Version 14.0.30 (released on 2024-05-30)
CHANGES IN THIS VERSION:
Medium security fix: Numerous REDCap endpoints that are called via AJAX on certain pages that are oriented around project design were mistakenly not enforcing the Project Design & Setup rights requirement. This could allow someone with access to the project that does not have Design rights to access information they should not, and in the worst cases, make specific design changes to the project (e.g., copy or delete a field) when they do not have the rights to do so. Note: In order to exploit this, the user would have to have access to the project and would have to know the specific endpoints/URLs to call (and also must know some specific parameters to use). Additionally, this only affects endpoints that require Project Design & Setup rights. Bug exists in all versions of REDCap.
Bug fix: When attempting to delete one or more scheduled survey invitations via the right-hand checkbox in the Survey Invitation Log table by clicking the "Delete all selected" button, the invitations would fail to be deleted if the record does not exist yet (i.e., participant was added to the Participant List manually, but the participant has not yet taken the survey). (Ticket #231754)
Bug fix: When executing Data Quality rules that return more than 10,000 discrepancies, in which one or more discrepancies have been previously "excluded" by a user, the total number of discrepancies displayed on the page would mistakenly be listed as 10000 minus the number of exclusions (which is incorrect) rather than the total discrepancies minus the number of exclusions. (Ticket #229449)
Bug fix: It might be possible for users/participants to bypass the @FORCE-MINMAX action tag’s requirement and enter an out-of-range value for a datetime field if they tab out of the field while the datetime picker is still visible. (Ticket #231611)
Bug fix: If a user is creating a new project and selects the option to "Upload a REDCap project XML file", then chooses a file, but then selects another option (i.e., Empty project, Use a template), the Project XML file might mistakenly still be used to create the project, and in some cases might result in a fatal PHP error. (Ticket #232084)
Bug fix: In REDCap generated PDFs that contain data for repeating instruments and/or repeating events, the repeating instance number was mistakenly not displayed in the PDF’s right header above the page number. The absence of the instance number added ambiguity and made the specific instances not easily discernible from each other in the PDF.
Version 14.0.29 (released on 2024-05-23)
CHANGES IN THIS VERSION:
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.
Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter's value that is used in the API File Import, File Export, and File Delete methods. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.
Minor security fix: An authenticated user could make a simple request to a very specific REDCap end-point, in which it would reset the REDCap Base URL and thus make the application temporarily unusable to users accessing REDCap in a web browser.
Bug fix: In the previous version, it was mistakenly thought that the variable name "calculate" needed to be added to the reserved variable name list, but that turned out not to be true. Because of some new underlying code fixes, that variable name is still allowed. (Ticket #231128b)
Bug fix: When exporting an instrument PDF, the word "Confidential" would fail to be displayed in the PDF's left header by default (this excludes participant-facing PDFs, which should not display this text).
Bug fix: When making a call to the Export Logging API method for a longitudinal project, the event name would mistakenly be omitted in the API response. (Ticket #210938)
Bug fix: Long choice labels for fields used in Smart Charts, specifically bar charts, might mistakenly appear as too wide on the chart and thus might overlap with other text, making it hard to read.
Bug fix: The survey queue was mistakenly not translated in MLM-enabled projects when it was displayed on the survey page itself (as opposed to when specifically viewing the survey queue page after completing the survey).
Version 14.0.28 (released on 2024-05-16)
CHANGES IN THIS VERSION:
Minor security fix: The Clinical Data Pull (CDP) feature in CDIS contained a vulnerability in which a malicious user could potentially re-use a URL utilized during the "launch from EHR" process when accessing the CDP "patient portal" page, in which it might potentially allow them to access unauthorized PHI. This vulnerability is only accessible if CDP is enabled on the REDCap server.
Major bug fix: When exporting data via the Export Records API method in EAV format with rawOrLabel="label", the value of "False" would mistakenly be returned as most of the multiple choice field values. Bug emerged in the previous release. (Ticket #230389)
Bug fix: When importing some instruments from the REDCap Shared Library that contain calc fields, line breaks existing in a calculation might mistakenly get converted to HTML "BR" tags when being imported into a project, thus causing the calculated field to throw an error when viewing it on a form/survey.
Bug fix: In a MyCap-enabled project, some minor issues could occur via the "Create/Edit MyCap Task" and "Fix warnings" popups when the project is in production and enters draft mode.
