This release fixes CVE-2022-39367, a critical vulnerability in the handling of uploaded ZIP files.
(This release also includes a further security update to the Logback library. This was committed to the master branch back in January but not made into a formal release.)
Maintenance release in light of the recent Log4J 2 vulnerability. We're not using that here - we're using Logback & SLF4J instead - but I thought this would be a good time to update key dependencies.
Note also that the minimum Java version supported by QTIWorks is now 8.
Tiny wee fix release. This merges in the fixes to issues 76 & 77, and updates the intro page to reflect the fact that the project is now essentially dormant.
Minor update release for the GDPR. This adds in new functionality to automatically delete old candidate sessions, plus a configurable (but mandatory) installation-specific link to a page describing how privacy, security and cookies are handled.
If you have an existing QTIWorks installation then no database changes
are required. But you must configure a default retention period for
candidate sessions and add in a link to a suitable privacy, security
and cookies policy for your QTIWorks instance. Both of these are
specified within your qtiworks-deployment.properties file.
You may use the privacy policy for the Edinburgh instance of
QTIWorks as a guide, but please don't blindly copy or link to it.
Minor update release. This adds in some improved functionality for deleting data from the system, and updates some software dependencies to newer versions. It also defines some new database indexes to improve performance of some queries.
schemaUpdate QTIWorks Engine Manager action for performing
(some) updates to the database schema.
If you have an existing QTIWorks installation then note that a database schema change will be required. Please do the following:
qtiworks-engine/support/schema-migrations/beta10-to-beta11.sql
to perform some preparatory updates to the database schema.
updateSchema action in the QTIWorks Engine Manager
to complete the schema changes.
This release rolls up some minor improvements and fixes made since the last beta.
It also updates the URL of the MathJax CDN following the announcement of the
closure of cdn.mathjax.org.
There are no new features or functionality included here. Full details:
cdnjs.cloudflare.com content delivery
network (CDN) to load the MathJax libraries used to render MathML.
This is a response to the recent announcement of the imminent closure of the
CDN at cdn.mathjax.org.
This release rolls up some minor improvements and fixes made during 2015. There are no new features or functionality included here.
@index attribute of
a printedVariable is a variable reference.
(This missing functionality is still be to be implemented.)
This release incorporates minor bug fixes and some minor tidying.
<param/> in rendering.
label attribute in BodyElement.
stringInteractions when bound
to record cardinality variables.
responseDeclaration and outcomeDeclaration
now checks baseType and cardinality. (There was a missing superclass class here.)
Security release. This fixes potential cross-site scripting (XSS) vulnerabilities caused by a failure to escape user input in some instructor-facing JSP pages, including the system user login page.
The public demo of QTIWorks has been upgraded in conjunction with this release. All people running their own QTIWorks installations are strongly encouraged to upgrade as soon as possible.
This is hoped to be the final beta before a RC or final 1.0.0 release.
If you have an existing QTIWorks installation then note that a database
schema change will be required. Please run
qtiworks-engine/support/schema-migrations/beta5-to-beta6.sql
to upgrade your database if you have been running your own QTIWorks
1.0-beta5 installation. Please follow instructions in earlier release notes
to upgrade incrementally from earlier beta releases.
There are some additions to default.qtiworks-deployment.properties.
Please merge into your qtiworks-deployment.properties as required.
timeLimit class in JQTI+. This
now has the correct name, and recognises the allowLateSubmission attribute.
qtiworks-deployment.properties if you want
to use these features.
Further bug fixes and minor feature enhancements, some done to support the pilot use of QTIWorks for delivering a diagnostic test at the University of Edinburgh.
SimpleJqtiFacade) for JQTI+, making it a bit easier to perform basic functions.
Bug-fix release addressing problems reported since beta3, as well as including a few minor features and tweaks.
A small database schema change is required. Please run qtiworks-engine/support/schema-migrations/beta3-to-beta4.sql
to upgrade your database if you have been running your own QTIWorks 1.0-beta3 installation.
StringValues now correctly compare with NULL. Fixing this bug
identified some issues with the handling of whitespace when building the JQTI
object model (typically from XML), which have been dealt with in an acceptable
fashion.
Bug-fix release addressing problems reported since beta2. Issues fixed:
identifier of an itemResult was not being computed
in the manner defined by the specification for items within tests. This is fixed here.
A small database schema change is required. Please run qtiworks-engine/support/schema-migrations/beta2-to-beta3.sql
to upgrade your database if you have been running your own QTIWorks 1.0-beta2 installation.
This fixes a few bugs noted by people testing the production instance of QTIWorks:
Fixes a couple of bugs discovered after beta1 went live:
This first beta release brings the production branch back in line with the master (development) branch. It is essentially the same as 1.0-DEV33, but contains a few final bug fixes made during final testing on the production data hosted at Edinburgh.
