v4.1.0 ~ War Pig (ce)

Release date: July 5th, 2023.

Version 4.1 of Passbolt introduces the long-awaited Role-Based Access Control (RBAC) feature. In its first version, RBAC provides admins with the ability to control the capabilities offered to users through the user interface (UI). As passbolt evolves, subsequent releases will expand on this, eventually providing control over API capabilities.

On the performance side, while passbolt was able to handle thousands of passwords, sharing on large volumes was a challenge due to the end-to-end model. With this new version, users will be pleased to experience enhanced performance when sharing their passwords with others. More improvements are yet to come in future releases, so stay tuned.

Additionally, users will notice improvements in some areas: passwords are now easier to read, special characters and numbers are highlighted with contrasting colors, and multi-factor authentication is now able to remember the last method used.

Finally, this release also includes the latest security fixes (minor and info) identified during the March security audit by Cure53. As usual, the full report along with the mitigations will be fully disclosed on the website.

Thank you for choosing passbolt. Your support and feedback are greatly appreciated.

API

Added

• PB-24259 As an administrator I can define with role based access control users’ rights

Improved

• PB-24744 As a LU the date time format in the response always display the time zone
• PB-24929 As a LU with multiple MFA providers setup, the latest provider used is proposed by default
• PB-24488 Non-JSON request should return a 404 if JSON is required
• PB-24617 As LU I want improved performance while sharing a folder with a user

Security

• PB-25030 As an admin I can set a feature flag to prevent user email enumeration
• PB-24273 As an admin I can disable the GET auth/logout.json endpoint (enabled by default)
• PB-19510 As a user I should be redirected to HTTPS if SSL FORCE configuration is true
• PB-24566 As an admin the email settings password should be masked in the test email command log output
• PB-23591 As a user authenticating I can perform a limited amount of TOTP MFA attempts

Fixed

• PB-24658 As an admin I should see no false warning in the email notification configuration section
• PB-25275 As an admin I should see the option page during installation after creating the server GPG keys
• PB-25276 As an admin on installation SSL force option should be set to true if the installation is launched over https
• PB-25274 Set force SSL config to false by default

Maintenance

• PB-24925 Updates the fixture factories to its latest version
• PB-24913 Removes “type” from required JSON schema definition for TOTP resource types
• PB-24305 Recovery and register legacy routes are not used in emails and commands outputs
• PB-21604 Extract composer audit task from checkstyle job and make it non-blocking
• PB-21641 Rename check-style job to static-analysis and make it blocking

Browser extension

Added

• PB-24169 As an administrator I want to customise what capabilities users are allowed to access on the UI of my organisation

Fixed

• PB-14174 As a user I want the inform menu not to be displayed outside my browser window

• PB-25031 Fix margin on folder name in the information panel

Improvement

• PB-24619 As LU I should see the link on the same line in a paragraph
• PB-24646 As LU, I should see colored passwords

Maintenance

• PB-24794 Adapt browser extension to not crash when unknown content types are retrieved from the API

Security

• PB-23852 PBL-02-002 As a user I should sign-out using POST method
• PB-24997 Change static images URL to be served from the browser extension instead of the API