Merge branch 'release' into 'master'

Release v5.2.0

See merge request passbolt/passbolt-ce-api!396

Author: gmougenel

CHANGELOG.md

@@ -2,6 +2,80 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.2.0] - 2025-06-11
+### Added
+- PB-42861 As a user I can use passbolt in Slovenian language
+- PB-42986 As a user I can use passbolt in Ukrainian language
+- PB-42878 Add User GPG key policies (ECC by default) support behind a feature flag
+- PB-41966 As a resource owner I should receive a notification on the day that my resources expire
+
+### Improved
+- PB-42706 Alias POST /metadata/keys/privates.json endpoint to POST /metadata/keys/private.json
+
+### Fixed
+- PB-42800 The check metadata key presence in the healthcheck should not fail if no metadata key is required
+- PB-42701 Fixes the contain of missing metadata key on view user endpoint
+- PB-42592 Add missing attribute in ldap default configuration file
+- PB-42574 Fix LDAP Typed property error
+
+### Security
+- PB-42687 Security alert emails should display user IP and user agent only if configured
+- PB-42379 PBL-13-004 - Fixes HTML injections in email notifications
+
+### Maintenance
+- PB-42935 Upgrade API babel dev dependency
+- PB-42893 Upgrade API lock-link-api dev dependency
+- PB-42923 refactor code to remove warning in selenium execution context
+
+## [5.2.0-rc.1] - 2025-06-04
+### Added
+- PB-42861 As a user I can use passbolt in Slovenian language
+- PB-42986 As a user I can use passbolt in Ukrainian language
+- PB-42878 Add User GPG key policies (ECC by default) support behind a feature flag
+- PB-41966 As a resource owner I should receive a notification on the day that my resources expire
+
+### Improved
+- PB-42706 Alias POST /metadata/keys/privates.json endpoint to POST /metadata/keys/private.json
+
+### Fixed
+- PB-42800 The check metadata key presence in the healthcheck should not fail if no metadata key is required
+- PB-42701 Fixes the contain of missing metadata key on view user endpoint
+
+### Security
+- PB-42687 Security alert emails should display user IP and user agent only if configured
+- PB-42378 PBL-13-001 - Fixes open redirect on MFA step in login
+- PB-42379 PBL-13-004 - Fixes HTML injections in email notifications
+- PB-43115 Fix XSS in email footer where the full base URL was not escaped or sanitized
+
+### Maintenance
+- PB-42935 Upgrade API babel dev dependency
+- PB-42893 Upgrade API lock-link-api dev dependency
+- PB-42923 refactor code to remove warning in selenium execution context
+
+## [5.2.0-test.1] - 2025-06-03
+### Added
+- PB-42861 As a user I can use passbolt in Slovenian language
+- PB-42986 As a user I can use passbolt in Ukrainian language
+- PB-42878 Add User GPG key policies (ECC by default) support behind a feature flag
+- PB-41966 As a resource owner I should receive a notification on the day that my resources expire
+
+### Improved
+- PB-42706 Alias POST /metadata/keys/privates.json endpoint to POST /metadata/keys/private.json
+
+### Fixed
+- PB-42800 The check metadata key presence in the healthcheck should not fail if no metadata key is required
+- PB-42701 Fixes the contain of missing metadata key on view user endpoint
+
+### Security
+- PB-42687 Security alert emails should display user IP and user agent only if configured
+- PB-42378 PBL-13-001 - Fixes open redirect on MFA step in login
+- PB-42379 PBL-13-004 - Fixes HTML injections in email notifications
+
+### Maintenance
+- PB-42935 Upgrade API babel dev dependency
+- PB-42893 Upgrade API lock-link-api dev dependency
+- PB-42923 refactor code to remove warning in selenium execution context
+
 ## [5.1.1] - 2025-05-22
 ### Fixed
 - PB-42701 Fix the contain of missing metadata key on view user endpoint

RELEASE_NOTES.md

@@ -1,12 +1,43 @@
-Release song: https://www.youtube.com/watch?v=Nbav4oWMqEY
+Release song: https://www.youtube.com/watch?v=ZA2JknKrCbM
 
-This is a maintenance release to fix reported issues from Pro customers where directory synchronization was returning various type errors. It also includes a security fix to only include user’s IP & browser agent information if enabled via configuration.
+Passbolt 5.2 introduces the first features built on encrypted metadata, enhancing resource management and customisation.
+This update lays the groundwork for future improvements and delivers practical everyday benefits.
 
