This release clears the backlog of minor bug fixes that didn't make it in to the LORIS v18.0.0 release, or were discovered after release. Future bug fix releases will happen on an as-needed basis.

The full list of changes are as follows:

• [Core] Fix issues when user logs in by typing their username in a different case than is stored in the database (#3178)
• [Instruments] Fix saving of instruments where the column name is a number (#3179)
• [Instrument List] Fix the CenterID access check in the instrument list module. (#3182)
• [Instruments] Fix bug where "0" was refused as a value in required fields. (#3180)
• [Dashboard] Fix convert array to string error in dashboard (#3149)
• [DQT] Fixed a bug where the CouchDB MRI Import script was failing with strict MySQL settings (#3131)
• [Imaging Uploader] Prevent upload duplication when the same file is uploaded twice.
• [Heroku Install] Fixed Heroku postdeploy password generation (#3171)
• Update VERSION file

Known Issues:

• Running 18.0 Upgrade Process PHP scripts as well as other tools/* commandline scripts may generate notices/error messages; this NDB_Client issue is addressed in upcoming bugfixes (e.g. #3212)

This bugfix release fixes minor issues that weren't fixed in time for the LORIS v18.0.0 release, or that were discovered since.

The next bugfix release is scheduled for October 20, 2017.

The full list of fixes in v18.0.1 are as follows:

• Properly escape table and column names in upgrade script (#3168)
• The instrument setup() function now matches its parent, fixing PHP warnings (#2916)
• Post data is re-sent, rather than discarded after a redirect (#2941)
• The UI should say username, not email on the reset-password page (#3042)
• Improve entropy in temporary password generation (#3045)
• Fixed MRI Protocol Show/Hide links (#3057)
• Fixed Excel Dumps URL rewrites (#2978)
• Fixed empty result in getMaxThreadStatus for NDB_BVL_Feedback (#3141)
• Fixed "Please click here to go back" link RM13189 in imaging uploader
• Declare User::isPasswordStrong to be a static function, fixing some PHP warnings (#3169)
• Added slashes at the end of account links on login screen, which prevents an unnecessary redirect (#3176)

LORIS v18.0 is the next major release of LORIS. It adds the ability for users and examiners to be affiliated with multiple sites, as well as adding 433 other bug fixes and minor changes.

• Full list of changes

New Features

• [Core] Users and Examiners may be affiliated with more than one site. Note that a multi-site user will hold the same level of privilege on data across all affiliated sites, and cannot yet create new candidates/visits via API.
• [Imaging Browser] A new Config module setting called "tblScanTypes" defines which modalities should have quality control performed. In the Imaging Browser, the "T1 Done" and "T2 Done" columns are now customizable to any set of modalities using this Config setting, and the "New Data" column shows only new scans from these designated modalities.
• [LorisForm] Readonly elements and Radio button support added in PHP-coded instrument forms

Updates and Improvements

• [Media] File names that are uploaded must now be unique.
• [BrainBrowser] The version of BrainBrowser included in LORIS is upgraded, which should fix issues loading scans from certain scanners but be otherwise unnoticeable.
• [Login] Captchas are improved by changing them to use the google reCAPTCHA service rather than a custom implementation

Notes for Existing Projects

• [API] The v0.0.1 is now deprecated and will be removed in a future release. v0.0.1 is a proper subset of v0.0.2, so upgrading should be transparent and only require changing "1" to "2" in any calls to the API.
• [Security] The old (unused) Password_MD5 column is removed. LORIS has used PHP's more secure password API for a number of releases, but the column remained so that existing users could still login (and the password hash would be upgraded upon login). The insecure hashes are now completely removed. As a result, passwords can no longer be reset via the MySQL commandline -- instead, run the new tools/resetpassword.php script, or have the user click the "Forgot your password" link.
• [Radiological Review] The Final Radiological Review module was removed, as it was only used by a single LORIS project and not sufficiently generic to be used by others. If you were using it and need access to it, please contact the loris-dev mailing list for help on how to install it into your project/ directory.
• [Config] In the config.xml file, the <database> subtag of CouchDB was renamed to <dbName> to avoid conflicts with the MySQL database config setting. If you have CouchDB setup in your config.xml, you'll need to rename this tag.
• [Core] Caveat re multi-site User feature: users have the same level of privilege across all sites. E.g. a user who hold Edit/modify privileges (for the purpose of one site) will also be able to modify all affiliated sites' data.

Upgrade Process

Unfortunately, due to changes in constraints in the database schema upgrading this version of LORIS is a multistep process. After updating the code, you must:

1. Source the SQL file SQL/Release_patches/17.0_To_18.0_upgrade_A.sql
2. Run the script php tools/DB_date_zeros_removal.php to remove invalid dates in MySQL.
3. Run the script php tools/populate_examiners_psc_rel.php to populate the new multisite examiners table with existing examiners.
4. Source the SQL file SQL/Archive/18.0/2016-06-01-update_zero_fields_statements.sql to add constraints on the tables modified by the script in step 2.
5. Source the rest of the schema changes in the file SQL/Release_patches/17.0_To_18.0_upgrade_B.sql
6. Review the file SQL/Archive/18.0/clean-up/Clean_up_patch.sql which removes and cleans up various columns after backing up any data in those tables.
7. Run composer install --no-dev from the LORIS directory to update any LORIS PHP dependencies.

This release candidate fixes a variety of bugs on the user_accounts page, related to changes to examiners in 18.0 that were discovered in RC2.

