Releases: passbolt/passbolt_api
v2.0.1
This is a maintenance release that fixes a breaking change introduced in v2.0.0.
Many thanks to @OdyX for his blazingly fast reaction in reporting the bug and submitting a fix.
[2.0.1] - 2018-04-09
Fixed
- GITHUB-239: Fix unsafe mode logic
- GITHUB-240: Make sure unconfigured 'passbolt.plugins' doesn't break the extension
- PASSBOLT-2511: Improve healthcheck tables list so that tables are listed per major version number
Insomnia
This is not an April fool! Passbolt v2.0.0 is ready and available for download.
Kindly note that this is a major version release. If you are still running on the v1.x branch, you will need to follow a specific upgrade procedure.
The main aspect of this release is the upgrade of the passbolt API code base to CakePHP v3. It also ships with improvements such as a simplified configuration system, better XSS protection and more tolerant validation rules. See the full list below.
This release is a complete rewrite of the passbolt server component. We now have code that is better organised, easier to read and simpler to maintain. Don’t just take our word for it: this new code base has been audited by CakeDC, the experts behind CakePHP. Check out the result of this independent 3rd party code review.
Release song: https://youtu.be/P8JEm4d6Wu4
Below is the list of the changes since passbolt v2.0.0-rc2.
[2.0.0] - 2018-04-09
Added
- PASSBOLT-2725: Implement start page when passbolt is not configured
- PASSBOLT-2740: Update <3 link and add unsafe mode warning
- PASSBOLT-2697: Add passbolt migrate shell with backup option prior migration
- PASSBOLT-2803: Make the privacy policy footer link configurable in the settings
- PASSBOLT-2720: Move dev dependencies out of the passbolt_api repo
- PASSBOLT-2511: passbolt pro bootstrap is moved into a separate folder
Fixed
- GITHUB-229: Fix passbolt can not run in a subdirectory
- COMMUNITY-533: Fix plaintext should be initialized prior verification
- PASSBOLT-2776: Fix: As AN, settings entry point should be able to have plugins settings whitelisted
- PASSBOLT-2762: Fix unexpected error on resource share
- PASSBOLT-2754: Change the way to define if passbolt is installed while running the unit tests
- PASSBOLT-2571: Delete secrets when a password is soft deleted
- PASSBOLT-2688: Fix healthcheck warning if the development plugin passbolt_test_data is not loaded
- PASSBOLT-2711: Delete orphans secrets
- PASSBOLT-2678: Edit Appjs API calls to use version number
- PASSBOLT-2694: Improve GPG lib to handle private keys validation
- PASSBOLT-2744: Favorites delete on group user delete
- PASSBOLT-2743: Favorites delete on permissions update
- PASSBOLT-2705: Increase coverage, ensure all users who lost access to a resource have no secret in db for this resource
- PASSBOLT-2735: Display a specific message if a sidebar section has no content to display
- PASSBOLT-2664: Change cakephpConfig into settings entry point and adjust app-js to work with it
Get Up
This release is a maintenance release to preflight the custom GPG headers in the API and implement the changes requested by Mozilla in the web extension.
The web extension also ships with the integration of some premium features which will be available shortly with the release of passbolt pro edition.
Release song: https://youtu.be/JOD-M7WZkZQ
[1.6.10] - 2018-03-28
Fixed
- PASSBOLT-2777: Fix preflight issue with chrome and custom GPG headers
Planète mars
Release song: https://www.youtube.com/watch?v=kgxKuRO21AU
Kindly note that this is a release candidate. While it has been audited and tested in depth, there are likely still bugs or glitches. Please wait for the official v2.0.0 release if you prefer a fully stable version.
This release fixes a few issues reported by the passbolt users who have switched to the v2.0.0-RC1. It also ships with a few cosmetic improvements as well as new healthchecks and debug tools to ease the installation process. For example, you can now call the following command to send a test email and get some information to debug your setup: "./bin/cake passbolt send_test_email"
[2.0.0-rc2] - 2018-02-20
Added
- PASSBOLT-2638: Added command to test email configuration and SMTP communication
- PASSBOLT-2608: Implement Sidebar v2 in the Appjs
- PASSBOLT-2660: Add codacy badge
- PASSBOLT-1741: Add more GPG healthchecks
- PASSBOLT-1741: Add PHP extension checks to the healthcheck
- PASSBOLT-2597: Add check before upgrade to ensure passbolt is already in latest 1.x
- PASSBOLT-2631: Add an env var to control which email transport to use and defaults to Smtp
- PASSBOLT-2601: Add Travis v2: phpunit, coverage, phpcs
Fixed
- PASSBOLT-2618: Fixes for PHP 7.2 compatibility
- PASSBOLT-2624: PR#219 Fixed use CONFIG instead of "ROOT . DS . 'config'"
- PASSBOLT-2631: Fixed default class for EmailTransport to Smtp in configuration
- PASSBOLT-2640: Fixed incomplete urls in email templates
- PASSBOLT-2640: Fixed escaping of non safe characters in emails
- PASSBOLT-2667: Fixed regression: create a user that has been deleted previously returns an error
- PASSBOLT-2673: Fixed regression: as AD I cannot create a group with the name of previously deleted group
- PASSBOLT-2545: Fixed regression: As AD deleting a group I should be notified that all members of the group are going to lose access to the passwords shared with the group
- PASSBOLT-2139: Fixed check-session calls being logged as errors
- PASSBOLT-2139: Fixed not found image on password workspace
- PASSBOLT-1741: Fixed set license to AGPL-3.0-or-later for composer compatibility
- PASSBOLT-2589: Fixed App-js should check request response code from the http response header and not from the body header
- PASSBOLT-2533: Fixed resource name, username, uri, description min length should be 1 char not 3
- PASSBOLT-2660: Fixed remove flash message from login layout
The Message
Release song: https://youtu.be/KXqKswtX_KU
Kindly note that this is a release candidate. While it has been audited and tested in depth, there are likely still bugs or glitches. Please wait for the official v2.0.0 release if you prefer a fully stable version.