-Thank you for the valuable feedback and patience!
+Resources using encrypted metadata now support multiple URIs. For example, addresses like app.example.com and admin.example.com
+can be linked to the same credential, helping the browser extension recognise credentials across multiple domains.
+
+Icons and colours can now be set for resources with encrypted metadata, using a method compatible with KeePass for easy
+import and export. This visual distinction helps users quickly navigate large workspaces.
+
+A new density setting is available to adjust grid spacing, providing a clearer, more comfortable view.
+Users can easily toggle this in the workspace column settings as needed.
+
+The Passbolt interface now supports Ukrainian and Slovenian languages, enabling native speakers to use the tool comfortably without relying on English.
+
+Additionally, resource owners now receive notifications on the day their passwords expire, supporting teams in managing rotation policies effectively.
+
+This update includes several bug fixes and maintenance improvements based on community feedback.
+Thanks to everyone who contributed by reporting issues and suggesting improvements.
+
+## [5.2.0] - 2025-06-11
+### Added
+- PB-42861 As a user I can use passbolt in Slovenian language
+- PB-42986 As a user I can use passbolt in Ukrainian language
+- PB-42878 Add User GPG key policies (ECC by default) support behind a feature flag
+- PB-41966 As a resource owner I should receive a notification on the day that my resources expire
+
+### Improved
+- PB-42706 Alias POST /metadata/keys/privates.json endpoint to POST /metadata/keys/private.json
 
-## [5.1.1] - 2025-05-22
 ### Fixed
-- PB-42701 Fix the contain of missing metadata key on view user endpoint
+- PB-42800 The check metadata key presence in the healthcheck should not fail if no metadata key is required
+- PB-42701 Fixes the contain of missing metadata key on view user endpoint
 
 ### Security
 - PB-42687 Security alert emails should display user IP and user agent only if configured
+- PB-42379 PBL-13-004 - Fixes HTML injections in email notifications
+
+### Maintenance
+- PB-42935 Upgrade API babel dev dependency
+- PB-42893 Upgrade API lock-link-api dev dependency
+- PB-42923 refactor code to remove warning in selenium execution context

bin/cron

@@ -7,3 +7,9 @@ set -euo pipefail
 DIR=$(dirname "$(readlink -f "$0")")
 
 "$DIR"/cake passbolt email_digest send
+
+
+currenttime=$(date +%H:%M)
+if [ "$currenttime" = "08:00" ]; then
+    "$DIR"/cake passbolt notify_about_expired_resources
+fi

composer.json

@@ -129,7 +129,8 @@
             "Passbolt\\TotpResourceTypes\\": "./plugins/PassboltCe/TotpResourceTypes/src",
             "Passbolt\\Rbacs\\": "./plugins/PassboltCe/Rbacs/src",
             "Passbolt\\PasswordPolicies\\": "./plugins/PassboltCe/PasswordPolicies/src",
-            "Passbolt\\Metadata\\": "./plugins/PassboltCe/Metadata/src"
+            "Passbolt\\Metadata\\": "./plugins/PassboltCe/Metadata/src",
+            "Passbolt\\UserKeyPolicies\\": "./plugins/PassboltCe/UserKeyPolicies/src"
         }
     },
     "autoload-dev": {
@@ -155,7 +156,8 @@
             "Passbolt\\TotpResourceTypes\\Test\\": "./plugins/PassboltCe/TotpResourceTypes/tests",
             "Passbolt\\Rbacs\\Test\\": "./plugins/PassboltCe/Rbacs/tests",
             "Passbolt\\PasswordPolicies\\Test\\": "./plugins/PassboltCe/PasswordPolicies/tests",
-            "Passbolt\\Metadata\\Test\\": "./plugins/PassboltCe/Metadata/tests"
+            "Passbolt\\Metadata\\Test\\": "./plugins/PassboltCe/Metadata/tests",
+            "Passbolt\\UserKeyPolicies\\Test\\": "./plugins/PassboltCe/UserKeyPolicies/tests"
         }
     },
     "scripts": {

config/default.php

@@ -315,6 +315,9 @@
                 // Feature flag to allow client to tune behavior for backward compatibility
                 'enabled' => true
             ],
+            'userKeyPolicies' => [
+                'enabled' => filter_var(env('PASSBOLT_PLUGINS_USER_KEY_POLICIES_ENABLED', false), FILTER_VALIDATE_BOOLEAN),
+            ],
         ],
 
         // Activate specific entry points for selenium testing.

config/version.php

@@ -1,8 +1,8 @@
 <?php
 return [
     'passbolt' => [
-        'version' => '5.1.1',
-        'name' => 'One Love',
+        'version' => '5.2.0',
+        'name' => 'Something\'s Got a Hold on Me',
     ],
     'php' => [
         'minVersion' => '8.2',

crowdin.yml

@@ -16,4 +16,6 @@ export_languages:
   - ro
   - ru
   - sv
+  - sl
+  - uk
 commit_message: '[skip-ci]'