The Message

Release song: https://youtu.be/KXqKswtX_KU

Kindly note that this is a release candidate. While it has been audited and tested in depth, there are likely still bugs or glitches. Please wait for the official v2.0.0 release if you prefer a fully stable version.

The main aspect of this release is the upgrade of the passbolt api code base to CakePHP v3. It also ships with improvements such as a simplified configuration system, a better XSS protection and more tolerant validation rules. See the full list below.

This release is a complete rewrite of passbolt server component. We now have a code that is better organised, easier to read and simpler to maintain. Don’t just take our word for it: this new code base has been audited by CakeDC, the experts behind CakePHP. Check out the result of this independent 3rd party code review.

To report any bug / feedback / improvement suggestion regarding passbolt v2.0.0-rc1, you can do it through the traditional channels (github and community forum). Please add [v2.0.0-rc1] in the title so we can identify it more easily. This release candidate is a major version upgrade, so it requires more steps compared to a usual update. You will need to follow the migration instructions available here.

What next? We’ll spend the next few weeks fixing the remaining bugs reported by you and release the final v2.0.0. Then, after this long maintenance cycle, we all deserve some new features. That’s right, we will be working on the most requested ones such as Tags (we need your feedback), Import / Export, and a web-based installer. Some of these features will be shipped directly with v2.0.0.

Passbolt API

Security

• XSS protection improvements, with a new test suite dedicated for XSS.
• HTTP security headers are enabled by default and can be disabled using configuration options.
• Json responses server signature (experimental).

Improved

• An expired setup link can be re-sent through the recovery procedure.
• Dropped SQL views (will allow supporting additional database backends).
• Simplified configuration system. The entire configuration will be done in one dedicated file with safer defaults.
• Most configuration items are now available as environment variables.
• Install commands perform additional health checks prior to running.
• CakePHP and other dependencies have been removed from the repository and are now installed with composer.
• More flexible validation rules for inputs in most fields.
• Emojis support where it make sense (comments, descriptions, etc).
• Some notifications will not be sent if the user is the one doing the action (ex. delete password).
• The App-JS code is now available on a dedicated repository.
• Misc javascript foundation code refactoring.
• Added missing tables index to speed up some database queries.
• “Owner” has been replaced by “Created by” in the password sidebar to be more relevant.
• API supports a more standard response format (documentation coming soon).
• Additional settings for controlling what is displayed in email notifications.
• Added created date information in password sidebar.

Changed

• Passbolt api migration to CakePHP 3.
• PHP 7.0 is now the minimum supported version.
• Dropped table “controller_logs”. It will be soon replaced by the Audit Logs feature.
• Dropped table “schema_migrations”.
• Dropped table “cake_sessions”.
• Dropped “anonymous statistics” feature (nobody opted in…).

Fixed

• “Passwords I own” filter displays all the passwords for which I have “is owner” permission.
• An admin can delete a user if the user is the sole group member of a group owning passwords that are not shared.
• An admin can delete a user if the user is the sole owner of a password that is not shared.