Bug fix: A missing LOINC code was added to the CDIS mapping features.
Bug fix: When viewing the API documentation or the Documentation for Plugins, Hooks, & External Modules, the main part of the page and its content would mistakenly appear invisible if the browser window is at a specific width range. (Ticket #231012)
Bug fix: When comparing two revisions/snapshots on the Project Revision History page, in which more than two columns in a given row of the comparison table display the "Preview Change" link, clicking the "Preview Change" link would only work for the left-most column that contains the link and not for any other columns. (Ticket #230991)
Bug fix: When a report has advanced filter logic that contains inline comments, and a user selects a Live Filter on the report page, it might cause the report page to crash with a fatal error, thus not displaying the report.
Bug fix: The variable name "calculate" has been added to the reserved variable name list because it could cause various unexpected issues on forms/surveys if a field has that variable name. (Ticket #231128)
Version 14.0.27 (released on 2024-05-09)
CHANGES IN THIS VERSION:
Major bug fix: When the system-level setting "Allow normal users to create new projects?" is set to "No", normal (non-admin) users would mistakenly get the error "You do not have Create Project privileges!" when submitting the Create New Project page. In that situation, all users should be able to view and submit that page (unless they are not allowed to create projects via the user-level setting). Bug emerged two releases ago. (Ticket #230244)
Major bug fix: The API Delete Users method was mistakenly not checking if a user had API Import/Update privileges in the project in addition to User Rights privileges in order to successfully make a call to the API method. This bug was supposedly fixed in REDCap 13.7.28/14.0.5 LTS and 14.0.4 Standard, but mistakenly it was not. (Ticket #230626)
Bug fix: A fatal PHP error might occur for PHP 8 when loading the Form Display Logic setup dialog. (Ticket #230223)
Bug fix: When exporting data via the Export Records API method in EAV format and providing the API parameter exportDataAccessGroups=true, the DAG designations would mistakenly not get output from the API request. (Ticket #230389)
Bug fix: When MLM is active, piping would mistakenly not work on (first) survey pages when in "start over" mode.
Bug fix: When using an iOS device to enter data for a date/datetime/time validated field that has an accompanying datetimepicker calendar widget, the field would mistakenly lose focus with each character entered into the Text field, thus causing the user/participant to have to keep putting focus back on the field for each character needing to be entered. Bug emerged in REDCap 14.0.19 LTS and 14.3.2 Standard. (Ticket #230017)
Bug fix: The Export Survey Link API method would mistakenly return a survey link when provided with an instrument and event in which the instrument is not designated for that particular event. In that case, the API should instead return an error. (Ticket #230491)
Bug fix: When viewing an individual email on the Email Logging page, in which the email contains a "mailto" link in the email body, the "mailto" link would mistakenly get mangled when displaying the email inside the dialog on the page. (Ticket #230319)
Bug fix: When using Multi-Language Management, the mouseover tooltips for date/datetime/time validated fields would mistakenly fail to be updated with translations on MLM-enabled surveys and data entry forms. (Ticket #230546)
Bug fix: If REDCap surveys are embedded via an iframe on external web pages, in some situations the survey page might go completely blank when the page loads. (Ticket #229885)
Bug fix: When viewing the Record Status Dashboard or a report, if the Rapid Retrieval feature is working on the page to provide a cached version of the page, and if the RR's cache was stored when REDCap was on a previous version, in which that previous REDCap version has been removed from the web server, some images (e.g., form status icons) might not display correctly on the page and other links might lead to a 404 "does not exist" error. (Ticket #230224)
Bug fix: When a user simply clicks a field in the Online Designer, it would mistakenly call the "field reorder" script even though no fields were actually being reordered on the page. This would sometimes cause the whole table to be reloaded and also could cause annoying issues such as multiple fields getting deselected when attempting to use the "Modify multiple fields" feature.
