objects down to the lower hierarchy objects and vice-versa.

‍

INTEGRATION - Added option to compress API JSON message - CUR-875

An option is added to compress JSON message during transit, limiting the required band-with.
The configuration is a server configuration and can be requested by sending a request to the Service Desk.

‍

INTEGRATION - Group endpoint supports UID as id - CUR-904

The canonical Group endpoint also supports lookup based on UID as an extension to the already supported external ID and code.

‍

Security improvements

SECURITY - Implemented OWASP fixes
Addressed the OWASP security vulnerabilities:

• CVE-2024-38809
• CVE-2024-38810

Detailed information can be found at the central database of vulnerabilities.

‍

For more guidance on configuration and setup of Curriculum, use the relevant Curriculum manual.