This release candidate fixes a few issues found in LORIS 18.0.0rc1. In addition to the notes from RC1, it has the following changes:

• The SQL patch included some changes from a hardcoded database. These are fixed.
• The executable bit was set wrong on a number of files. These are fixed.
• The upgrade instructions for the examiner fix are clarified slightly (by removing some duplicate instructions which are done automatically in a later script.)
• If filters were set on a different page and then you accessed the imaging uploader, the imaging uploader would maintain the filters with no way to reset/remove them. The imaging uploader now automatically resets server-side filters when accessed.
• A CenterID column in the Reliability class which was updated to reflect the new multi-site changes (which was missed before the first RC)
• The Dashboard now shows the issue tracker widget if the user has only the issue_tracker_developer permission.

LORIS v18.0 is the next major release of LORIS. It adds the ability for users and examiners to be affiliated with multiple sites, as well as adding 433 other bug fixes and minor changes.

• Full list of changes

New Features

• [Core] Users and Examiners may be affiliated with more than one site.
• [Imaging Browser] A new Config module setting called "tblScanTypes" defines which modalities should have quality control performed. In the Imaging Browser, the "T1 Done" and "T2 Done" columns are now customizable to any set of modalities using this Config setting, and the "New Data" column shows only new scans from these designated modalities.
• [LorisForm] Readonly elements and Radio button support added in PHP-coded instrument forms

Updates and Improvements

• [Media] File names that are uploaded must now be unique.
• [BrainBrowser] The version of BrainBrowser included in LORIS is upgraded, which should fix issues loading scans from certain scanners but be otherwise unnoticeable.
• [Login] Captchas are improved by changing them to use the google reCAPTCHA service rather than a custom implementation

Notes for Existing Projects

• [API] The v0.0.1 is now deprecated and will be removed in a future release. v0.0.1 is a proper subset of v0.0.2, so upgrading should be transparent and only require changing "1" to "2" in any calls to the API.
• [Security] The old (unused) Password_MD5 column is removed. LORIS has used PHP's more secure password API for a number of releases, but the column remained so that existing users could still login (and the password hash would be upgraded upon login). The insecure hashes are now completely removed. As a result, passwords can no longer be reset via the MySQL commandline -- instead, run the new tools/resetpassword.php script, or have the user click the "Forgot your password" link.
• [Radiological Review] The Final Radiological Review module was removed, as it was only used by a single LORIS project and not sufficiently generic to be used by others. If you were using it and need access to it, please contact the loris-dev mailing list for help on how to install it into your project/ directory.
• [Config] In the config.xml file, the <database> subtag of CouchDB was renamed to <dbName> to avoid conflicts with the MySQL database config setting. If you have CouchDB setup in your config.xml, you'll need to rename this tag.

Upgrade Process

Unfortunately, due to changes in constraints in the database schema upgrading this version of LORIS is a multistep process. After updating the code, you must:

1. Source the SQL file SQL/Release_patches/17.0_To_18.0_upgrade_A.sql
2. Run the script php tools/DB_date_zeros_removal.php to remove invalid dates in MySQL.
3. Run the script php tools/populate_examiners_psc_rel.php to populate the new multisite examiners table with existing examiners.
4. Source the SQL file SQL/Archive/18.0/2016-06-01-update_zero_fields_statements.sql to add constraints on the tables modified by the script in step 2.
5. Source the rest of the schema changes in the file SQL/Release_patches/17.0_To_18.0_upgrade_B.sql
6. Review the file SQL/Archive/18.0/clean-up/Clean_up_patch.sql which removes and cleans up various columns after backing up any data in those tables.

Known Issues / Beta Features

This fixes some bugs found since the LORIS v17.0.5 release. In particular:

• "required" rules were not working on multiselect elements in LorisForm. This is fixed.
• 2 more security issues are now fixed
• the ability to create candidates using the API was fixed for projects which do not use EDC. (The API was previously requiring the EDC be submitted even for post-natal research projects.)
• the VERSION should now be correctly updated. (v17.0.5 incorrectly labeled itself v17.0.4.)

This release fixes bugs found since v17.0.4 was released. Users of LORIS v17.0.x are strongly encouraged to upgrade in order to receive the two security fixes (and 3 other minor bug fixes) described below.

LORIS instances which have a JWTKey setting which does not meet the new key strength requirement checks will need to change their JWTKey setting in the configuration module in order to use the API. (The new requirements are similar to the LORIS password requirements, except must also be at least 20 characters long since it's never directly entered by a user.)

Changes

• The check which verifies that a user is not downloading a file that they shouldn't have access to in get_file.php proved to be insufficient. It now performs an extra check.
• A check of key strength is added to the JWT tokens used for the API. (This JWT key is randomly generated by the LORIS installer, but older projects which upgraded LORIS may not have updated their keys to a secure key, so weak keys are ignored in order to ensure that upgraded LORIS instances don't have the default key.)
• A bug in an SQL query in the examiner module with MySQL 5.7 regarding the only_full_groupby setting has been fixed.
• A bug causing Date_taken to not be properly resolved in the conflict resolver has been fixed.
• The conflict resolver now shows Examiner's full name, rather than their ID, to make it easier to resolve data entry conflicts in examiner.

This fixes a few minor bugs found since the v17.0.3 release. In particular:

• Required fields were not working properly if a user submitted the value "0"
• A bug was fixed preventing visits from being created in the API as documented
• Some changes were made to the DQT import scripts which should prevent unnecessary rebuilds and speed up the import process of large data sets

This release fixes two security holes introduced in features added in the LORIS v17.0.0 including a remote code execution exploit in one of the brainbrowser ajax scripts. Some minor bug fixes found since v17.0.2 are also incorporated.

All users of the LORIS 17.0 branch are strongly urged to upgrade immediately.