Skip to main content

Moodle 4.1.2

Unsupported Moodle Version
This version of Moodle is no longer supported for general bug fixes.
You are encouraged to upgrade to a supported version of Moodle.

Release date: 13 March 2023

Here is the full list of fixed issues in 4.1.2.

General fixes and improvements

  • MDL-69690 - Require Assessment Grade for Workshop Activity Completion Blocked
  • MDL-66221 - Deleted activities cannot be restored from recycle bin when backup_auto_activities setting is disabled
  • MDL-70586 - Feedback: the preview icon shouldn't be displayed for students
  • MDL-74756 - Previous activity with completion not working if activity completion is disabled
  • MDL-76525 - mod_data: Missing validation of image width and height
  • MDL-76947 - Dropdown menus are narrower and unnecessarily wrap
  • MDL-73847 - LTI 1.3: Keyset fetch does not use the HTTP proxy
  • MDL-75719 - Wrong completion status for hidden grade items
  • MDL-77003 - Template string helper does not render complex language strings
  • MDL-58945 - Showing rendered question text can break JS: disable filtering on quiz edit page and make optional in the question bank
  • MDL-74905 - Decide Moodle 4.2 requirements and push them to environment.xml (due date: 2022-12-26)
  • MDL-74698 - Course backups from versions earlier than 3.11.7 lose format options on restore
  • MDL-77014 - Single activity course format should support multilang course titles
  • MDL-75012 - Bump nodejs from lts/gallium to stable (>=v18.x.x, now lts/hydrogen)
  • MDL-77140 - LTI Custom Parameter not set from Content-Item Message
  • MDL-77230 - The preview of questions for feedback is still possible via WebServices
  • MDL-76620 - BigBlueButton external guests not possible when "forcelogin" setting is turned on
  • MDL-77322 - Authenticate token requests via HTTP headers cannot be turned off
  • MDL-76314 - Add missing form validation when combining single discussion and separate group
  • MDL-77057 - Module override forms are not correctly formatting group names
  • MDL-77210 - Quiz 'Try another question like this one' breaks regrading
  • MDL-76904 - Question bank: Question highlight is missing after we go back and forth between pages
  • MDL-76298 - Drag drop questions don't validate that drop zones have been defined (causing division by zero errors in the statistics)
  • MDL-77241 - Javascript console errors opening section/activity menus when editing course
  • MDL-77290 - Editing audio/video elements in TinyMCE produce a new element
  • MDL-76791 - Cache: Locking does not work when store supports multiple identifiers
  • MDL-76878 - Prohibiting editownprofile capability breaks functionality of blocks/content bank
  • MDL-63608 - Access order when manually grading quizzes
  • MDL-76948 - Description of submission_unlocked event says "locked" instead of "unlocked"
  • MDL-76066 - Deleting a field when applying a preset doesn't raise 'field deleted' event
  • MDL-76602 - Cannot add LTI 1.3 LTI service without modifying locallib
  • MDL-77024 - Quiz editing log events have the wrong edulevel
  • MDL-76967 - Question bank question last used column line height
  • MDL-77018 - Error loading question bank statistics if the context no longer exists
  • MDL-76447 - Tiny editor menu doesn't follow editor when scrolling the page on Boost theme
  • MDL-77365 - Inaccurate word count

Accessibility improvements

  • MDL-76672 - block_myoverview: aria-label attribute is not well supported on a div without role attribute
  • MDL-77052 - block_recentlyaccesseditems: Element with role="list" must have children with role="listitem"
  • MDL-76569 - When you set a table heading in TinyMCE it does not present as bold text like Atto does
  • MDL-76825 - Accessibility issues reported by Axe in TinyMCE media plugin
  • MDL-77318 - core / user_menu: aria-label attribute is not well supported on a div without role attribute
  • MDL-76313 - improve accessibility on subscribers page
  • MDL-76562 - Atto removed the justify text button. TinyMCE should too to aid accessibility

Security improvements

  • MDL-76478 - Browsers auto-completing the user's password into inappropriate password unmask form fields
  • MDL-76370 - Public / private paths security report is inaccurate when using HTTP proxy
  • MDL-75454 - sesskey included in URL in cache administration adding and editing stores

Security fixes

  • MSA-23-0004 - Authenticated SQL injection via availability check
  • MSA-23-0005 - Authenticated arbitrary file read through malformed backup file
  • MSA-23-0006 - XSS risk when outputting database activity filter data
  • MSA-23-0007 - Algebra filter XSS when filter is misconfigured
  • MSA-23-0008 - Pix helper potential Mustache code injection risk
  • MSA-23-0009 - Users' name enumeration possible via IDOR on learning plans page
  • MSA-23-0010 - CSRF risk in resetting all templates of a database activity
  • MSA-23-0011 - Teacher can access names of users they do not have permission to access
  • MSA-23-0012 - Course participation report shows roles the user should not see
  • MSA-23-0013 - XSS risk in TinyMCE alerts (upstream)