github nilsteampassnet/TeamPass 3.1.7.1

9 hours ago

What's Changed

This is a patch release that builds directly on 3.1.7.0, delivering security hardening, new admin notifications, and a number of install/upgrade reliability fixes.

Security

  • Network ACL — privilege escalation fix (PR #5134 by @guerricv): All six Network ACL AJAX actions (network_get_rules, network_save_settings, network_save_rule, network_delete_rule, network_toggle_rule, network_add_special_rule) were missing an admin privilege check. Any authenticated user could previously read or modify firewall rules. The check is now enforced on every action.
  • Users panel access hardening (PR #5135 by @guerricv): The inactive-users and deleted-users panels, as well as LDAP/OAuth2 sync actions, are now restricted to administrators only, both on the page and in the backend query handler.
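A deny-by-default authorization gate of the kind the Network ACL fix describes, as an added example that is not TeamPass's own code. The six action names come from the notes above; `authorizeAction()`, the session array shape and the returned status codes are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The six action names are taken from the release notes; everything else
// in this file is hypothetical and does not mirror TeamPass internals.
const ADMIN_ONLY_ACTIONS = [
    'network_get_rules', 'network_save_settings', 'network_save_rule',
    'network_delete_rule', 'network_toggle_rule', 'network_add_special_rule',
];

/**
 * Decide whether a request may reach a handler. Deny by default: unknown
 * actions and non-admin sessions are rejected before any handler code runs.
 * $session is an assumed shape: ['user_id' => int, 'is_admin' => bool].
 */
function authorizeAction(string $action, array $session): int
{
    if (empty($session['user_id'])) {
        return 401; // not authenticated
    }
    if (!in_array($action, ADMIN_ONLY_ACTIONS, true)) {
        return 404; // unknown action: never fall through to a handler
    }
    if (($session['is_admin'] ?? false) !== true) {
        return 403; // authenticated, but not an administrator
    }
    return 200;
}

// Constructed sessions for a regression check across every action.
$admin = ['user_id' => 1, 'is_admin' => true];
$user  = ['user_id' => 2, 'is_admin' => false];

foreach (ADMIN_ONLY_ACTIONS as $action) {
    $results = [
        'anonymous' => authorizeAction($action, []),
        'user'      => authorizeAction($action, $user),
        'admin'     => authorizeAction($action, $admin),
    ];
    // Fail loudly if any single action is missing the privilege check.
    if ($results !== ['anonymous' => 401, 'user' => 403, 'admin' => 200]) {
        throw new RuntimeException("authorization regression on $action");
    }
}
echo "all ", count(ADMIN_ONLY_ACTIONS), " actions enforce the admin check\n";
```

Routing every action through one gate and looping a test over the full action list means a newly added action cannot ship without the check being exercised.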

New Features

  • Admin notification on account lockout (PR #5135 by @guerricv): When the anti-brute-force mechanism locks a user account, all administrator accounts with a valid email address now automatically receive a notification email containing the locked username, name, email, source IP, and scheduled unlock time.
  • Network ACL enforcement in core request flow: The Network ACL rules are now evaluated in sources/core.php before any page is served. A blocked IP receives an HTTP 403 with a localised error page instead of reaching the login screen.

Bug Fixes

  • Fresh-install missing tables (PR #5133 / #5134): The network_acl table and its five default settings (network_blacklist_enabled, network_whitelist_enabled, network_security_mode, network_security_header, network_trusted_proxies) were only created by the upgrade path, not the installer. Fresh installs now create them correctly in step 5 (run.step5.php, check57).
  • Missing installer tables (#5133): users_options_favorites and encryption_migration_stats tables were absent from the installer's step-5 checklist. The install step sequence has been corrected (checks 54–58).
  • Duplicate JS function definitions (PR #5134): norm01(), applyToggleState(), and bindToggleFix() were declared twice in options.js.php (once globally, once inside the tpNetworkAcl IIFE), causing potential redeclaration errors. The duplicates have been removed.

Full Changelog

3.1.7.0...3.1.7.1

Important

  • Requires at least PHP 8.1

Languages

Please join the Teampass v3 translation project on Poeditor and translate it into your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.

Download TeamPass
