kimai/kimai 1.16

on GitHub

Full Changelog

Implemented enhancements:

• Extend orderNumber string to 50 characters (#2824) #2828 - thanks @iusgit
• Extend length of project orderNumber string #2824
• default team for new users #2802
• Update "Preview"/ "Save" buttons after invoice template (re)selection #2749
• Reporting - choose which type of times #2575
• improve error handling during invoice generation #2932 (kevinpapst)
• submit invoice search after changing the template #2931 (kevinpapst)
• added new invoice status: canceled #2922 (kevinpapst)
• Translations update from Weblate #2915 #2850 (weblate)
• added resname for tool compatibility #2912 (kevinpapst)
• change data filter on project month report #2911 (kevinpapst)
• Fetch user preferences via API #2905 (kevinpapst)
• optimizations #2904 (kevinpapst)
• prevent empty migration warning #2901 (kevinpapst)
• composer upgrade #2900 (kevinpapst)
• added invoice replacer for currently logged-in user #2899 (kevinpapst)
• activate bleeding edge rules for phpstan and fix problems #2898 (kevinpapst)
• fix weekly view day format #2893 (kevinpapst)
• simplify building theme independent plugins #2888 (kevinpapst)
• include roles and teams in user create form #2849 (kevinpapst)
• Weekly "quick-entry" form #2793 (kevinpapst)
• allow to set 24 hour format as user preference #2789 (kevinpapst)
• added ProjectConstraint to add dynamic project validation #2747 thanks @pkaltenboeck
• PDF memory optimizations #2736 (kevinpapst)
• workflow to trigger event for docker build #2882 (kevinpapst) thanks @Apfelwurm

Fixed bugs:

• Time records marked as exported even when invoice is not saved due to duplicate invoice numbers #2917
• Error on Install: "Call to undefined method Doctrine\DBAL\Statement::fetchAll()" #2885
• Request via API with X-AUTH-USER invalidates all other sessions for the (LDAP) user #2873 thanks @handcode
• improve csrf handling #2936 (kevinpapst)
• link to doctor #2930 (kevinpapst)
• do not reset password for LDAP and SAML users unless needed #2916 (kevinpapst)
• use token in invoice delete route #2889 (kevinpapst)
• fixes for new quick-entry week form #2887 (kevinpapst)

Multiple possible CSRF attacks were found and patched. Thanks to @Asura-N and @Haxatron for the disclosure.
If you use Kimai in a multi-user environment, you are urged to update as soon as possible.