Bug fix: The variable name "field_label" has been added to the reserved variable name list because it could cause some instruments to become no longer accessible in the Online Designer if a field has "field_label" as its variable name. (Ticket #230669)
Version 14.0.26 (released on 2024-05-03)
CHANGES IN THIS VERSION:
Major bug fix: When the system-level setting "Allow normal users to create new projects?" is set to "No", normal (non-admin) users would mistakenly get the error "You do not have Create Project privileges!" when navigating to the Create New Project page. In that situation, all users should be able to view that page. Bug emerged in the previous release. (Ticket #230090)
Bug fix: When exporting then importing a Project XML file, the two sub-options for the Secondary Unique Field (i.e., "Display the value..." and "Display the field label...") would mistakenly not get transferred to the new project but would resort to their default values. (Ticket #229880)
Version 14.0.25 (released on 2024-05-02)
CHANGES IN THIS VERSION:
Bug fix: Certain queries on the project Logging page might mistakenly take too long to run for certain projects, thus making the page unnecessarily slow. (Ticket #229219)
Bug fix: If using Multi-Language Management and reCAPTCHA is enabled for the public survey, the reCAPTCHA page might mistakenly throw a JavaScript error when MLM is active.
Bug fix: When the system-level setting "Allow normal users to create new projects?" is set to "No", and a user does not have the user-level option "Allow this user to request that projects be created for them..." checked on the Browse Users page, if the user knows how to navigate to the Create New Project page (even though the links to that page have been removed in the user interface), it would mistakenly display that page and would allow them to submit a request to create a project. Note: The project would not get created unless the admin mistakenly approved it while not realizing that this user should not be able to request new projects be created. (Ticket #229702)
Bug fix: When downloading an instrument PDF when the field label or section header text of a field is very long, in some cases the text in the PDF might mistakenly run over and obscure the PDF's footer text. (Ticket #205997)
Bug fix: When users are not allowed to create or copy projects on their own, and they submit a "Copy Project" request to an administrator, in which the "Warning about miscellaneous attachments" dialog is displayed to the user on the Copy Project page, when the admin goes to approve the request, that dialog would mistakenly be displayed again (it should only be displayed initially to the user, not the admin) and thus would block the admin from successfully approving the request. (Ticket #228954)
Bug fix: When viewing the Stats & Charts page for Report B in a longitudinal project, in which one or more events are selected for Report B, the Stats & Charts page would mistakenly not filter the data on the page to those selected events but would instead display data from all events. (Ticket #228030)
Version 14.0.24 (released on 2024-04-29)
CHANGES IN THIS VERSION:
Major bug fix: In specific situations when using Multi-Language Management in a project when the web server is running PHP 8.0 or higher, every project page would crash with a fatal PHP error. (Ticket #229529)
Bug fix: When exporting a project's data to Stata, multiple choice fields would mistakenly have a "label values" entry in the Stata syntax file even when not all choice codings are integers. The "label values" entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277b)
Bug fix: Fixed several different SQL queries used in various places in the REDCap code that were silently failing in specific cases.
Version 14.0.23 (released on 2024-04-26)
CHANGES IN THIS VERSION:
Major bug fix: When the "href" attribute of any hyperlink has a value of "#" for any label or other user input, the entire label text would mistakenly be completely removed (i.e., would be blank) when output on the page. (Ticket #229451)
Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #229186)
Version 14.0.22 (released on 2024-04-25)
CHANGES IN THIS VERSION:
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript/HTML in a specially crafted way into the "href" attribute of hyperlinks placed inside labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the JavaScript/HTML into a Text or Notes field whose value is then viewed on a report (i.e., it would appear as a hyperlink in the report that would have to be clicked by the user to be exploited). Bug exists in all versions of REDCap. (Ticket #228857)
Medium security fix: A Base Tag Hijacking vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML in a specially crafted way into labels and other user input that is then output onto the webpage. The user must be authenticated into REDCap in order to exploit this, with one exception: a malicious survey participant could inject the HTML into a Text or Notes field whose value is then viewed on a report. Bug exists in all versions of REDCap. (Ticket #229158)
Medium security fix/protection: All usages of the PHP function iconv() have been replaced in the REDCap code due to a vulnerability (CVE-2024–2961) discovered in Glibc (GNU C Library). Note: This is not a vulnerability in REDCap but in a PHP library. This vulnerability can be remediated at the web server level via configuration settings, but this security fix/protection seeks to protect all REDCap installations in the event that their IT support is not able to remediate this vulnerability at the server level. (Ticket #229281)
Bug fix: Survey pages might mistakenly display text inside P tags in labels as different font sizes in different situations. (Ticket #228686)
Bug fix: When using Multi-Language Management and applying or canceling draft mode changes in projects where MLM is active, there would always be a message/warning that MLM settings/translations have been modified even when this is not actually the case. (Ticket #228877)
Bug fix: When renaming a record on the Record Home Page, in which the new record name is the same as the old record name but with leading zeros (or vice versa), if both the old and new record names are integers, REDCap would not rename the record and would mistakenly take the user to another page to create a new record under the new record name provided, which is confusing.
