Merge branch 'feature/PB-47506_52-Publish-production-API' into 'master'

PB-47506 Publish production API (v5.8.0)

See merge request passbolt/passbolt-ce-api!488

Author: cedricalfonsi

CHANGELOG.md

@@ -2,6 +2,106 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.8.0] - 2025-12-22
+### Added
+- PB-46972 As an administrator I can create a new custom role
+- PB-46973 As an administrator I can update a custom role
+- PB-46968 As an administrator I can soft delete custom roles
+- PB-46971 As an administrator I can list roles including deleted ones via filter
+- PB-47169 As a user I receive an email notification when my role is changed
+- PB-47345 As an administrator I receive an email notification when a role is created or updated
+- PB-46975 As an administrator I can list RBACs including Actions
+- PB-46976 As an administrator I can update RBACs for Actions
+- PB-47006 As a logged-in user my role is fetched on every request to reflect role changes immediately
+- PB-47083 As a user with appropriate RBAC permissions I can create groups
+- PB-47196 As an administrator I can run the healthcheck command in POSIX mode
+- PB-47274 As an administrator I can run a command to populate created_by and modified_by fields in secrets
+- PB-47275 As an administrator I can run a command to populate secret revisions for existing secrets
+
+### Fixed
+- PB-46374 As first admin I should not receive emails regarding encrypted metadata enablement during the first setup
+- PB-46613 Fix web installer not working in HTTP when not in secure context
+- PB-46640 Fix warnings in mfa_user_settings_reset_self.php email template
+- PB-46645 Optimize action logs purge command dry run query
+- PB-46913 Fix MfaUserSettingsDisableCommand to support case sensitive username comparison
+- PB-46935 Fix 500 error on /metadata/session-keys/{uuid}.json endpoint when the request is sent twice
+- PB-47236 Reduce the PHP memory load of the V570PopulateSecretRevisionsForExistingSecrets migration
+
+### Security
+- PB-46890 Upgrade js-yaml dependency (Medium severity)
+
+### Maintenance
+- PB-45979 Add CACHE_CAKETRANSLATIONS_CLASSNAME environment variable for _cake_translations_ cache config
+- PB-46388 Fix PHPUnit 11 deprecations
+
+## [5.8.0-test.3] - 2025-12-17
+### Fixed
+- PB-47625 As an administrator I cannot recreate a role deleted previously
+
+## [5.8.0-test.2] - 2025-12-12
+### Added
+- PB-46972 As an administrator I can create a new custom role
+- PB-46973 As an administrator I can update a custom role
+- PB-46968 As an administrator I can soft delete custom roles
+- PB-46971 As an administrator I can list roles including deleted ones via filter
+- PB-47169 As a user I receive an email notification when my role is changed
+- PB-47345 As an administrator I receive an email notification when a role is created or updated
+- PB-46975 As an administrator I can list RBACs including Actions
+- PB-46976 As an administrator I can update RBACs for Actions
+- PB-47006 As a logged-in user my role is fetched on every request to reflect role changes immediately
+- PB-47083 As a user with appropriate RBAC permissions I can create groups
+- PB-47196 As an administrator I can run the healthcheck command in POSIX mode
