github passbolt/passbolt_api v4.1.0
War Pig


Song: https://www.youtube.com/watch?v=LQUXuQ6Zd9w

Presenting the latest update of passbolt, version 4.1.0.

This release introduces role-based access control for user rights, enabling administrators to control which passbolt features are accessible to their users.

This release also brings various improvements: folder sharing performs better, and passbolt now remembers your favourite MFA provider, which improves the user experience while logging in.

On the security side, the user is now automatically logged out after a configurable number of wrong attempts at MFA authentication. A feature flag now lets administrators remove the risk of email enumeration when self-registration is enabled.

A big thank you to the community for the contributions and feedback. Stay tuned for the next release candidate!

[4.1.0] - 2023-06-29

Added

  • PB-24259 As an administrator I can define with role based access control users' rights

Improved

  • PB-24744 As a LU the date time format in the response always displays the time zone
  • PB-24929 As a LU with multiple MFA providers setup, the latest provider used is proposed by default
  • PB-24488 Non-JSON request should return a 404 if JSON is required
  • PB-24617 As LU I want improved performance while sharing a folder with a user

Security

  • PB-25030 As an admin I can set a feature flag to prevent user email enumeration
  • PB-24273 As an admin I can disable the GET auth/logout.json endpoint (enabled by default)
  • PB-19510 As a user I should be redirected to HTTPS if SSL FORCE configuration is true
  • PB-24566 As an admin the email settings password should be masked in the test email command log output
  • PB-23591 As a user authenticating I can perform a limited amount of TOTP MFA attempts

Fixed

  • PB-24658 As an admin I should see no false warning in the email notification configuration section
  • PB-25275 As an admin I should see the option page during installation after creating the server GPG keys
  • PB-25276 As an admin on installation SSL force option should be set to true if the installation is launched over https
  • PB-25274 Set force SSL config to false by default

Maintenance

  • PB-24925 Updates the fixture factories to their latest version
  • PB-24913 Removes "type" from required JSON schema definition for TOTP resource types
  • PB-24305 Recovery and register legacy routes are not used in emails and commands outputs
  • PB-21604 Extract composer audit task from checkstyle job and make it non-blocking
  • PB-21641 Rename check-style job to static-analysis and make it blocking
