What's Changed
Performance Improvements
- APCu config cache — ConfigManager now caches application settings in APCu shared memory (60 s TTL, key teampass_settings_v1). Cache is automatically invalidated after any write to teampass_misc, avoiding redundant DB reads on every request.
- Optional Redis session storage — SessionManager supports Redis-backed sessions via RedisSessionHandler (wrapped by EncryptedSessionProxy). Falls back to filesystem on connection failure. Session settings (host, port, prefix) are configurable from the WebSocket/Settings tab in Options.
- Batch sharekey upserts — storeUsersShareKey() now issues a single batched INSERT … ON DUPLICATE KEY UPDATE (chunked at 100 rows) instead of N individual queries, reducing DB round-trips from O(users) to O(1) per item save.
- WebSocket poll interval — Raised from 200 ms to 500 ms, so polling is less frequent, to halve contention on the teampass_websocket_events table under load.
Bug Fixes
- Permissions — create right (fix(permissions)): getRoleBasedAccess() now exposes a dedicated create field. Read-only (R) permission correctly prevents item creation; write-capable roles (W, ND, NE, NDNE) allow it. The item form now checks retData.create (instead of retData.edit) when opening a new-item panel.
- Permissions — item restrictions: show_details_item and update_item now apply both user-level (restricted_to) and role-level (restriction_to_roles) checks consistently. The restricted-to select in the item form now initialises from the item's actual stored restrictions, not from folder-level option lists.
- Manager access scope: Manager-level users are now correctly limited to the health-system view and specific user views; they no longer have broader access than intended.
- CryptoManager — AES silent garbage decryption (#5065): AES-CBC decryption now detects non-UTF-8 binary output (a symptom of applying a v3 SHA-256 key to v1 SHA-1-derived data) and throws an explicit exception instead of returning corrupt plaintext.
- API — JWT rebuild query: api/index.php now builds the user's visible folders from teampass_users_groups and teampass_users_roles instead of the deprecated groupes_visibles column removed in v3.1.5.
- Installer step 5 (PR #5131): Minor fix to install step 5 logic.
New Features
Health & Install Improvements
- Installer/upgrade pre-checks now include optional checks for OPcache, PHP-FPM, APCu, and ext-redis. WebSocket table presence is verified in step 5.
- Admin health page (Utilities) adds checks for: OpenSSL, OPcache, PHP-FPM, APCu, Redis session availability, and WebSocket event-table indexes.
- Roles page: depth filter defaults to level 2 on load (instead of "all") and persists the selected value in the store.
Tests
- Added PHPUnit test suites: CryptoManagerTest, PureFunctionsTest, RateLimiterTest, WebSocket/LoggerTest.
Documentation
- Documentation expanded: custom fields, favourites, items, user profile, renewal, search, Docker, settings, tips, troubleshooting, and new performance guide.
Upgrade Notes
- Important — access rights priority change (introduced in RC4; applies when upgrading from RC3 or earlier)
- The multi-role conflict resolution rule has been inverted: the least permissive type now wins instead of the most permissive (R > NDNE > ND/NE > W). Additionally, directly granted folders (per-user grants) now take priority over role-based restrictions.
- Any user assigned to two or more roles with conflicting permissions on the same folder will have their effective access reduced to the most restrictive type. Existing role configurations should be audited before deployment — use the "Visible Folders" panel in the Users admin page to inspect effective permissions per user. All active sessions must be invalidated after deployment so the new rules take effect immediately.
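One way to run the audit described above offline, as an added example (not Teampass code and not part of the original release notes). It compares the old rule (most permissive wins) with the new one (least permissive wins) and lists the users whose effective access changes. The function names, the input shape and the sample data are assumptions constructed for illustration; only role-versus-role conflicts are covered, not direct per-user grants.

```python
# Added example: pre-upgrade audit of multi-role conflicts (hypothetical helper).
# Precedence comes from the upgrade note: R > NDNE > ND/NE > W.
RESTRICTIVENESS = {"W": 0, "ND": 1, "NE": 1, "NDNE": 2, "R": 3}

def resolve(types, least_permissive_wins):
    """Return the effective access type for one user on one folder."""
    ranks = {RESTRICTIVENESS[t] for t in types}  # KeyError on an unknown type
    target = max(ranks) if least_permissive_wins else min(ranks)
    winners = sorted({t for t in types if RESTRICTIVENESS[t] == target})
    # ND and NE share a rank; the release note does not say how that tie
    # is broken, so it is reported as "ND/NE" rather than guessed.
    return "/".join(winners)

def audit(user_roles, role_folder_access):
    """List (user, folder, old, new) where the inverted rule changes access."""
    changes = []
    for user, roles in sorted(user_roles.items()):
        per_folder = {}
        for role in roles:
            for folder, typ in role_folder_access.get(role, {}).items():
                per_folder.setdefault(folder, []).append(typ)
        for folder, types in sorted(per_folder.items()):
            old = resolve(types, least_permissive_wins=False)
            new = resolve(types, least_permissive_wins=True)
            if old != new:
                changes.append((user, folder, old, new))
    return changes

# Constructed sample data (assumed export shape, not the Teampass schema).
ROLE_FOLDER_ACCESS = {
    "ops": {"Servers": "W", "Finance": "R"},
    "auditors": {"Servers": "R", "Finance": "R"},
    "helpdesk": {"Servers": "ND", "Printers": "NE"},
    "interns": {"Printers": "ND"},
}
USER_ROLES = {
    "alice": ["ops", "auditors"],
    "bob": ["ops", "helpdesk"],
    "carol": ["helpdesk", "interns"],
    "dave": ["auditors"],
}

if __name__ == "__main__":
    for user, folder, old, new in audit(USER_ROLES, ROLE_FOLDER_ACCESS):
        print(f"{user}: {folder}: {old} -> {new}")
```

Each reported row is a user whose access on that folder tightens after the upgrade; confirm the result in the "Visible Folders" panel before deployment.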
Important
- Requires at least PHP 8.1
Languages
Please join Teampass v3 translation project on Poeditor and translate it for your language.
Installation
Follow instructions from Documentation.
Upgrade
Follow instructions from Documentation.
Ideas and comments
Are welcome ... please use Discussions.