Bug fix: In certain situations when exporting a report, the survey completion timestamps would mistakenly be date shifted in the resulting export file if the "shift all dates" checkbox is checked while the "shift all survey completion timestamps" is not checked. (Ticket #228879)
Bug fix: A query used on the Data Access Groups page was incompatible with certain versions of MySQL that have ONLY_FULL_GROUP_BY set in the SQL Mode, thus causing the query to fail for some installations. The query has been replaced with an equivalent query that is compatible with all supported versions and configurations of MariaDB/MySQL. (Ticket #228974)
Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875c)
Bug fix: When using Twilio or Mosio for a survey that is taken as an SMS Conversation, if the survey is a repeating instrument, branching logic might not work successfully for fields that have branching logic referencing fields on the same instrument. (Ticket #227028)
Bug fix: The Smart Variables [event-number] and [event-id] would mistakenly not return a numerical value but a string, causing special functions that expect numeric values to fail to produce the correct result (e.g., mod()). (Ticket #228953)
Bug fix: When using the search capability for the Biomedical Ontology feature for a Text field on a form/survey, if the user's search returned the message "[No results were returned]", and the user then clicked on that message, it would mistakenly display a bunch of HTML below the field when instead it should not display anything below the field. (Ticket #229124)
Bug fix: When copying a project, the survey setting "Display page numbers at top of survey page" would mistakenly not get copied to the new project. (Ticket #229243)
Bug fix: When utilizing Microsoft Azure Blob Storage for file storage in REDCap, some operations (specifically the "delete file" action) might mistakenly fail for specific server configurations because the CURL options for VERIFY_HOST and VERIFY_PEER were mistakenly not being set to FALSE in the API request to Azure.
Bug fix: When regular users (non-admins) import data dictionaries containing Dynamic SQL fields, in certain cases REDCap might refuse to import the file, mistakenly stating that the query has changed when in fact it has not. (Ticket #229148)
Bug fix: When exporting a project's data to Stata, multiple choice fields would mistakenly have a "label define" entry in the Stata syntax file even when not all choice codings are integers. The "label define" entries should only be added to the Stata syntax file when a multiple choice field has an integer code for every choice. (Ticket #229277)
Bug fix: When accessing a project that is enabled as a Project Template, if the current user is an administrator that is currently impersonating another user in the project, the "Project is used as a template" box would mistakenly be displayed on the Project Home Page. That should only be displayed when the user is an admin with "Modify system configuration pages" rights and while not impersonating a non-admin user. (Ticket #229370)
Bug fix: When an instrument contains an inline PDF attached to a Descriptive field, and the instrument is then downloaded as a PDF, the first page of the generated PDF might mistakenly have text that runs off the bottom of the page if the inline PDF is displayed (via iMagick conversion to an image) on the first page of the generated PDF. (Ticket #228282)
Version 14.0.21 (released on 2024-04-18)
CHANGES IN THIS VERSION:
Bug fix: Data Quality rules A and B will now return checkbox fields in the list of discrepancies if none of the checkbox options have been checked for a given checkbox field. This reverts a change made in REDCap 13.7.10 LTS and 13.9.0 Standard (via Ticket #212048), which is now considered to have been a mistake. This has been changed because the previous behavior was considered to be inconsistent with regard to how checkboxes, especially required checkboxes, are treated on survey pages and data entry forms. For example, if a checkbox field is required and no checkboxes are checked, the Required Field alert is displayed to the user, which implies that a checkbox field with no checked checkboxes is considered to be a field with a missing value. Thus, to provide more consistency with how checkboxes are treated throughout REDCap, this fix has been applied to correct this issue. (Ticket #217798)
Change: All hard-coded references to "redcap.vanderbilt.edu" have been changed to "redcap.vumc.org" to reflect the recent change of the Vanderbilt REDCap server's domain name. Note: The old URL will continue to work and automatically redirect to the new URL until April 2025.