+- PB-47274 As an administrator I can run a command to populate created_by and modified_by fields in secrets
+- PB-47275 As an administrator I can run a command to populate secret revisions for existing secrets
+
+### Fixed
+- PB-46374 As first admin I should not receive emails regarding encrypted metadata enablement during the first setup
+- PB-46613 Fix web installer not working in HTTP when not in secure context
+- PB-46640 Fix warnings in mfa_user_settings_reset_self.php email template
+- PB-46645 Optimize action logs purge command dry run query
+- PB-46913 Fix MfaUserSettingsDisableCommand to support case sensitive username comparison
+- PB-46935 Fix 500 error on /metadata/session-keys/{uuid}.json endpoint when the request is sent twice
+- PB-47236 Reduce the PHP memory load of the V570PopulateSecretRevisionsForExistingSecrets migration
+
+### Security
+- PB-46890 Upgrade js-yaml dependency (Medium severity)
+
+### Maintenance
+- PB-45979 Add CACHE_CAKETRANSLATIONS_CLASSNAME environment variable for _cake_translations_ cache config
+- PB-46388 Fix PHPUnit 11 deprecations
+
+## [5.8.0-test.1] - 2025-12-11
+### Added
+- PB-46972 As an administrator I can create a new custom role
+- PB-46973 As an administrator I can update a custom role
+- PB-46968 As an administrator I can soft delete custom roles
+- PB-46971 As an administrator I can list roles including deleted ones via filter
+- PB-47169 As a user I receive an email notification when my role is changed
+- PB-47345 As an administrator I receive an email notification when a role is created or updated
+- PB-46975 As an administrator I can list RBACs including Actions
+- PB-46976 As an administrator I can update RBACs for Actions
+- PB-47006 As a logged-in user my role is fetched on every request to reflect role changes immediately
+- PB-47083 As a user with appropriate RBAC permissions I can create groups
+- PB-47196 As an administrator I can run the healthcheck command in POSIX mode
+- PB-47274 As an administrator I can run a command to populate created_by and modified_by fields in secrets
+- PB-47275 As an administrator I can run a command to populate secret revisions for existing secrets
+
+### Fixed
+- PB-46374 As first admin I should not receive emails regarding encrypted metadata enablement during the first setup
+- PB-46613 Fix web installer not working in HTTP when not in secure context
+- PB-46640 Fix warnings in mfa_user_settings_reset_self.php email template
+- PB-46645 Optimize action logs purge command dry run query
+- PB-46913 Fix MfaUserSettingsDisableCommand to support case sensitive username comparison
+- PB-46935 Fix 500 error on /metadata/session-keys/{uuid}.json endpoint when the request is sent twice
+- PB-47236 Reduce the PHP memory load of the V570PopulateSecretRevisionsForExistingSecrets migration
+
+### Security
+- PB-46890 Upgrade js-yaml dependency (Medium severity)
+
+### Maintenance
+- PB-45979 Add CACHE_CAKETRANSLATIONS_CLASSNAME environment variable for _cake_translations_ cache config
+- PB-46388 Fix PHPUnit 11 deprecations
+
 ## [5.7.2] - 2025-11-17
 ### Fixed
 - PB-46826 As an administrator running the cleanup task, the server metadata private key entry should not be deleted

