v2.0.0-rc1 ~ The Message (ce)

Release date: January 13th, 2018.

The main aspect of this release is the upgrade of the passbolt api code base to CakePHP v3. It also ships with improvements such as a simplified configuration system, a better XSS protection and more tolerant validation rules. See the full list below.

This release is a complete rewrite of passbolt server component. We now have a code that is better organised, easier to read and simpler to maintain. Don’t just take our word for it: this new code base has been audited by CakeDC, the experts behind CakePHP. Check out the result of this independent 3rd party code review.

What next? We’ll spend the next few weeks fixing the remaining bugs reported by you and release the final v2.0.0. Then, after this long maintenance cycle, we all deserve some new features. That’s right, we will be working on the most requested ones such as Tags (we need your feedback), Import / Export, and a web-based installer. Some of these features will be shipped directly with v2.0.0.

Passbolt API

Security

• XSS protection improvements, with a new test suite dedicated for XSS.
• HTTP security headers are enabled by default and can be disabled using configuration options.
• Json responses server signature (experimental).

Improved

• An expired setup link can be re-sent through the recovery procedure.
• Dropped SQL views (will allow supporting additional database backends).
• Simplified configuration system. The entire configuration will be done in one dedicated file with safer defaults.
• Most configuration items are now available as environment variables.
• Install commands perform additional health checks prior to running.
• CakePHP and other dependencies have been removed from the repository and are now installed with composer.
• More flexible validation rules for inputs in most fields.
• Emojis support where it make sense (comments, descriptions, etc).
• Some notifications will not be sent if the user is the one doing the action (ex. delete password).
• The App-JS code is now available on a dedicated repository.
• Misc javascript foundation code refactoring.
• Added missing tables index to speed up some database queries.
• “Owner” has been replaced by “Created by” in the password sidebar to be more relevant.
• API supports a more standard response format (documentation coming soon).
• Additional settings for controlling what is displayed in email notifications.
• Added created date information in password sidebar.

Changed

• Passbolt api migration to CakePHP 3.
• PHP 7.0 is now the minimum supported version.
• Dropped table “controller_logs”. It will be soon replaced by the Audit Logs feature.
• Dropped table “schema_migrations”.
• Dropped table “cake_sessions”.
• Dropped “anonymous statistics” feature (nobody opted in…).

Fixed

• “Passwords I own” filter displays all the passwords for which I have “is owner” permission.
• An admin can delete a user if the user is the sole group member of a group owning passwords that are not shared.
• An admin can delete a user if the user is the sole owner of a password that is not shared.

Passbolt docker container

Security

• Security headers sent by default from passbolt app

Changed

• Base container switched to php:7-fpm-alpine3.7
• PHP extensions are now installed/enabled using docker-php-ext-{install,enabled}
• Switched away from nginx user to www-data user
• Removed dependencies: sed, bash, coreutils, recode, libpcre32, git
• Introduced supervisord for process monitoring
• Introduced automated tests for development using rspec
• Environment variables now are determined from default.php config file from passbolt_api
• No more search and replace on docker-entrypoint