github nilsteampassnet/TeamPass 3.1.7.3
on GitHub

4 hours ago

What's Changed

Bug Fixes

Item editing

  • Fixed custom fields from previously visited folders accumulating in the new/edit form when switching folders without a page reload. All category fields are now properly hidden before revealing only those belonging to the current folder (#5147).
  • Fixed subfolders not being displayed after saving an item. groupe_id is now normalized with parseInt() before being passed to displaySubfolders().
  • Fixed password field in edit form not loading the actual password when opening the edit view via the pencil icon from the item list (#5144 by @guerricv).
  • Restore password modal display for local user password generation flows (#5143 by @guerricv).
  • Improve user attribution in the task manager for several background task types that were displayed as anonymous (#5143 by @guerricv).
  • Fix unusable Select2 dropdowns in the folder edit right sidebar (#5140 by @guerricv).
  • Persist the selected folder depth filter on the folders page for the current browser session (#5140 by @guerricv).
  • Fix item password complexity refresh/generation consistency and list duplicate refresh after deletion (PR #5141 by @guerricv) (Fix #5138, #5139.

Docker / restricted PHP environments

  • Fixed a fatal error during upgrade prerequisites check when exec() is disabled via disable_functions in php.ini (e.g. Docker). The call is now guarded with function_exists('exec') and gracefully reports missing optional extensions instead of crashing. (#5137)
  • Fixed CSRF cookie Secure flag being forced to true during installation on HTTP deployments (Docker without a reverse proxy). The flag is now derived from the configured URL protocol, preventing silent login failures. (#5137)
  • Fixed a fatal error in background task handler (triggerBackgroundHandler) when exec() is disabled, and corrected an early-return issue in step99 that could prevent task completion. (#5127)

Access rights & sharekeys

  • Fix users admin panels visibility/authorization and notify admins on account lock (PR #5135 by @guerricv)
  • Fixed access rights check during copy_item and move_item operations. getItemFolderIdFromDb() was silently overriding the caller's $treeId, causing incorrect permission evaluation on the target folder.
  • Fixed deleteUserObjetsKeys() incorrectly cleaning up file sharekeys: object_id in sharekeys_files references files.id, not items.id. The query now uses the correct files JOIN items join.

Performance

  • Eliminated a duplicate get_complixity_level backend request when opening item edition. The edit form now reads complexity/visibility data from the store already populated by getPrivilegesOnItem().
  • Cached SHOW COLUMNS results in EnsurePersonalItemHasOnlyKeysForOwner() with a static variable; schema discovery queries now execute once per PHP process instead of on every call.

Improvements

Password field UX in edit form (#5141 by @guerricv)

  • Added a loading spinner in the password field while the encrypted password is being fetched and decrypted.
  • Password fetch and privilege check now run in parallel, reducing total latency when opening the edit form.

Version badge (admin panel) (#5146 by @guerricv)

  • Version badge now reads the release cache from ConfigManager (already in memory) instead of issuing separate DB queries.
  • Added a DNS pre-flight check (checkdnsrr()) before any GitHub API call; the check is skipped entirely on air-gapped servers.
  • Added a browser-side sessionStorage cache (4h TTL) to avoid redundant AJAX calls on subsequent page loads within the same session.

Enhancement: enforce Network ACL on API entry point (#5142 by @guerricv)

  • The web UI ACL is already enforced early in the application bootstrap. This change applies the same ACL evaluation logic to the API so that blocked IPs cannot: request an authorization token, call authenticated API endpoints, and bypass the web ACL by using the API directly.

Security badge on passwords

  • Item detail panel now displays a green Secure or red Not secure badge next to the password label, based on an OWASP ASVS-aligned policy (minimum length ≥ 12 and complexity score ≥ 70).

Database integrity

  • Added a UNIQUE KEY on teampass_misc(type, intitule) to prevent duplicate settings rows.
  • All INSERT statements targeting teampass_misc are now idempotent (INSERT IGNORE / ON DUPLICATE KEY UPDATE).

Documentation

  • Improved server migration guide.
  • Updated GitHub issue report template with a more structured format.

Full Changelog

3.1.7.2...3.1.7.3

Important

  • Requires at least PHP 8.1

Languages

Please join Teampass v3 translation project on Poeditor and translate it for your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.

Download TeamPass

Check out latest releases or
releases around nilsteampassnet/TeamPass 3.1.7.3

Don't miss a new TeamPass release

NewReleases is sending notifications on new releases.

Get notifications