RELEASE_NOTES.md

@@ -1,11 +1,62 @@
-Release song: https://youtu.be/t12nOxmB278
+Release song: https://www.youtube.com/watch?v=F5uXomY94w8
 
-Passbolt 5.7.2 fixes an issue introduced in v5.7.0 that affected the health check when it was run after the cleanup command.
-The bug caused the server metadata private key to be incorrectly deleted, resulting in health check failures.
-This has now been resolved, and the cleanup process works as expected.
+Passbolt 5.8.0 introduces dynamic role management, allowing organizations to define additional roles that better align with internal policies, compliance requirements, and operational needs. This release also adds drag & drop user assignment to groups, simplifying day-to-day user and group management.
 
-We thank the community again for reporting this issue!
+**Warning**: Ensure that all users have updated their browser extension to at least version 5.8 before assigning new roles. Otherwise, they will not be able to connect to Passbolt.
+
+## Dynamic role management
+
+As was already the case with the default User role, Passbolt allows administrators to restrict what users can do by limiting access to specific capabilities. With version 5.8, this model is extended beyond the default Admin and User roles, making it possible to create additional roles and assign them to users for more granular control.
+
+Dynamic roles also enable the delegation of administrative responsibilities. Rather than granting full administrative access, administrators can now assign selected capabilities to custom roles and distribute operational tasks across multiple users. Initial support covers group creation, as well as handling account recovery requests in Passbolt Pro.
+
+At this stage, dynamic role management comes with a defined scope and set of constraints.
+
+- The default Admin and User roles keep fixed names and cannot be renamed or deleted.
+- As before, the User role can be restricted, but it cannot be assigned delegated administrative responsibilities.
+- The Admin role, by contrast, always retains access to all capabilities and cannot be restricted.
+- Custom roles are currently limited to two per instance and support a first set of administrative capabilities.
+
+This scope will be expanded progressively as additional needs and use cases are identified by the community.
+
+## Drag & drop users to groups
+
+Managing group membership often requires repetitive actions when working with large teams or frequently changing group structures. With Passbolt 5.8, administrators can now add users to a group by dragging them directly onto it from the Users & Groups workspace. This removes the need to open and edit each group individually and makes day-to-day group management faster and more fluid.
+
+## Miscellaneous improvements
+
+As usual, this release includes fixes and smaller improvements intended to improve the overall experience. For the full list of changes, please refer to the changelog.
+
+Many thanks to everyone who provided feedback and helped refine these features.
+
+## [5.8.0] - 2025-12-22
+### Added
+- PB-46972 As an administrator I can create a new custom role
+- PB-46973 As an administrator I can update a custom role
+- PB-46968 As an administrator I can soft delete custom roles
+- PB-46971 As an administrator I can list roles including deleted ones via filter
+- PB-47169 As a user I receive an email notification when my role is changed
+- PB-47345 As an administrator I receive an email notification when a role is created or updated
+- PB-46975 As an administrator I can list RBACs including Actions
+- PB-46976 As an administrator I can update RBACs for Actions
+- PB-47006 As a logged-in user my role is fetched on every request to reflect role changes immediately
+- PB-47083 As a user with appropriate RBAC permissions I can create groups
+- PB-47196 As an administrator I can run the healthcheck command in POSIX mode
+- PB-47274 As an administrator I can run a command to populate created_by and modified_by fields in secrets
+- PB-47275 As an administrator I can run a command to populate secret revisions for existing secrets
 
-## [5.7.2] - 2025-11-17
 ### Fixed
-- PB-46826 As an administrator running the cleanup task, the server metadata private key entry should not be deleted
+- PB-46374 As first admin I should not receive emails regarding encrypted metadata enablement during the first setup
+- PB-46613 Fix web installer not working in HTTP when not in secure context
+- PB-46640 Fix warnings in mfa_user_settings_reset_self.php email template
+- PB-46645 Optimize action logs purge command dry run query
+- PB-46913 Fix MfaUserSettingsDisableCommand to support case sensitive username comparison
+- PB-46935 Fix 500 error on /metadata/session-keys/{uuid}.json endpoint when the request is sent twice
+- PB-47236 Reduce the PHP memory load of the V570PopulateSecretRevisionsForExistingSecrets migration
+
+### Security
+- PB-46890 Upgrade js-yaml dependency (Medium severity)
+
+### Maintenance
+- PB-45979 Add CACHE_CAKETRANSLATIONS_CLASSNAME environment variable for _cake_translations_ cache config
+- PB-46388 Fix PHPUnit 11 deprecations

config/Migrations/20251127112629_V580AddDeletedToRoles.php

@@ -0,0 +1,41 @@
+<?php
+declare(strict_types=1);
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         5.8.0
+ */
+
+use Migrations\AbstractMigration;
+
+class V580AddDeletedToRoles extends AbstractMigration
+{
+    /**
+     * Change Method.
+     *
+     * More information on this method is available here:
+     * https://book.cakephp.org/migrations/4/en/migrations.html#the-change-method
+     *
+     * @return void
+     */
+    public function change(): void
+    {
+        $this
+            ->table('roles')
+            ->addColumn('deleted', 'datetime', [
+                'default' => null,
+                'limit' => null,
+                'null' => true,
+                'after' => 'description',
+            ])
+            ->save();
+    }
+}

