v4.1.0 ~ War Pig (pro)
Release date: July 5th, 2023.
Version 4.1 of Passbolt introduces the long-awaited Role-Based Access Control (RBAC) feature. In its first version, RBAC provides admins with the ability to control the capabilities offered to users through the user interface (UI). As passbolt evolves, subsequent releases will expand on this, eventually providing control over API capabilities.
On the performance side, while passbolt was able to handle thousands of passwords, sharing on large volumes was a challenge due to the end-to-end model. With this new version, users will be pleased to experience enhanced performance when sharing their passwords with others. More improvements are yet to come in future releases, so stay tuned.
Administrators are not left behind with this release. Continuing the efforts from v4.0, LDAP/AD integrations now support multi-domain (via config file, UI to be added soon) and can synchronize with large datasets. On the other hand, SSO integrations now support username/email remapping, enabling organizations with custom settings to deploy this feature
Additionally, users will notice improvements in some areas: passwords are now easier to read, special characters and numbers are highlighted with contrasting colors, and multi-factor authentication is now able to remember the last method used.
Finally, this release also includes the latest security fixes (minor and info) identified during the March security audit by Cure53. As usual, the full report along with the mitigations will be fully disclosed on the website.
Thank you for choosing passbolt. Your support and feedback are greatly appreciated.
API
Added
- PB-24259 As an administrator I can define with role based access control users’ rights
- PB-24054 As an administrator I can define LDAP field mapping
- PB-24051 As an administrator I can define LDAP multi domain
Improved
- PB-24744 As a LU the date time format in the response always display the time zone
- PB-24929 As a LU with multiple MFA providers setup, the latest provider used is proposed by default
- PB-24488 Non-JSON request should return a 404 if JSON is required
- PB-24617 As LU I want improved performance while sharing a folder with a user
- PB-23843 Update SSO settings endpoint to allow prompt for Azure provider
- PB-24244 As an administrator I can remap email and username properties
Security
- PB-25030 As an admin I can set a feature flag to prevent user email enumeration
- PB-24273 As an admin I can disable the GET auth/logout.json endpoint (enabled by default)
- PB-19510 As a user I should be redirected to HTTPS if SSL FORCE configuration is true
- PB-24566 As an admin the email settings password should be masked in the test email command log output
- PB-23591 As a user authenticating I can perform a limited amount of TOTP MFA attempts
Fixed
- PB-24782 As an administrator I can perform LDAP synchronization with over 1k records with improved performance
- PB-24914 As an admin I should be able to rename a tag with uppercase
- PB-24658 As an admin I should see no false warning in the email notification configuration section
- PB-25275 As an admin I should see the option page during installation after creating the server GPG keys
- PB-25276 As an admin on installation SSL force option should be set to true if the installation is launched over https
- PB-25274 Set force SSL config to false by default
Maintenance
- PB-24925 Updates the fixture factories to its latest version
- PB-24913 Removes “type” from required JSON schema definition for TOTP resource types
- PB-24305 Recovery and register legacy routes are not used in emails and commands outputs
- PB-21604 Extract composer audit task from checkstyle job and make it non-blocking
- PB-21641 Rename check-style job to static-analysis and make it blocking
Browser extension
Added
- PB-24169 As an administrator I want to customise what capabilities users are allowed to access on the UI of my organisation
- PB-24598 SSO allow administrators to remap email/username properties
Fixed
- PB-14174 As a user I want the inform menu not to be displayed outside my browser window
- PB-24657 As a user I should see the triage page even when SSO is misconfigured
- PB-25031 Fix margin on folder name in the information panel
Improvement
- PB-24619 As LU I should see the link on the same line in a paragraph
- PB-24646 As LU, I should see colored passwords
Maintenance
- PB-24622 Put back the rolled-back code for LDAP multi-domain and field-mapping feature
- PB-24794 Adapt browser extension to not crash when unknown content types are retrieved from the API
Security
- PB-23852 PBL-02-002 As a user I should sign-out using POST method
- PB-24997 Change static images URL to be served from the browser extension instead of the API
"War Pig"
Listen to the release song!