If you have been hosting your own instance of QTIWorks 1.0-M4, then you need to schedule and execute the upgrade to 1.0-beta1 quite carefully as there were many changes to the data model, requiring all candidate data to be deleted when applying this upgrade. You should upgrade as follows:
purgeAnonymousData engine manager action (on M4 binaries).qtiworks-engine/support/schema-migrations/m4-to-beta1.sql on your QTIWorks database to upgrade its schema
and delete the candidate data stored in the DB.git fetch and git merge origin/production to bring your code up to beta1, then do a clean rebuild.update engine action to complete deleting candidate data from the QTIWorks database and file store.qtiworks-deployment.properties against the newly-updated default version in the git tree.Minor bug-fix release ahead of next release, which is currently scheduled to be BETA1. No changes are needed to the database schema.
This final planned development snapshot brings the project to feature freeze in the context of its current funding.
This development snapshot mainly includes some reorganisation and tidying of the MVC layer, in particular the new domain-level LTI instructor interface and the existing instructor interface. The latter has been simplified a bit and tidied up visually.
Additionally, there are a number of fixes to the recent LTI functionality,
including a fix to the LTI outcomes reporting service to handle issues with
the computation of body hashes. Oddly, this was working fine in the free
Blackboard coursesites.com site, but not on any Learn VLEs that I had tried.
There is also a minor fix to the rendering system to tell it what to do with
HTML th elements.
Note: If you are following these development releases,
then you will need to run the schema migration script
qtiworks-engine/support/schema-migrations/dev31-to-dev32.sql
after compiling this version of the webapp. There is no need to delete
candidate data if upgrading from DEV31.
Patch release that cherry-picks the new MathJax SSL CDN URL from the master branch. (The old SSN CDN appears to have gone offline recently!)
This development snapshot includes a working implementation of LTI instructor role functionality (via domain-level launches). It also completes and makes available the LTI result returning functionality sketched out earlier.
A further snapshot will tidy the way this looks a bit, before we move to a beta/RC release if there are no major issues reported.
Note: If you are following these development releases,
then you will need to run the schema migration script
qtiworks-engine/support/schema-migrations/dev30-to-dev31.sql
after compiling this version of the webapp. There is no need to delete
candidate data if upgrading from DEV30.
Patch release that cherry-picks the new Content Package handling code from the development branch. QTIWorks will no longer complain about the odd MIME types sent by some browsers when uploading ZIP files.
This work-in-progress release adds in enough functionality for testing out the new domain-level LTI launches. I've released it now so that partners can start setting up their VLEs to use the new LTI instructor role functionality, which should appear in the next developer snapshot.
Note: If you are following these development releases,
then you will need to run the schema migration script
qtiworks-engine/support/schema-migrations/dev29-to-dev30.sql
after compiling this version of the webapp. Then you must run the
update action in the QTIWorks Engine Manager. (Note that all
candidate session data needs to be deleted here.)
This continues the work of the last 2 development snapshots, adding in a new author view which finally covers tests as well as items. It is now also possible to launch assessment containing validation errors or warnings.
The rendering process now also records whether an assessment "explodes" while being delivered to candidates, and this information can be seen by instructors. Candidates experiencing an exploding assessment will be provided with a non-scary error page. (Explosions are generally unlikely, but the relaxation on when assessments can be run may cause some unplanned explosions to happen now.)
Test handling now allows EXIT_TEST to be used anywhere. This will be treated the same way as EXIT_TESTPART in tests containing a single testPart, so that the candidate can still access feedback for individual items. In tests with multiple testParts, this will end the test and show only the test feedback. Support for branchRule has improved in that any sectionParts jumped by a branchRule are now recorded as such. The rendering process now excludes any jumped sectionParts.
The handling of ZIP Content Packages has been relaxed so that silly MIME types sent by browsers no longer cause the import process to refuse to proceed. (See bug #28.)
Note: If you are following these development releases, then you will need to run the schema migration script
qtiworks-engine/support/schema-migrations/dev28-to-dev29.sql
after compiling this version of the webapp. Then you must run the
update action in the QTIWorks Engine Manager. (Note that all
candidate session data needs to be deleted here.)
This release consolidates on DEV27, fixing some bugs and refining features added in DEV27. This includes some
changes to the rendering of items and tests, including some improvements to the rendering of mathEntryInteractions.
The bundled set of MathAssess examples have been tidied up slightly, with the addition of some basic CSS to make their feedback stand out a bit more clearly. One of the items (MAB01) has been deprecated.
There is a small database schema fix required here. See qtiworks-engine/support/schema-migrations/dev27-to-dev28.sql.
