Merge branch 'release' into 'master'

v5.7.0 on master

See merge request passbolt/passbolt-ce-api!468

Author: cedricalfonsi

.ddev/commands/web/spx

@@ -2,6 +2,61 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.7.0] - 2025-11-12
+### Added
+- PB-46107 As an administrator I can define the number of past secret revisions persisted in DB
+- PB-46109 As an administrator I can block the edition of the secret revisions settings with a configuration flag
+- PB-46110 As a logged-in user I can view the past secret revisions of a resource
+- PB-45059 As an administrator I can see in the healthcheck if zero knowledge is activated and the server has access to the key
+- PB-45496 As an administrator I can run a clean-up task to delete metadata private keys entries of soft & hard-deleted users
+- PB-45567 As an administrator I can run a passbolt user_index command to list all users
+- PB-45567 As an administrator I can run a passbolt user_promote_to_administrator command to promote users to administrators
+- PB-45567 As an administrator I can run a passbolt mfa_user_settings_disable command to disable MFA for a given user
+- PB-46146 As an administrator I can hide the warning on commands run as non web-user with a configuration flag
+
+### Security
+- PB-45158 Adds frame-ancestors:none and form-action:self to the CSP header
+
+### Fixed
+- PB-45479 Azure SSO providing an invalid_tenant id should not trigger a 500
+- PB-45567 The arguments --username and --fingerprint of the passbolt truncate_account_recovery_tables command are now mandatory but their validation can be skipped with --no-verify
+- PB-44259 Users directory synchronisation should synchronise group memberships of suspended users
+- PB-44623 The API should return a 400 instead of 500 on /auth/jwt/logout.json when refresh_token isn't a UUID
+- PB-45760 Fixes a translation in setup recover abort email reported by community
+- PB-45262 Prevent activity log from showing secret creation during resource share as a secret update
+
+### Maintenance
+- PB-45731 As a developer I can ensure by unit tests that all Crowdin translations are parsable
+- PB-45788 Updates sessions.sql file as per the latest cakephp skeleton
+- PB-43742 Updates PHPUnit vendor to v11
+- PB-45829 Upgrades Passbolt API Web Installer to use OpenPGP.js version 6
+
+## [5.7.0-test.1] - 2025-11-11
+### Added
+- PB-46107 As an administrator I can define the number of past secret revisions persisted in DB
+- PB-46109 As an administrator I can block the edition of the secret revisions settings with a configuration flag
+- PB-46110 As a logged-in user I can view the past secret revisions of a resource
+- PB-45059 As an administrator I can see in the healthcheck if zero knowledge is activated and the server has access to the key
+- PB-45496 As an administrator I can run a clean-up task to delete metadata private keys entries of soft & hard-deleted users
+- PB-45567 As an administrator I can run a passbolt user_index command to list all users
+- PB-45567 As an administrator I can run a passbolt user_promote_to_administrator command to promote users to administrators
+- PB-45567 As an administrator I can run a passbolt mfa_user_settings_disable command to disable MFA for a given user
+- PB-46146 As an administrator I can hide the warning on commands run as non web-user with a configuration flag
+
+### Security
+- PB-45158 Adds frame-ancestors:none and form-action:self to the CSP header
+
+### Fixed
+- PB-44623 The API should return a 400 instead of 500 on /auth/jwt/logout.json when refresh_token isn't a UUID
+- PB-45760 Fixes a translation in setup recover abort email reported by community
+- PB-45262 Prevent activity log from showing secret creation during resource share as a secret update
+
+### Maintenance
+- PB-45731 As a developer I can ensure by unit tests that all Crowdin translations are parsable
+- PB-45788 Updates sessions.sql file as per the latest cakephp skeleton
+- PB-43742 Updates PHPUnit vendor to v11
+- PB-45829 Upgrades Passbolt API Web Installer to use OpenPGP.js version 6
+
 ## [5.6.1] - 2025-11-04
 ### Security
 - PB-45919 Fix security issue in query generation for CakePHP

CHANGELOG.md

@@ -1,9 +1,55 @@
-Release song: https://youtu.be/SUu9aEoQOL8
+Release song: https://youtu.be/fMnh5Tn8aeM
 