Bug fix: After editing the Survey Queue settings in the Online Designer, the SQ button might mistakenly display multiple green check mark icons. (Ticket #228741)
Bug fix: When using the Field Bank in the Online Designer to search for fields, it might mistakenly show answer choices that say "Login to see the value." for specific items. (Ticket #228217)
Bug fix: When completing a survey, a JavaScript error might occur during certain parts of the survey that might cause other important processes to be blocked on the page. (Ticket #228785)
Bug fix: If some surveys are set as inactive in a project, then the Copy Project page might mistakenly have the "Survey Queue and Automated Survey Invitation settings" option unchecked and disabled. (Ticket #228742)
Bug fix: When a Text or Notes field containing HTML tags in its value is being piped to another place on the same page/instrument, the HTML tags would mistakenly not be interpreted but instead would be escaped in its final piped form. This issue would only occur when the field has a SETVALUE or DEFAULT action tag. Bug emerged in 13.7.27 LTS and 14.0.3 Standard. (Ticket #228818)
Version 14.0.20 (released on 2024-04-11)
CHANGES IN THIS VERSION:
Major bug fix: If a project is deleted by a user, when that project is eventually deleted from the database 30 days later, if the project's data is stored in the redcap_data2, redcap_data3, or redcap_data4 database table, the data might mistakenly not get removed from those data tables when the project as a whole is deleted. This could leave orphaned data in those data tables. Note: During the upgrade process, REDCap will automatically delete any orphaned data still present in the redcap_data2, redcap_data3, and redcap_data4 database tables. Bug emerged in REDCap 14.0.0.
Major bug fix: When the e-signature functionality has been enabled on an instrument, the e-signature checkbox at the bottom of the data entry form would mistakenly be displayed and would be clickable even when the whole record is locked. If the whole record is locked, the e-signature checkbox should remain disabled. Additionally, it might be possible in certain situations (e.g., simultaneous users locking and editing a record) for a user to lock, unlock, or e-sign an instrument while the whole record is locked. Server-side checks have now been added to prevent that. (Ticket #225320)
Bug fix: When using Clinical Data Mart for CDIS, revisions were failing to be imported using the Data Mart import feature.
Bug fix: When importing a data dictionary, it would be possible to import fields that have a variable name ending with an underscore character. This should not be allowed, and thus it now displays an error message when attempting to do so. (Ticket #227821)
Bug fix: When the PDF Auto-Archiver is enabled for a survey, the IP address of the participant would mistakenly be stored in the PDF Survey Archive table in the File Repository. It was intended that the participant's IP address should only be stored when completing a survey with the e-Consent Framework enabled.
Bug fix: When opening REDCap Messenger while in a project, and then attempting to create a new conversation, the project's left-hand menu would mistakenly cover over the "Create new conversation" dialog. Bug emerged in REDCap 14.0.16 LTS and 14.2.2 Standard. (Ticket #228033)
Bug fix: When using the Mapping Helper for CDIS, the status mapping for different types of Condition resources was inaccurately handled.
Bug fix: When accessing an instrument in the Online Designer right after creating a new project from scratch (i.e., when only the Record ID field exists), some instructional text at the top would mistakenly be too wide and might be partially covered up by other things on the page. (Ticket #228129)
Bug fix: When importing the Survey Queue settings via CSV file, an error might mistakenly be returned if certain things, such as condition_surveycomplete_form_name, do not have a value, even when not needed. (Ticket #227928)
Bug fix: When the "Auto-suspend users after period of inactivity" setting is enabled, users who recently had their account created but had not logged in yet would mistakenly get auto-suspended. (Ticket #224747)
Bug fix: When editing some previously-saved content using the rich text editor (i.e., editing the body of an alert, ASI, project dashboard, or field label), in which an inline image was uploaded and saved by a user while on an earlier REDCap version, the inline image in the rich text editor would mistakenly appear as a broken image inside the editor if that older REDCap version's directory has been removed from the REDCap web server. (Ticket #228239)
Version 14.0.19 (released on 2024-04-04)
CHANGES IN THIS VERSION:
Bug fix: When a participant is completing an e-Consent survey on a mobile device, and thus it is unable to display the inline PDF of their response at the end of the survey, although they are able to view the PDF by clicking the button on the page to view it in another tab, the "Working..." popup would mistakenly appear for 20 seconds before disappearing. Instead, it should only appear very briefly before revealing the page.
