version 6.11.2 - (released 1/16/2016)

Upload: buidan

Post on 02-Jan-2017

Version 6.11.2 - (released 1/16/2016)

Major bug fix: When using Table-based authentication, in which a new user account is created and the user receives an email to set their password, in some cases it would mistakenly cause multiple false logins after loading the page, which might possibly trigger the auto-lockout feature. If this happens, the user would have to wait until after the set lockout period has passed, but it is possible that the auto-lockout could occur again, thus preventing the user from gaining access to REDCap for a while. This does not occur on all occasions but only randomly. (Ticket #1071)

Medium security vulnerability: It was discovered that SQL Injection might be possible on the File Repository page if a malicious user knows how to send a specifically-crafted request to REDCap to exploit the vulnerability.

Change: When performing the field mapping step in the Dynamic Data Pull (DDP) module in a project, it would display a question mark icon next to each field in the tree of source fields even if the metadata web service does not provide a "description" attribute for the field. This could be confusing since the icon would essentially serve no purpose in this case. It now only displays the icon if a description is actually provided by the metadata web service for a given field.

Bug fix: The Import Users API method had a mistake in its documentation, in which it said the "content" parameter should be "user_rights" when it should instead be "user".

Bug fix: If a survey has the "Save & Return Later" feature enabled and also allows respondents to edit completed responses, then the Return Codes export on the "Data Exports, Reports, and Stats" page would mistakenly leave blank all the return codes for completed responses in the exported CSV file.

Bug fix: When using the REDCap Mobile App page in a project, in which the project has been set up on the mobile app and then the user has performed an emergency data dump from the app, if a file from a Signature field or File Upload field was uploaded to the Mobile App File Archive, its download icon on the page would mistakenly say "Excel CSV". That should only happen for CSV files, such as a logging file or data dump CSV on that page. (Ticket #1074)

Change: When a project is in production status, it was too difficult for users to find the Check For Identifiers page, so it has now been added to the bottom of the Project Setup page when the project is in production.

Bug fix: When opening the Add/Edit Field popup in the Online Designer, it was mistakenly displaying the Field Annotation section for Section Headers when it should not be displayed for them. (Ticket #1072)

Bug fix: When HTML tags and/or CSS is used inside the Field Label of a required field and a user or survey participant submits the page without having entered a value for the field, it would display the Field Label in a popup when listing which fields have a missing value, but it would mistakenly strip out all HTML in the Field Label. It now maintains all the HTML and styling when displaying it inside the required field popup.

Bug fix: In a longitudinal project that has multiple arms and the first instrument is enabled as a survey, when adding the first event to an empty arm, it would display an erroneous warning message saying that the first event of the arm was moved to another position, which is not correct and should not be displayed in this scenario. (Ticket #1070)

Bug fix: When the Dynamic Data Pull (DDP) module is enabled for a project, on certain occasions the DDP Mapping page might mistakenly display a field at the bottom of the mapping table and list it erroneously as a composite field.

Bug fix: If the Secondary Unique Field feature is enabled in a project, there are certain occasions on which a user or participant might be able to bypass the uniqueness check when submitting values on a form or survey.

Version 6.11.1 - (released 12/22/2015)

Change/improvement: When users are being assigned to a role while being granted access to a project on the User Rights page, it now displays a checkbox option to have the user emailed in order to notify them of having been granted access to the project. In previous versions, there was no way to notify a user when being added to a project via role assignment. (Ticket #1051)

Bug fix: When using the plugin/hook method REDCap::getPDF() for an instrument that has been enabled as a survey, it would mistakenly return the form version of the PDF rather than the survey version of the PDF, which includes the survey title, instructions, and survey completion time.

Bug fix: Several places in REDCap currently send an email in which the From and To address are the same (e.g., emailing a survey Return Code, emailing a confirmation that someone has downloaded a Send-It file, when a Table-based user recovers their password), but that can sometimes cause the email not to be received by the recipient because it can get flagged as spam by certain email services. In those cases, REDCap now uses the email address of the Project Contact Person as the email sender for greater compatibility.

Bug fix: The "Map of Users" page in the Control Center would mistakenly no longer load the map due to changes in the Google Maps API. (Ticket #1058)

Bug fix: If a user is on the File Repository page in a project and selects the "All Exports/Types" option to filter data export files, it would mistakenly display the files from the last export instead. (Ticket #1060)

Bug fix: If a user is on the File Repository page in a project and makes a selection in the drop-down list to filter data export files, in which it will return zero files for that selection, then when the page is redisplayed it would mistakenly hide the "filter by" drop-down, thus making it impossible to make another selection, and the user would be forced to click the Back button in their browser and click on a tab above.

Bug fix: When copying a project or creating a new project from a Project Template, it would mistakenly not copy certain project attributes from the original project, such as if the Randomization module is enabled.

Bug fix: When using the Randomization module in a project and moving the project to production after some records have been randomized while in development status, it would mistakenly leave the "Randomize record" events in the project's Logging history when all records are being deleted during the move-to-production process. It now removes those logged events from the Logging.

Bug fix: The plugin/hook method REDCap::getSurveyLink() would mistakenly return a survey link if provided with a record name for a record that does not yet exist. Also, in a longitudinal project it would mistakenly return a survey link for a record that has not been created in a given arm when an event_id from that arm has been passed as a parameter in the method, and if the link was used by a respondent, it would create the record in the other arm. In these situations, it should instead return NULL.

Version 6.11.0 - (released 12/18/2015)

NEW FEATURES & IMPROVEMENTS:

o New API methods (please see the API documentation embedded in REDCap for details regarding these methods)

   o Arm import/delete - for longitudinal projects only; requires API Import privileges and Project Design/Setup privileges

   o Event import/delete - for longitudinal projects only; requires API Import privileges and Project Design/Setup privileges

   o Import instrument-event mappings - for longitudinal projects only; requires API Import privileges and Project Design/Setup privileges

   o Import metadata, i.e. data dictionary - available only in development status; requires API Import privileges and Project Design/Setup privileges

   o Import users (import new users into a project while setting their user privileges, or update the privileges of existing users in the project.) - requires API Import privileges and User Rights privileges

   o Create project

      o Allows a user to create a new REDCap project while setting some project attributes, such as project title, project purpose, enable/disable record auto-numbering, enable the project as longitudinal, and enable surveys in the project.

      o This method requires a Super API Token that must be granted to a user by a REDCap administrator on the API Tokens page in the Control Center.

      o After the super token has been granted, the user can view the super token on their My Profile page.

o Improvement: Added support for hosting REDCap in Google Cloud AppEngine (with Google Cloud Storage). When hosted on the Google Cloud Platform, you can set file storage option to “Google Cloud Storage” on the File Upload Settings page and provide the names of the buckets where the files will be stored. It also works seamlessly to connect with Google Cloud SQL that would host the MySQL backend for REDCap.

o Improvement: REDCap now supports secure connections to MySQL using SSL/TLS. The following PHP variables must be added into database.php in the main "redcap" directory (the first 3 are required at minimum, while the last 2 might be optional for certain configurations).

   o $db_ssl_key = ''; // e.g., '/etc/mysql/ssl/client-key.pem'

   o $db_ssl_cert = ''; // e.g., '/etc/mysql/ssl/client-cert.pem'

   o $db_ssl_ca = ''; // e.g., '/etc/mysql/ssl/ca-cert.pem'

   o $db_ssl_capath = NULL;

   o $db_ssl_cipher = NULL;

o Improvement: Users may now download and upload arms and events as a CSV file on the “Define My Events” page, as well as download and upload the instrument-event designations as a CSV file on the “Designate Instruments for My Events” page. Using these methods, users can now fully reconstruct the structure of a project if they wish to copy it, in which they could download the data dictionary file, arms file, events file, event mappings file, and data export file, and then upload all of them into a new project to recreate it. In previous versions, this could only be done for classic projects, but this now allows it to be done for longitudinal projects. When uploading the CSV file for arms, events, or event mappings, it will display a preview to the user to show what changes will be made, such as which things may be added, modified, deleted, or stay the same.

o Improvement: “select all” and “deselect all” links were added to the “Designate Instruments for My Events” page to allow users to more easily check off the checkboxes if many instruments and/or events exist in the project.

o Improvement: When assigning projects to Project Folders, there is now a checkbox option to hide archived projects in the project list. This should make it easier for users to ignore those projects during the folder assignment process.

o Improvement: A new optional API parameter named "filterLogic" was added to the API method "Export Records". filterLogic should be a string of logic text (e.g., [age] > 30) for filtering the data to be returned by this API method, in which the API will only return the records (or record-events, if a longitudinal project) where the logic evaluates as TRUE. This parameter is blank/null by default unless a value is supplied. Please note that if the filter logic contains any incorrect syntax, the API will respond with an error message.

o Improvement: The Activity Graphs page in the Control Center now includes two new charts: 1) Database Usage (MB), and 2) Usage by Uploaded Files (MB).

BUG FIXES & OTHER CHANGES:

Change/improvement: If the Survey Login feature is enabled in a project, it now performs a password mask for the text fields on the survey login form in order to obscure the participant's password value(s). In previous versions, the password fields were displayed as clear text.

Changes to existing API methods

o Change: For the API method “Export Users”, many more user privilege rights are included in the response. The following is the full header list: username,email,firstname,lastname,expiration,data_access_group,data_access_group_id,design,user_rights,data_access_groups,data_export,reports,stats_and_charts,manage_survey_participants,calendar,data_import_tool,data_comparison_tool,logging,file_repository,data_quality_create,data_quality_execute,api_export,api_import,mobile_app,mobile_app_download_data,record_create,record_rename,record_delete,lock_records_all_forms,lock_records,lock_records_customization,forms

o Change: For the API method “Export Users”, when requesting a response in CSV format, form-level rights are returned in a different format in order to prevent possible duplication of other new user privileges that are returned, in which all form rights will now be consolidated into a single column named “forms” (whereas in previous versions each form was represented as an individual column). The last column of the CSV string returned will have “forms” as the header, and the value will be each [unique] form name and its numerical value as a colon-separated pair with all the form value pairs strung together as a single comma-separated string (e.g. “demographics:1,visit_data:3,baseline:1”). See a full CSV example below of two users exported from a project.

username,email,firstname,lastname,expiration,data_access_group,data_access_group_id,design,user_rights,data_access_groups,data_export,reports,stats_and_charts,manage_survey_participants,calendar,data_import_tool,data_comparison_tool,logging,file_repository,data_quality_create,data_quality_execute,api_export,api_import,mobile_app,mobile_app_download_data,record_create,record_rename,record_delete,lock_records_all_forms,lock_records,lock_records_customization,forms
harrispa, [email protected],Joe,User1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,"demographics:3,baseline_data:1,visit_lab_data:1,patient_morale_questionnaire:1,visit_blood_workup:1,completion_data:1,completion_project_questionnaire:1,visit_observed_behavior:1"
taylorr4, [email protected],Joe,User,2015-12-08,group_a,1,0,0,0,2,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,"demographics:3,baseline_data:1,visit_lab_data:1,patient_morale_questionnaire:1,visit_blood_workup:1,completion_data:1,completion_project_questionnaire:1,visit_observed_behavior:1"

Change: For the API method “Export Users”, when requesting a response in XML format, the main parent tags at the beginning and end of the response will no longer be <records> but instead will be <users> to be less confusing (since “records” often denotes something else in REDCap) and also to be more consistent with how other API methods return XML items.

Change: For the API method “Export Users”, the new “data_access_group_id” field was added, in which it returns the numerical group ID number that the “data_access_group” field used to return in previous versions. And now, the unique group name of a user’s Data Access Group is returned for the “data_access_group” field rather than the numerical group ID number.
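The consolidated “forms” column of the “Export Users” CSV holds commas inside a quoted value, so the response has to be read with a real CSV parser rather than split on commas. The Python sketch below is an added example, not part of the release notes or of REDCap's code: it parses a constructed response in the 6.11.0 layout and lists users holding rights that an access review might treat as sensitive. The sample users, the function names, the choice of SENSITIVE_RIGHTS and the reading of "0" or blank as "not granted" are assumptions.

```python
import csv
import io

# Column order as listed in the 6.11.0 release notes for "Export Users" (CSV).
COLUMNS = [
    "username", "email", "firstname", "lastname", "expiration",
    "data_access_group", "data_access_group_id",
    "design", "user_rights", "data_access_groups", "data_export", "reports",
    "stats_and_charts", "manage_survey_participants", "calendar",
    "data_import_tool", "data_comparison_tool", "logging", "file_repository",
    "data_quality_create", "data_quality_execute", "api_export", "api_import",
    "mobile_app", "mobile_app_download_data",
    "record_create", "record_rename", "record_delete",
    "lock_records_all_forms", "lock_records", "lock_records_customization",
    "forms",
]

# Assumption: which rights count as sensitive is a local review decision.
SENSITIVE_RIGHTS = ("design", "user_rights", "data_export",
                    "api_export", "api_import", "record_delete")

# Constructed sample response (not real users): 7 identity fields,
# 3 x 8 privilege values, then the quoted "forms" value.
SAMPLE_CSV = "\n".join([
    ",".join(COLUMNS),
    'alice_example,alice@example.org,Alice,Example,,,,'
    '1,1,1,1,1,1,1,1,' '1,1,1,1,1,1,1,1,' '0,0,1,0,1,0,0,0,'
    '"demographics:1,visit_data:3,baseline:1"',
    'bob_example,bob@example.org,Bob,Example,2015-12-08,group_a,1,'
    '0,0,0,2,1,1,0,0,' '0,0,0,0,0,0,0,0,' '0,0,1,0,0,0,0,0,'
    '"demographics:3,baseline:1"',
    'carol_example,carol@example.org,Carol,Example,,,,'
    '0,0,0,0,0,0,0,0,' '0,0,0,0,0,0,0,0,' '0,0,0,0,0,0,0,0,'
    '"demographics:1"',
])


def parse_forms(value):
    """Turn 'demographics:1,visit_data:3' into {'demographics': 1, 'visit_data': 3}."""
    rights = {}
    for pair in filter(None, (p.strip() for p in value.split(","))):
        name, sep, level = pair.rpartition(":")
        if not sep or not name or not level.isdigit():
            raise ValueError(f"malformed form right: {pair!r}")
        rights[name] = int(level)
    return rights


def parse_export_users(csv_text):
    """Parse an Export Users CSV response; reject layouts without 'forms' last."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames or reader.fieldnames[-1] != "forms":
        # Older layouts used one column per form instead of a 'forms' column.
        raise ValueError("no trailing 'forms' column: not the 6.11.0+ layout")
    users = []
    for row in reader:
        # DictReader stores surplus fields under None and pads missing ones
        # with None; either means the row does not match the header.
        if None in row or None in row.values():
            raise ValueError(f"line {reader.line_num}: wrong number of fields")
        row["forms"] = parse_forms(row["forms"])
        users.append(row)
    return users


def sensitive_grants(users, sensitive=SENSITIVE_RIGHTS):
    """Return {username: [sensitive rights whose value is neither '' nor '0']}."""
    findings = {}
    for user in users:
        granted = [r for r in sensitive if user.get(r, "0") not in ("", "0")]
        if granted:
            findings[user["username"]] = granted
    return findings


if __name__ == "__main__":
    parsed = parse_export_users(SAMPLE_CSV)
    for name, rights in sensitive_grants(parsed).items():
        print(f"{name}: {', '.join(rights)}")
    # A plain split on commas miscounts the fields because of the quoted value.
    naive = len(SAMPLE_CSV.splitlines()[1].split(","))
    print(f"naive split sees {naive} fields, header has {len(COLUMNS)}")
```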

Change: The API method “Export Instrument-Event Mappings” now returns a different structure if exporting as JSON or XML (however, the CSV format will remain the same). It will now export with “arm_num”, “unique_event_name”, and “form” as attributes of each item/mapping, as seen in the JSON/XML examples below.

JSON example:

[{"arm_num":1,"unique_event_name":"event_2_arm_1","form":"demographics"}, {"arm_num":1,"unique_event_name":"event_2_arm_1","form":"baseline_data"}, {"arm_num":3,"unique_event_name":"visit_2_arm_3","form":"completion_data"}]

XML example:

<?xml version="1.0" encoding="UTF-8" ?>
<items>
   <item><arm_num>1</arm_num><unique_event_name>event_2_arm_1</unique_event_name><form>demographics</form></item>
   <item><arm_num>1</arm_num><unique_event_name>event_2_arm_1</unique_event_name><form>baseline_data</form></item>
   <item><arm_num>3</arm_num><unique_event_name>visit_2_arm_3</unique_event_name><form>completion_data</form></item>
</items>

Improvement: For “Export Project Information” API method, the following two project attributes were added:

o secondary_unique_field – The variable name of the secondary unique field defined in the project (if applicable).

o display_today_now_button – Value will be “0” or “1” (i.e. False or True). If “0”, then do NOT display the today/now button next to date/datetime fields on data entry forms and surveys. If “1” (default), display them.

Change: When using an API token associated with a super user account, the API now recognizes the API user as having maximum privileges (i.e., super user privileges) with regard to API requests, whereas in previous versions it only inferred the user's privileges literally from what is defined on the project's User Rights page, which was inconsistent with how super user rights are recognized by REDCap in the front-end user interface.

Change/improvement: The Control Center's System Statistics page now has the counts for Total Logged Events and Dynamic Data Pull (DDP) separated as separate AJAX calls since it was causing the whole table to load very slowly on the page.

Small security fix: When a table-based user would reset their password, the password value would mistakenly be displayed on the page (although invisible) for a fraction of a second before the page immediately redirected elsewhere once the page loaded.

Bug fix: Small issue with PHP autoload function that only affects specific PHP configurations, in which it would throw a fatal PHP error when attempting to install REDCap.

Bug fix: If using Google OpenID authentication and the REDCap web server does not have cURL installed, it would throw an error during login.

Change: If using Google OpenID authentication and a user logs in for the first time, it will now capture the user's first name, last name, and email address and add them to the user's REDCap account automatically.

Improvement: When installing REDCap, it is now possible to use the MySQL socket value in the database configuration by adding the PHP variable $db_socket to database.php in the main "redcap" directory.

Bug fix: If a user has some kind of Data Export privileges but does not have Add/Edit Reports privileges, when the user navigates to the "Data Exports, Reports, and Stats" page, it mistakenly displays a blank page and thus will not let them view a report or export data. (Ticket #1055)

Bug fix: The Field Note text of certain left-aligned fields (e.g. Notes fields) when displayed on surveys or forms would mistakenly begin wrapping their text to the next line after only going halfway across the webpage. Field Notes now extend to the full width of their column in the question table.

Bug fix: When executing an API request in the API Playground for particular web server configurations, it would mistakenly not return anything from the request with an HTTP status code of "0". This was improved in version 6.9.7 but still gave issues for some.

Version 6.10.1 - (released 12/03/2015)

Medium security fixes: Several cross-site scripting vulnerabilities were found on various pages throughout REDCap, in which these vulnerabilities could possibly be exploited by a malicious user (who is a valid REDCap user) who knows how to craft specific HTTP requests to such pages or can trick other authenticated users to navigate to specifically-crafted URLs.

Change: Updated the Help & FAQ page

Bug fix: When importing data via the API with the "returnContent" parameter set as "ids" in which the "format" (or "returnFormat") parameter is set as "json", then it would mistakenly not put quotes around non-numerical record names that are returned in the API's response. Also, it would mistakenly not escape certain characters in the record names if the response is returned as "json" or "csv" for the "format" (or "returnFormat") parameter.

Version 6.10.0 - (released 11/25/2015)

NEW FEATURES & IMPROVEMENTS:

o New feature: Project Folders

   o Project Folders are a way for users to organize the projects on their My Projects page by putting them into groups. The folder can be given a name and can be color-coded (by setting a text color and background color) so that it displays boldly in the My Projects page.

   o Once a folder has been created, the user can assign any number of projects to a folder (and can even assign a single project to multiple folders). This allows the projects to be grouped together under that folder when displayed on the user’s My Projects page.

   o Project Folders are for personal organization, so no one else can see a user’s folders (except for REDCap administrators when viewing the user’s projects on the Browse Projects page in the Control Center).

o New feature: Survey themes

   o 3 new options were added to the Survey Settings page for any given survey (accessed via the Online Designer):

      o Size of survey text – Set the survey text to a bigger font size (Normal, Large, or Very Large).

      o Font of survey text – Set the font family of all the text displayed on the survey (Arial, Georgia, Tahoma, and more).

      o Survey theme – Set the color scheme for the survey. There are 10 predefined themes available that users may use, but if they do not prefer them, users can easily click the Customize button to customize the color scheme of the survey any way they want, in which it will open up 8 different options for modifying the colors of various elements in the survey. Also, users may create their own custom survey theme to save the theme with a specified name, after which they may easily use their saved theme in the future for another survey.

A “survey design preview” box is displayed on the Survey Settings page so that the user can see how their survey design choices will make their survey look to respondents.

Create institution-specific themes: REDCap administrators with access to their MySQL database can create their own installation-specific themes by adding them to the redcap_surveys_themes database table (add new row to the table with NULL value for “ui_id” field). The easiest way to do this is to create a new theme on the Survey Settings page in a project and save that customized theme, and then find that theme in the redcap_surveys_themes database table and set its ui_id value as NULL, after which it will appear for all users as an official REDCap survey theme in the theme drop-down list.

o New feature: A project's Survey Invitation Log is now downloadable in CSV format.

o Improvement: On the Define My Events page in a longitudinal project, it no longer displays the Days Offset and Offset Range columns in the events table if the Scheduling module is not enabled for the project. Since those columns are only utilized during scheduling, this provides a simpler and less confusing interface for users when scheduling is not being used. When creating a new event in this case, the event name is the only thing that needs to be provided, after which the order of that event or any event in the current arm can be changed using drag-n-drop by dragging that event's row in the table.

o Improvement: New styling options were added to the rich text editor for survey instructions and survey completion text, such as setting text color and background color, inserting tables, copy-paste options, and indentation options.

BUG FIXES & OTHER CHANGES:

o Major bug fix: For surveys that have the survey option "Allow respondents to return and modify completed responses?" enabled for a multi-page survey, then some responses might appear to be completed (i.e., they appear in the Completed Responses drop-down list of records) even though they have not truly been completed (they appear as "[not completed]" in the drop-down list). This fix will retroactively fix the existing records and will also prevent this issue from occurring in the future.

o Improvement: If using Two-Factor Authentication with the Twilio SMS/phone option enabled, then the Table-based User Management page in the Control Center will now allow administrators to include a user's "Expiration time for 2-step login code" in the CSV upload file when creating user accounts in bulk.

o Improvement: Better handling of memory on the web server in order to prevent large data exports and large reports from hitting a memory limit.

o Improvement: The Survey Queue now displays better on mobile devices.

o Improvement: If a survey participant has added or modified any data on a survey page and then attempts to exit the survey by closing their browser or browser tab before saving their changes, it will now display the "Save your changes?" prompt in a similar fashion to the prompt that is currently displayed when exiting a data entry form prematurely.

o Improvement: The hook/plugin method REDCap::logEvent() now accepts a new optional parameter $project_id that can be used to specify the project for which the event should be logged when in a system-level context or alternatively to specify the project_id for another project when in a project-level context.

o Change: In the "Edit Field" popup on the Online Designer, the Field Annotation box has been moved over to the bottom left of the popup dialog to distinguish it more from the Field Note box while at the same time helping to keep the popup itself more compact for most field types.

o Bug fix: The <tbody> HTML tag was mistakenly not whitelisted as a safe HTML tag to utilize in field labels, survey instructions, etc. This would inadvertently cause the tag to get HTML-escaped and thus get displayed to the user on the page.

o Bug fix: When viewing the "Data History" popup for a File Upload field on a data entry page, it would mistakenly not display the logged event(s) where a file was uploaded for that field. (Ticket #1043)

o Bug fix: When using the Twilio telephony services and using the designated phone field for survey invitations, it would mistakenly not display the participant's phone number on the Survey Invitation Log. Also, it would not allow users to click on the "Responded?" icon in the Participant List in order to view the response on the data entry form.

o Bug fix: When using the hook/plugin method REDCap::logEvent() in a hook, it would mistakenly not display correctly on a project's Logging page. (Ticket #1042)

o Bug fix: If a user is attempting to import date or datetime fields (either via API or Data Import Tool) that are not in the specified date format, it would return a slightly incorrect error message, in which it would not mention that date or datetime fields can also be imported in Y-M-D format.

o Bug fix: If there exist two or more adjacent Text fields on a survey or data entry form, in which those Text fields have some form of field validation with min/max range validation, then there is the possibility that if the validation error message gets displayed for a field and then later gets displayed again for another field below it, it may mistakenly display multiple popup messages on top of each other so that it makes it impossible for the user to close them all. This can result in the inability to return to data entry on the page, thus forcing the user to have to reload the page, possibly losing any data entered. (Ticket #1044)

o Change: When setting up a new Automated Survey Invitation, the checkbox option "Ensure logic is still true before sending invitation?" is no longer checked by default since it could unwittingly cause confusion or issues in certain use cases when users simply left it checked.

o Change: When importing data in CSV format via API or Data Import Tool, all blank rows will now be ignored instead of returning an error. This is to avoid the common mistake by users of leaving some lines as blank in the CSV file since most users assume the blank line would be ignored anyway.

o Bug fix: If a user purposefully injects HTML tags into a survey's title for styling purposes, then those tags would mistakenly get displayed literally (e.g. "<b>My Survey Title</b>") in certain places in the project, such as the survey list in the Participant List, Survey Invitation Log, and Survey Queue.

Version 6.9.7 - (released 11/13/2015)

Major bug fix: When importing data into a project via the API or Data Import Tool, if any of the fields being imported were used in a calculated field's equation, then it would mistakenly not perform an auto-calculation and save the calculated field value if the record being imported did not already exist in the project prior to the import. The auto-calculations would, however, work correctly for any existing records that had values imported. (Ticket #950)

Major bug fix: If the @NOW or @TODAY action tags are being utilized on a Text field that has no field validation, then if that field comes after another Text field having date or datetime validation and also has MDY or DMY date format, then the field with the @NOW or @TODAY action tag will mistakenly have its value displayed in the date format of the nearest date/datetime field displayed above it. It should instead be displaying the value in YMD date format when using the @NOW or @TODAY action tags on a field that has no validation.

Bug fix: When executing an API request in the API Playground for particular web server configurations, it would mistakenly not return anything from the request with an HTTP status code of "0".

Bug fix: If executing Rule F on the Data Quality page, it may mistakenly provide false positives in the discrepancy list that is returned. In particular, this would occur if a field had branching logic that referenced a checkbox field that had no values saved (was left all unchecked) for a given record.

Bug fix: When using the REDCap::getData() method in a plugin or hook, if the parameter $combine_checkbox_values is set to TRUE and $exportAsLabels is also set to TRUE, then it would mistakenly not export the multiple choice option labels correctly for checkbox fields if more than one checkbox was being returned. In the case of multiple checkboxes being returned, it would inadvertently use the checkbox option labels from another checkbox field rather than the option labels for that field itself.

Bug fix: An error would mistakenly be displayed if a user attempted to use the Send-It module to send a file to a person having an email address that contains an apostrophe, and thus it would prevent the user from sending a file to that person.

Bug fix: When creating or editing a report in a project and using a multi-select drop-down (e.g. when using a filter for filtering events or data access groups), it would not always be possible to deselect an option in the multi-select once the option had already been selected. (Ticket #1034)

Improvement: Less erratic behavior of the Project Notes popup on the My Projects page when a user moves their cursor over a project that has some text defined for its Project Notes.

Bug fix: In certain PDF exports of a data collection instrument, multiple pages of the instrument might mistakenly overlap on a single page in the PDF. This is often caused when branching logic is used on the instrument, in which an entire section of the instrument must be hidden.

Bug fix: When editing the record ID in the Online Designer, it would mistakenly not display the Field Note option to allow the user to add/edit the Field Note for the record ID field.

Bug fix: If a user steps away from their computer/device when logged into REDCap, after which the autologout time elapses, then even though the automatic logout alert popup displays on the page saying that the user has been logged out, sensitive data may still be visible momentarily on the page underneath the popup after the user clicks the "Log In" button. This was supposedly fixed in version 6.9.5, but was only partially fixed. (Ticket #1018)

Version 6.9.6 - (released 11/06/2015)

Bug fix: If a user creates a record that contains a double space in the middle of the record name, then if someone uploads a file for a File Upload field or saves a signature for a Signature field on a form or survey, it would mistakenly create another record containing only that uploaded file/signature in which the new duplicate record will contain a single space in its record name rather than a double space. However, when viewed in most places in the project (e.g. Record Status Dashboard), the two record names will appear identical when viewed next to each other, thus causing even more confusion about how a duplicate record exists and how it was created.

Bug fix: If the Field Label of a field contained a line break when the field is right-aligned, the PDF export of the instrument might mistakenly display strange rectangle characters in place of the line breaks.

Bug fix: In certain PDF exports of a data collection instrument, multiple pages of the instrument might mistakenly overlap on a single page in the PDF. This is often caused when branching logic is used on the instrument, in which an entire section of the instrument must be hidden.

Bug fix: In some projects that utilize the public survey option together with the designated email field option, it might mistakenly display blank values for each participant in the participant list of the first survey in the project when it should display the email addresses.

Bug fix: If utilizing the randomization module in a project, if using a strata field in the randomization process, in which the strata field is a drop-down field with the auto-complete option enabled, then if that field already has a value saved for it prior to the randomization of a record and also the strata field exists on the same instrument as the randomization field, then it would mistakenly display the value of the field twice in its auto-complete text box inside the randomization popup. This would prevent the record from being randomized because the user's cursor would get forever stuck in the strata field's text box and thus cause the user to have to refresh the page.

Bug fix: When using the @LATITUDE or @LONGITUDE action tag, it would mistakenly display the "Save your changes" prompt when leaving the data entry form even though the latitude/longitude value did not change on that page but was saved when the form was loaded previously. This would not affect data but might be confusing to the user.

Version 6.9.5 - (released 10/27/2015)

Improvement: New action tag @BARCODE-APP - Allows the REDCap Mobile App to capture the value of a barcode or QR code by scanning it with the device's camera. NOTE: For use only in the REDCap Mobile App.

Major security vulnerability: It was discovered that SQL Injection might be possible on certain authenticated pages as well as via the API if a malicious user knows how to send a specifically-crafted request to REDCap to exploit the vulnerability.

Major bug fix: If a field's variable name somehow contains a double underscore, which should not be allowed, and then after the project is in production, a user modifies the field in Draft Mode via the Online Designer, there is a chance that it may replace the double underscore in the variable name with a single underscore, thus mistakenly renaming the variable and causing data to get orphaned as if the original field had been deleted. (Ticket #1012)

Bug fix: If a user in a project has been set to receive email notifications whenever a participant has completed a survey, they would still mistakenly receive the emails even if the user was suspended from REDCap.

Bug fix: The R code that is automatically generated for a given API method in the API Playground module has a small error when defining the URI for the API request.

Bug fix: Small typo fixed on the Project Setup page. (Ticket #1021)

Bug fix: If a user steps away from their computer/device when logged into REDCap, after which the autologout time elapses, then even though the automatic logout alert popup displays on the page saying that the user has been logged out, sensitive data may still be visible on the page underneath the popup. (Ticket #1018)

Bug fix: If a survey invitation has been scheduled for an existing record but then the invitation was deleted via the Survey Invitation Log, then it would still mistakenly display the timestamp of the deleted invitation at the top of the data entry form for that record. (Ticket #1007)

Change: The API is now more strict with regard to the validation of API tokens sent in API requests. In previous versions, if the token was longer than 32 characters, it would truncate the token to 32 characters (which is the expected length). It no longer truncates the token if longer than expected but merely returns an error message.
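The difference between the old truncating check and the strict check described in the token change above, as an added Python illustration (not REDCap's own code). The token store, the function names and the hexadecimal alphabet are assumptions, and the sample token is constructed.

```python
import hmac
import re

TOKEN_LENGTH = 32  # expected token length given in the release note

# Assumption: tokens consist of hexadecimal characters. The release note
# only states the length, not the alphabet.
TOKEN_RE = re.compile(r"[0-9A-Fa-f]{%d}" % TOKEN_LENGTH)

# Constructed sample store mapping issued tokens to usernames.
ISSUED_TOKENS = {"0123456789ABCDEF0123456789ABCDEF": "alice"}


class InvalidToken(ValueError):
    """Raised when a submitted token does not have the expected shape."""


def find_user(candidate):
    """Return the owner of `candidate`, comparing in constant time."""
    owner = None
    for token, user in ISSUED_TOKENS.items():
        if hmac.compare_digest(token.encode(), candidate.encode()):
            owner = user
    return owner


def lookup_truncating(submitted):
    """Old behaviour as described: cut to 32 characters, then look up.

    Everything after character 32 is silently ignored, so an unbounded set
    of distinct inputs is accepted for one token.
    """
    return find_user(submitted[:TOKEN_LENGTH])


def lookup_strict(submitted):
    """New behaviour as described: wrong-length input is an error.

    fullmatch() is used instead of match() with '$', because '$' also
    matches just before a trailing newline.
    """
    if not isinstance(submitted, str) or TOKEN_RE.fullmatch(submitted) is None:
        raise InvalidToken(
            "API token must be exactly %d hexadecimal characters" % TOKEN_LENGTH
        )
    return find_user(submitted)


def compare(submitted):
    """Run both checks on one input and report what each would do."""
    try:
        strict = lookup_strict(submitted)
    except InvalidToken:
        strict = "rejected"
    return {"truncating": lookup_truncating(submitted), "strict": strict}


if __name__ == "__main__":
    good = "0123456789ABCDEF0123456789ABCDEF"
    # Constructed inputs: a clean token and typical client-side mistakes.
    samples = {
        "exact token": good,
        "token + trailing newline": good + "\n",
        "token + trailing characters": good + "XYZ",
        "token cut short": good[:31],
        "unknown 32-char token": "F" * 32,
    }
    for label, value in samples.items():
        print("%-30s %r" % (label, compare(value)))
```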

Minor security fix: A page in the Control Center was found to be susceptible to SQL injection if a super user was tricked into following a custom-created URL by a malicious user. However, the likelihood of occurrence is low and the difficulty is high.

Bug fix: If the API is returning an error message in JSON format, some messages might mistakenly not get JSON-encoded correctly. (Ticket #1003)

Bug fix: If a user does not have "Create Record" user privileges, then it would mistakenly display the "Add new record" button on the data entry form in a project with record auto-numbering enabled. However, it would not allow them to create a new record, so at worst, this would merely cause confusion to the user. (Ticket #1013)

Bug fix: The data dictionary upload page would mistakenly allow variable names containing a double underscore, even though the Online Designer would prevent it. It now replaces any double underscores with single underscores.

Bug fix: In some random cases when loading a CAT survey, it would mistakenly attempt to determine if the page should be skipped based upon branching logic. Since it should never check this for CATs, it now ensures that it skips that logic check, which makes the survey page load much faster for those affected.

Change: The "Brief Overview" video was updated.

Bug fix: In the downloaded PDF export of an instrument, it would not display Field Notes correctly for Notes fields and Signature fields, in which it might run off the page or not display at all, either due to field type and custom alignment values. (Ticket #1005)

Bug fix: PDFs containing Japanese or Chinese characters (when project encoding is set to Japanese or Chinese) would not get rendered correctly and would basically be unable.

Bug fix: When copying an instrument in a project using the "Copy" button in the instrument list in the Online Designer, it would mistakenly remove any non-Latin characters that were entered for the new instrument name.

Bug fix: The API Playground would not be able to send API requests successfully if the REDCap server was using a proxy server for outbound web requests.

Bug fix: The "Submit Changes for Review" button on the Online Designer when in Draft Mode would not display correctly for certain languages (e.g., French).

Bug fix: When using the Dynamic Data Pull (DDP) module, clicking the "Remove unused DDP data" button on the Other Functionality page would mistakenly not get logged properly.

Bug fix: When upgrading from version 5.X, if any fields in a report have a "not =" operator with a blank limiter value, then that limiter would mistakenly get lost and not migrated into the version 6.X report format.

Bug fix: If the Dynamic Data Pull (DDP) module is enabled, then the System Statistics page in the Control Center might mistakenly report incorrect DDP stats, in which they might be overinflated.

Version 6.9.4 - (released 10/06/2015)

Bug fix: The "All custom" button at the top of the rules table in the Data Quality module would mistakenly not work and would display an incorrect error message when clicked.

Bug fix: When using the datediff() function in a custom data quality rule in the Data Quality module, if a record is missing a value for one of the dates used in the datediff() function in the DQ rule, it will mistakenly get returned as a discrepancy when in fact it should not return it as a discrepancy. This does not appear to affect any other advanced functions but only datediff() and only when used in the Data Quality module.

Bug fix: The floating table headers that appear on some pages (e.g. reports) would mistakenly appear on top of a dialog popup that would later be opened on the page.

Bug fix: If HTML tags are used in the record ID field's Field Label in a project, then it would mistakenly display those tags as visible on the Record Status Dashboard table and (if a longitudinal project) also on the event grid after a record has been chosen.

Bug fix: If a survey expiration time was set for a survey, then if a user reopened the survey settings page afterward and pressed Save, it would mistakenly lose the time portion of the expiration date/time, which might prevent the survey from being expired at the exact desired time. Bug emerged in version 6.9.0.

If the Mcrypt PHP extension has not been installed on the REDCap web server, then the Stats & Charts page for reports would mistakenly not display correctly if the report contains any filters. The report would instead display plots representing *all* records in the project rather than just the records after applying the filter. (Ticket #984)

Change: Since the REDCap Mobile App is now available on the Amazon Appstore for Android, a link was added on the REDCap Mobile App page in each project to download the mobile app from the Amazon Appstore.

Bug fix: If a super user is on the Manage All Project Tokens section of the API page in a project or on the API Tokens page in the Control Center, if a user's username contains either a period/dot (.) or an "at" sign (@), then the Last Used column for that user will mistakenly never display the timestamp but will continually say "Loading...".

Bug fix: When using some non-English languages (specifically French) for a project's language, it might mistakenly not allow a production project to be moved to inactive status on the Other Functionality page because of a JavaScript error that occurs. (Ticket #996)

Bug fix: When using the randomization module in a project and utilizing strata fields, if a user is randomizing a record on a data entry form in which one or more of the strata fields are a drop-down field with the auto-complete option enabled, then it would mistakenly not display the drop-down correctly in the randomization popup, thus preventing the user from performing randomization on the record. (Ticket #995)

Version 6.9.3 - (released 09/25/2015)

Improvement: When copying a project, it now displays a new option to copy "all project bookmarks" on the Copy Project page, thus allowing users to copy all project bookmarks in that project to the new project.

Improvement: When copying a project, it will now automatically copy the values for "Custom text to display at top of Project Home page in project" and "Custom text to display at top of all Data Entry pages in project", which are only accessible for modification on the "Edit a Project's Settings" page in the Control Center.

Minor security fix: A cross-site scripting vulnerability was found on the Install page that could possibly be exploited if a malicious user knows how to append certain characters into the web address for the page. However, the ability of a user to take advantage of this vulnerability is severely limited.

Bug fix: If the user is creating a new record on a data entry form (i.e., record auto-numbering is not enabled), then after they place their cursor inside the text box to enter a new record name, it would mistakenly not allow them to remove their cursor in order to do something else on the page if they have not entered anything yet, in which the only way to get the cursor out of the text box is to refresh the page. (Ticket #980)

Change: If a project's first instrument has been enabled as a survey, and then a user on the Online Designer drags/moves an instrument that has not been enabled as a survey into the front so that it becomes the new first instrument, previous REDCap versions would transfer the survey settings onto the new first instrument (which was not a survey instrument), thus removing them from the survey instrument, which would then become a regular data entry form and no longer a survey. This was done to preserve the public survey link in case a user had already distributed the public survey link and would not want it to change. However, due to possible conflicts with newer features, in which this behavior could cause other major issues, it now no longer transfers the survey settings from the survey instrument to the non-survey instrument in this scenario but leaves them as-is (aside from moving their position in the instrument list).

Change: Small aesthetic changes on survey pages to remove gray gradient background and borders to provide a flatter look.

Change: The id or class names of certain elements on survey pages and data entry forms have changed. See the list below for both the old and new name of each element affected. This should only affect REDCap hooks that are referencing these elements via CSS or JavaScript to manipulate the page.

o The id of the main table housing all the survey questions: #form_table => #questiontable

o The spans and divs that contain a multiple choice field's choice label (for both radios and checkboxes)

    o Vertically-aligned .frmrd => .choicevert

    o Horizontally-aligned .frmrdh => .choicehoriz

o Div containing "must provide value" text for required fields: .reqlbl => .requiredlabel

o Table that houses a slider field's labels (that sits above the slider): .sldrlbl => .sliderlabels

o "Reset" links for radio buttons: .cclink => .smalllink

o Matrix header row: .matrixHdrs => .headermatrix

o Field labels for matrix fields: .label_matrix => .labelmatrix

o Question number (surveys only): .quesnum => .questionnum

o Question number for matrix fields (surveys only): .quesnummtxchk => .questionnummatrix

o The div just inside the body tag has changed from #outer to #pagecontainer

o The div that contains the survey instructions was changed from #surveyinstr to #surveyinstructions

Change: When a super user is adding/editing a bookmark on the Project Bookmark page in a project and selecting "REDCap Project" as the Link Type, it will now display in the project drop-down list the projects belonging to all the users in that project. In previous versions, super users would only see their own projects. (Ticket #979)

Bug fix: If a project using the randomization module has the randomization field set as "required" and also has Left/Vertical or Left/Horizontal custom alignment, then the red "*must provide value" label for the field as displayed on the survey page or data entry form would mistakenly not display correctly but get appended as black text onto the end of the Field Label.

Bug fix: The plugin/hook documentation for the REDCap::saveData() method's dateFormat parameter is incorrect and mistakenly refers to something completely different.

Bug fix: When tabbing through fields on a data entry form or survey, it might mistakenly skip over some fields and put the cursor on links or images on the page. Bug introduced in version 6.9.2.

Bug fix: If a user's project has drafted changes that are currently awaiting approval by an administrator, the user could mistakenly still upload a data dictionary before the administrator has reviewed and approved the changes. This would not cause any data loss but could cause confusion as to how the user made field changes while the project was in review.

Version 6.9.2 - (released 09/21/2015)

Major bug fix: If Automated Survey Invitations had been set to be triggered via conditional logic based upon the changes of data values, then the ASIs would mistakenly not get triggered when they should during an API data import. This issue would not manifest when importing data via the Data Import Tool page but only via the API data import method. (Ticket #970)

Improvement: New configuration setting added to File Upload Settings page in Control Center if using AWS S3 storage for file storage, in which you can now manually set the AWS endpoint URL. In previous versions, it only allowed the endpoint to be "s3.amazonaws.com", which now only works for U.S. East region of AWS. This allows you to manually set the endpoint if you are using a different AWS region.

Improvement: When viewing a data entry form where the instrument has been enabled as a survey, it will now display the "Save and Mark Response as Complete" button if the survey has not been started yet (i.e., on the survey page), thus allowing the user to mark it as complete without even having to open the survey page. In previous versions, users would only see that button as a valid option once the survey had at least been partially completed via the survey page.

Improvement: When exporting a survey's participant list to CSV file, it now includes the record name of the respondent if it corresponds to an existing record and if it is identifiable (i.e., if the participant has a Participant Identifier defined or if the designated survey email field has been enabled).

Improvement: When using the REDCap::getParticipantList() plugin/hook method for obtaining a survey's participant list, it now includes the record name of the respondent if it corresponds to an existing record and if it is identifiable (i.e., if the participant has a Participant Identifier defined or if the designated survey email field has been enabled).

Improvement: When viewing the Compose Survey Invitations popup on the Participant List page, it now displays the total count of all participants that have been selected in that popup to be invited to take the survey.

Bug fix: When a project has record auto-numbering enabled and a user opens a data entry form to create a new record, instead of clicking one of the Save buttons on the page, the user clicks another form on the left-hand menu, after which if they click the "Save changes and leave" option, it will redirect them to the desired form but will advance to the next record number as if they are going to create a new record on that form. In this way, they unwittingly navigate off of the record they just created, which could be confusing and could cause new records to get inadvertently created when they shouldn't. (Ticket #972)

Change: The jQuery and jQueryUI libraries inside REDCap were upgraded to version 1.11 since the existing ones were outdated.

Bug fix: If using the Real Time Execution feature for a Data Quality rule, in which it determines on a data entry form that a DQ rule was violated while at the same time a required field was left empty/blank on the form after clicking a Save button, it would only display the "Some fields are required!" popup and would mistakenly not display the "Data Quality rules were violated!" popup, which could cause some confusion and might accidentally cause a user to not be aware of a DQ rule that was violated. It has been changed so that if both issues occur at the same time, it will now display both popups at the same time on the page so that the user is aware of them both.

Bug fix: When utilizing Automated Survey Invitations in a project in which an ASI has the option "Ensure logic is still true before sending invitation?" enabled and the ASI is using only conditional logic as the Condition in Step 2 and *not* basing it off of whether a survey has been completed, then it would mistakenly display empty duplicate rows in the Survey Invitation Log. Note: This would not affect how or when survey invitations were sent.

Bug fix: The tabs on the File Repository page in a project would not display correctly on certain occasions.

Bug fix: If the Double Data Entry module is enabled for a project, then the correct form status icons will mistakenly not display correctly on the Record Status Dashboard for DDE user 1 or 2, but instead it will only display gray icons for all forms/records. (Ticket #975)

Bug fix: An SQL query that would get executed after a user logged in might be really slow for some server configurations. It has been optimized to reduce any slowness.

Bug fix: When downloading a PDF of a data entry form with data, in which all the fields in a section are hidden by branching logic, it might mistakenly display the section header for that section in the PDF instead of hiding it if the section would have spilled over onto the next page if it would have been displayed.

Bug fix: If a drop-down field on a survey or data entry form has a very long choice label, then the drop-down would mistakenly spill out of the table and could crowd other fields and text on the page, thus distorting the whole form/survey.

Version 6.9.1 - (released 09/14/2015)

Bug fix: Duplicate rows mistakenly appear in a survey's participant list when records are created via data entry form or via data import and when more than one person then goes to view the participant list at the exact same time. This can cause a race condition, which generates duplicate rows in the back-end database tables for each record being populated in the table. There is unfortunately no way to fix the duplicates retroactively except by exporting all data in the project, then erasing all records, and then re-importing all the exported data.

Bug fix: If the "redcap_save_record" hook function is being used on a survey, in which the hook will redirect the page or stop page execution while at the same time a survey question that is required has not had a value entered, then it will mistakenly not set the survey response as being partially completed but leave it as if the survey had not been started yet.

Change: Replaced TTS-API.com as the third-party service used for the text-to-speech feature on surveys since that service has ceased to function for unknown reasons, thus making it no longer viable for use in REDCap. It has now been replaced by a service hosted by Vanderbilt at https://redcap.vanderbilt.edu, which utilizes the AT&T Text To Speech API service. Note: This service hosted by Vanderbilt does not store any of the text sent to it in any way.

Version 6.9.0 - (released 09/08/2015)

NEW FEATURES & IMPROVEMENTS:

o New hook function: redcap_project_home_page - Allows custom actions to be performed on the "Project Home" page in a project

o New feature: API Playground - The API Playground is an interface that allows experimentation with the REDCap API without actually writing any code. Users can explore all the different API methods and their various options to customize a given API request. Users may even execute a real API request and see the exact response that REDCap returns from the request.

o New action tags

    o @LATITUDE - Allows a Text field to capture the latitude of the user, in which the user will be prompted on the webpage to allow or deny this. Once the value is captured, it will not be changed when visiting the page at a later time.

    o @LONGITUDE - Allows a Text field to capture the longitude of the user, in which the user will be prompted on the webpage to allow or deny this. Once the value is captured, it will not be changed when visiting the page at a later time.

    o @PASSWORDMASK - Masks the value of a Text field so that the true value is not visible on the webpage after it has been entered (like password fields on login pages).

    o @HIDDEN-APP - Hides the field on the form ONLY on the REDCap Mobile App. Field will stay hidden even if branching logic attempts to make it visible.

    o @READONLY-APP - Makes the field read-only (i.e., disabled) on the form ONLY on the REDCap Mobile App so that its value cannot be changed.

    o @NOW - Automatically provides the user's current time as the value of a Text field when the page is loaded. Once the value is captured, it will not be changed when visiting the page at a later time. If the field has validation, the value will conform to the date/time format of the field.

    o @TODAY - Automatically provides the user's current date as the value of a Text field when the page is loaded. Once the value is captured, it will not be changed when visiting the page at a later time. If the field has validation, the value will conform to the date/time format of the field.

o Improvement: New look for API Documentation

o Improvement: Numbered lists and bullet lists (i.e., <ol>, <ul>, and <li> tags) can now be used in field labels, survey instructions, etc.

o Improvement: Much better search utility on Browse Users page in the user list popup to allow administrators to search a user by a specific user attribute or by all user attributes. Also, the list is now exportable in CSV format. Additionally, columns for the time of suspension and expiration date are now listed in the user list.

o Improvement: If using a proxy server for outgoing HTTP requests, REDCap now supports proxies that require authentication via username and password. On the General Configuration page in the Control Center, you can now enter the proxy username and password.

o Improvement: On the REDCap main Home page (not the Project Home page), you may now provide a URL that gets linked at the end of the last sentence "If you require assistance or have any questions about REDCap, please contact..." rather than a mailto link to the home page contact email. This is useful if you have a ticket system (or something similar) at your institution that you would prefer to link to on the Home page rather than an email account. The URL can be set on the Home Page Settings page in the Control Center and is completely optional.

BUG FIXES & OTHER CHANGES:

o Medium security fix: The Password Recovery page, which is only available if using Table-based authentication, was found to have a Blind SQL Injection vulnerability that could be exploited if a malicious user sends a specially crafted request to that page to spoof certain client values that REDCap receives in the request.

o Change: The user list popup on the Browse Users page no longer displays the column "Active User?" because this designation was confusing and not very helpful because all it implied was that the user had a first activity timestamp, which merely means that (for most installations) the user had logged in to REDCap at least once.

o Change: Now compatible with PHP 7, which is to have its first stable release near the end of 2015.

o Change: When using the Survey Login feature in a project, it will no longer allow the record ID field to be used as a survey login field if record auto-numbering is enabled in the project for security reasons.

o Bug fix: When a user is viewing a project-level plugin, it would mistakenly display the auto-logout popup after being on the page for 3 minutes and would tell them that their session has expired, even though it had not. Also, it would sometimes mistakenly display an error popup if the user attempted to click a project bookmark on the right-hand menu while viewing a project-level plugin, thus preventing them from navigating to the bookmark page.

o Bug fix: The cron job that resets any survey invitations that are stuck in limbo because they did not get sent properly (due to cron crashing, etc.) was mistakenly sending invitations that were weeks or months old, thus often useless to be received by that participant at that point. The cron job now only resets any invitations that have been stuck for less than one week.

o Bug fix: If any survey invitations were sent from the data entry form for a record (rather than via the Participant List) on a version of REDCap before v6.5.0, then the invitations would mistakenly no longer display in the Survey Invitation Log after upgrading to v6.5.0 or higher.

o Bug fix: When using the Twilio telephony services in a project with multiple surveys, in which the user attempts to modify a participant's Invitation Preference on the Participant List for any survey/event, it mistakenly would not apply the desired invitation preference to every survey/event, thus forcing the user to have to set the preference for each survey/event in order to work correctly.

o Bug fix: If data is being piped into the option of a drop-down field on a survey page or data entry form, then it would mistakenly not get updated if a user on that page changed the value of a field whose value is being piped into a drop-down option. Instead it would pipe into the drop-down only data values that had already been saved prior to loading the page.

o Bug fix: Calculated fields may mistakenly throw an error on a survey or data entry form if multiple round() and multiple if() statements are nested together in the calculation.

o Bug fix: The Participant Identifier of a given participant in a survey's participant list would mistakenly not be editable after the participant had started or completed the survey if the identifier was not blank. For privacy reasons, users are prevented from adding an identifier to a participant if the identifier was originally left blank, but it should allow it to be editable (either before or after taking the survey) if not blank. This fix will now allow the identifier to be editable at any time if the identifier is not blank. (Ticket #962)

o Bug fix: If using Twilio telephony services for two-factor authentication or for survey functionality, some voice calls or SMS messages might fail to send to certain international phone numbers that resemble U.S. phone number format - i.e., 10 digits long without a "1" at the beginning. (Ticket #963)

o Bug fix: If the randomization module is enabled and set up for a classic project and then the user converts the project into a longitudinal project, then the Randomize button will mistakenly not appear on the data entry form but instead display the randomization field as a disabled field. (Ticket #961)

o Bug fix: When viewing the Compose Survey Invitations popup for a survey's participant list, it would note that the participants being displayed in the popup are "those who have not responded" (assuming that the option "Allow respondents to return and modify completed responses?" has not been enabled), which is confusing because the list does include those who have partially responded. To prevent confusion, the text has been changed to "those who have not responded completely" to signify that partial responses are included. (Ticket #964)

o Bug fix: On certain random occasions where a record was mistakenly saved with a blank record name, in which the record would then get orphaned and become inaccessible on the front-end web application, if that blank record were somehow assigned to a Data Access Group, the Data Access Groups page would mistakenly include it in the count of records for each DAG, even though the blank record is not viewable or accessible anywhere else.

Version 6.8.2 - (released 08/26/2015)

Improvement: If utilizing the Dynamic Data Pull (DDP) module, the following two counts have been added to the DDP section of the Control Center's "System Statistics" page under the section "Project attributes (all projects)": "Total adjudicated data values imported via DDP" and "Projects with at least one data value adjudicated via DDP".

Major bug fix: If importing data via the API in XML format, then the import will mistakenly not be successful if only one record is being imported in that request. However, if multiple records are being imported in XML format in the same request, the issue does not occur.

Improvement/change: The HTML tags <sub> and <sup> are now allowed in Field Labels, Field Notes, Survey Invitation Text, and all other user-defined text that gets displayed somewhere.

Bug fix: The Twilio telephony services for surveys might not successfully send SMS messages to or successfully make phone calls to some non-U.S. phone numbers.

Bug fix: The Twilio option for Two-Factor Authentication might not successfully send SMS messages to or successfully make phone calls to some non-U.S. phone numbers.

Bug fix: When using calculated fields in longitudinal projects, a processing bottle-neck was discovered that was causing unnecessary slowdown when performing auto-calculations when a user clicked the Save button on a data entry form or survey page. This fix allows the page saving to be processed about 3x-10x faster than before.

Bug fix: When using calculated fields that utilize cross-event calculations in longitudinal projects, it may have mistakenly not been performing the calculation for other events. Thus, some events containing calc fields with cross-event calculations may not have gotten their value saved. (Note: The values can be fixed retroactively by running Data Quality rule H.)

Bug fix: When adding a filter field to a report, in which the field has some form of field validation (e.g., date_ymd, email), then if the user selects the operator to be "contains", "not contain", "starts with", or "ends with", then it would prevent the user from entering a value into the text field to the right unless the value entered adhered to the field validation format. For example, if a user selected "Email" as the filter field, then selected "contains" as the operator, and entered "gmail.com" into the text box as the filter value, it would display the validation error message. (Ticket #939)

Bug fix: The Twilio telephony services for surveys might not work successfully if using a proxy server in your web server configuration. (Ticket #940)

Change: On a project's Logging page, it now displays "SYSTEM" in the user drop-down filter at the top of the page to allow users to filter by events performed automatically by the REDCap system, such as survey invitations being scheduled. In previous versions, the "SYSTEM" option was not available in the drop-down list of users.

Bug fix: If a user on the User Access Dashboard page clicked the Reset link at the bottom of the page, any selected radio buttons would not have their cell background changed back to green but would mistakenly be changed to a white background instead. (Ticket #947)

Bug fix: When using the Survey Login feature on a CAT (computer adaptive test - e.g., PROMIS assessment), the questions on the survey page would mistakenly not be displayed at all.

Bug fix: When a participant is taking a CAT (computer adaptive test - e.g., PROMIS assessment), it should select the choice's radio button whenever the choice label text is clicked, but it mistakenly did not and required clicking on the radio button itself.

Bug fix: In a project utilizing Data Access Groups, if a user does not have "View & Edit" permissions for any instrument in the project and also does not have "Create Record" privileges, then the user could still navigate to an instrument on a record and change the DAG assignment of the record. This could be done if the user changes the DAG selection drop-down on the instrument, in which the page will not allow them to click the Save button but it will mistakenly prompt them to save their changes if they attempt to click a link somewhere in order to navigate off the page. (Ticket #941)

Bug fix: If a user clicked the "Lock all forms" or "Unlock all forms" link for a record in a project, it would mistakenly lock/unlock forms to which the user does not have form-level access. (Ticket #943)

Bug fix: In a longitudinal project, if a record is created via the Scheduling module (rather than via form or survey), then the record would mistakenly not display on the Record Status Dashboard until some data was entered for it on a form or survey. (Ticket #944)

Bug fix: When importing data via the Data Import Tool, even if no checkboxes are being imported, the import comparison table displayed on the page would mistakenly display some checkbox fields, although they would be ignored and would not cause any issues with the data import process. Bug emerged in version 6.8.0.

Bug fix: If using a cross-event calculation for a calculated field on a data entry form or survey in a longitudinal project, in which a non-text field (e.g. drop-down, radio) used in the calculation has a negative value, then the calculation would mistakenly return a blank value instead of the correct calculated number. (Ticket #946)

Bug fix: In longitudinal projects only, the "Total survey responses" count was mistakenly being displayed on a project's "Add/Edit Records" page when it should not have because it only refers to the first survey (even though it does not specify that) and also is not always accurate. Displaying the total survey response count made sense in version 5.X of REDCap, but it no longer makes sense after version 6.0, which allows for multiple surveys.

Bug fix: When viewing a survey response on a data entry form, it notes at the top of the page all the users who have contributed to the response data, but it may mistakenly list users that contributed to other forms or surveys for the record but not necessarily that particular survey. This is now fixed for all survey responses collected hereafter. However, this issue is not able to be fixed retroactively for already completed responses. (Ticket #942)

Bug fix: The survey auto-continue feature would mistakenly not get copied for surveys when copying a project. (Ticket #954)

Bug fix: When clicking the Upload Document link for a File Upload field or when clicking the Add Signature link for a Signature field on a data entry form or survey, if data values are to be piped into the field's label inside the popup that is displayed, it would mistakenly only pipe saved values and would not pipe unsaved values that had been entered on the page.

Version 6.8.1 - (released 08/14/2015)

New feature: Administrators may disable the auto-calculation functionality for a given project on the "Edit a Project's Settings" page in the Control Center. If left as enabled (default), server-side auto-calculations (introduced in REDCap 6.3.0) will be performed for calc fields when data is imported (via Data Import Tool or API) or when saving a form/survey containing cross-form or cross-event calculations. If auto-calculations are disabled, then calculations will only be done after being performed via JavaScript (client-side) on the data entry form or survey page on which they are located, and they will not be done on data imports. Tip: This setting should *only* be disabled if the auto-calculations are causing excessive slowdown when saving data. If disabled, then some calculations might not get performed, and if so, must then be fixed with Data Quality rule H.

Bug fix: The REDCap hook function "redcap_add_edit_records_page" was mistakenly not being called in longitudinal projects on the Add/Edit Records page but only in classic projects.

Bug fix: If a Text field is utilizing the biomedical ontology auto-suggest feature and the user then downloads the data dictionary and later re-uploads the data dictionary, the page will mistakenly display a warning message that is intended to be for multiple choice fields only. It should not display a warning message at all. However, it does not prevent the user from uploading the data dictionary, but might cause some confusion.

Bug fix: If two-factor authentication is enabled, in which the Google Authenticator option is used, it would mistakenly display a user's Google Authenticator QR code on the My Profile page only when the Twilio option was enabled (rather than when the Google Authenticator option was enabled).

Version 6.8.0 - codename "Pfeffernüsse" (released 08/11/2015)

NEW FEATURES & IMPROVEMENTS:

o New feature: Two-factor Authentication

This feature is optional and can be enabled on the "Security & Authentication" page in the Control Center. Enabling two-factor authentication (also known as 2-step login) can provide greater security with regard to users logging in to the system. While the standard login process consists of entering a username and password, two-factor authentication provides a second step after the initial login, such as entering a 6-digit verification code received via SMS text message, via email, or generated using the Google Authenticator app on their mobile device, or responding to a phone call or a push notification (for Duo app only).

Administrators can choose one or more of the following options for users to log in via two-factor authentication on the REDCap login page:

Email - A six-digit verification code will be emailed to the user.

Google Authenticator app - A six-digit verification code can be obtained by the user in their Google Authenticator app. Before they can use this option, they must first go to their My Profile page and scan the QR code on that page in their Google Authenticator app to add their REDCap account to the app on their mobile device.

SMS message via Twilio (connected to Twilio account at https://www.twilio.com) - A six-digit verification code will be sent via SMS text message to the user on their mobile device using the phone number provided on the user's My Profile page.

Phone call via Twilio (connected to Twilio account at https://www.twilio.com) - A user's phone will ring, after which they will be asked to enter a number on their keypad to complete the login process.

Duo (connected to Duo account at https://www.duosecurity.com) - Duo Security provides push notifications via their mobile app, as well as SMS and phone call options.

Two-factor configuration settings:

(Optional) Trusted IP range - You can enforce two-factor login on all users OR only enforce it on users with an IP address in a specific IP range. For example, if you know the IP ranges of computers at your institution, then you can enforce two factor only for users accessing REDCap from outside your institution. There is an additional checkbox option to allow you to easily include all private network IP addresses in the IP exceptions (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255).

(Optional) Authentication interval: Trust a device's two-factor login for X days - This optional setting, if enabled, will allow a user's 2-step login to be remembered and thus will allow them to only have to perform the 2-step login every X days, in which you can set the length of time.

(Optional) Secondary authentication interval for specific IP address ranges - If desired, you can set an alternative authentication interval for devices in certain IP ranges. For example, you may want to set the interval to 30 days for users on a semi-secure network but set it to 1 day for users not on a secure network at all. You can set the interval to X days that the user's device will be trusted if within a given IP range.

Project-level settings:

Setting to exclude specific projects from 2-step login - On the Edit a Project's Settings page in the Control Center, you can exempt a project from 2-step login, which means that if any user has access to an exempt project, then they will *not* be prompted with the 2-step login when they initially log in, nor will they be prompted when entering the exempt project, but they *will* be prompted with the 2-step login if they attempt to enter a non-exempt project or their My Profile page (and if a super user, if they enter the Control Center). This setting may be used to exempt certain projects where the 2-step login would be very burdensome and/or costly for users.

Setting to always force 2-step login on specific projects (even if the authentication interval is set) - For high-profile projects that might have very sensitive data, for example, this setting can be enabled so that even if the authentication interval is set to allow users to not have to perform the 2-step login for every session, if they enter a project with this setting enabled, they must *always* perform the 2-step login during their session before they can enter the project.

User-level setting:

Setting to modify the expiration time of the 2-step login verification code for SMS, email, and Google Authenticator options - In some cases there might be a lag for a user to receive their 2-step login verification code, such as if it is sent via email and doesn't appear in their inbox for a long time. By default, the code expires after 2 minutes. But in cases where it may take longer to be received by the user, an administrator can increase the expiration time of the code up to 30 minutes for a given user on the Browse Users page in the Control Center.
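A model of how the IP exception, authentication interval and project-level settings described above combine, as an added example (not REDCap's own code). The class, function and reason names are hypothetical, and the precedence among the IP exception, exempt projects and forced projects is an assumption: the release note only states that a forced project overrides the authentication interval.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network, summarize_address_range

# Private ranges exactly as the release note lists them (dash notation).
PRIVATE_RANGES = [
    "10.0.0.0-10.255.255.255",
    "172.16.0.0-172.31.255.255",
    "192.168.0.0-192.168.255.255",
]


def parse_range(text):
    """Turn 'first-last' or CIDR text into a list of ip_network objects."""
    if "-" in text:
        first, last = (ip_address(p.strip()) for p in text.split("-", 1))
        return list(summarize_address_range(first, last))
    return [ip_network(text.strip(), strict=False)]


def ip_in(ip, ranges):
    """True if the address falls inside any of the configured ranges."""
    addr = ip_address(ip)
    return any(addr in net for r in ranges for net in parse_range(r))


@dataclass
class TwoFactorPolicy:  # hypothetical names, modelled on the settings above
    ip_exceptions: list = field(default_factory=list)
    include_private: bool = False      # the "all private network IPs" checkbox
    trust_days: int = 0                # 0 = authentication interval disabled
    secondary_ranges: list = field(default_factory=list)
    secondary_trust_days: int = 0

    def exempt_ranges(self):
        extra = PRIVATE_RANGES if self.include_private else []
        return self.ip_exceptions + extra


def two_step_required(policy, ip, now, last_two_step=None,
                      verified_this_session=False,
                      project_exempt=False, project_force=False):
    """Return (required, reason) for a user entering a project."""
    # Assumption: an IP exception means two-factor is not enforced at all.
    if ip_in(ip, policy.exempt_ranges()):
        return False, "ip-exception"
    if project_exempt:
        return False, "project-exempt"
    if verified_this_session:
        return False, "already-verified"
    # A forced project ignores the authentication interval (device trust).
    if project_force:
        return True, "project-forced"
    in_secondary = ip_in(ip, policy.secondary_ranges)
    days = policy.secondary_trust_days if in_secondary else policy.trust_days
    if days > 0 and last_two_step is not None:
        if now - last_two_step < timedelta(days=days):
            return False, "device-trusted"
    return True, "no-valid-trust"


if __name__ == "__main__":
    # Constructed sample: 1-day interval, 30 days for a semi-secure range.
    policy = TwoFactorPolicy(include_private=True, trust_days=1,
                             secondary_ranges=["198.51.100.0/24"],
                             secondary_trust_days=30)
    now = datetime(2015, 8, 11, 12, 0)
    seen = now - timedelta(days=2)
    for ip in ("172.31.255.255", "172.32.0.1", "198.51.100.20", "203.0.113.7"):
        print(ip, two_step_required(policy, ip, now, last_two_step=seen))
```

The boundary pair 172.31.255.255 and 172.32.0.1 is worth checking in any real deployment of the private-network exception, because only the first address is inside the listed range.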

o New developer methods for plugins/hooks

REDCap::saveData - Saves record data for a project. Accepts data in the following formats: "csv", "json", "xml", and "array" (same array format as received from getData method with record name as 1st key, event_id as 2nd key, and field_name as 3rd key)

REDCap::getDataDictionary - Returns a project's data dictionary in any of the following formats: "csv", "json", "xml", and "array"

o New hook functions

redcap_survey_page_top — Allows custom actions to be performed at the top of a survey page - exactly like redcap_survey_page but executed in a different location

redcap_data_entry_form_top — Allows custom actions to be performed at the top of a data entry form (excludes survey pages) - exactly like redcap_data_entry_form but executed in a different location

redcap_add_edit_records_page — Allows custom actions to be performed on the "Add/Edit Records" page in a project

o Improvement: The Data Import Tool now has a new option "Allow blank values to overwrite existing saved values?" that allows users to choose if they want to perform a mass overwrite of saved values with blank values when importing data. By default, it will ignore all blank values in the uploaded CSV file (as it has always done).

o Improvement: If using the Twilio telephony services in a project, it will now detect (with fairly good accuracy) if a phone call is made to a survey participant in which an answering machine or voicemail answers the call instead of a person. In such a case, it will not begin speaking the survey text as it would to a person, but will instead leave the following message for the participant: "To take the survey, please call back at this phone number: XXX-XXX-XXXX."

BUG FIXES & OTHER CHANGES:

o Major bug fix: If a user with "De-identified" export rights or "Remove all tagged Identifier fields" export rights performs a data export for Report B on the "Data Exports, Reports, and Stats" page, in which they leave the "All instruments" option selected in the Instruments multi-select list, it would mistakenly export ALL fields in the project and would not remove free-form text fields and identifier fields like it should.

o Major bug fix: On rare occasions when using Automated Survey Invitations for a survey, in which the option "Ensure logic is still true before sending invitation?" is enabled and the logic is fairly complex, survey invitations that have been scheduled might mistakenly be sent twice to the same participant.

o Minor security fix: A cross-site scripting vulnerability was found on the project Logging page that could possibly be exploited if a malicious user knows how to inject certain text into the "Reason for Data Change" text box when editing an existing record in a project that has the "Require a Reason" feature enabled.

o Minor security fix: A vulnerability could possibly be exploited if a malicious user knows how to execute some specific JavaScript calls on a data entry form where the Locking/E-signature feature is used, in which it would allow them to bypass the signing process of entering a correct username/password when e-signing a data entry form for a record. Also, using certain methods to manipulate page elements on a data entry form that has been locked, they could possibly execute some specific JavaScript calls that would allow them to unlock the form and make data changes even if the user does not have Record Locking privileges. NOTE FOR SHIBBOLETH USERS: If your institution is using a hack to modify the REDCap base code in order for e-signatures to work with Shibboleth, please be aware that this change *might* prevent your modifications from working.

o Bug fix: When using the Twilio telephony services in a longitudinal project where the first instrument is not used as a survey, it would throw an error whenever a user attempted to modify a participant's Invitation Preference on the Participant List for any survey/event.

o Bug fix: If a user clicks the "Delete data for this form only" button or clicks the "Delete data for this event only" button on a data entry form that has some required fields that have no values entered for them, it would mistakenly display the "Some fields are required!" popup to force the users to enter values for the required fields before it would let them delete the form's/event's data.

o Bug fix: When reviewing the drafted changes in a production project, it would mistakenly not display the Field Annotation column in the table of changes on that page. (Ticket #927)

o Bug fix: Incorrect text was used in the Twilio configuration popup for the "default invitation preference" option on the Project Setup page of a project.

o Bug fix: Incorrect text was used in the Twilio configuration step on the Project Setup page of a project. (Ticket #925)

o Change: The "Stats & Charts" section on the "Data Exports, Reports, and Stats" page no longer allows checkbox fields to be viewed as pie charts but only as bar charts. This is due to the fact that since checkboxes allow multiple values per field per record, the total counts/frequency can add up to higher than 100%, which is not compatible with the pie chart and thus causes it to display incorrect values.

o Change: If the Twilio SMS option is enabled for two-factor auth, then the My Profile page will display a "mobile phone number" field where they can enter their phone number, and then use it for two-factor login via SMS.

o Bug fix: If a project has the "Use surveys in this project?" setting enabled on the Project Setup page but does not have any instruments enabled as surveys, then when a data export is performed, it would mistakenly include the redcap_survey_identifier field in the syntax file for the stats packages but would appropriately not include that column in the CSV data export file. This would inevitably cause issues when attempting to import the data into a stats package, such as SPSS.

o Bug fix: If using the Twilio telephony services in a longitudinal project in which the first instrument was not enabled as a survey, then if a user attempted to change a survey participant's Invitation Preference in the Participant List, it would mistakenly not change it successfully.

o Bug fix: If using the Twilio telephony services in a project and sending out survey invitations for the participant to take the survey via phone call or SMS, in which one or more invitation reminders were set, then even though the participant would complete the survey, the reminders would still get sent to them afterwards (via SMS or phone call).

o Bug fix: If using the Twilio telephony services in a project in which records would be created via data entry form or data import (rather than via survey), then it would mistakenly not assign the record the correct default invitation preference as defined by the project's "Default invitation preference for new participants" setting in the Twilio configuration popup on the Project Setup page.

o Bug fix: After clicking the table headers of the user list on a project's User Rights page, it would no longer be possible to edit the rights of a user or role on the page by clicking a username or role name in the table until the page is reloaded. (Ticket #932)

o The Help & FAQ page was updated.

o Bug fix: When enabling the auto-complete feature for a drop-down field on an instrument, if any of the option labels contained an ampersand (&), less than character (<), or greater than character (>), it would mistakenly display the HTML character code version of those characters in the drop-down field rather than the literal character itself. (Bug emerged in version 6.7.0.)

o Bug fix: On the "Stats & Charts" tab of the "Data Exports, Reports, and Stats" page in a project, if a user clicks the "Show plots only" button, then it would mistakenly display the spinning circle image for text fields that have no data.

o Bug fix: When viewing the "Day" or "Week" tab on the Calendar module in a project, clicking the left-arrow icon or right-arrow icon would not advance to the prev/next day or prev/next week, respectively, but would always advance to the prev/next month, which is not intuitive and is confusing. (Ticket #935)

o Bug fix: If utilizing the randomization module in a project and trying to copy an instrument via the Copy option in "Choose action" drop-down on the Online Designer, if the randomization field or strata fields are located on the instrument being copied, it would mistakenly display an error message saying that the instrument could not be copied.

o Bug fix: If the REDCap page header was displayed on a REDCap plugin page or if the base.js JavaScript file was included on a plugin page, then it would mistakenly inject the redcap_csrf_token (Cross-Site Request Forgery token) onto all forms displayed on the plugin page and also inject it into all POST AJAX requests made via the jQuery $.post function on the plugin page. This might give the impression that REDCap provided CSRF protection on plugin pages when in fact it does not. The redcap_csrf_token value is now no longer injected into forms or in the $.post function on plugin pages.

o Bug fix: If a survey participant completes a survey that has the "Send confirmation email" setting enabled but the participant's email address has not yet been captured after having completed the survey, and if the Survey Queue is enabled for the project, then if the participant enters their email address on the survey acknowledgment page in order to receive their confirmation email, it would mistakenly display a popup message saying that the survey has not been set up yet, which is incorrect and confusing. (Ticket #930)

o Bug fix: When the Dynamic Data Pull (DDP) module is enabled in a longitudinal project, if a user selects some fields to be mapped to the external source system on the DDP Setup page, then it might mistakenly convert the last field on the page to a non-temporal field if it was a temporal field, which would prevent it from being mapped correctly on that page. (Ticket #913)

o Bug fix: Users would mistakenly be allowed to archive a development project even if the setting "Allow normal users to move projects to production?" in the Control Center was set to "No". This would allow a user to archive a development project and then un-archive the project, which puts the project in production status, thus inadvertently bypassing the production approval process. If users are not allowed to move projects to production on their own and they attempt to archive a development project, it will now display a message letting them know that they can only archive production projects. (Ticket #852)

o Bug fix: If a user imports data via the Data Import Tool in which the record names contain UTF-8 characters but the imported file is encoded with ANSI encoding, it would mistakenly store the record names incorrectly (with a black diamond character being displayed on the page) during the import, which would prevent the records from being accessed or edited on a data entry form and thus prevent them from being deleted after having been imported. (Ticket #859)

o Change: If the setting "Require a 'reason' when making changes to existing records?" has been enabled for a project, it will now prompt the user for a reason if they attempt to delete a record via the Delete Record button on a data entry form. In previous versions, it only prompted for a reason whenever an existing record was changed and not when it was deleted.

o Bug fix: If the "Auto-continue to next survey" setting is enabled for a PROMIS CAT, it would mistakenly not auto-continue to the next survey instrument. (Ticket #938)

o Bug fix: If entering data on a survey or data entry form while using an Android device, fields with "Phone (North America)" validation would mysteriously have their value disappear immediately after it was entered, thus preventing the user from entering a value for the field.

Version 6.7.5 (released 07/29/2015)

Change: Replaced Google's Speech API with TTS-API.com as the third-party service used for the text-to-speech feature on surveys since Google now enforces a captcha upon heavy use of that free API, thus making it no longer viable for use in REDCap. This also means that there will no longer be a language option for text-to-speech on surveys (the option will be hidden) since TTS-API.com only works for English.

Version 6.7.4 (released 07/27/2015)

Medium security vulnerability: Several cross-site scripting vulnerabilities were found that could possibly be exploited if a malicious user knows how to inject certain text into an arm name or event name when creating/editing arms or events in a longitudinal project, in which this could execute malicious JavaScript on that page for other unwitting users.

Medium security vulnerability: A Cross-site Request Forgery vulnerability was found that could possibly be exploited if a malicious user tricks an unwitting super user into navigating to a specially-crafted REDCap link that could cause a specified suspended user to be unsuspended just by clicking the link.

Version 6.7.3 (released 07/24/2015)

Major bug fix: If a user is attempting to perform a data import via the Data Import Tool or API, in which one of the fields being imported is a drop-down field with auto-complete enabled, then it would mistakenly throw an error saying that the value was in an invalid format. Bug emerged in version 6.7.0. (Ticket #921)

Major bug fix: When utilizing the Randomization module in a project, there is a very small possibility that when saving a data entry form for a record that has already been randomized, in which the form being saved contains the disabled randomization field, it mistakenly might be possible for the user to modify the randomization field's value after clicking the Save button before the form is officially saved.

Bug fix: If the MySQL database server is set to use ANSI_QUOTES for the SQL_MODE setting, then it will mistakenly display the warning "YOUR REDCAP DATABASE STRUCTURE IS INCORRECT!" on the main Control Center page and on the Configuration Test page. (Ticket #920)

Bug fix: When using the Twilio telephony services in a project and sending an SMS message to an invalid phone number, it would mistakenly not fail gracefully but would throw a fatal PHP error, which could result in crashing the cron job if the SMS was being sent via the invitation scheduler cron. This could result in other invitations not getting sent on time but a few hours late.

Change: New cron job was added to fix any survey invitations that got stuck in 'SENDING' status but were never sent (due to server going offline unexpectedly, etc.).

Bug fix: When a super user would view the Manage All Project Tokens tab on the API page in a project, it would mistakenly not display the table of project users and would throw a JavaScript error.

Bug fix: The following features were mistakenly not enabled by default if performing a fresh install of version 6.7.X: Embedded video for Descriptive fields, Text-to-speech functionality for surveys, and BioPortal auto-suggest for Text fields. This upgrade will automatically turn them on.

Bug fix: If a Text field is utilizing the biomedical ontology auto-suggest feature and the user then downloads the data dictionary and later re-uploads the data dictionary, the field will lose the ontology auto-suggest feature.

Bug fix: If a Text field is utilizing the biomedical ontology auto-suggest feature, in which another field uses branching logic or calculations based upon that field, then the branching logic and/or calculations would not fire if a value was added to or removed from the field but would only fire when the page was later reloaded after being saved.

Version 6.7.2 (released 07/16/2015)

Major bug fix: When using the "Ensure logic is still true before sending invitation?" option for Automated Survey Invitations in a project, it might mistakenly prevent some survey invitations from getting scheduled whenever a record is updated via survey/data entry form or imported.

Improvement: The Codebook page in a project now has branching logic icons next to each field so that when an icon is clicked it takes the user to the Online Designer and opens that field for editing its branching logic. This allows users to quickly make edits to fields' branching logic when viewing the Codebook. There also exists a "Return to Codebook" button at the top of the Online Designer to allow them to return back to the Codebook again.

Bug fix: When clicking the pencil icon next to a field on the Codebook page in a project, it would mistakenly not open the matrix popup dialog on the Online Designer but would instead open the normal "Edit Field" popup, which could cause issues with the display of the matrix if the user changed anything in the "Edit Field" popup and then saved it. (Bug emerged in version 6.7.0.)

Bug fix: If a drop-down field has the "auto-complete" feature enabled and a user on a data entry form tabs into or puts their cursor inside the drop-down's text box but then leaves the field without entering a value, then if the user clicked a link or button to navigate away from the form, it would mistakenly display the "Save your changes?" popup even though no values changed on the page.

Bug fix: If some survey invitations with reminders have been scheduled in a project, then the Survey Invitation Log might display an incorrect count of the total invitations on that page, which could be very confusing to users. This only occurs when reminders exist.

Bug fix: On the Record Status Dashboard page of a project that has Data Access Groups, if a user is not in a DAG and they select a DAG from the DAG drop-down at the top of the page, in which the DAG selected does not contain any records yet, then it would mistakenly display ALL the records in the project on the page and also mistakenly display the form status icon as gray for every form/record. In this case, it should instead display a table with no rows. (Bug emerged in version 6.7.1.)

Bug fix: When using the Double Data Entry module in a project, DDE user #1 or #2 would mistakenly be able to view and edit events displayed in the Upcoming Calendar Events table at the bottom of the Project Home page for records that do not belong to them but belong to another DDE user. It now only shows the records that belong to the DDE user and properly displays the record number (i.e., removes the --# ending) in the calendar description.

Version 6.7.1 (released 07/08/2015)

Improvement: On the Record Status Dashboard page of a project that has Data Access Groups, if a user is not in a DAG, then they will see a new drop-down at the top of the page to filter the records by any given DAG. Also, it will remember their selection in case they return to that page later, in which the drop-down will be pre-selected with their last selection of it during that same REDCap session.

Bug fix: If using Shibboleth authentication, then the biomedical ontology auto-suggest feature for Text fields will not work on survey pages (although it will work on data entry forms).

Bug fix: Certain API requests (e.g., File Export method) would return a response that was not gzip compressed but would mistakenly include the header "Content-Encoding: gzip" in the response, which could confuse some clients and cause the request to fail in specific situations. The API now only returns that gzip header if the API response is truly gzip compressed.

Improvement: Text fields with "Phone (North America)" validation now display the numeric keypad on iOS and Android devices instead of the QWERTY keyboard.

Bug fix: If a user goes to remove another user from their project, it might mistakenly display a warning message that the user being removed has used the REDCap Mobile App and therefore might have some unsynced data on the app. It will do this if the user doing the removing has initialized the project in the mobile app - i.e., not the user that is selected for removal.

Bug fix: When creating a Descriptive field on an instrument on the Online Designer and adding an inline YouTube video to that field, in certain web browsers the video frame might mistakenly be visible above any popups that open on the page, thus obscuring the contents of those popups.

Bug fix: If a project is utilizing the auto-complete functionality for a drop-down field on a survey or data entry form, then it would mistakenly display the "invalid value!" error message if the user began to type the answer and then clicked the answer in the list below it *only if* what had been typed thus far did not match any of the valid values from the drop-down.
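The 6.7.1 fix above for API responses that carried "Content-Encoding: gzip" without a compressed body can be illustrated from both sides. This is an added example, not REDCap's code: `build_response`, `decode_body` and the sample payload are hypothetical names and constructed data.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream (RFC 1952)

# Constructed sample payload (not real REDCap output).
SAMPLE_FILE = b"record_id,consent_pdf\n1,consent_0001.pdf\n"


def build_response(payload: bytes, compress: bool):
    """Server side: advertise gzip only when the body really was compressed."""
    headers = {"Content-Type": "application/octet-stream"}
    body = payload
    if compress:
        body = gzip.compress(payload)
        headers["Content-Encoding"] = "gzip"
    return headers, body


def decode_body(headers: dict, body: bytes):
    """Client side: return (decoded_body, header_mismatch).

    header_mismatch is True when the header claims gzip but the body is not
    a complete, valid gzip stream. In that case the raw body is returned
    unchanged so the caller can log the discrepancy and still use the data.
    Caveat: an uncompressed transfer of a file that is itself a .gz archive
    also starts with the magic bytes and cannot be told apart this way.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if lowered.get("content-encoding", "").strip().lower() != "gzip":
        return body, False
    if not body.startswith(GZIP_MAGIC):
        return body, True  # the pre-fix situation: header set, body plain
    try:
        return gzip.decompress(body), False
    except (OSError, EOFError, zlib.error):
        return body, True  # magic present but stream truncated or corrupt


if __name__ == "__main__":
    good = build_response(SAMPLE_FILE, compress=True)
    print(decode_body(*good))
    # Simulates the behaviour described in the bug fix: header without compression.
    print(decode_body({"Content-Encoding": "gzip"}, SAMPLE_FILE))
```
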

Version 6.7.0 - codename "Macaroon" (released 07/02/2015)

NEW FEATURES & IMPROVEMENTS:

o New feature: Text-to-speech functionality for surveys

Can be enabled on the Survey Settings page for any given survey. Once enabled for a survey, it will display a "speaker" icon next to all visible text. When the icon is clicked, it will audibly speak that text to the survey participant in their web browser. Participants can click the "Disable speech" button at the top of the survey to remove the icons if they do not wish to use the text-to-speech functionality, in which it will remember that preference if they return to another survey on that REDCap server in the future.

Many different languages are supported, in which the text-to-speech service is capable of reading text in various languages. For example, if all the survey questions are in Spanish, you can choose Spanish to be the text-to-speech language, which will allow the service to read the text more accurately for that language. (Note: This feature does *not* perform translation.) The language setting is also on the Survey Settings page.

Works on mobile devices when viewing the survey webpage in the mobile web view. However, the text-to-speech functionality is currently not supported in the REDCap Mobile App.

This feature can be disabled at the system level on the Modules Configuration page in the Control Center.

Note: This feature requires that your REDCap web server be able to make outbound HTTP requests to https://translate.google.com

o New feature: Embedded videos for Descriptive fields - Users can embed an externally hosted video (e.g., YouTube, Vimeo) on a data entry form or survey page by simply providing the video URL (web address). The video can be displayed inline on the page, or it can instead be initially hidden but displayed after clicking a button. Any video can be set to full-screen mode, if desired.

Works when viewed in a web browser on mobile devices.

This feature can be disabled at the system level on the Modules Configuration page in the Control Center.

Note: Video embedding is not currently supported in the REDCap Mobile App.

o New feature: Embedded audio for Descriptive fields - New option that will take an attached audio file (e.g., MP3, WAV) on a Descriptive field and display it in an embedded audio player on the data entry form or survey page.

Works when viewed in a web browser on mobile devices.

Note: Audio file embedding is not currently supported in the REDCap Mobile App.

o New feature: Action Tags

Action Tags are special terms that begin with the '@' sign that can be placed inside a field's Field Annotation. Each action tag has a corresponding action that is performed for the field when displayed on data entry forms and survey pages. Such actions may include hiding or disabling a given field (either on a survey, data entry form, or both).

Full list of all available action tags:

@HIDDEN - Hides the field on both the survey page and the data entry form. Field will stay hidden even if branching logic attempts to make it visible.

@HIDDEN-FORM - Hides the field only on the data entry form (i.e., not on the survey page). Field will stay hidden even if branching logic attempts to make it visible.

@HIDDEN-SURVEY - Hides the field only on the survey page (i.e., not on the data entry form). Field will stay hidden even if branching logic attempts to make it visible.

@READONLY - Makes the field read-only (i.e., disabled) on both the survey page and the data entry form so that its value cannot be changed.

@READONLY-FORM - Makes the field read-only (i.e., disabled) only on the data entry form (i.e., not on the survey page) so that its value cannot be changed.

@READONLY-SURVEY - Makes the field read-only (i.e., disabled) only on the survey page (i.e., not on the data entry form) so that its value cannot be changed.

o New feature: New auto-complete feature for drop-down fields and "sql" fields

Users can enable the auto-complete feature in the Online Designer for drop-down fields. (Note: Super users can also enable auto-complete for "sql" fields.) Auto-complete can also be enabled via the Data Dictionary by entering "autocomplete" in the validation column for "dropdown" and "sql" fields.

The auto-complete feature transforms the drop-down into a combobox that still functions as a normal drop-down list but has the additional capability of employing a text search on the options in the drop-down in order to find an option much more quickly. Enabling the auto-complete feature is most useful when a drop-down list is very long with lots of options.

Note: Even though users are able to hand-enter text into the text field when searching the autocomplete drop-down, it will not allow saving the value unless it is a valid option in the drop-down list.

o New feature: Enable searching within a biomedical ontology for text fields on a survey or data entry form

An ordinary text field on a survey or data entry form can have a special feature enabled that provides auto-complete functionality for real-time searching within biomedical ontologies, such as RxNorm, ICD-9, ICD-10, Snomed CT, LOINC, etc. There are over 400 ontologies available from which users may choose.

This feature can be enabled for any given Text field in the Add/Edit Field popup in the Online Designer by simply choosing an ontology in the ontology drop-down list in the popup.

This feature can be disabled at the system level on the Modules Configuration page in the Control Center.

Note: This feature utilizes the BioPortal API web service (see documentation at http://bioportal.bioontology.org), and thus it requires that your REDCap web server be able to make outbound HTTP requests to http://data.bioontology.org

o New feature: Auto-continue to next survey - Automatically start the next survey instrument after completing a survey.

On the Survey Settings page for any survey instrument listed on the Online Designer, under the "Survey Termination Options" section, the user can enable the survey auto-continue setting so that when that survey has been completed, the participant will automatically be redirected to the next survey instrument (if any exist after that survey). If the next instrument is a data entry form that has not been enabled as a survey, then it will be skipped during this process.

Linking surveys together is only supported inside the same event and must be enabled for each survey a user wishes to link. This feature allows users to have separate survey instruments strung together to appear as though they were a single survey to the participant. This is especially useful for complex longitudinal projects where different combinations of instruments are given in separate events. If enabled and this is the last survey, the selected termination option below will be used.

NOTE: If users wish to utilize more advanced conditional logic to control which survey that the participant goes to next, they should use the Survey Queue feature, which can be enabled in the Online Designer.

o New feature: New Survey Base URL (alternative to REDCap base URL used only when constructing web addresses for surveys)

This feature can be useful if you wish to use a different web address for surveys than for the web address where users normally log in to REDCap, such as if using a reverse-proxy server or separate web server for surveys.

The survey base URL will only be used when constructing survey URLs (e.g., when sending invitations to survey participants, displaying a public survey link). For all other URLs in REDCap, the REDCap base URL will be used.

This setting can be set on the General Configuration page in the Control Center immediately below the REDCap base URL setting.

o Improvement: Checkboxes and radio button fields on surveys and data entry forms can now be selected/checked by clicking the label text of the option rather than just clicking the checkbox or radio button itself. This makes it easier and more intuitive to select an option. (Note: This does not work on Internet Explorer 8 and earlier versions.)

o Improvement: The Codebook page in a project now has pencil icons next to each field so that when an icon is clicked it takes the user to the Online Designer and opens that field for editing. This allows users to quickly make edits to fields when viewing the Codebook. There also exists a "Return to Codebook" button at the top of the Online Designer to allow them to return back to the Codebook again.

o Improvement: Survey pages are now more compatible and better fitting to the screen when viewed on mobile devices.

o Improvement: New project-level attributes are now included in the "Export Project Information" API method. The following attributes were added: "project_irb_number", "project_grant_number", "project_pi_firstname", and "project_pi_lastname".

BUG FIXES & OTHER CHANGES:

o Bug fix: When using the Twilio telephony features in a project, the language instructing users on how to disable the Twilio "Request Inspector" setting was outdated.

o Bug fix: When executing a rule in the Data Quality module using Internet Explorer 9, it would always mistakenly return zero discrepancies because of a bug in IE9 that would cause the record drop-down list not to load properly whenever the user loads that page.

o Bug fix: Help & FAQ page was updated to remove some inaccuracies.

o Bug fix: When exporting a PDF of all forms/surveys with saved data in which an instrument ends with a matrix of fields, then on the instrument directly following that one, it might mistakenly mangle the text in the PDF and cause some fields or parts of fields to not get displayed (or not get displayed correctly) in the PDF.

o Bug fix: When using a min or max validation range for a date or datetime field on an instrument, if the value entered into the field was out of range, the error message displayed to the user would mistakenly represent the min/max values in Y-M-D format when it should instead display them in the field's designated date format.

o Change: The "API Tokens" link on the Control Center's left-hand menu has been moved to the "Users" section of the menu (in previous versions it was under the "Dashboard" section).

o Bug fix: When using the Data Resolution Workflow in a project that also has Double Data Entry enabled, if a user is assigned as DDE person #1 or #2 and accesses the Resolve Issues page in the project, it will mistakenly not display the record names correctly. This will cause the issues to not be displayed correctly when the button is clicked, and the link to the data entry form would not be correct.

o Bug fix: When using the Double Data Entry module in a project in which a user is assigned as DDE person #1 or #2, the "Displaying record" drop-down list at the top of the Record Status Dashboard page might mistakenly display records that are not theirs. This only affects the display of the drop-down and not their access to any records.

o Bug fix: When viewing the "Stats & Charts" page of a report, it would mistakenly not display any Text fields with non-numerical field validation.

o Bug fix: If a value is manually hand-entered into a datetime or datetime_seconds field on a survey or data entry form and if a leading zero is not included as part of the hour component in the time (e.g., 2015-01-31 9:45), then it would mistakenly not add the leading zero before saving the value, which could cause some sorting issues on reports and possibly some data quality issues. It now makes sure that the hour component in the time gets padded with a "0" if it is only entered as one digit. (Ticket #885)

o Bug fix: When exporting the PDF of a survey or data entry form that contains a matrix of fields, on certain occasions some fields in the matrix might mistakenly not have any space vertically between them. There should be one blank line of space between matrix field labels in the PDF.

o Bug fix: If the first field on a data entry form is a radio button field, in which the cursor is automatically moved to that field when the form is loaded, it will mistakenly allow users to type values via their keyboard into the radio button field invisibly and will mistakenly save those values when the form is saved (even though the typed values are not visible on the page), resulting in invalid data values being saved for that field. (Ticket #861)

o Bug fix: When using the Double Data Entry module in a project in which a user is assigned as DDE person #1 or #2, the "View or Edit Schedule" tab in the Scheduling module would mistakenly display records that are not theirs in the record drop-down list.

o Bug fix: If using filters in a report in which the filter value begins with "1-" (e.g., [study_id] = "1-35"), then it might mistakenly return a record named "1" in the report results (if record "1" exists) even if record "1" should not be returned in the results.

o Bug fix: For any user-defined field labels or saved text where the text contains a < character followed immediately by anything other than >, =, or a number, it would mistakenly truncate the text at the < character if it was not the beginning of a valid HTML tag (e.g., "<this would be removed> and <-so would this"). (Ticket #909)
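The truncation described in the last entry above (Ticket #909) is what happens when a filter treats every "<" as the start of a tag. The following added example, which is not REDCap's code, models that symptom with a simple regular expression and contrasts it with a filter that keeps a small allowlist of bare tags and escapes everything else; the allowlist and function names are hypothetical, and the input is assumed to be raw user text that has not already been HTML-escaped.

```python
import html
import re

# Hypothetical allowlist for this example; not REDCap's actual list.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "p"}

# A bare tag with no attributes: <b>, </b>, <br/>. Anything else is plain text.
BARE_TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)\s*/?>")

# Model of the reported symptom: '<' followed by anything except '>', '=' or a
# digit is taken as a tag start, and everything up to the next '>' (or the end
# of the text when no '>' follows) is dropped.
GREEDY_TAG = re.compile(r"<[^>=0-9][^>]*(?:>|\Z)")

# The example string quoted in the changelog entry.
SAMPLE = "<this would be removed> and <-so would this"


def naive_strip(text: str) -> str:
    """Symptom model: silently deletes user text that merely looks like a tag."""
    return GREEDY_TAG.sub("", text)


def escape_except_allowed(text: str) -> str:
    """Keep allowlisted bare tags verbatim; HTML-escape all other characters.

    Nothing is ever deleted, so a stray '<' cannot truncate the label, and a
    tag outside the allowlist (or one carrying attributes) is rendered as
    visible text instead of being interpreted by the browser.
    """
    out = []
    pos = 0
    for match in BARE_TAG.finditer(text):
        out.append(html.escape(text[pos:match.start()], quote=False))
        if match.group(1).lower() in ALLOWED_TAGS:
            out.append(match.group(0))
        else:
            out.append(html.escape(match.group(0), quote=False))
        pos = match.end()
    out.append(html.escape(text[pos:], quote=False))
    return "".join(out)


if __name__ == "__main__":
    for label in (SAMPLE, "<b>Weight</b> < 50 kg", "dose <5 mg"):
        print(repr(naive_strip(label)), "|", repr(escape_except_allowed(label)))
```
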

Version 6.6.2 (released 06/17/2015)

Improvement: When using the Twilio telephony services for SMS surveys and voice surveys, it now supports the Matrix Ranking functionality if enabled for a matrix of radio fields. It behaves by removing a matrix choice once it has already been used by a previous question in the matrix. And if the user attempts to enter an already used value, it will tell them that it is an invalid choice and to try again.

Major bug fix: If the REDCap web server has the "short_open_tag" setting in PHP set to "Off", then the page would crash when a user would attempt to enable an instrument as a survey in the Online Designer.

Change: In longitudinal projects the order of the "delete" buttons at the bottom of data entry forms has been changed so that the "Delete data for this event only" button now comes before the "Delete data for this form only" as a means of ordering them according to the severity of what they delete.

Bug fix: When using WebDAV file storage, inline image attachments for Descriptive fields and Signature field images would mistakenly not get displayed in a downloaded PDF of an instrument.

Bug fix: If a user was attempting to copy an instrument via the "Copy" option next to an instrument on the Online Designer, in which one or more multiple choice fields on that instrument had no choice options defined, then it would throw an error and prevent the instrument from being copied.

Bug fix: If the Email Domain Whitelist is enabled, then if a user logs in to REDCap for the first time and is prompted to enter their name and email address, it would mistakenly not enforce the Email Domain Whitelist but instead would allow the user to enter an email address of any domain. (This excludes users using Table-based authentication.)

Version 6.6.1 (released 06/09/2015)

Major bug fix: In the event that a public survey is being taken by a very large number of respondents simultaneously (e.g., hundreds or thousands of respondents per minute), there is a chance that some responses might mistakenly get merged together under the same record name when being saved, thus corrupting the data and making it difficult to manually split the separate responses into individual records. New methods have been implemented to ensure that this never happens.

Bug fix: When a user attempts to use the alternative method to obtain a mobile app initialization code on the REDCap Mobile App page in a project, if the REDCap web server is not able to communicate with redcap.vanderbilt.edu, which generates the code, then it would mistakenly return an incorrect 4-digit number to the user rather than the correct 10-character alphanumeric code.

Bug fix: In a longitudinal project containing multiple arms, if a user attempts to rename a record to a record name that exists in another arm, it would mistakenly display an error saying that the record could not be renamed. Instead, it should allow the record to be renamed for the current arm regardless of whether or not that same record name exists in other arms.

Bug fix: When using the Randomization module in a project and viewing the randomization dashboard page, the record names that appear in the "Allocated records" column of the table would mistakenly not wrap to the next line in the table cell but would instead be truncated.

Bug fix: When the cron job is expiring user accounts that have an expiration time set, it might mistakenly CC the sponsor of another user who is getting expired in that same batch of emails.

Bug fix: Confusing or incorrect instructions were given when exporting data into SPSS or SAS on a non-Windows operating system with regard to modifying the CSV data file's path in the syntax file.

Bug fix: When copying a project that has surveys, some survey attributes would mistakenly not get copied to the new project. This would include "display page numbers at top of page", "allow respondents to return and modify completed responses", "hide the Previous Page button", and the confirmation email settings.

Change: For clarity, a new note was added on the Security & Authentication page in the Control Center to denote that the Login Settings section is not applicable to Shibboleth authentication.

Post-release fix: If a project has record auto-numbering enabled and a user opens a data entry form to create a new record but instead clicks the Cancel button, then it would mistakenly skip a record number in the sequence when the next record was created.

Version 6.6.0 - codename "Frosted Sugar" (released 05/29/2015)

New features:

o Twilio telephony/IVR services (SMS surveys and phone surveys)

Other changes in this version:

o Bug fix: When using Rule H in the Data Quality module and clicking the "Fix calcs now" button, it would mistakenly not exclude any results that the user had explicitly excluded for that rule.

o Bug fix: When using Rule H in the Data Quality module, in which one or more results had been excluded and then the rule was run again at a later time, then if the user clicked the "view" link in the results popup to view the exclusions, the "Fix calcs now" button would fail to work if the user tried to click it afterward.

o Bug fix: When utilizing the Randomization module in a project that has UTF-8 encoded field labels for the randomization field or the strata fields used (especially if multi-byte characters are used in the label), then on certain occasions the Randomization Dashboard page would not display correctly.

o Bug fix: When survey participants returned to a partially completed survey, in which it displayed the "Start Over" button to allow them to erase their current responses and start the survey over from the beginning, it was too easy for them to accidentally click this button without realizing the repercussions of data loss. It now gives them an extra confirmation dialog that they must click so that they more fully understand the repercussions before starting the survey over.

Version 6.5.0 - codename "Oatmeal Raisin" (released 05/22/2015)

NEW FEATURES & IMPROVEMENTS:

o New feature: REDCap Mobile App for iOS and Android - The REDCap mobile app is an app that can be installed on a tablet or mobile device so that data may then be collected in an offline fashion on that device, after which it may then be synced back to this project on the REDCap server. The app is most useful when data collection will be performed where there is no internet service (e.g., no WiFi or cellular service) or where there is unreliable internet service. Once a user is given 'REDCap Mobile App' privileges in a project, they can navigate to the mobile app page on the left-hand menu and set up the project inside the mobile app on their device. Once the mobile project is set up on the device, the user can collect data (which is stored locally on the device), and then at some point sync that data back to their project on the REDCap server.

Documentation:

iOS app: https://itunes.apple.com/us/app/redcap-mobile-app/id972760478

Android app: https://play.google.com/store/apps/details?id=edu.vanderbilt.redcap

About the REDCap Mobile App (PDF): http://projectredcap.org/app/about.pdf

Security in the REDCap Mobile App (PDF): http://projectredcap.org/app/security.pdf

Before users can use the mobile app for a project, they must first be given "Mobile App" user privileges, after which they will be able to see the "REDCap Mobile App" link on the project's left-hand menu and then be able to access that page, which will provide links to download the Android and iOS app and instructions for initializing that project in the app on their mobile device. Note: When a user creates a new project, they will automatically be given "Mobile App" privileges by default.

There is an additional user privilege "Allow user to download data for all records to the app?" that specifically governs whether or not the user is allowed to download records from the server to the app. This may be done to prevent users from unwittingly (or wittingly) downloading lots of sensitive data to their mobile device. If a user is given this privilege, then when they initialize the project in the app and the project contains at least one record, then the app will prompt the user to choose if they wish to download all the records to the app or not.

Syncing data back to the REDCap server: When the user has collected some data in the app and now wishes to send the data back to the server, they will go to the "Send data to server" page in the app. If there are any possible issues that might arise when sending the data to the server, the app will prompt the user to make a decision before sending the data. For instance, if the project uses record auto-numbering, and a record already exists on the server with the same record name, then it will let the user know that it will rename the record accordingly during the sync process in order to prevent any overwriting of the record already on the server. There are many different scenarios that can occur in which a user might be prompted to make a decision, and the app is fully capable of providing the user with just the right amount of guidance so that they feel confident sending their data to the server with no issues.

Remote lockout: If a user sets up a REDCap project on the mobile app, and then another user revokes their "REDCap Mobile App" user privileges on the User Rights page in that project, then it will prevent them from accessing it on their mobile device by locking them out of that particular project. In this way, you may perform "remote lockout" to further protect data stored on mobile devices. Additionally, a user can revoke/delete their API token for the project, which will also cause a remote lockout, although the lockout will be permanent and will cause all data currently stored in the app to be lost.

Admins: If you do not want your REDCap end-users to be able to use the mobile app at all, the mobile app can be disabled at the system level, if desired. When disabled, it will hide all information and all pages that mention the mobile app as if it does not exist. This setting is located on the Control Center's Modules Configuration page.

o New feature: Copy Instrument - On the Online Designer, users can click the "Choose action" drop-down next to a given instrument to copy the instrument. They will be given the choice to name the new instrument and to also provide the suffix text that gets appended to each variable name to prevent duplication of variable names.

o New features: Instrument ZIP Upload and External Instrument Libraries

In the Online Designer, if a user clicks the "Choose action" button in the Instruction Actions column and selects "Download Instrument ZIP", they can download a zip file of that data collection instrument, which also includes any attachment files for descriptive fields in the instrument. Using this feature makes it easy to share an individual instrument with colleagues or to keep for yourself if you want to re-use it and re-upload it into another REDCap project.

If a user has obtained an instrument zip file from another project, from another user, from an institutional library of recommended zips, or from an External Instrument Library, they may upload the instrument on the Online Designer using the "Upload" button to add the instrument to the list of data collection instruments in the project.

External Instrument Libraries now exist in which REDCap users can navigate to an external website that can provide them with an instrument in the REDCap instrument zip format so that they can then take that zip file and upload the instrument into their REDCap project. It is somewhat similar to how the Shared Library works, except these external libraries are not associated with the REDCap consortium but are advertised as REDCap-friendly libraries or tools for creating instruments. The Online Designer contains a link to the current list of recommended external libraries where instrument zip files can be downloaded by users.

o New feature: Auto-scoring Instruments - A new class of instruments called "auto-scoring instruments" was recently added to the REDCap Shared Library. They cannot be used by previous REDCap versions but only by v6.5.0 and later. An auto-scoring instrument is a type of survey that contains scoring that is automatically performed and saved once the survey has been completed. Most of them are referred to as "short forms". An auto-scoring instrument is static (not adaptive), and can only be implemented in survey format as one question at a time. Similar to CATs (computer adaptive tests) downloaded from the Shared Library, users will not be able to modify any fields on the instrument at any time. This auto-scoring instrument can only be taken in survey form. If the data entry form is viewed for this instrument, all fields will be displayed as read-only. Also similar to CATs, auto-scoring instruments utilize the external CAT server hosted by Vanderbilt University. The external server provides the auto-scoring functionality once the survey has been completed. Users can find these auto-scoring instruments by searching the REDCap Shared Library.

o New feature: Field Annotation - Can be used to add explanatory notes or commentary about a given field. An annotation can be added to any field via the Online Designer or Data Dictionary (column R). It can be used for several purposes, such as for the bookkeeping of a project's field structure (as metadata about the given field) for reference purposes regarding what the field represents or how it should be used (during data entry, analysis, etc.).

Field annotations are not displayed on any page but are merely for reference. Field annotations can also be used to map the field to various standards (e.g., CDISC, SNOMED, LOINC) using whatever notation the user sees fit (e.g., using a simple ID code for the standard or a complex XML structure containing information about how to transform the data to the standard). Since it is just an annotation for reference purposes, REDCap will not do anything with the field annotation text on its own, but the annotation can be obtained by users at any time for any purpose (typically accessed via the Data Dictionary download or via the API metadata export). Summarily, field annotations are essentially open-ended, so users may use them in whatever way they so choose.

o New feature: Project Notes - When creating a new project, users may optionally provide project notes, which are comments describing the project's use or purpose for documentation purposes. Once a project has been created, its project notes can be edited in the "Modify project title…" popup on the Project Setup page. Also, any projects having project notes will have a small icon displayed next to the project title on the My Projects page, and if a user moves their cursor over the project title, it will display the project notes in a hovering tooltip so that it can be quickly viewed. The project notes text can also be useful for other things, such as if someone is utilizing the Field Annotation attributes of fields in the project for standards mapping, in which the project notes fields could be used as a way to store project-level metadata about how the Field Annotation is being used (e.g., what type of standard is being used).

o New feature: API method "Export Project Information" - Exports some of the basic attributes of a given REDCap project, such as the project's title, if it is longitudinal, if surveys are enabled, the time the project was created and moved to production, etc. See the official API documentation/help page in 6.5.0 for all the details.

o Improvements to the REDCap Upgrade Module

Improvement: The REDCap Upgrade module now has an option to download the SQL upgrade script as a file, which can be saved on the database server and then executed by MySQL command line. The upgrade module displays instructions on how to execute that file in MySQL, which sometimes may be preferable to executing all the SQL upgrade commands in a window in a MySQL client, which could time out if it runs too long.

Improvement: REDCap can now (on certain occasions) be upgraded to a newer version without being taken offline. The upgrade module now has the ability to let an administrator know if an upgrade can be performed without setting REDCap's online status to "offline" beforehand. If the upgrade module detects that this is possible, it will provide a note about it in Step 1 of the upgrade page. In instances where REDCap is upgraded without being taken offline, there are special safeguards in place to prevent loss of data while users are using REDCap during the upgrade. Being able to upgrade REDCap without taking it offline will be a great asset to institutions that upgrade often.

o New feature: New delete buttons at the bottom of data entry forms allow users to delete all data on the current form of a given record and also (for longitudinal projects) to delete all data on the current event of a given record. The user must have "Delete records" user privileges in order for these buttons to be displayed and utilized.

o Improvement: When building reports in a longitudinal project, Step 3 now contains a new checkbox option: "Show data for all events for each record returned". If this option is CHECKED, then *all* events are returned for each record, but if UNCHECKED, then some events in each record *may* get removed (depending on the filters defined in the report). This option provides users with more control when using report filters, in which it allows them to apply filters to return a group of records (e.g., a cohort) and then optionally filter those records returned even further, such as by removing specific events. This will make report filtering much more palatable for longitudinal projects.

o Improvement: When building a report on the "Data Exports, Reports, and Stats" page, a new "Quick Add" button has been added to Step 2, in which it opens a popup window to allow users to select fields for the report very rapidly using the old-style checkboxes (similar to the Data Export Tool in REDCap version 5.X).

o Improvement: On the "Data Exports, Reports, and Stats" page, users can now create a new report based on the custom selections made in Report B. This makes it much easier to create a report that includes all fields from many instruments and/or events.

o Improvement: On the Browse Users page in the Control Center, a new user account setting called "Display user on 'Email Users' page?" can be set to "No" so that an individual user will no longer be displayed on the Email Users page in the Control Center, thus preventing them from receiving any emails sent using that page. This can be useful if a user requests to opt out of system-wide announcements sent to REDCap users by administrators, for example.

o Improvement: The Data Entry Trigger now sends the parameter "username" to the defined URL. This corresponds to the REDCap user that is triggering the Data Entry Trigger. Note: If it is triggered by a survey page (as opposed to a data entry form), then the username that will be reported will be '[survey respondent]'.

o Improvement: New option for Automated Survey Invitations to ensure that the ASI's conditional logic is still true before sending the survey invitation. When enabled, REDCap will re-evaluate the logic against the record's data values whenever the record values are changed AFTER the invitation has been scheduled but BEFORE it has been sent to the respondent. And if the logic is no longer true (i.e., if the data values have changed during the time after the survey invitation was scheduled), it will not send the invitation to the respondent but will instead delete it (as if it had never been scheduled). Additionally, if the invitations get deleted due to this setting, then the invitations *may* get scheduled again later if data values are changed such that the logic evaluates as true again. Enabling this setting provides you with greater control over when and how invitations get sent when using conditional logic for Automated Survey Invitations.

BUGS & OTHER CHANGES:

o Major bug fix: For user-uploaded files on the File Repository page in a project, it is possible for a user to manipulate the URL of a given uploaded file and be able to view the name/label, filename, and upload date of files in the File Repository of other projects to which the user does not have access. The user would not be able to edit or delete the files from other projects, but could only view the file's associated metadata information.

o Major bug fix: When utilizing datediff() and some other advanced logic functions in the logic used in Data Quality rules, Automated Survey Invitations, Survey Queue, report filters, etc., it might mistakenly evaluate the logic as true when it should return false. This could cause Automated Survey Invitations to get sent prematurely or cause surveys to appear in the Survey Queue prematurely, among other things.

o Major bug fix: If any data had been imported into REDCap using the Dynamic Data Pull (DDP) module, it would no longer be able to display the data in the DDP adjudication popup. This is due to an inadvertent, recent change in REDCap to accommodate issues with Mcrypt in PHP 5.6. REDCap will have to refresh the cache of all non-adjudicated data imported via DDP from the source system. This will not affect any data that has already been imported via DDP. The data refresh may take several hours to complete after the REDCap upgrade has finished.

o Major bug fix: When using the round() function in a calculated field, in which the calculation results in a value of "0", it might get mistakenly reverted back to a blank/null value if running Rule H on the Data Quality module or if an auto-calculation is triggered when using cross-form or cross-event calculations. This bug emerged in REDCap 6.3.0.

o Improvement: Longitudinal projects using lots of calc fields should now experience a speed improvement when it comes to performing and saving auto-calculations on data entry forms/surveys and also for Rule H on the Data Quality page.

o Improvement: General speed improvement when it comes to performing and saving auto-calculations on data entry forms/surveys. In versions 6.3.0 till 6.4.6, it would evaluate *all* fields on a form/survey when performing auto-calculations, but it now only evaluates fields on the page whose value was changed, deleted, or added. This will allow it to ignore irrelevant fields and thus increase the processing speed of calculated fields in general.

o Improvement/change: On the "Data Exports, Reports, and Stats" page, the multi-select boxes (e.g., those in User Access or in Additional Filters section) now behave more intuitively when users select choices from them. Users no longer need to hold down the Ctrl/Command button when clicking multiple choices, but instead simply clicking a choice adds it as selected without de-selecting the other options already selected.

o Improvement: When viewing reports in longitudinal projects, any fields displayed in the report that are not designated for that particular event (i.e., row in the report) will be grayed out to show that the field is not designated. This makes it easier for users to discern if a field's value is not applicable or if it is missing.

o Improvement: Added new "Edit project settings in Control Center" link at the top of every project's Project Setup page (can be seen only by super users), which allows them to navigate to the Control Center in order to modify any project-level settings that only administrators are allowed to modify (e.g., enable Double Data Entry).

o Change: The parent-child functionality (i.e. project linking feature) has been removed in REDCap 6.5.0 and all versions thereafter. Any projects that were using the parent-child functionality will now operate as normal projects do and will no longer be linked to each other in any way. All functionality related to the parent-child feature (e.g., being able to export parent data from the child Data Export page, viewing parent or child forms on the left-hand menu of the other project) will cease to work and will be removed automatically. However, during the REDCap upgrade process, a project bookmark will be added to both the parent and child project so that users can navigate back and forth easily from the parent project to the child (and vice versa). And if a record is being viewed in the child, then clicking the bookmark will take the user to that same record in a data entry form in the parent project (and vice versa). For the announcement and discussion of why this feature was removed, please see https://groups.google.com/d/msg/project-redcap/CqXDO2JjawU/Kokyz4vhu6wJ

o Change: Temporary passwords are no longer sent in emails when resetting passwords for Table-based users or when creating new Table-based user accounts. Instead, a unique link is sent in the email that will allow the user to set a new password for their REDCap account.

o Improvement/change: The Browse Projects page in the Control Center no longer displays Archived projects by default but instead displays a "Show Archived Projects" link at the top of the page that, when clicked, will display the Archived projects in the project list.

o Improvement: If using the Dynamic Data Pull (DDP) module in a project, and the value of the source identifier field (e.g., MRN) for a given record is changed *after* REDCap has already imported and cached the data from the source system for that record, then it will now purge the previously cached values for the record, after which it will begin to import new data from the source system for the new value of the source identifier field.

o Change: Information on the "sql" field type is no longer located on the REDCap consortium wiki but has been integrated into the Online Designer (for super users only).

o Change: Record auto-numbering is enabled by default for new projects that are created from scratch.

o Change: When performing a fresh installation of REDCap, all the template projects now have record auto-numbering enabled. (Note: This will not enable record auto-numbering for template projects that already exist.)

o Change/improvement: When an administrator is approving production changes to a project, the optional feature to send the user an email so that they may confirm the pending changes now has slightly modified text for the pre-filled confirmation email in order to improve clarity regarding what the user should do.

o Change: The auto-suggest functionality for searching for users on the Browse Users page, Browse Projects page, or User Rights page in a project now ignores commas so that more accurate results are returned in cases where a user enters "LastName, FirstName", for example.

o Improvement: Added user's "sponsor" and "Institution ID" field for their user account to the popup that lists users on the Browse Users page in the Control Center.

o Change: Due to the fact that Google is deprecating OpenID 2.0, which was used by REDCap in versions prior to REDCap 6.5.0, the "OpenID (Google)" authentication method in REDCap will now utilize Google OpenID Connect (OAuth2), which uses a different protocol. So as far as the REDCap user is concerned, their login process will not change at all. However, this change to using OAuth2 requires an extra setup step, in which a REDCap administrator must go to the Security & Authentication page in the Control Center and enter a Client ID and Client Secret if they are using the "OpenID (Google)" authentication method. If they upgrade to REDCap 6.5.0 and then log in, they will immediately see an error message giving the administrators instructions on how to obtain a Client ID and Client Secret for the Google API, which should only take a few minutes.

o Change: When creating Project Bookmarks in a project (or Custom Application Links in the Control Center), the "Link URL / Destination" is no longer required to be a full URL (beginning with "http") but can now be a relative link (i.e., beginning with "/") or can begin with another non-http protocol. This adds flexibility for users creating bookmarks.

o Change: When adding the URL for a Data Entry Trigger for a project, it is no longer required to be a full URL (beginning with "http") but can now be a relative link that begins with "/".

o Change/improvement: New instructional text was added to the top of the "Help & FAQ" page to inform the user that they can use Ctrl+F (or Command+F) on their keyboard to do a keyword search on the page.

o Bug fix: When using the Data Comparison Tool for a project with Double Data Entry enabled, if the records entered by DDE person 1 and person 2 had a record name that was in a different case than the other in the pair, then it would mistakenly not allow the user to compare the pair of records nor merge them together. (Ticket #823)

o Bug fix: When using the Scheduling module in a longitudinal project containing more than one arm, in which either the Custom Record Label or Secondary Unique Field is being used, then it would mistakenly display the Custom Record Label or Secondary Unique Field for only the records from the first arm. For all other arms, there would not be a value displayed for the Custom Record Label or Secondary Unique Field for a given record in that arm. (Ticket #790)

o Change/bug fix: When editing the record ID field (i.e., first field in project) in the Online Designer when record auto-numbering has been enabled in the project, it would not allow you to set the validation as "Integer" even though "Integer" is technically a valid option when record auto-numbering is enabled. It will now allow you to set it as "Integer" but will display an error message if changed to any other validation type. In previous versions, the field validation for the record ID field could be changed via the data dictionary but not in the Online Designer. (Ticket #736)

o Bug fix: For longitudinal projects that utilize surveys in which a survey is not designated for the first event in the project, when a user first navigates to the Participant List page (i.e., by clicking the "Participant List" tab), it would mistakenly not have the first option selected in the drop-down list of surveys in the Participant List. This might cause the user to think they are viewing the Participant List of a different survey if they are not paying close attention.

o Improvement: It now does a better job of not removing "<>", "<=", or "<"+number in text, which in previous versions might mistakenly get removed on certain pages (e.g. field labels on forms/surveys) because they were assumed to be an illegal HTML tag.

o Change: Some text was added below the big text box on the Email Users page in the Control Center to remind administrators that they are permitted to use HTML formatting in the body of their email message.

o Bug fix: On certain rare occasions, such as when a user is assigned to a Data Access Group and records have been created via a data import of only the record ID field and no other fields, the Record Status Dashboard might mistakenly not display all the records that it should on the page.

o Bug fix: Any users that were suspended from the system but still had a user-level expiration date set would mistakenly receive an email warning letting them know that their account would expire soon, which is confusing because their account had already been suspended. It now no longer sends the expiration warning email to suspended users.

o Change: The font size of some of the text on the main login form was increased.

o Bug fix: When viewing the Stats & Charts view of a report (excluding Report A and B), the fields would mistakenly not be displayed in the order in which they are defined in the report but instead would be displayed according to their order/placement as displayed on the project's instruments.

o Bug fix: When adding new arms or renaming arms on the Define My Events page in a longitudinal project, certain non-Latin (UTF-8) characters would not save correctly in the arm name, thus resulting in a black question mark symbol for that character. (Ticket #825)

o Bug fix: When viewing a PDF export of a survey or data entry form in which non-Latin (UTF-8) characters are used in a Slider field's field label or in its slider labels, the text would not display correctly in the PDF. (Ticket #683)

o Bug fix: When creating a new instrument from scratch in the Online Designer, if a new instrument's name is very close to an existing instrument's name, in which the name is also very long (>50 characters), then there is a chance that when the instrument is being created it will get stuck in an infinite loop and never actually create the instrument.

o Bug fix: When viewing the Stats & Charts page of a report that has filters and is in a longitudinal project, in which the record ID field is not a field in the report, it would mistakenly not display the charts on the page and would have incorrect counts for the descriptive stats for each field.

o Change: The "Help & FAQ" page was updated.

o Change/improvement: When using the Scheduling module in a project with multiple arms, if a user chooses to schedule an existing record by selecting the record from the drop-down on that page, it will now auto-select the arm in the arm drop-down based on the arm on which that record exists. If the record exists on multiple arms, it will auto-select the first arm on which it exists. This will prevent users from inadvertently scheduling a record on the wrong arm while also giving the user the flexibility to schedule the record on another arm, if they choose to do so, by changing the arm selection from the one that is auto-selected for them.

o Change: When the recipient of a Send-It file loads the webpage to download their file, the password field now has the autocomplete="off" attribute to prevent web browsers from possibly auto-filling the password, if the browser had somehow stored it.

o Bug fix: A change in PHP 5.6 for Mcrypt encryption/decryption would cause a few very minor things to fail internally for very specific configurations.

o Bug fix: When adding a new filter field in a report, if the user then selected the operator drop-down or value drop-down for that filter field within 2 seconds of selecting the field used in the filter, it would mistakenly cause the drop-down selection to jump around to different options while being selected, which could be frustrating.

o Bug fix: When using record auto-numbering in a longitudinal project, there is a chance that when two users are creating a record at the same time in which one user clicks the "Save and Continue" button on the form to create the record, they will mistakenly get locked out of that record until the other user saves their record and leaves the data entry form. It does not appear that data gets overwritten for the record nor that records get duplicated. It merely locks a user out of a record mistakenly when it should not.

o Bug fix: The field validation type "Phone (U.S.)" was modified to be more inclusive of more area codes. Also, it was renamed to "Phone (North America)" since it actually applies to all of North America and not just the United States.

o Change/improvement: When viewing the Survey Queue of a record in a longitudinal project, it now displays the event name in parentheses next to the survey title in each row. In previous versions, it did not display the event name, which could make it difficult to know which survey in the queue belonged to which event.

o Change/improvement: When navigating to the Data Quality module in a project, the record drop-down list on that page now loads via AJAX after the page has been fully loaded. This makes the page load much faster for projects containing lots of records.

o Bug fix: When viewing the Survey Queue of a record in which one or more of the completed surveys in the queue have the setting enabled to "allow respondents to return and modify completed responses", then if more than 5 surveys were completed in the queue, it would compact the rows of those surveys but would mistakenly not compact the "Edit response" buttons on those rows. So the buttons would display even though the row itself was hidden, which is confusing to the user.

o Change/improvement: The Stata syntax file that is produced during data exports now explicitly defines the minimum version as Stata 12. This reduces the number of issues that might occur when loading REDCap data into Stata by setting the first line of the syntax file as "version 12".

o Bug fix: When a user that is assigned to a Data Access Group is accessing a longitudinal project via the mobile web view, it would mistakenly display all the records for the project in the record drop-down list on the page when instead it should only display the records belonging to the user's DAG. If the user clicked any records not in their DAG, it would not allow them to access them, as expected.

o Change: When uploading a data dictionary containing a Text field with a min or max validation range in which the validation type of the field is a "number_Xdp" validation, it will accept values for the min or max if it is a number even though it does not follow the validation rule explicitly (e.g., it will allow a min of 5.6 even though the validation requires 3 decimal places). This is done because Microsoft Excel often removes any trailing zeros after decimals when opening the data dictionary and re-saving it. So this serves as a workaround for Excel's undesirable behavior without compromising anything with regard to data quality.

o Bug fix: When using the REDCap::getData() method in a plugin or hook and providing a value for the $filterLogic parameter in which no records in the project match that logic, then instead of returning an empty array as it should, it would mistakenly return an array of every event's default values with a blank/null as the array's key (i.e., with a blank record name).

o Bug fix: When using the auto-start feature for a survey in the Survey Queue, it would mistakenly not trigger the redcap_survey_complete hook when the survey was completed before auto-starting the next survey in the queue.

o Bug fix: When a plugin or hook calls the REDCap::getData method for a project having a Data Access Group whose unique group name is numerical, it would ignore that numerical-named DAG if passed in the method's $groups parameter, thus causing an incorrect data set to be returned. (Ticket #839)

o Bug fix: The "email" field validation type was modified to be more inclusive so that it now allows for plus signs (+) in email addresses, which is allowable for certain email services.

o Bug fix: Some language was mistakenly not abstracted (i.e., was hard-coded in English) in the "Return Code" popup on a survey's "Save & Return Later" page.

o Bug fix: The JavaScript functions that enable Slider fields and reset their value were mistakenly employing branching logic prior to calculations when it should have been performing calculations first for calc fields.

o Bug fix: A user with special knowledge of how the Data Access Group page in a project makes AJAX requests to load the DAG list on that page might be able to bypass certain user privileges, such as being able to remove or change their own DAG assignment. (Ticket #848)

o Change: When the API crashes due to exceeding web server memory during a data export or import, it now returns a 500 error code with the message "REDCap ran out of server memory. The request cannot be processed. Please try importing/exporting a smaller amount of data." In previous versions, it would return different status codes, which could be confusing and not helpful for the user to troubleshoot the situation. (Ticket #847)

o Bug fix: When using the method REDCap::getPDF() inside a REDCap hook, it would mistakenly force a PDF file download instead of returning the PDF content string. It would work as expected for plugins but would only fail for hooks.

o Bug fix: If the REDCap web server is on PHP 5.5.0 or higher, then it would fail whenever a user attempted to submit a data collection instrument to the REDCap Shared Library.

o Change: The file_import.php file inside the API Example ZIP file was updated to work with PHP 5.5.0 and higher.

o Bug fix: When initially installing REDCap, the two template projects named "Longitudinal Database (1 arm)" and "Longitudinal Database (2 arms)" that are auto-created during the installation contain some fields whose field label does not match the variable name, which could be confusing. (Ticket #858)

o Bug fix: For certain web server configurations, some REDCap installations are not able to use the PROMIS CATs functionality due to cURL not being able to verify the PROMIS server's SSL certificate. This is now more compatible to work for all server configurations. (Ticket #862)

o Bug fix: If the extra UTF-8 PDF package for REDCap has not been installed on the web server, then when a user attempts to export a PDF of a form/survey containing Signature field images, it would throw a PHP fatal error. It now displays the text "[signature]" in the PDF in this case when it is not able to display the Signature image itself inside the PDF.

o Change: For the REDCap cron job, the maximum execution time in PHP was increased from 20 minutes to 60 minutes to prevent some long cron jobs from timing out.

o Bug fix: When a Table-based user resets their own password and is setting a new one, in which they attempt to enter a password that has fewer than 9 characters, which is the minimum, it displays an error message that mistakenly says it must be "10 characters" at minimum when it should instead say "9 characters". (Ticket #875)

o Bug fix: When clicking the "Erase all data" button on the Other Functionality page in a project, although it does make all files in the File Repository no longer accessible (i.e., "deleted"), as it should, it mistakenly does not set those files for deletion on the server after 30 days. So those files mistakenly never get removed from the back-end after 30 days but instead remain on the server indefinitely as permanently orphaned.

o Bug fix: If the Participant List for a survey contains more than 50 participants, and a user goes to remove a participant, then after removing the participant, it would mistakenly reset the list back to the first page of participants rather than keeping it on the current page of participants. This would make it very difficult to remove many participants in some cases.

o Change: The API method "Export Users" will now return two new attributes for each user: "mobile_app" and "mobile_app_download_data". If mobile_app's value is "1", then the user has privileges to use the REDCap Mobile App for that project. If "0", then not. If mobile_app_download_data's value is "1", then the user has the ability to download all records from the project to the mobile app, but if "0", then the user will not have the option in the app to download any records to the app.

o Bug fix: When using survey invitation reminders for a PROMIS or Neuro-Qol CAT, when the survey is completed by the participant, it would mistakenly not delete any reminders that were still to be sent in the future. This would cause the participant to keep receiving the survey invitation reminders (if any had not been sent at that point) after they had completed the survey, which is confusing.

o Bug fix: When using a survey confirmation email for a PROMIS or Neuro-Qol CAT, when the survey is completed by the participant, it would mistakenly not send the confirmation email to the participant.

o Improvement/bug fix: If a survey's title is blank (has no text), then the row for this survey in the Survey Queue would show up as blank, which could be confusing to participants. This also occurs in the Automated Survey Invitation setup popup, in which the survey's option shows up as blank in the drop-down list of surveys. In these cases, it now displays the instrument name in place of the title if the title is blank.

o Bug fix: In certain cases when a user has been suspended after their user expiration has taken effect for their user account, it would mistakenly keep sending them an email each week to let them know that their account was just suspended.

o Change: Replaced the "Detailed Overview" video

o Bug fix: When using the Dynamic Data Pull (DDP) module in a project, under certain circumstances (e.g., a record was missing a value in REDCap for the external source's identifier field when data is being pulled via the cron job) a record would mistakenly get used endlessly by the cron job when fetching data from the source system, which could bog it down and overwhelm the DDP data web service that calls the source system.

o Post-release fix: If the REDCap server is set to send its stats to the consortium "automatically" and fails to do so, then it would redirect the user to the Control Center and keep reloading the page over and over again to no end.