-Passbolt 5.6.1 addresses a security issue identified in the underlying CakePHP framework.
-The issue has been fully mitigated through a framework update.
-All administrators are advised to update to this version to maintain a secure environment.
+Passbolt 5.7.0 introduces secret history, a highly demanded feature that gives users visibility and control over previous
+versions of their secrets. This release also includes several usability improvements requested and bug fixes reported by the community.
+
+### Secret history
+It is now possible to access previous revisions of a secret directly from Passbolt.
+
+Secret history helps reduce the impact of human error and offers a safer way to manage evolving secrets. For instance,
+this enables users to undo an accidental update on the spot. Note that the feature is disabled by default and requires
+an administrator to enable it from the administration workspace.
+
+### User and group workspace improvements
+A new “Remove from group” action has been added to the user and group workspaces. This addition eliminates the confusion
+between permanently deleting a user and simply removing them from a specific group.
+
+Moreover, administrators can now instantly filter users that require attention via the “Attention Required” filter in
+the workspace. For instance: identifying users with a pending account recovery request to review, or missing metadata keys.
+
+### Import report
+The application now displays a summary dialog after an import, offering accurate and actionable information.
+The report precisely categorises alerts into successes, warnings and errors, providing end users with additional logs.
+
+### Miscellaneous improvements
+As usual this release is packed with improvements and bug fixes reported by the community. Notably, the reliability of autofill
+has been improved across a wider range of websites. If you find that autofill does not work on a particular website, feel free
+to open a bug report including the website details to help us identify the custom selector. For more, check out the changelog below.
+
+Many thanks to everyone who provided feedback, reported issues, and helped refine these new features.
+
+## [5.7.0] - 2025-11-12
+### Added
+- PB-46107 As an administrator I can define the number of past secret revisions persisted in DB
+- PB-46109 As an administrator I can block the edition of the secret revisions settings with a configuration flag
+- PB-46110 As a logged-in user I can view the past secret revisions of a resource
+- PB-45059 As an administrator I can see in the healthcheck if zero knowledge is activated and the server has access to the key
+- PB-45496 As an administrator I can run a clean-up task to delete metadata private keys entries of soft & hard-deleted users
+- PB-45567 As an administrator I can run a passbolt user_index command to list all users
+- PB-45567 As an administrator I can run a passbolt user_promote_to_administrator command to promote users to administrators
+- PB-45567 As an administrator I can run a passbolt mfa_user_settings_disable command to disable MFA for a given user
+- PB-46146 As an administrator I can hide the warning on commands run as non web-user with a configuration flag
 
-## [5.6.1] - 2025-11-04
 ### Security
-- PB-45919 Fix security issue in query generation for CakePHP
+- PB-45158 Adds frame-ancestors:none and form-action:self to the CSP header
+
+### Fixed
+- PB-44623 The API should return a 400 instead of 500 on /auth/jwt/logout.json when refresh_token isn't a UUID
+- PB-45760 Fixes a translation in setup recover abort email reported by community
+- PB-45262 Prevent activity log from showing secret creation during resource share as a secret update
+
+### Maintenance
+- PB-45731 As a developer I can ensure by unit tests that all Crowdin translations are parsable
+- PB-45788 Updates sessions.sql file as per the latest cakephp skeleton
+- PB-43742 Updates PHPUnit vendor to v11
+- PB-45829 Upgrades Passbolt API Web Installer to use OpenPGP.js version 6

RELEASE_NOTES.md

@@ -88,7 +88,7 @@
         "psy/psysh": "@stable",
         "cakephp/debug_kit": "^5.0.0",
         "cakephp/bake": "^3.0.0",
-        "phpunit/phpunit": "^10.1.0",
+        "phpunit/phpunit": "^11.0",
         "cakephp/cakephp-codesniffer": "^5.0",
         "passbolt/passbolt-selenium-api": "dev-cakephp5#861bc4fe19b5ed58e50dd9a9c52909c997f2934a",
         "vierge-noire/cakephp-fixture-factories": "^v3.0",
@@ -123,6 +123,7 @@
             "Passbolt\\TotpResourceTypes\\": "./plugins/PassboltCe/TotpResourceTypes/src",
             "Passbolt\\Rbacs\\": "./plugins/PassboltCe/Rbacs/src",
             "Passbolt\\PasswordPolicies\\": "./plugins/PassboltCe/PasswordPolicies/src",
+            "Passbolt\\SecretRevisions\\": "./plugins/PassboltCe/SecretRevisions/src",
             "Passbolt\\Metadata\\": "./plugins/PassboltCe/Metadata/src",
             "Passbolt\\UserKeyPolicies\\": "./plugins/PassboltCe/UserKeyPolicies/src"
         }
@@ -152,6 +153,7 @@
             "Passbolt\\TotpResourceTypes\\Test\\": "./plugins/PassboltCe/TotpResourceTypes/tests",
             "Passbolt\\Rbacs\\Test\\": "./plugins/PassboltCe/Rbacs/tests",
             "Passbolt\\PasswordPolicies\\Test\\": "./plugins/PassboltCe/PasswordPolicies/tests",
+            "Passbolt\\SecretRevisions\\Test\\": "./plugins/PassboltCe/SecretRevisions/tests",
             "Passbolt\\Metadata\\Test\\": "./plugins/PassboltCe/Metadata/tests",
             "Passbolt\\UserKeyPolicies\\Test\\": "./plugins/PassboltCe/UserKeyPolicies/tests"
         }