Bug fix: When using Multi-Language Management, a piping issue would occur when viewing survey pages for participant-specific survey links only. (Ticket #227555)
Bug fix: Automated Survey Invitations were mistakenly not getting triggered when set up with a survey completion condition together with conditional logic in which the “OR” option is selected. (Ticket #227693)
Bug fix: The datetimepicker calendar widget used for datetime fields would mistakenly inject numbers at the end of the field value when typing a datetime value that has a time beginning with "23:". The Datetimepicker library has been updated to a newer version, which resolves this issue. (Ticket #227636)
Bug fix: When using MyCap, there is some missing text that is utilized for displaying notes inside the repeating instruments popup (for longitudinal projects).
Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875b)
Bug fix: When viewing a report in a longitudinal project or a project containing repeating instruments/events, it now displays the text "('records' = total available data across all events and/or instances)" near the top of the report. In previous versions, it did not display any clarifying text for non-longitudinal projects that had repeating instruments, which caused confusion for users regarding the meaning of the word "records" in "Total number of records queried".
Bug fix: When using the piping parameter ":inline" when piping a File Upload field, in which a unique event name (or event-based Smart Variable) is not prepended to the field but [first-instance] or [last-instance] is appended to the field (e.g., [my_upload_field:inline][last-instance]), the piping would fail to work correctly.
Version 14.0.18 (released on 2024-03-28)
CHANGES IN THIS VERSION:
Minor security fix: The TinyMCE library embedded in REDCap was upgraded to its latest version (7.0.0) due to a XSS (Cross-site Scripting) vulnerability in the library's previous version.
Major bug fix: Users with API Import/Update privileges could successfully call the API method "Import User-DAG Assignments" without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.
Bug fix: Users with API Export privileges could successfully call the API method "Export User-DAG Assignments" without having Data Access Groups privileges in the project. Data Access Groups privileges should always be required when creating/renaming/deleting DAGs and when importing/exporting user-DAG assignments.
Bug fix: Users with API Import/Update privileges could successfully call the API method "Import Repeating Instruments and Events" without having Project Design/Setup privileges in the project. It was instead checking for User Rights privileges instead of Project Design/Setup privileges.
Bug fix: Users with API Export privileges could successfully call the API method "Export Repeating Instruments and Events" without having Project Design/Setup privileges in the project.
Bug fix: Users with API Import/Update privileges could successfully call the API methods "Import DAGs" and "Delete DAGs" without having Data Access Groups privileges in the project.
Bug fix: Users with API Export privileges could successfully call the API method "Export DAGs" without having Data Access Groups privileges in the project.
Bug fix: Users with API Import/Update privileges could successfully call the API method "Import Project Settings" without having Project Design/Setup privileges in the project.
Bug fix: Users with API Export privileges could successfully call the API methods "Export Users", "Export User Roles", and "Export User-Role Assignments" without having User Rights privileges in the project.
Bug fix: When using Multi-Language Management, some MLM AJAX calls might mistakenly not work when using Shibboleth authentication. (Ticket #225282)
Bug fix: When using Google Cloud Storage for file storage in the system, uploading/downloading a file via Send-It for a File Upload field might mistakenly not work successfully. Additionally, file downloads might also fail when using GCS when downloading files attached to data queries in the Data Resolution Workflow dialog. (Ticket #226875)
Bug fix: When using Multi-Language Management and adding a system language to a project where the language set on the Control Center’s General Configuration page differs from the language set in a project (via Edit Project Settings page), the "The original values of some translated items have changed" message would mistakenly be shown. (Ticket #227077)
Bug fix: The order of the alerts as displayed in the "Re-evaluate Alerts" dialog mistakenly does not match the order of the alerts on the Alerts & Notifications page. (Ticket #227234)
Bug fix: When using the randomization feature, while a radio strata field exists on the same instrument as the randomization field, after the record is randomized on the data entry form, the strata field's "reset" link (for resetting its value) would mistakenly still appear on the page until the page is refreshed or returned to later. The "reset" link should be immediately hidden after randomization has occurred. (Ticket #226998)
