Jiglu 11.3 release notes

For end users

Email address management

  • If you add a new alternative email address then you will now need to confirm you can receive email at that address before it will be accepted. When you add a new address you will be sent a confirmation email that you can action either by replying or by following a link in the message.
  • If your email has been deactivated because messages to you could not be successfully delivered then when you log on you will be given an alert directing you to a new page to help you reactivate. There you will be given a choice of whether to send a confirmation to the old address with a link to reactivate or whether to enter a new email address.
  • The email preferences page now lets you resend confirmation emails when you have changed an email address but not received the original confirmation message for some reason. Addresses that have not yet been confirmed are identified on the page.

Other changes

  • The daily summary newsletter now includes your topic alerts. Following customer feedback, new users have been removed from the newsletter (these are now included in the new system administrators newsletter).
  • When confirming email requests, either by following a link in the confirmation email to a page on the site or by responding to it by email, the message given was not always clear and in some cases was wrong about the action taken. Correct and more detailed information is now given about exactly what took place and what the next steps are.
  • A number of minor issues have been fixed.

For group administrators

Member management

  • If you are a user administrator and choose the Add users option from the user index then you will now be given a choice as to whether to send the user an invitation, so they can choose whether to join, or add them immediately with no choice. If you are not a user administrator then you will always have to send an invitation.
  • If you choose the Invite option from the member index then you will now always have to include an invitation message.

Invitations index

  • The invitations index has several changes in the information it presents:
    • There is now only one entry per email address invited rather than an entry each time it is invited.
    • More detail is shown of the status of an invitation, such as where it currently is in workflow.
    • The email address a user was originally invited with no longer changes if they registered with a different address. Both the original address and a link to the user are now included.
  • On the invitations index you can now cancel invitations as long as the user has not yet registered. Select the drop-down menu button next to the email address and choose the Cancel invitation button.
  • You can now resend an invitation from the invitations index when the user has not yet registered. Select the drop-down menu button next to the email address and choose Resend invitation. Note that in order to prevent abuse, unless you are a user administrator you cannot resend an invitation until the original invitation has timed out.
  • Previously when inviting someone, if a message was not included then the invitation did not appear in the invitations index. This has been resolved and the internal process standardised.

For system administrators

User invitations

  • When you invite someone, you can now preselect which groups to join them to when they register using the invitation. From the user index choose the Invite users by email address option in the sidebar. You can then enter the email addresses of the users to invite, change the invitation message if required and select which groups you wish them to join. Upon registering they will be joined to the specified groups as well as any groups set as defaults. Note that unlike invitations from within a group these are sent from a system email address rather than on behalf of the user who did the inviting.
  • You can now view all the invitations that have been sent, regardless of group. From the user index choose the View invitations option in the sidebar. This page functions the same as the group member invitations index and with the same ability to cancel or resend invitations when appropriate.
  • Some discrepancies in permissions checking of user invitations when registering and passing through workflow have been resolved. In particular, it should be noted that when a user is deactivated this now renders invalid any outstanding invitations they sent.

User administration

  • The bulk user import option has been removed as its functionality has now been superseded by the improvements to invitations, which offer a more secure alternative for bringing new users into the system.
  • The deactivate users in bulk option has been renamed to Deactivate users by email address.
  • Some inconsistencies in what is allowed to be editable when editing users and changing preferences while an LDAP user directory is in use have been resolved.

User workflow settings and notifications

  • There is a new setting for whether a change to a user’s main email address requires approval from an administrator before it is accepted.
  • There are now separate timeout settings for how long a user has to initially confirm their identity, how long they get to confirm a new address and how long they get to change their password when they have requested a link to do so. Because of their sensitivity the latter two settings have a default time of only four hours.
  • There are a number of additions to User notifications to support changes in functionality for email address confirmation and approval. You may wish to review these to ensure that they are suitable for your organisation:
    • New system invitation message when inviting a user to multiple groups and the default personal message to use.
    • Separate confirmations for new regular and new alternative email addresses.
    • New regular email address awaiting approval and change rejected notifications.
    • New confirmations for reactivating email and successfully reactivating.

Administrator newsletter

  • There is a new newsletter sent to system administrators. This provides a daily or weekly update covering changes to users, groups, settings and permissions. By default this is set to a weekly frequency, which can be changed on the new Administrator newsletter system settings page. You can also choose an alternate role if you want to have it sent to users other than those who are system administrators.

Auditing

  • A number of actions are now logged in the application log that previously were not:
    • Changes to users’ email addresses with the previous and new address.
    • Changes to system and group permissions with the permissions added and removed.
    • Changes to system, group and group default settings with the new value.
    • Confirmation messages that have been sent, such as for changing password or confirming a new email address.
    • Sent or cancelled invitations.

Security

  • You can now specify which hosts JavaScript is accepted from on the Page elements settings page. This will affect the Content Security Policy sent with each page and can be used to allow, for example, Google Analytics’ JavaScript but no other sites.
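
After changing the accepted hosts, the Content-Security-Policy header a page returns can be audited against the list you intended. The following is an added example, not Jiglu code: the sample header values, the function names and the expected-host set are constructed for illustration.

```python
from urllib.parse import urlsplit

RISKY_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_script_sources(header, expected_hosts):
    """Return findings for script sources outside the expected allow-list."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: script origins are unrestricted"]
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for src in sources:
        low = src.lower()
        if low in RISKY_KEYWORDS:
            findings.append(f"{src}: weakens the host allow-list")
        elif low.startswith("'"):
            continue  # 'self', 'none', nonces and hashes name no external host
        elif low.endswith(":"):
            findings.append(f"{src}: scheme source accepts any host")
        else:
            host = urlsplit(low if "://" in low else "//" + low).hostname or ""
            if "*" in host:
                findings.append(f"{src}: wildcard host")
            elif host not in expected:
                findings.append(f"{src}: host not in the expected list")
    return findings

# Constructed sample headers (not captured from a Jiglu site).
GOOD = "default-src 'self'; script-src 'self' https://www.google-analytics.com"
BAD = ("default-src 'self'; script-src 'self' https://www.google-analytics.com "
       "https://cdn.example.net *.example.org 'unsafe-inline'")
EXPECTED = {"www.google-analytics.com"}

if __name__ == "__main__":
    for name, header in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_script_sources(header, EXPECTED))
```

An empty result means every script source is either a keyword such as 'self' or a host on the expected list.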

Other changes

  • New task and other notifications are now sent from the ‘noreply’ address for the system or group rather than the ‘admin’ address for the system or group. If a user does reply they will get a response with information about how to get help or contact the administrators.

Vulnerabilities

  • A denial of service attack vector in a third-party library used to extract the text from XML documents which could result in memory exhaustion has been resolved. This was also fixed in a later build of 11.2.
  • A loophole has been closed in the Java API that allowed users to force activation or deactivation of resources subject to workflow with edit instead of activate or deactivate permission. This was not exploitable through the web application.