nilsteampassnet/TeamPass 3.1.6.11 (GitHub release)


What's Changed

Bug Fixes

MFA re-check after LDAP update (#5111)

mfa_auth_requested_roles was not recomputed after the LDAP checks potentially updated the user's roles, causing MFA to be skipped or incorrectly required. The value is now re-evaluated at the correct point in the authentication flow.

Orphan objects maintenance task (#5110 by @guerricv)

Prevent the maintenance cleanup task from deleting sharekeys belonging to soft-deleted users (only treat as orphan when the user record is truly missing).
Adjust the Health report logic so sharekeys linked to disabled / soft-deleted users are no longer counted as orphan sharekeys.
Fix and internationalize the Migration Statistics modal: remove hardcoded labels, use language strings, and align “Total Users” with the dashboard by excluding TeamPass system users (API, TP, OTV).
Fix JavaScript error in the Personal items migration status modal: Cannot access 'doneUsers' before initialization.

Item access rights corrupted by orphan role restrictions (#5108)

Deleting a role did not clean up the restriction_to_roles table. Stale rows caused count() to return a non-zero value, granting $right = 10 and hiding items in the list view. Fixed by:

  • Adding an INNER JOIN to the item list query so orphan restrictions are ignored.
  • Purging restriction_to_roles entries when a role is deleted.
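An added illustration of the stale-restriction problem and of both halves of the fix, written for this page rather than taken from TeamPass. The table and column names (items, roles, restriction_to_roles with role_id / item_id) are assumed, the data is constructed, and everything runs against an in-memory SQLite database through PDO:

```php
<?php
// Added example, not TeamPass project code. Schema and column names are
// assumptions made for illustration; the rows are constructed sample data.

function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE roles (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, label TEXT)');
    $db->exec('CREATE TABLE restriction_to_roles (role_id INTEGER, item_id INTEGER)');
    // Constructed state: item 1 was once restricted to role 7, and role 7 was
    // deleted without purging its restriction rows (the orphan described above).
    $db->exec("INSERT INTO roles VALUES (3, 'Finance')");
    $db->exec("INSERT INTO items VALUES (1, 'Payroll server'), (2, 'Wiki login')");
    $db->exec('INSERT INTO restriction_to_roles VALUES (7, 1)'); // role 7 no longer exists
    return $db;
}

// Before the fix: every row counts, so a restriction left behind by a deleted
// role still makes the item look restricted and hides it in the list view.
function isRestrictedBuggy(PDO $db, int $itemId): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM restriction_to_roles WHERE item_id = ?');
    $stmt->execute([$itemId]);
    return (int) $stmt->fetchColumn() > 0;
}

// After the fix: an INNER JOIN on roles drops rows whose role is gone.
function isRestricted(PDO $db, int $itemId): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM restriction_to_roles r
         INNER JOIN roles ro ON ro.id = r.role_id
         WHERE r.item_id = ?'
    );
    $stmt->execute([$itemId]);
    return (int) $stmt->fetchColumn() > 0;
}

// Second half of the fix: deleting a role purges its restriction rows in the
// same transaction, so orphans cannot accumulate in the first place.
function deleteRole(PDO $db, int $roleId): void
{
    $db->beginTransaction();
    try {
        $db->prepare('DELETE FROM restriction_to_roles WHERE role_id = ?')->execute([$roleId]);
        $db->prepare('DELETE FROM roles WHERE id = ?')->execute([$roleId]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

$db = buildSampleDb();
$beforeFix = isRestrictedBuggy($db, 1); // true: ghost role 7 still hides item 1
$afterFix  = isRestricted($db, 1);      // false: orphan row ignored by the join

// Restrict item 2 to the live Finance role, then delete that role properly.
$db->exec('INSERT INTO restriction_to_roles VALUES (3, 2)');
deleteRole($db, 3);
$noOrphanLeft = !isRestrictedBuggy($db, 2); // true: even the naive count is clean now

var_dump($beforeFix, $afterFix, $noOrphanLeft);
```

The join is the read-side defence and the purge is the write-side one; keeping both matters, because a deployment that already carries orphan rows is only repaired by the upgrade-time purge, while the join protects against any future path that deletes a role without cleaning up.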

Item lock check on new items (#5106)

Calling isItemLocked() with itemId = 0 (a new, unsaved item) triggered a spurious database lookup. A guard clause now returns status: false immediately for new items.

Fatal error on file attachment upload/download - missing IV initialisation (#5105)

File attachments could not be uploaded or downloaded because the encryptFile() and decryptFile() functions in sources/main.functions.php never set up an IV (initialization vector) for the cipher.
encryptFile() and decryptFile() now set the cipher IV explicitly, so the outcome no longer depends on whatever default the PHP/phpseclib environment happens to apply.
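An added example of what explicit IV handling looks like with phpseclib v3 AES in CBC mode. This is not TeamPass's own implementation: the function names are borrowed from the release note, but the bodies, the choice to prepend the IV to the ciphertext, and the sample key and attachment are assumptions made for this illustration.

```php
<?php
// Added example, not TeamPass code. Assumes phpseclib v3 is installed via
// Composer; the IV-prepended blob layout is a convention chosen here.
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\AES;
use phpseclib3\Crypt\Random;

const IV_BYTES = 16; // AES block size: CBC needs exactly one block of IV

function encryptFile(string $plaintext, string $key): string
{
    $iv = Random::string(IV_BYTES);            // fresh random IV for every file
    $cipher = new AES('cbc');
    $cipher->setKey($key);
    $cipher->setIV($iv);                       // set it explicitly, never rely on a default
    return $iv . $cipher->encrypt($plaintext); // the IV is not secret; store it with the data
}

function decryptFile(string $blob, string $key): ?string
{
    if (strlen($blob) <= IV_BYTES) {
        return null;                           // too short to hold an IV plus data
    }
    $cipher = new AES('cbc');
    $cipher->setKey($key);
    $cipher->setIV(substr($blob, 0, IV_BYTES)); // same IV the writer used
    try {
        return $cipher->decrypt(substr($blob, IV_BYTES));
    } catch (Throwable $e) {                   // wrong key or damaged data surfaces as a padding error
        return null;
    }
}

// Constructed sample: a 32-byte key (AES-256) and a small "attachment".
$key = Random::string(32);
$attachment = "%PDF-1.7 constructed attachment body\n";

$blob  = encryptFile($attachment, $key);
$again = encryptFile($attachment, $key);

// Same plaintext and key, different IV: the two blobs differ, yet both decrypt.
assert($blob !== $again);
assert(decryptFile($blob, $key) === $attachment);
assert(decryptFile($again, $key) === $attachment);
// Strip the IV and the reader will interpret ciphertext as IV: the result is
// not the attachment (garbage or null), which is the failure mode the fix removes.
assert(decryptFile(substr($blob, IV_BYTES), $key) !== $attachment);
```

Two points worth noting for a reviewer of this kind of fix: the IV must be recorded alongside the ciphertext, because the reader has to supply the identical value, and CBC on its own gives confidentiality only; a stored attachment that must also resist tampering needs an authentication tag (an HMAC over IV and ciphertext, or an AEAD mode) on top of what is shown here.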

OAuth2 / Azure Entra ID — new user creation and login flow (#5104)

Three regressions affecting first-time OAuth2 login have been resolved:

  • A foreign-key violation that prevented new users from being created (missing early return after user creation, mirroring the existing LDAP behaviour).
  • Profile data (name, email, groups) was not persisted to the database for new OAuth2 users, and the confirmation email was not sent.
  • A second login attempt always failed with "credentials do not correspond" because the oauth2_login_ongoing flag (session-derived, not stored in the database) was lost after the DB reload step in the authentication pipeline. It is now re-injected from the PHP session.

CSV/KeePass import — inherited folder permissions (#5103 by @guerricv)

Folders created during import now inherit permissions from their parent, preventing imported folders from being invisible in the UI after import.

AD group-to-role mapping (#3956)

  • The binary objectGUID returned by Active Directory was not normalised to a formatted string before comparison, breaking automatic role assignment at login.
  • DB::count() replaced with a null check on queryFirstRow() for reliable group-to-role mapping display.
  • A JS guard (isNaN instead of === '') now prevents invalid role IDs from being submitted.
  • Upgrade script: deduplicates ldap_groups_roles, purges rows corrupted by the former INT(12) column bug, and adds a UNIQUE KEY on ldap_group_id.
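The objectGUID point above is a classic comparison pitfall: Active Directory returns the attribute as 16 raw bytes in mixed endianness, while mappings are usually stored as the familiar dashed string. The helper below is an added example, not TeamPass's code; the mapping array, role names and the sample GUID are constructed, and the function names are hypothetical.

```php
<?php
// Added example, not TeamPass code. Converts AD's binary objectGUID into the
// canonical string form before any comparison against stored mappings.

/**
 * Binary objectGUID (16 bytes) -> "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
 * AD stores the first three fields little-endian and the last two big-endian,
 * so the hex pairs of fields 1-3 must be reversed, fields 4-5 copied as-is.
 */
function objectGuidToString(string $binary): ?string
{
    if (strlen($binary) !== 16) {
        return null; // not a GUID at all; refuse rather than guess
    }
    $h = bin2hex($binary);
    return sprintf(
        '%s%s%s%s-%s%s-%s%s-%s-%s',
        substr($h, 6, 2), substr($h, 4, 2), substr($h, 2, 2), substr($h, 0, 2),
        substr($h, 10, 2), substr($h, 8, 2),
        substr($h, 14, 2), substr($h, 12, 2),
        substr($h, 16, 4),
        substr($h, 20, 12)
    );
}

/**
 * Bring any accepted representation (raw binary, braced, upper-case) to one
 * canonical lowercase form so both sides of a comparison agree.
 */
function normaliseGuid(string $value): ?string
{
    if (strlen($value) === 16) {           // a textual GUID is 36 or 38 chars, never 16
        return objectGuidToString($value);
    }
    $text = strtolower(trim($value, "{} \t"));
    return preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/', $text) === 1 ? $text : null;
}

/** Roles whose stored group GUID matches the GUID AD returned for the user. */
function rolesForGuid(string $guidFromAd, array $mappings): array
{
    $wanted = normaliseGuid($guidFromAd);
    if ($wanted === null) {
        return [];
    }
    $roles = [];
    foreach ($mappings as $storedGuid => $role) {
        if (normaliseGuid($storedGuid) === $wanted) {
            $roles[] = $role;
        }
    }
    return $roles;
}

// Constructed sample: the GUID 3f2504e0-4f89-11d3-9a0c-0305e82c3301 exactly as
// AD would return it in binary (note the byte-swapped first three fields).
$binaryFromAd = hex2bin('e004253f894fd3119a0c0305e82c3301');

// Constructed mapping table, stored the way an admin would paste GUIDs in.
$mappings = [
    '{3F2504E0-4F89-11D3-9A0C-0305E82C3301}' => 'role_finance',   // hypothetical role
    '6ba7b810-9dad-11d1-80b4-00c04fd430c8'   => 'role_helpdesk',  // hypothetical role
];

// Naive comparison of raw bytes against stored strings never matches ...
$naiveMatch = array_key_exists($binaryFromAd, $mappings);
// ... whereas normalising both sides yields the intended role.
$roles = rolesForGuid($binaryFromAd, $mappings);

var_dump($naiveMatch, $roles);
```

The same normalisation belongs on the write path too: if the UI accepts a GUID in any of these spellings, storing it canonically (and enforcing the UNIQUE KEY on ldap_group_id mentioned above) keeps the comparison at login a plain string equality instead of a per-request conversion of every stored row.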

Utilities — null variable initialisation

$missingUser and $inactiveUser are initialised to 0 (integer) instead of null, preventing type errors in the orphan sharekey counter.

Improvements

Files Integrity Check — permission error reporting

Folders that cannot be parsed due to filesystem permission errors are now listed with a warning inside the Files Integrity Check modal instead of being silently skipped. A shortlink from the System Health card in the admin dashboard now points directly to this modal.

Full Changelog

3.1.6.10...3.1.6.11

Last important topics

  • 3.1.6.0 - Migration is forced when a user logs in. If you want to migrate progressively, set FORCE_PHPSECLIBV3_MIGRATION to FALSE (in file ./includes/config/include.php).
  • 3.1.5.10 - Refactor: Remove user password sanitization (see documentation)
  • 3.1.5.2 - New: Personal items migration phase implemented with improved management (see documentation)
  • 3.1.5.0 - New: transparent user password recovery in case of password change in external AD (please read documentation)

Important

Languages

Please join Teampass v3 translation project on Poeditor and translate it for your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.

Download TeamPass