config/Migrations/20251127142638_V580InsertRbacsControlledActions.php

@@ -0,0 +1,41 @@
+<?php
+declare(strict_types=1);
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         5.8.0
+ */
+
+use Cake\Log\Log;
+use Migrations\AbstractMigration;
+use Passbolt\Rbacs\Service\Actions\RbacsControlledActionsInsertService;
+
+class V580InsertRbacsControlledActions extends AbstractMigration
+{
+    /**
+     * Change Method.
+     *
+     * More information on this method is available here:
+     * https://book.cakephp.org/migrations/4/en/migrations.html#the-change-method
+     *
+     * @return void
+     */
+    public function change(): void
+    {
+        try {
+            (new RbacsControlledActionsInsertService())->insertRbacsControlledActions();
+        } catch (Throwable $e) {
+            $msg = 'There was an error in V580InsertRbacsControlledActions.';
+            $msg .= ' ' . $e->getMessage();
+            Log::error($msg);
+        }
+    }
+}

config/Migrations/20251128071117_V580AddByFieldsToRoles.php

@@ -0,0 +1,56 @@
+<?php
+declare(strict_types=1);
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         5.8.0
+ */
+
+use Migrations\AbstractMigration;
+
+class V580AddByFieldsToRoles extends AbstractMigration
+{
+    /**
+     * Change Method.
+     *
+     * More information on this method is available here:
+     * https://book.cakephp.org/migrations/4/en/migrations.html#the-change-method
+     *
+     * @return void
+     */
+    public function change(): void
+    {
+        $this
+            ->table('roles')
+            ->addColumn('created_by', 'uuid', [
+                'default' => null,
+                'null' => true,
+                'encoding' => 'ascii',
+                'collation' => 'ascii_general_ci', // required for FK, needs to be same as reference table (i.e. users)
+                'after' => 'deleted',
+            ])
+            ->addColumn('modified_by', 'uuid', [
+                'default' => null,
+                'null' => true,
+                'encoding' => 'ascii',
+                'collation' => 'ascii_general_ci', // required for FK, needs to be same as reference table (i.e. users)
+                'after' => 'created_by',
+            ])
+            ->addColumn('deleted_by', 'uuid', [
+                'default' => null,
+                'null' => true,
+                'encoding' => 'ascii',
+                'collation' => 'ascii_general_ci', // required for FK, needs to be same as reference table (i.e. users)
+                'after' => 'modified_by',
+            ])
+            ->save();
+    }
+}

config/Migrations/20251203112523_V580InsertRbacsForActions.php

@@ -0,0 +1,48 @@
+<?php
+declare(strict_types=1);
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         5.8.0
+ */
+
+use Cake\Log\Log;
+use Migrations\AbstractMigration;
+use Passbolt\Rbacs\Service\Actions\RbacsControlledActionsInsertService;
+use Passbolt\Rbacs\Service\Rbacs\InsertRbacsForActionsService;
+
+class V580InsertRbacsForActions extends AbstractMigration
+{
+    /**
+     * Change Method.
+     *
+     * More information on this method is available here:
+     * https://book.cakephp.org/migrations/4/en/migrations.html#the-change-method
+     *
+     * @return void
+     */
+    public function change(): void
+    {
+        try {
+            (new InsertRbacsForActionsService())->add([
+                // actions to add
+                RbacsControlledActionsInsertService::NAME_GROUPS_ADD,
+                RbacsControlledActionsInsertService::NAME_ACCOUNT_RECOVERY_REQUESTS_INDEX,
+                RbacsControlledActionsInsertService::NAME_ACCOUNT_RECOVERY_REQUESTS_VIEW,
+                RbacsControlledActionsInsertService::NAME_ACCOUNT_RECOVERY_RESPONSES_CREATE,
+            ]);
+        } catch (Throwable $e) {
+            $msg = 'There was an error in V580InsertRbacsForActions.';
+            $msg .= ' ' . $e->getMessage();
+            Log::error($msg);
+        }
+    }
+}