Releases: ever-co/ever-gauzy
v67.0.6
v67.0.5
v67.0.4
v67.0.3
67.0.3 (2026-02-12)
Bug Fixes
- theme: resolve tabler icons module configuration (2818563)
- theme: resolve tabler icons module configuration (eadf45b)
What's Changed
- fix(theme): resolve tabler icons module configuration by @rahul-rocket in #9453
Full Changelog: v67.0.2...v67.0.3
v67.0.2
67.0.2 (2026-02-12)
Full Changelog: v66.0.2...v67.0.2
v67.0.1
67.0.1 (2026-02-11)
What's Changed
- [Feat] Extend knowledge base for collaborative articles by @GloireMutaliko21 in #9420
- [Feat(auth)] Return new refresh token along with access token on refresh by @adkif in #9438
- fix(auth): update refresh token during authentication refresh by @adkif in #9441
- [Fix ] Cannot use import statement outside a module by @rahul-rocket in #9443
- Stage by @evereq in #9445
- fix(ui): job employees plugin data table browser tab by @rahul-rocket in #9444
- Stage by @evereq in #9446
- [Refactor] Auto logout logic in angular interceptors by @adkif in #9440
- Stage by @evereq in #9447
- [Fix] Upgrade Ngx Translation by @rahul-rocket in #9424
- fix: close unused window and init window when in use by @syns2191 in #9436
- Stage by @evereq in #9450
- Stage by @evereq in #9451
Full Changelog: v63.0.1...v67.0.1
v67.0.0
67.0.0 (2026-02-11)
⚠ BREAKING CHANGES
- JWT tokens now include organizationId field. Clients should handle the new token structure.
- fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector
  Re-add permission verification that was removed - users without
  CHANGE_SELECTED_ORGANIZATION permission should not see the organization
  selector in the header.
- fix(migration): remove UNIQUE constraint on userId in SQLite UP migration
  Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
  CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
  many-to-one relationship (multiple employees can reference the same user).
  The DOWN migration retains the UNIQUE constraint to restore the original
  one-to-one relationship when reverting.
- fix(context): merge duplicate currentOrganizationId methods with proper fallback
  Consolidate two currentOrganizationId() methods into one with priority:
  - JWT token organizationId (most secure)
  - User's employee organizationId (fallback for old tokens)
  - Request header organization-id (legacy backward compatibility)
  This ensures existing functionality continues to work while preferring
  the secure JWT-based organization context when available.
- fix(auth): inject organizationId from JWT into user with fallback
  Make organizationId follow the same pattern as employeeId:
  - jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
  - request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
    with fallback to user.employee.organizationId and header for backward compatibility
  This ensures consistency across all context methods while maintaining
  backward compatibility with old tokens.
- fix(auth): validate organization access in JWT strategy
  - Add UserOrganizationService to validate user has access to organization
  - Remove unvalidated header fallback from currentOrganizationId()
  - organizationId is now only accepted from validated JWT tokens
- fix(employee): catch specific NotFoundException and validate input
  - Catch only NotFoundException instead of all errors
  - Add validation for input.user.email before accessing it
- fix(ui): add await for async selectOrganization calls
  - Make updateOrganization, deleteOrganization, selectOrganizationById async
  - Properly await selectOrganization to prevent race conditions
- fix(ui): add @deprecated to initialize() method
  - Mark initialize() as deprecated with JSDoc
  - Clean up comments in applyOrganizationData()
- docs(auth): clarify refresh token organization behavior
  - Add note explaining refresh token is organization-specific
  - Document that /auth/switch-organization should be used to change org
- refactor(ui): use inject() function instead of constructor injection
  - Replace constructor parameter injection with inject() function
  - Follow Angular modern DI pattern
- fix(auth): include organizationId in refresh token
  - Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
  - Ensures refresh token contains same organization context as access token
- fix(auth): add cross-validation between employeeId and organizationId in JWT
  - Validate that employee.organizationId matches the claimed organizationId
  - