Merge branch 'release' into 'master'

v5.3.2

See merge request passbolt/passbolt-ce-api!413

Author: cedricalfonsi

.ddev/commands/host/analyze

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+## Description: Runs CS check & static analysis commands
+## Usage: analyze
+## Example: "ddev analyze"
+
+set -eo pipefail
+
+ddev composer stan
+ddev composer psalm
+ddev composer cs-check # give coding style lower priority

.ddev/commands/host/init_passbolt

@@ -8,7 +8,7 @@
 
 set -eo pipefail
 
-ddev composer install
+ddev composer install --no-interaction
 ddev create_passbolt_db
 if [ ! -f config/jwt/jwt.key ] || [ ! -f config/jwt/jwt.pem ]; then
     ddev cake passbolt create_jwt_keys

.ddev/commands/host/refresh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+## Description: Run this command after changing the branch to get up-to-date state
+## Usage: refresh
+## Example: "ddev refresh"
+
+set -eo pipefail
+
+ddev composer install --no-interaction
+ddev cake migrations migrate
+ddev cake cache clear_all

.ddev/config.yaml

@@ -14,6 +14,7 @@ composer_version: "2"
 web_environment:
   - DEBUG=true
   - APP_FULL_BASE_URL=https://passbolt-pro-api.ddev.site
+  - PASSBOLT_SELENIUM_ACTIVE=true
   - DATASOURCES_DEFAULT_HOST=db
   - DATASOURCES_DEFAULT_USERNAME=db
   - DATASOURCES_DEFAULT_PASSWORD=db

.gitlab-ci/jobs/php_unit_tests/sequential/php_unit_tests.yml

@@ -73,7 +73,6 @@
     DATASOURCES_DEFAULT_PASSWORD: $POSTGRES_PASSWORD
     DATASOURCES_DEFAULT_PORT: 5432
     DATASOURCES_DEFAULT_ENCODING: "utf8"
-    DATASOURCES_DEFAULT_SCHEMA: "public"
     # Test
     DATASOURCES_TEST_DRIVER: Cake\Database\Driver\Postgres
     DATASOURCES_TEST_HOST: 127.0.0.1
@@ -82,7 +81,6 @@
     DATASOURCES_TEST_PASSWORD: $POSTGRES_PASSWORD
     DATASOURCES_TEST_PORT: 5432
     DATASOURCES_TEST_ENCODING: "utf8"
-    DATASOURCES_TEST_SCHEMA: 'public'
 # TO BE REPLACED WITH
 #  before_script:
 #    - apt-get update

CHANGELOG.md

@@ -2,6 +2,28 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.3.2] - 2025-07-16
+### Fixed
+- PB-43910 As an administrator installing passbolt on postgres, the default postgres schema should be public
+- PB-43956 Fix OpenPGP_PHP behavior discrepancy for keys with multiple self-signed key signatures with different expiry times
+- PB-43746 A metadata key should be shareable with new users even if the administrator who created the key is soft-deleted
+- PB-37106 As an administrator running healthCheck, I should see the right path to the logs if the directory permissions are not correct
+
+### Maintenance
+- PB-43966 Selenium specific endpoints should be enabled for local testing with ddev
+- PB-43480 Writes stack traces in logs on metadata key validation 500 errors
+
+## [5.3.2-test.1] - 2025-07-15
+### Fixed
+- PB-43910 As an administrator installing passbolt on postgres, the default postgres schema should be public
+- PB-43956 Fix OpenPGP_PHP behavior discrepancy for keys with multiple self-signed key signatures with different expiry times
+- PB-43746 A metadata key should be shareable with new users even if the administrator who created the key is soft-deleted
+- PB-37106 As an administrator running healthCheck, I should see the right path to the logs if the directory permissions are not correct
+
+### Maintenance
+- PB-43966 Selenium specific endpoints should be enabled for local testing with ddev
+- PB-43480 Writes stack traces in logs on metadata key validation 500 errors
+
 ## [5.3.1] - 2025-07-09
 ### Fixed
 - PB-43748 Users are unable to save a new standalone custom field resource

RELEASE_NOTES.md

@@ -1,9 +1,27 @@
-Release song: https://www.youtube.com/watch?v=h7V36waLN0M
+Release song: https//www.youtube.com/watch?v=-GxmblM_jss
 
-This hot-fix resolves a regression introduced in v5.3.0 that blocked the creation of standalone Custom Fields content types. A validation error in the API prevented these resources from being saved. With v5.3.1, the validation logic has been corrected, so users can now create and test Custom Fields content types as intended.
+Passbolt v5.3.2 is a security release designed to strengthen the security posture of your organization. It introduces a
+clipboard flushing feature and addresses issues related to encrypted metadata.
 
-Thank you to everyone in the community who spotted the issue so quickly and helped us verify the fix!
+The new clipboard flush timer lets you copy secrets just long enough to use them; clipboard data is automatically cleared
+when the countdown (30s) expires, significantly reducing the risk of accidental exposure or leaks from forgotten clipboard content.
 
-## [5.3.1] - 2025-07-09
+This update also resolves several encrypted metadata issues, moving the feature closer to general availability.
+Organizations can now enable encrypted metadata even if users have imported their own more complex keys
+(e.g. keys that were set to expire at some point), streamlining adoption for advanced users. Admin changes are smoother
+too: if the original metadata-enabling administrator leaves, newly invited users will still receive the metadata key automatically,
+removing the need for manual distribution. Lastly, users who owned shared resources using the new encrypted metadata format can now
+be deleted without issue, as ownership transfer is now handled correctly during the deletion process.
+A big thank you to all testers who helped refine these features. If you’re new to any of them, we welcome your feedback on the community
+forum or through your usual support channels!
+
+## [5.3.2] - 2025-07-16
 ### Fixed
-- PB-43748 Users are unable to save a new standalone custom field resource
+- PB-43910 As an administrator installing passbolt on postgres, the default postgres schema should be public
+- PB-43956 Fix OpenPGP_PHP behavior discrepancy for keys with multiple self-signed key signatures with different expiry times
+- PB-43746 A metadata key should be shareable with new users even if the administrator who created the key is soft-deleted
+- PB-37106 As an administrator running healthCheck, I should see the right path to the logs if the directory permissions are not correct
+
+### Maintenance
+- PB-43966 Selenium specific endpoints should be enabled for local testing with ddev
+- PB-43480 Writes stack traces in logs on metadata key validation 500 errors

composer.json

@@ -91,7 +91,7 @@
         "phpunit/phpunit": "^10.1.0",
         "cakephp/cakephp-codesniffer": "^5.0",
         "passbolt/passbolt-selenium-api": "dev-cakephp5#0d46ae337ba71659191e7625c96ff2f861da44d1",
-        "passbolt/passbolt-test-data": "dev-master#e0e3771",
+        "passbolt/passbolt-test-data": "dev-master#be1fe75",
         "vierge-noire/cakephp-fixture-factories": "^v3.0",
         "cakephp/localized": "^5.0",
         "cakedc/cakephp-phpstan": "^3.2",

composer.lock

@@ -338,7 +338,7 @@
             'username' => env('DATASOURCES_DEFAULT_USERNAME', ''),
             'password' => env('DATASOURCES_DEFAULT_PASSWORD', ''),
             'database' => env('DATASOURCES_DEFAULT_DATABASE', ''),
-            'schema' => env('DATASOURCES_DEFAULT_SCHEMA', ''),
+            'schema' => env('DATASOURCES_DEFAULT_SCHEMA', 'public'),
             'ssl_key' => env('DATASOURCES_DEFAULT_SSL_KEY', ''),
             'ssl_cert' => env('DATASOURCES_DEFAULT_SSL_CERT', ''),
             'ssl_ca' => env('DATASOURCES_DEFAULT_SSL_CA', ''),
@@ -371,7 +371,7 @@
             'username' => env('DATASOURCES_TEST_USERNAME', 'my_app'),
             'password' => env('DATASOURCES_TEST_PASSWORD', 'secret'),
             'database' => env('DATASOURCES_TEST_DATABASE', 'my_app'),
-            'schema' => env('DATASOURCES_TEST_SCHEMA', ''),
+            'schema' => env('DATASOURCES_TEST_SCHEMA', 'public'),
             'ssl_key' => env('DATASOURCES_TEST_SSL_KEY', ''),
             'ssl_cert' => env('DATASOURCES_TEST_SSL_CERT', ''),
             'ssl_ca' => env('DATASOURCES_TEST_SSL_CA', ''),