nilsteampassnet/TeamPass 3.1.7.6


What's Changed

Security Fixes

  • Access control bypass (folders): Read-only users were able to perform write operations (edit, delete, move) on folders they only had read access to. The per-folder user-read_only_folders restriction was not enforced in the folder query handler; only the global read-only flag was checked. All three operations are now guarded individually. Folder deletions now also record the responsible user in the audit log.
  • Privilege escalation (Manager role): A Manager-level user could grant the can_create_root_folder permission to other users, which is reserved for administrators. The UI toggle and the server-side handler now both restrict this option to admins.
  • Circular folder reference: Moving a folder into one of its own descendants caused an infinite loop. A cycle-detection guard is now applied before any folder move is committed.
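The first and third fixes above, as an added illustration (not TeamPass code): a per-folder read-only check on both the source and destination of a move, and a cycle guard that walks from the destination up to the root before the move is committed. The tree is a constructed in-memory map, and the session keys and function names are hypothetical.

```php
<?php
// Added illustration, not TeamPass code. Tree = folder id => parent id (null = root); names are hypothetical.
function isSelfOrDescendant(array $parentOf, int $folderId, int $candidate): bool
{
    $seen = [];
    $cur = $candidate;
    while ($cur !== null) {            // walk from the candidate up to the root
        if ($cur === $folderId) {
            return true;
        }
        if (isset($seen[$cur])) {      // an already-cyclic tree must not hang the request
            throw new RuntimeException("folder tree already contains a cycle at $cur");
        }
        $seen[$cur] = true;
        $cur = $parentOf[$cur] ?? null;
    }
    return false;
}

// Write access needs both the global flag and the per-folder list to allow it.
function canWriteFolder(array $session, int $folderId): bool
{
    if (!empty($session['user_read_only'])) {
        return false;
    }
    return !in_array($folderId, $session['user_read_only_folders'] ?? [], true);
}

function moveFolder(array &$parentOf, array $session, int $folderId, int $newParent): void
{
    if (!canWriteFolder($session, $folderId) || !canWriteFolder($session, $newParent)) {
        throw new RuntimeException("read-only access on folder $folderId or $newParent");
    }
    if (isSelfOrDescendant($parentOf, $folderId, $newParent)) {
        throw new RuntimeException("cannot move folder $folderId into its own subtree");
    }
    $parentOf[$folderId] = $newParent;
}

// Constructed tree: 1 is the root; 2, 4 and 5 sit under 1; 3 sits under 2. Folder 5 is read-only for this user.
$parentOf = [1 => null, 2 => 1, 3 => 2, 4 => 1, 5 => 1];
$session  = ['user_read_only' => false, 'user_read_only_folders' => [5]];
foreach ([[2, 3], [2, 2], [3, 5]] as [$id, $dest]) {   // cycle, self-move, read-only target
    try {
        moveFolder($parentOf, $session, $id, $dest);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
moveFolder($parentOf, $session, 3, 4);   // a legitimate move, accepted
```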

Bug Fixes

Authentication & LDAP

  • Infinite account-disable loop on LDAP password change: When an LDAP user changed their password and had no transparent recovery data (accounts predating that feature), handleExternalPasswordChange() unconditionally disabled the account. Re-enabling via the admin panel would trigger the same failure on the next login, creating an infinite disable loop. The function now distinguishes between "no recovery data" (updates the password hash and sets special='recrypt-private-key' without disabling) and genuine decryption failures (which still disable the account).
  • Transparent recovery false-positive: AES-CBC decryption with the wrong key can produce valid-UTF-8 garbage approximately 0.4% of the time. A -----BEGIN PEM guard is now applied after decryption so SHA-256 false-positives are caught and retried with SHA-1 before failing.
  • integrity_check_failed treated as fatal: An integrity check failure (e.g. after a server key file was restored from backup) incorrectly disabled user accounts. This condition is now treated like "no recovery data"; the user is prompted to re-enter their password via the re-encryption modal rather than being locked out.
  • Wrong private_key_backup encoding: changeUserLDAPAuthenticationPassword() was storing AES(base64(PEM)) in the backup field instead of AES(PEM). On the next LDAP password change, attemptTransparentRecovery() would fail the PEM validation guard and disable the account. The missing base64_decode() call has been added, consistent with every other backup-creation site in the codebase.
  • Anti-bruteforce configuration not applied correctly (PR #5184 by @guerricv): addFailedAuthentication() was not receiving the $SETTINGS array at all call sites, so brute-force limits were never evaluated. The lock duration validation logic has been simplified, default seed values for nb_bad_authentication_by_ip and bruteforce_lock_duration are now seeded via INSERT IGNORE during upgrade, and the admin panel now includes an IP blacklist management handler.
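The two private_key_backup items above (the PEM guard after decryption and the AES(PEM) versus AES(base64(PEM)) encoding mismatch), as an added illustration that is not TeamPass code: the backup is created from the raw PEM, recovery validates the PEM header after decrypting, and a backup created from base64(PEM) is rejected by that guard. The key derivation is a stand-in, and the PEM body is a constructed placeholder rather than a real key.

```php
<?php
// Added illustration, not TeamPass code. deriveKey() is a hypothetical stand-in for the app's derivation.
const CIPHER = 'aes-256-cbc';

function deriveKey(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, 100000, 32, true);
}

// Store AES(PEM): base64 is applied only to the stored blob, never to the PEM input.
function createBackup(string $pem, string $password, string $salt): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($pem, CIPHER, deriveKey($password, $salt), OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

// Returns the PEM on success, null on any failure (caller decides whether to re-prompt).
function attemptTransparentRecovery(string $backup, string $password, string $salt): ?string
{
    $raw   = base64_decode($backup, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        return null;
    }
    $pem = openssl_decrypt(substr($raw, $ivLen), CIPHER, deriveKey($password, $salt),
                           OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
    // A wrong key occasionally yields valid padding and valid UTF-8; the header
    // guard rejects that garbage instead of treating it as a recovered key.
    if ($pem === false || !str_starts_with($pem, '-----BEGIN')) {
        return null;
    }
    return $pem;
}

// Constructed placeholder, not a real key.
$pem  = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n";
$salt = 'constructed-salt';
$good = createBackup($pem, 'correct-password', $salt);
$bad  = createBackup(base64_encode($pem), 'correct-password', $salt);   // the pre-fix encoding
foreach (['good/right password' => [$good, 'correct-password'],
          'good/wrong password' => [$good, 'wrong-password'],
          'base64(PEM)/right password' => [$bad, 'correct-password']] as $label => [$blob, $pw]) {
    $result = attemptTransparentRecovery($blob, $pw, $salt);
    echo $label, ': ', $result === null ? 'recovery refused' : 'PEM recovered', PHP_EOL;
}
```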

Installation & Upgrades

  • bck_script_passkey encryption during fresh install: The backup script passkey was generated in install step 5, before the encryption key was available. Generation has been moved to step 6 where $encryptionKey is defined; an empty placeholder is inserted in step 5. cryptionForInstall() is also now guarded against undefined SECUREPATH/SECUREFILE constants to prevent a fatal crash.
  • Missing show_subfolders column: The column was absent from fresh installs and was not added by 3.1.x upgrade scripts, causing database errors. It is now created during step 5 of the installer and added by the 3.1.7 upgrade script when missing.
  • Install folder not deleted after upgrade (#5183 by @guerricv): recursiveChmod() was called with file and directory permission arguments in the wrong order, causing the recursive permission change to fail silently. The clear_install_folder flag is now consumed only when deletion actually succeeds.

Items & Folders

  • Corrupted items integrity scan (PR #5182 by @guerricv): Integrated the community-contributed corrupted items scan with fixes: replaced SQL string concatenation with MeekroDB %l placeholders, fixed severity inconsistency in notice builder, added set_time_limit(0) to prevent fatal timeouts during RSA decryption on large databases, removed a redundant ALTER TABLE, and fixed a double folder-tree load on the items page. When a password is updated, the item's corrupted state is now automatically cleared.
  • Duplicate folder name check on rename: Renaming a folder to its current name was incorrectly flagged as a duplicate. Collapse/expand UI state was also not preserved correctly after a rename.
  • Items tree refresh and profile display (#5178 by @guerricv): The folder tree load strategy (lazy vs. full) was not preserved after a profile display change triggered a page refresh. Using $(this).delay().queue() to defer the refresh was also unreliable; replaced with setTimeout(). A missing break in users.queries.php was preventing a correct JSON response for empty user_profile_update payloads.

User Management

  • Manager user list filtering: When a Manager (non-admin, non-HR-manager) had no assignable roles, the SQL WHERE clause was left with a trailing AND that broke the query and could expose all users. The filter now emits AND FALSE in that case so the result is correctly empty. The roles array is also built once with array_values(array_filter(...)) and shared between the SQL filter and the PHP-side in_array check, eliminating mismatches caused by empty string entries in the session value.
  • Role and administration-role dropdowns in user edit: Admins and users with the global user-management permission now see all available roles in the role and administration-role selectors when editing a user, instead of only their own roles. Role-managers without that permission continue to see only the roles they personally hold.
  • Pagination state reset on user list: If the DataTable pagination state saved by the browser pointed beyond the total number of visible users (e.g. after a user was deleted), the list appeared empty. The offset is now reset to page 0 in that case.
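The manager user-list filter fix above, as an added illustration that is not TeamPass code: the roles array is normalized once, the SQL filter fails closed with AND FALSE when it is empty, and the same array feeds the PHP-side in_array check. Table and column names are hypothetical; the session role strings are constructed to show the empty entries the fix guards against.

```php
<?php
// Added illustration, not TeamPass code. Table/column names are hypothetical.

// Build the roles array once; drop empty entries so SQL and in_array() agree.
function normalizeRoles(string $sessionRoles): array
{
    $ids = array_filter(explode(';', $sessionRoles), fn(string $r): bool => ctype_digit($r));
    return array_values(array_map('intval', $ids));
}

// Returns [WHERE fragment, bound parameters] for the user list query.
function buildUserListFilter(bool $isAdmin, bool $isHrManager, array $roles): array
{
    $sql = 'WHERE u.deleted = 0';
    if ($isAdmin || $isHrManager) {
        return [$sql, []];
    }
    if ($roles === []) {
        // Nothing assignable: emit a clause that is false, never a dangling "AND".
        return [$sql . ' AND FALSE', []];
    }
    $in = implode(',', array_fill(0, count($roles), '?'));
    $sql .= " AND u.id IN (SELECT ur.user_id FROM user_roles ur WHERE ur.role_id IN ($in))";
    return [$sql, $roles];
}

// Per-row check on the PHP side, using the very same normalized array.
function managerMayEdit(array $roles, array $targetRoles): bool
{
    foreach ($targetRoles as $r) {
        if (in_array((int) $r, $roles, true)) {
            return true;
        }
    }
    return false;
}

// Constructed session values: a normal list, one with empty entries, and two empty variants.
foreach (['3;7', '3;;7;', '', ';'] as $sessionValue) {
    $roles = normalizeRoles($sessionValue);
    [$sql, $params] = buildUserListFilter(false, false, $roles);
    printf("session %-8s roles %-6s %s | params %s | may edit role 7: %s\n",
        json_encode($sessionValue), json_encode($roles), $sql, json_encode($params),
        managerMayEdit($roles, [7]) ? 'yes' : 'no');
}
```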

Logs

  • Failed authentication log table (#5184 by @guerricv): Columns were reordered (IP address now shown before user agent), horizontal scrolling is enabled, and responsive/auto-width modes are disabled to prevent column layout issues on smaller screens.

Improvements

  • Health dashboard: The corrupted items count is now displayed as a dedicated info-box on the Health overview page.
  • Anti-bruteforce options page (#5184 by @guerricv): The bruteforce settings fields now have min=0 and step=1 attributes and improved keyword tagging for the settings search. A lock duration field has been added alongside the existing attempt count.
  • Orphan objects maintenance task.

Full Changelog

3.1.7.5...3.1.7.6

Important

  • Requires at least PHP 8.1

Languages

Please join Teampass v3 translation project on Poeditor and translate it for your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.