Bug fix: When a survey participant submits the first page of a survey and gets the "Some fields are required" prompt because some required fields were left empty, the "start time" of the response would mistakenly not get stored in the backend database, thus preventing REDCap from displaying the start time or duration of the survey at any time afterward, including via Smart Variables (e.g., [survey-time-started], [survey-duration]). Note: This only occurs when required fields are left empty on the first page of the survey, not on subsequent pages. While this fix will prevent the issue from occurring in the future, it will unfortunately not be able to retroactively fix the issue for already-affected responses that are missing their start time and duration values. (Ticket #226240)
Bug fix: If the E-signature feature is disabled system-wide via the Modules/Services Configuration page in the Control Center, the user rights option "Locking/Unlocking with E-signature authority" would mistakenly still appear when adding/editing a role or user. Additionally, if the E-signature feature is enabled system-wide but is not available for a specific user to use (e.g., if using Entra ID authentication but not using Two-Factor Authentication with the E-signature 2FA PIN option enabled), the user rights option "Locking/Unlocking with E-signature authority" would mistakenly still appear for that specific user. (Ticket #227220)
Bug fix: When using CDP, encounter diagnosis mappings and potentially other kinds of conditions in CDP projects were not being applied correctly, causing data not to be imported correctly from the EHR. (Ticket #227307)
Version 14.0.17 (released on 2024-03-21)
CHANGES IN THIS VERSION:
Bug fix: In specific situations when downloading an instrument PDF in a longitudinal project, the process would mistakenly crash when using PHP 8. (Ticket #226047)
Bug fix: When utilizing the project-by-project Unicode Transformation process, which is done using a cron job via Step 2 on the Unicode Transformation page, the data in the Data Resolution Workflow related table might mistakenly not get transformed (i.e., the comments for data queries in DRW).
Bug fix: When using CDIS, some mapping for Adverse Events were not being pulled, such as causality.
Bug fix: Multi-language Management mistakenly failed to translate a number of survey exit pages (survey offline, response limit reached), and the language selector would be inaccessible. (Ticket #226237)
Bug fix: When using CDP or DDP Custom, the “database” icon would mistakenly not be displayed next to a mapped field on the data entry form for right-aligned Notes fields. (Ticket #226554)
Bug fix: When using CDP or DDP Custom, the Record Status Dashboard page might mistakenly attempt to automatically pull data from the EHR for records on the page when viewing that page as an administrator that is not a user in the project. Instead, it will now only do this for project users.
Bug fix: The "characters/words remaining" message mistakenly was not translated on data entry and survey pages when using Multi-language Management. (Ticket #226676)
Bug fix: When using the Stats & Charts page in a longitudinal project, in which some data had been collected on specific instruments and then later those instruments were undesignated for certain events, thus orphaning some of the data, the charts displayed on the page would mistakenly include the orphaned data for the undesignated instruments when they should be excluding that data. (Ticket #30382)
Bug fix: When a confirmation email is defined for a survey on the Survey Settings page, and then later the user selects "No" to disable the confirmation email on that page, it would mistakenly not disable the confirmation email setting after clicking the Save Changes button. Note: This would only be noticeable if the user returned to the page afterward. (Ticket #226697)
Bug fix: When an inline image is used in the body of an alert, the image might mistakenly not be displayed (i.e., a broken image icon would appear) when a user views an already-sent alert message in the Notification Log. (Ticket #226089)
Bug fix: When using the Data Resolution Workflow while a project is in Analysis/Cleanup status with data as Read-only/Locked, users might still be able to submit a data entry form after navigating to the form in a specific way from the Resolve Issues page. Users should not be able to submit a data entry form while in Analysis/Cleanup status with data as Read-only/Locked. (Ticket #226735)
Bug fix: When the datediff() function is used in a calculated field, in which it contains "today" or "now" as one of the two parameters and the other parameter is a DMY or MDY formatted date/datetime field from another event and also exists on a repeating event or repeating instrument, a calculation error message might appear on the survey page or data entry form, thus preventing the page from working correctly. (Ticket #226037)
Bug fix: When taking a survey using a mobile device, in certain situations the Submit button might be partially obscured by the browser window and thus might not be clickable. (Ticket #226895)
Bug fix: If a project has a repeating Automated Survey Invitation, and then later the survey instrument is set to be no longer repeating (via the Project Setup page settings), the ASI would continue to function as if the survey was still a repeating instrument.
Bug fix: When a regular user (non-admin) is uploading a CSV data file via the Background Data Import, the upload process might mistakenly fail due to a PHP error if the user is not assigned to a Data Access Group. (Ticket #226639)