The main aspect of this release is the upgrade of the passbolt api code base to CakePHP v3. It also ships with improvements such as a simplified configuration system, a better XSS protection and more tolerant validation rules. See the full list below.
This release is a complete rewrite of passbolt server component. We now have a code that is better organised, easier to read and simpler to maintain. Don’t just take our word for it: this new code base has been audited by CakeDC, the experts behind CakePHP. Check out the result of this independent 3rd party code review.
To report any bug / feedback / improvement suggestion regarding passbolt v2.0.0-rc1, you can do it through the traditional channels (github and community forum). Please add [v2.0.0-rc1] in the title so we can identify it more easily. This release candidate is a major version upgrade, so it requires more steps compared to a usual update. You will need to follow the migration instructions available here.
What next? We’ll spend the next few weeks fixing the remaining bugs reported by you and release the final v2.0.0. Then, after this long maintenance cycle, we all deserve some new features. That’s right, we will be working on the most requested ones such as Tags (we need your feedback), Import / Export, and a web-based installer. Some of these features will be shipped directly with v2.0.0.
Passbolt API
Security
- XSS protection improvements, with a new test suite dedicated for XSS.
- HTTP security headers are enabled by default and can be disabled using configuration options.
- Server signature of JSON responses (experimental).
Improved
- An expired setup link can be re-sent through the recovery procedure.
- Dropped SQL views (will allow supporting additional database backends).
- Simplified configuration system. The entire configuration will be done in one dedicated file with safer defaults.
- Most configuration items are now available as environment variables.
- Install commands perform additional health checks prior to running.
- CakePHP and other dependencies have been removed from the repository and are now installed with composer.
- More flexible validation rules for inputs in most fields.
- Emoji support where it makes sense (comments, descriptions, etc).
- Some notifications will not be sent if the user is the one doing the action (ex. delete password).
- The App-JS code is now available on a dedicated repository.
- Misc javascript foundation code refactoring.
- Added missing table indexes to speed up some database queries.
- “Owner” has been replaced by “Created by” in the password sidebar to be more relevant.
- API supports a more standard response format (documentation coming soon).
- Additional settings for controlling what is displayed in email notifications.
- Added created date information in password sidebar.
Changed
- Passbolt api migration to CakePHP 3.
- PHP 7.0 is now the minimum supported version.
- Dropped table “controller_logs”. It will be soon replaced by the Audit Logs feature.
- Dropped table “schema_migrations”.
- Dropped table “cake_sessions”.
- Dropped “anonymous statistics” feature (nobody opted in…).
Fixed
- “Passwords I own” filter displays all the passwords for which I have “is owner” permission.
- An admin can delete a user if the user is the sole group member of a group owning passwords that are not shared.
- An admin can delete a user if the user is the sole owner of a password that is not shared.
I Will Survive
Release song: https://youtu.be/gYkACVDFmeg
This release ships with small maintenance fixes and some pull requests from the community. Version 1.6.9 will mark the end of the 1.x series. The next release (happening shortly) will be v2.0.0. The v2.0.0-rc1 is available on the development branch and is ready for testing. You can use the following instructions to install and test it.
Kindly note that from now on, we will not accept pull requests on the v1.x branch. All pull requests must target the development branch until the release of v2.x on master.
A big thank you to our contributors: @DanielRuf, @threesquared, @bjozet and @colinfrei. Your contributions help us make passbolt better, one pull request at a time.
