
v4.5.0 ~ Summer is ending (ce)

Release date: February 8th, 2024.

Passbolt v4.5.0 named “Summer is Ending” brings a host of new features and improvements, all designed to make your password management experience more secure, efficient, and user-friendly.

At the heart of this release is the introduction of the Password Expiry feature, a much-anticipated functionality that allows administrators to enable an automatic expiry policy. This enhances security by ensuring that passwords are rotated when someone loses access to resources, for example by leaving a group or the organization.

fig. Password expiry

Alongside, we’re excited to introduce the Russian translation, making Passbolt more accessible to a wider audience.

We’ve also expanded our SMTP settings to include Microsoft 365 and Outlook providers, responding to the community’s feedback for more integration options. The section to help users install and configure the Windows desktop application feature is also now enabled by default.

Improvements in the performance of some important API endpoints and other security enhancements and bug fixes are also part of this release.

Thanks to everyone in our community for your ongoing support and contributions that made this release possible. Your feedback and involvement continue to shape Passbolt, enhancing our collective security and usability. Together, we’re making password management better for everyone.

API

Added

  • PB-23913 As a user I can see my passwords marked as expired when users lose permissions on these
  • PB-23913 As an administrator I can activate the password expiry feature
  • PB-28923 As a user I want to be able to use passbolt in Russian
  • PB-21484 As an administrator I can define Microsoft 365 and Outlook providers in SMTP settings
  • PB-19652 As an administrator I can cleanup groups with no members with the cleanup command
  • PB-27707 As administrator, with RBAC I should be able to set “can see users workspace” to “Allow if group manager”
  • PB-28716 Desktop application flag is now enabled by default
  • PB-26203 Desktop app define the account kit exportation help page

Improved

  • PB-27616 Improve resources serialization performance on GET resources.json

Security

  • PB-29148 Bump selenium API plugin version to v4.5
  • PB-29005 Upgrades phpseclib/phpseclib to fix composer audit security vulnerability
  • PB-22336 As an admin I should be able to enable/disable request group managers to add users to groups emails separately (LDAP/AD)
  • PB-28871 Mitigate supply chain attack on PR and lint lock files
  • PB-28658 Mitigate supply chain attack on post npm install script

Fixed

  • PB-29200 Fixes the recover_user command (GITHUB #504)
  • PB-29164 Fix recent InstallCommand changes breaking selenium tests
  • PB-29132 Fix composer lock file not up-to-date message when installing dependencies
  • PB-29160 Fix failing static analysis job in CI
  • PB-29137 Fix failing in UsersEditDisableControllerTest file due to purifier
  • PB-29113 Fix a typo in the email sent when admins lose their admin role
  • PB-28130 Fix invalid cookie name should not trigger a 500
  • PB-29007 Fix constantly failing test in RbacsUpdateControllerTest file
  • PB-28991 Fix email queue entries not marked as sent

Maintenance

  • PB-28857 Require phpunit-speedtrap to track down slow tests
  • PB-25516 Remove --dev from .gitlab test options, it has no effect and will break with composer v3
  • PB-28844 Improves the methods testing email content
  • PB-28845 Skip unauthenticated exception from logging
  • PB-28653 Speed-up tests by mocking the client in healthcheck relevant tests

Browser Extension

Added

  • PB-28681 As a user importing resources from a file I should also import expiry date from keepass files
  • PB-28682 As a user I can quickly mark resources as expired
  • PB-28687 As a resource owner, I can change the resource expiration date manually
  • PB-28692 As a user I can change the expiry date of a resource automatically based on the password expiry configuration
  • PB-28850 As a signed-in user creating a resource from the app I should set the expired date if default expiry period has been defined in the organisation policies
  • PB-28851 As a signed-in user creating a resource from the quickaccess I should set the expired date if default expiry period has been defined in the organisation policies
  • PB-28852 As a signed-in user creating a resource from the auto-save I should set the expired date if default expiry period has been defined in the organisation policies
  • PB-29045 As a user I want to open the quickaccess using a keyboard shortcut
  • PB-29125 As an administrator I should not see the control function AllowIfGroupManagerInOneGroup on the UI

Improved

  • PB-15269 As a user I do not want my browser extension to make multiple calls on resources.json in a row
  • PB-21484 As an administrator I can use Microsoft 365 or Outlook as SMTP providers
  • PB-25860 As signed-in user I want to see the full name of the user at the origin of any account recovery action
  • PB-27783 As a user opening the quickaccess I should have a clear feedback if the API service is unreachable
  • PB-28507 As signed-in user importing resources I should know what is supported
  • PB-28612 As a signed-in user I should see TOTP in uppercase
  • PB-28646 As an administrator in the account recovery settings I should see “Prompt” instead of “Mandatory”
  • PB-28923 As a user I want to be able to use passbolt in Russian
  • PB-29008 As an administrator in RBAC administration page I should not see the role to setup the desktop or mobile app if the plugin is not enabled
  • PB-29159 As a signed-in user I want the Mfa screen to be available when using the bext 4.4 and API 4.5
  • PB-29263 Replace the mechanism to have CSRF token from the cookie

Security

  • PB-29194 Upgrade vulnerable library web-ext
  • PB-28658 Mitigate browser extension supply chain attack
  • PB-28659 Mitigate browser styleguide supply chain attack
  • PB-28660 Mitigate browser windows app supply chain attack

Fixed

  • PB-22864 As a signed-in user, I should see a relevant error if I use special characters as security token
  • PB-24496 As a user I should be able to use a passphrase with emoji
  • PB-28283 As a user when I preview a secret I should see the activity sidebar updated
  • PB-28540 As a user I should scroll automatically to the resource selected from the route
  • PB-28625 As a user I can open resource url from the resource sidebar on Firefox
  • PB-28632 As a user Fix design TOTP button disabled on create and edit resource
  • PB-28696 As a user I should fill secret for TOTP with spaces
  • PB-28721 As a user I can see the beta chip next to the desktop app menu item in the users settings menu
  • PB-28753 As a user I should be able to edit a standalone TOTP from contextual menu
  • PB-28880 As a user I should not see an error when I update the description of a resource with TOTP from the information panel
  • PB-28842 As a user I can reach the Windows store passbolt app from the Desktop app setup screen
  • PB-28282 As a user deleting a TOTP I should see the relevant dialog title mentioning Resource and not password
  • PB-28873 As a signed-in user when I autofill input fields I should trigger a change event
  • PB-29006 As a user I should not have my browser extension crashing when it receives an unsupported RBAC control_function value

Maintenance

  • PB-28592 Fix minimum gecko version in firefox manifest.json
  • PB-29020 Fix detection pagemod duplicate