This development snapshot fills in the remaining parts of the test specification that we plan to implement, namely
preCondition, branchRule and the recording of duration at all required levels within
the test. The low-level test and item running logic has been significantly refactored, and split into new classes
called TestSessionController and ItemSessionController within JQTI+, which should be easier
to reuse for other purposes. A large number of units tests have been created to test these new classes. This API can now
be considered stable.
This snapshot also includes significant refactorings to the higher-level code for running assessments, including the rendering packages. Assessment result XMLs are now generated and stored after each interaction a candidate makes with an assessment, so instructors can see and download partial results much earlier if they need to. A few further changes will be needed, but the API should now be considered stable.
Finally, the snapshot includes a couple of bits of very basic "proctoring" functionality, allowing instructors to forcibly terminate candidate sessions if required.
This snapshot requires a fairly large set of fixes to the database schema. See qtiworks-engine/support/schema-migrations/dev26-to-dev27.sql.
You must also wipe all candidate session data as the internal XML state files have changed significantly.
This development snapshot adds support for delivering tests containing multiple testParts, and now
evaluations any preConditions declared at testPart level. It also completes
the implementation of testFeedback to support both during and atEnd
feedback, at both test and test part level.
Note: This snapshot fixes a bug in the setting of default values for outcome variables in tests. As a result,
the showHide attribute would not have been working correctly when referencing outcome variables
defined to have a fixed default value. You may therefore need to check existing assessments to ensure they now
behave correctly.
This is basically 1.0-DEV25 with some further behind-the-scenes changes added since then. There is no noticeable change in functionality between M3 and M4, though we have dropped some obscure features that were never really used that much (such as the "playback" feature when running single items).
This development snapshot includes a large number of behind-the-scenes changes to make QTIWorks easier to install and manage. It also includes a number of minor fixes, but no real functional changes.
Third production milestone, equivalent to the 1.0-DEV24 development snapshot.
Minor update including mainly low-level code refactoring and documentation improvements. Visible changes are:
Minor update that finally includes front-end functionality for deleting Assessments and Deliverables. (There is more back-end deletion functionality included too.)
This development snapshot continues with the implementation of the test specification, refining and slightly extending what was added in DEV21, as well as adding some improved test samples.
We now support testPart feedback (albeit still only with single testParts), the
showing of item solutions and the display of section/rubric information within test item rendering.
This development snapshot continues with the implementation of the test specification. It now supports all 4 combinations
of navigation and submission modes, though linear navigation is currently a bit rough and needs feedback.
It also shows the assessmentSection structure and rubrics when presenting the
navigation (in nonlinear mode); something similar will need done for linear navigation mode.
This snapshot also changes the default values of maxChoices for choiceInteraction,
hotspotInteraction, hottextInteraction, positionObjectInteraction
and selectPointInteraction. The default is now 0 instead of 1, reflecting a poorly-advertised
changed in the information model.
This second Milestone release is based on the 1.0-DEV20 development snapshot (see below), which was used to pilot some of the (partial) test implementation included in this snapshot.
This milestone includes a partial implementation of the QTI assessmentTest,
handling test containing one testPart using the NONLINEAR navigation mode and
INDIVIDUAL submission mode. It does not yet support branchRule or preCondition,
or similar advanced features. If you are interested in tests, please use the development snapshots for the
time being. However, bear in mind that these will be subject to change at short notice so should not be used
for "real" testing with students.
Minor update before Sue Milne's test pilot. This adds support for
printedVariable/@index, as well as a change to
CandidateSessionStarter's logic. We now attempt to
reconnect to an existing non-terminated session if available, rather
than always starting a new one.
Filled in initial sketch of support for allowReview and
showFeedback in the test delivery. Fixed issue with mixed
namespaces when serializing assessmentResult XML. Added
basic functionality for getting at candidate data (summary table, CSV summary,
ZIP bundle containing all assessmentResult files).
This development snapshot tidies up implementation of tests added in DEV17, and adds in initial functionality within the webapp for viewing and downloading result data for candidate sessions on a given delivery.
This development snapshot continues with the implementation of tests. A first sketch of the full delivery of NONLINEAR/INDIVIDUAL tests is now in place, ready for discussion with project partners.
This development snapshot continues with the implementation of tests. The basic logic for handling tests with one NONLINEAR/INDIVIDUAL part are now in place, and much of the supporting data model is now ready. You can now upload and start one of these tests, but you'll just end up seeing a dump of the resulting test state (after template processing has run on each item).
This development snapshot includes a lot of the groundwork required for the test implementation, with significant refactoring to the session state and controller classes. It also includes another final QTI 2.1 schema.
ValidationContext callback API has been improved and many validators have been
updated to use the new convenience methods in this.
ProcessingContext callback API now extends ValidationContext and
is richer and easier to use.
VariableReferenceIdentifier
class has been removed and JQTI+ now accepts identifiers with dots in them. The behaviour or how
variable dereferencing works in the case of ambiguities has been clarified and documented.
