Cerebrate v1.37

@iglocska released this 10 Jun 16:53 (tag v1.37, commit 9a308a1)

A rapid bug fix and security release following v1.36. Updating is recommended for all instances, particularly those with self-registration enabled or
multiple administrator tiers.

Security

  • Mass assignment of id in CRUD operations — Passing an "id" key in a POST body could redirect an add/edit save() onto an unrelated record for any entity
    that did not explicitly protect its primary key (user settings, roles, local tools, and others; /user_settings/edit was reachable by any authenticated
    user, so any account could aim such a request at settings it did not own). The primary key is now stripped from request input in
    CRUDComponent::add()/edit() and blocked globally at the entity layer via AppModel::$_accessible, which also covers the custom patchEntity() paths that
    bypass the CRUD component (inbox/outbox, importer, connectors). Reported by Jeroen Pinoy.
  • Registration password hash exposure in the inbox — When self-registration is enabled, the request lands in the site admins' inbox with the registrant's
    (hashed) password embedded in the message payload, and that hash was visible in the inbox index/view API responses, the HTML view, and the message's
    audit log entry. Credential fields in inbox payloads are now redacted everywhere they are displayed (the stored value is untouched, so processing
    registrations is unaffected), and the audit log now also redacts sensitive keys nested inside JSON column values. Reported by an external contributor.
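To show the mechanism behind the first item, here is an added example; it is not Cerebrate's code. It assumes CakePHP 4 with cakephp/orm installed through Composer; the UnsafeSetting and SafeSetting entity classes, the stripPrimaryKey() and applyRequest() helpers, the field names and the request body are all hypothetical. A guarded set() is what patchEntity() ultimately performs on an existing record, so the two entity shapes show the difference between a wildcard $_accessible and one that also denies the primary key, and stripPrimaryKey() stands in for the controller-side guard.

```php
<?php
declare(strict_types=1);

// Added example, not Cerebrate's code. Assumes CakePHP 4 (composer require cakephp/orm);
// entity class names, field names and the request body below are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Cake\ORM\Entity;

// Before: a wildcard makes every column, the primary key included, assignable
// from request data.
class UnsafeSetting extends Entity
{
    protected $_accessible = ['*' => true];
}

// After: same wildcard, but the primary key is never mass-assignable. This is
// the shape of an entity-layer guard like the one the release describes.
class SafeSetting extends Entity
{
    protected $_accessible = ['*' => true, 'id' => false];
}

// Controller-layer guard: drop the primary key column(s) from request input
// before handing it to patchEntity(). Also works for composite keys.
function stripPrimaryKey(array $data, $primaryKey): array
{
    foreach ((array)$primaryKey as $column) {
        unset($data[$column]);
    }
    return $data;
}

// Apply request data the way the marshaller does for an existing record: a
// guarded set(), which silently drops fields that $_accessible denies.
function applyRequest(Entity $entity, array $requestData): Entity
{
    $entity->set($requestData, ['guard' => true]);
    return $entity;
}

// Stand-in for a row the caller is allowed to edit (id 7). markNew=false means
// a later save() would be an UPDATE keyed on whatever id the entity holds;
// markClean=true so only fields touched by the request show up as dirty.
function loadOwnSetting(string $class): Entity
{
    return new $class(
        ['id' => 7, 'user_id' => 3, 'value' => 'mine'],
        ['markNew' => false, 'markClean' => true]
    );
}

// Constructed POST body: the client edits its own setting but smuggles in
// another row's primary key.
$body = ['id' => 42, 'value' => 'tampered'];

$cases = [
    'wildcard entity, raw body'    => applyRequest(loadOwnSetting(UnsafeSetting::class), $body),
    'wildcard entity, id stripped' => applyRequest(loadOwnSetting(UnsafeSetting::class), stripPrimaryKey($body, 'id')),
    'guarded entity, raw body'     => applyRequest(loadOwnSetting(SafeSetting::class), $body),
];

foreach ($cases as $label => $entity) {
    // The id an UPDATE would be keyed on, and which fields the request changed.
    printf("%-30s id=%d dirty=%s\n", $label, $entity->get('id'), implode(',', $entity->getDirty()));
}
```

Only the first case carries the smuggled id, so a save() on it would be keyed on a row the caller never loaded; either guard alone is enough to keep the entity on row 7, and the release applies both because the custom patchEntity() paths never pass through the CRUD component.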
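For the second item, an added example (not Cerebrate's code) of display-side redaction that also descends into JSON stored as a string inside a column value, which is the audit-log case the release mentions. Plain PHP 7.4 or later; the key list is an assumption, the inbox row and audit row are constructed sample data, and redactSensitive() and looksLikeJsonContainer() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not Cerebrate's code. The key list is an assumption; the inbox
// row and audit row further down are constructed sample data.
const SENSITIVE_KEYS = ['password', 'password_confirm', 'authkey', 'token', 'secret'];
const REDACTED = '*****';

/**
 * Return a copy of $value with sensitive keys masked for display.
 * - Arrays are walked recursively.
 * - Strings that hold a JSON object or array (a JSON column, or a column
 *   value serialised into an audit log entry) are decoded, redacted and
 *   re-encoded, so a hash nested two serialisations deep is still masked.
 * The caller keeps the original; this is for API/HTML output only.
 */
function redactSensitive($value, array $keys = SENSITIVE_KEYS)
{
    if (is_array($value)) {
        foreach ($value as $key => $inner) {
            if (is_string($key) && in_array(strtolower($key), $keys, true)) {
                $value[$key] = REDACTED;
            } else {
                $value[$key] = redactSensitive($inner, $keys);
            }
        }
        return $value;
    }

    if (is_string($value) && looksLikeJsonContainer($value)) {
        $decoded = json_decode($value, true);
        if (is_array($decoded)) {
            $encoded = json_encode(redactSensitive($decoded, $keys), JSON_UNESCAPED_SLASHES);
            if ($encoded !== false) {
                return $encoded;
            }
        }
    }

    return $value;
}

// Cheap pre-check so ordinary strings are not run through json_decode().
function looksLikeJsonContainer(string $s): bool
{
    $s = ltrim($s);
    return $s !== '' && ($s[0] === '{' || $s[0] === '[');
}

// Constructed inbox row for a self-registration request. The hash is a
// made-up placeholder, not a real bcrypt digest.
$inboxRow = [
    'id'     => 12,
    'scope'  => 'User',
    'action' => 'Registration',
    'data'   => [
        'email'    => 'alice@example.org',
        'username' => 'alice',
        'password' => '$2y$10$placeholderhashplaceholderhashplaceholderhash',
    ],
];

// Constructed audit log row: the inbox row JSON-encoded into a single column,
// which is the nested-JSON case.
$auditRow = [
    'model'          => 'Inbox',
    'request_action' => 'add',
    'changed'        => json_encode($inboxRow),
];

echo json_encode(redactSensitive($inboxRow), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
echo json_encode(redactSensitive($auditRow), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Redaction happens on the way out only: the stored inbox payload keeps the hash so the registration can still be processed, while both the direct view and the audit entry that carries the same payload as a JSON string show the masked value.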

Bug fixes

  • Users: self-edit and change-password via the API work again (regression from the v1.36 ACL hardening), and editing a nonexistent user returns a 404
    instead of a 500.
  • User settings: editing a nonexistent setting returns a 404 instead of a 500; fixed an operator-precedence bug that made the validation gate in
    /user_settings/add reject even valid input.
  • Alignments: individual_id was not correctly passed to save() when creating alignments.
  • Individuals: assorted view fixes.
  • Keycloak: fixed a 500 on users/view when building org attributes (getTableLocator() called on the table instance instead of the static registry).

Improvements

  • Keycloak sync failures are no longer silent — per-user sync errors and non-2xx Keycloak responses (e.g. a service account lacking privileges) were only
    written to audit logs while the UI reported success. They are now surfaced in the sync results, written to the error log, and users/edit shows a "saved,
    but could not push to Keycloak" warning. The keycloak_sync CLI output gains an errors row.

Test infrastructure

  • PHPUnit runs no longer inherit the local instance's config.json, so suite results are independent of local configuration; the test role fixtures were
    updated for the post-AdminPermissionSplit permission model. Full-suite failures drop from 37 to 10 (the remainder are pre-existing and tracked).