Release Notes 15-04-2026

Comprehensive Data Table Security Audit - Security hardening applied to 24 data tables across the platform. All tables now properly sanitise user-supplied data before display.

Security Hardening on Training Results Endpoint - The training results endpoint now requires proper authentication and validates all input before processing.

Security Hardening on Permit Type File Deletion - Permit type file deletion endpoints now require proper authentication and authorisation checks.

Security Hardening on Equipment Document Upload - The equipment document upload route now requires proper authentication before accepting file uploads.

Login Page Security Improvement - The login page now shows the same generic error message regardless of whether the email exists, preventing user account enumeration.

Email HTML Injection Fix - Incident notification emails now properly sanitise incident and project names.

Worker Document History Security - Security hardening applied to the worker document history table to prevent script injection via comment fields.

Email Verification Rate Limiting - The public email verification endpoint now includes rate limiting to prevent abuse.

Enterprise Starter Registration Fix - Fixed an error during the Enterprise Starter registration process when form validation failed.

Staff Email Verification Workflow - Staff email address changes now go through an email verification process. The change only takes effect once confirmed via the new email address.

Permission Scheme Display on Staff Profile - The staff detail panel now displays the assigned Permission Scheme name with a "Manage" link.

Staff Permissions Export Audit Columns - The Staff Permissions CSV export now includes "Updated By (Email)", "Updated By (Staff ID)", and "Last Updated" columns.

Staff Document Expiry Alerts for Uploaders - Staff who upload documents on behalf of others now receive dashboard alerts when those documents are expired or expiring.

Staff Document Expiry Email Improvements - Document expiry email notifications now include the file name, category, staff member name, and organisation name.

Transfer Actions from Inactive Staff - Inspection actions can now be transferred away from deactivated or inactive staff members.

Staff Detail Suppliers Tab Fix - Fixed the Suppliers tab on the Staff Detail page which was showing no data.

Staff Editing Error Fix - Fixed an error caused by phone number validation being too restrictive.

Registration Page Redesign - The Staff and Worker registration pages have been refreshed with the updated design.

Form Uncancel Capability - Staff with Permit Admin permissions can now uncancel a cancelled form, restoring it to its previous status.

AI Review Loading State - A loading spinner now appears while the AI review is processing, with inline error and retry if it fails.

CTA Buttons Disabled During AI Review - Action buttons are now disabled while an AI review is in progress on a form.

AI Review Feedback Auto-Expand - The AI review feedback section now opens automatically when results arrive.

AI Review Auto-Scroll - After an AI review completes, the page automatically scrolls to bring the feedback into view.

Form Answer Change Notifications - Email notifications for form answer changes now show clearer descriptions for first-time feedback.

File Upload UI Improvement - The oversized trash can icon has been replaced with a cleaner "Remove" text link.

Form Question Inline Feedback Now Visible - Form question feedback (Action Required and Feedback) is now visible directly in the form detail view, with a slide-over panel for full feedback history and inclusion in PDF exports.

Permit Type File Upload Fix - Fixed an issue where uploaded files on a Form Type disappeared when editing the configuration.

Corrective Actions Inline Editing Fix - The Edit action on pending corrective actions and investigations now works correctly.

Incident History File Type Display - File-type question changes now display correctly in the incident History tab.

Incident File Upload Button Fix - The file upload button no longer disappears after uploading an unsupported file type.

Contractor Worker Incident Access - Contractor workers can no longer view other workers' incident details by navigating directly to the URL.

Incident Tags Column Header - The Tags column header has been shortened so it no longer overflows.

Incident Classification Error Fix - Fixed an error that could occur when opening an incident form where classification data was not yet configured.

Notification Group Staff Filter - Unregistered staff members no longer appear in staff selection dropdowns across the Incident module.

Inspection Column Sorting - Sorting now works correctly on the Status, Completed/Pending, and Inspection columns across multiple views.

Inspection Supplier Filter Fix - The supplier filter dropdown no longer shows deleted, declined, or inactive suppliers.

Risk Review Comments Fix - Risk Review organiser comments now save and display correctly.

Risk Register Special Characters Fix - Comments containing special characters no longer cause the page to break.

Risk Register Console Error Fix - Fixed a console error when opening the Manage Controls panel.

Risk Register Action Owner Access - Action Owners can now browse and view the Risk Register without the dedicated permission.

Permission-Based Site Visibility - Staff without organisation-level site permissions now only see sites they are directly assigned to.

Add Location Mobile Fix - The action buttons on the Add Location form are now visible and usable on mobile devices.

Plant ID Column Sorting - The ID column in the Plant & Vehicles list can now be sorted.

Plant Site Assignment Fix - Fixed inconsistent results in the site assignment dropdown for plant items.

Invite Contractor Fix - Fixed a fatal error when inviting a contractor already registered with another organisation.

Documents Approved Without Expiry Fix - The "No Expiry" flag is now correctly cleared when a document is superseded.

Worker Supplier Filter Persistence - The Supplier filter on the Workers list now persists correctly after viewing a worker profile.

Unregistered Worker Form Name Fix - Forms submitted by unregistered workers now display the correct worker name.

Global Documents Performance - The Global Documents list now loads significantly faster.

Global Documents Dashboard Fix - Global documents no longer disappear from the contractor dashboard after category changes.

Dashboard CTA Link Fix - The "Click Here" link in document category alerts now displays correctly as a clickable link.

SCORM Upload Description - Activity descriptions now show the staff member's name instead of "Uploaded via API".

Moodle Enrolment Retry - The system now automatically retries failed enrolments during high-load periods.

Organisation Logo in Emails - Organisation logos now appear correctly in document expiry and dashboard reminder emails.

Configurable Support Email - System email templates now display the organisation's own support email address instead of the generic one.

Document Expiry Alerts for Inactive Users - Expiry alert emails are no longer sent to deactivated, archived, or deleted employees.

Client Logo Cropper Rebuilt - The logo cropper has been rebuilt with zoom controls, a "Use Entire Image" button, and a live preview.

Security Default Deletion Protection - Deleting an in-use Security Default now shows a clear error message instead of a system error.

Worker Card Generation Fix - Fixed an error preventing contractor worker card and sticker generation.

Add Plant / Assign to Organisation Fix - Fixed an error preventing contractors from adding or assigning plant items.

Licence Invoice Fix - The licence purchase process now correctly records the tax invoice after payment.

Competency Matrix Error Fix - Fixed an error on the Competency Matrix page when loading filtered data.

ACU API Staff Update Fix - Partial staff updates no longer accidentally clear other fields.

Staff API Unicode Sanitisation - The Staff APIs now strip invisible Unicode characters from name and address fields.

API Pagination Ordering - Five API endpoints now return results in a consistent order.

Onboarding Error Fix - Fixed a production error with unauthenticated onboarding requests.

Supplier Compliance Tab Error Fix - Fixed a production error on the Supplier compliance tab.