ItemProcessingMap and TestProcessingMap helper classes to contain
information about items/tests useful at runtime.
TestPlan class to represent the test structure as visible to a candidate once
selection and ordering have been performed.
branchRule and preCondition.)
EqualRounded and Rounded.
This is the first development snapshot following the temporarily split into production and development instances. This snapshot does not contain any visible new features but includes a lot of changes and code refactoring to consolidate the work of the last few iterations and help prepare for the work on tests. Key changes are:
integerOrVariableRef and friends in the many corner cases not discussed by
the QTI spec has been refined (using the new notification API) and documented (in the wiki).
Value hierarchy for container values has been refactored and simplified. These values
are now immutable, and factory constructors now return explicit the NullValue in place of
empty containers, which should make life easier for using the JQTI+ API.
Signature concept, which combines BaseType and Cardinality
and makes code using this easier to read. Methods have been added to the
validation API to use this, which should be used in all new code in favour of the old cumbersome checks.
This "Milestone 1" snapshot is the first of a set of stable, less frequent releases so that people using QTIWorks for "real" stuff don't have to worry too much about things suddenly changing. Functionally, this is the same as 1.0-DEV13 but includes a few improvements you won't notice.
The next milestone snapshot will be released once we have some of the test functionality implemented.
This development snapshot finally adds in support for the integerOrVariableRef,
floatOrVariableRef and stringOrVariableRef types.
Most expressions that use these have been updated, though the behaviour when things
veer off the "happy path" is still not consistent and will require a bit more refactoring.
This snapshot also includes the latest (final?) version of the QTI 2.1 schema.
However, it does not support the new namespace for assessmentResult (and its
descendant elements), so results will still be reported in the original (and now wrong)
namespace. This will require a bit of refactoring to change.
This development snapshot fills in more of the Instructor functionality, such as the management of "deliveries" of an assessment. It also includes a first cut of the LTI launch for assessments, as well as a number of less noticeable improvements.
This development snapshot fixes a number of minor bugs found after the release of 1.0-DEV10, including a couple of regressions in the display of validation results. The item rendering now handles overridden correct response values correctly, and the "show solution" button is only shown if there is something to show, which should cut down the number of delivery settings that people need to manage.
This consolidates the work in the last snapshot by making it look a bit nicer and easier to use. More details can be found in the accompanying blog post about this release.
This development snapshot adds a standalone "upload and run" feature that can be run without requiring a login, allowing candidates to choose from a number of pre-defined "delivery settings". (This is similar but more flexible than existing functionality in MathAssessEngine.)
This snapshot also adds a "run" feature for logged in users, as well as filling in more functionality for logged-in users. It's just about usable for storing, debugging and trying out your own assessment items now.
The next snapshot will consolidate on this work and improve the user experience somewhat...
This adds further enhancements to the rendering process for single items. I have written a blog post for this release, so it's probably more useful to link to it than try to paraphrase it badly here.
This snapshot finally includes all of the internal logic for successfully delivering - and recording the delivery of - a single assessment item to a candidate, as well as much of the logic for managing assessments within the system. However, not much of this is yet visible to end users, apart from a revised version of the "play sample items" functionality that uses the new implementation. There's a little bit of the assessment management functionality visible, as well as the login form that people will use to access this, but not enough to be truly usable yet.
The only real visible change in this snapshot is the addition of Graham Smith's sample questions on languages. However, this release includes some of the new foundations and pipework that will support the webapp as development continues, including a first cut of the DB schema, some of the service layer, and some of the authentication modules. Note also that from now on, the public demo of QTIWorks will be accessed via HTTPS instead of HTTP. (Users will be automatically switched to the correct protocol if they come in via HTTP.)
Further tweaks to logic determining whether submit button should appear in item rendering, in light of discussion with Sue. Removed automated feedback styling added in DEV4 as it can't determine between real feedback and selective content. I've also hidden the RESET button to see if anyone misses it...
Fixed bug introduced when refactoring endAttemptInteraction, which prevented it from working correctly. Also added some experimental styling on feedback elements, which will need further work. Further significant refactoring work has been done on JQTI+, in particular the API for extensions (customOperator/customInteraction). I have also started laying the ORM pipework for the webapp domain model.
This development snapshot adds in the MathAssess examples, as well as the "get source" and "get item result" functions in the item delivery. Significant further refactorings and improvements have also been made within JQTI+.
Demonstrates the newly-refactored assessmentItem state & logic code in JQTI+, joining it back in with the rendering components from MathAssessEngine-dev. This demo only lets you play around with some pre-loaded sample items as I haven't started work on the CRUD API for getting your items into the system.
Demonstrates the newly-refactored validation functionality in JQTI+, with more general JQTI -> JQTI+ refactoring work continuing apace.