Finally, as you know each release of passbolt comes with a release song. So, to mark the end of the v1 branch, we have made a compilation of all the release songs published since the first public version of passbolt: v1.0.5. The v1 release songs theme was “funky and popular songs from the 70’s”, if this fits your tastes, you will probably like it: https://www.youtube.com/playlist?list=PLzjv2928Zl0UHuKjSTnBGYFFh5mIjHDXH
Improvements
- PR-159 Updated and renamed license file (by @DanielRuf)
- PASSBOLT-2474 New contributing guidelines for community forum
- PR-214 Remove html purifier submodule (was about time, thanks @threesquared)
- PR-209 Expose the ‘client’ variable in default conf (by @bjozet)
Fixed
- PASSBOLT-1453 Add optional predictable UUID for auth token in selenium testing mode
- PR-207 Stray apostrophe on title element for Group names (by @colinfrei)
- PR-208 Fixed typos in email templates (by @colinfrei)
- PASSBOLT-2599 Fixed Travis
September
Security
- PASSBOLT-2409: Noopener on resource url in password workspace
- PASSBOLT-2402: XSS on resource url in password workspace
Fixed
- PASSBOLT-2383: Add + and \ to the list of allowed characters for the Resource fields: name, username and description
- PASSBOLT-2371: Force the charset of the cake_sessions table to utf8
- PASSBOLT-2325: As system administrator I shouldn't be able to execute passbolt CLI commands as root
- PASSBOLT-2397: As system administrator I should see in the healthcheck if app/tmp content and app/webroot/img/public content are writable
- PASSBOLT-1991: As system administrator I should see in the healthcheck if the server key can be used for encrypting/decrypting
Give me the night
Added
- PASSBOLT-2358: As a user registering on the demo instance I must click on a checkbox to confirm I understand the disclaimer
Feeling Good
Release song: https://youtu.be/KXqKswtX_KU
This maintenance release fixes the github issue #124 that affected organizations with a large user base. With this fix it is now possible to share a password with more than 200 users.
This version also contains a small but valuable user experience improvement for administrators: users who have not completed the setup will be shown in the users workspace as 'Activation pending'. It becomes easier for administrators to organize a follow-up when onboarding new users.
As suggested by the Mozilla addon reviewers we also removed the need for the 'unsafe-eval' content security policy directive, in order to tighten security even further in the web extension. This does not mean that the previous versions had known security issues, since we already used eval to render the EJS templates in a safe fashion (e.g. EJS escapes variables by default to prevent XSS attacks).
Thank you to @erosman from Mozilla addon review team, @tomofumi0003, and Helder Martin for their suggestions and contributions to this release.
Disclaimer for Firefox users: Version 1.6.3 is still pending approval from volunteers at Mozilla reviewing addons. Therefore the automatic rollout has not started yet. If you want to use passbolt v1.6.3, please switch to the development channel. Your profile will be kept and you can switch back later. Switch to v1.6.3-RC1 or browse on addons.mozilla.org.
Fixed
- PASSBOLT-2316: Merge the selenium & phpunit dummy data sets
- PASSBOLT-2317: Speed up dummy secret creation task
- PASSBOLT-2327: Add a large set of dummy data for performance testing
- PASSBOLT-2282: As admin on the user workspace, I should be able to distinguish visually the users who haven't activated their account yet
Boom Boom
Release song: https://youtu.be/X70VMrH3yBg
This release is a maintenance release, with a few bug fixes and some additional settings to manage email notifications.
The bulk of the work for this release was the migration for Firefox, from the soon-to-be-deprecated SDK plugin format to the new webextension format. Quite a bit of work went into upgrading the selenium testsuite and providing a fully transparent data migration from the old to the new format. This is why this version is still running as a “legacy” plugin, with all the code embedded as a webextension, to make sure users have nothing to do to migrate. However, please make sure your users upgrade to this version this month, otherwise they may need to perform an account recovery with the next version. Fret not, because unless they have disabled automatic updates, the only thing Firefox users need to do to update is to have the browser running.
As a passbolt instance administrator I can find new settings to manage email notifications in config/default.php under EmailNotification. If you want to override the defaults you can copy/paste them to your own app.php configuration. With these settings you can for example disable notifications when a user is added to a group, or when a password is deleted. They also allow changing the content of the notification and hiding the username and/or the encrypted secret.
Thank you to @bluenetinc, @PoetiCode and @technogenus for their suggestions and contributions to this release.
Unless there is a major issue with 1.6.2, our next release will be version v2.0, with an upgrade to CakePHP v3.
Read the full release notes: http://www.passbolt.com/release/notes#BoomBoom
Added
- PASSBOLT-2284: As an administrator I can set which notifications are enabled for my organization #98
- PASSBOLT-2284: As an administrator I can prevent encrypted secret or username to be sent in email notification #114
Fixed
- PASSBOLT-2301: Remove additional slashes in passbolt.js urls such as model/users::find #142
- PASSBOLT-2270: Fix modified_by not set on resource edit regression
- PASSBOLT-2271: Fix no wrap issue on resource description
- PASSBOLT-1943: As an administrator I should not be able to install passbolt on a hostname that is not RFC3986 compliant
- PASSBOLT-1937: As an administrator I should not be able to install passbolt with a server key without an email id
- PASSBOLT-2002: Refactor install script to reuse healthcheck library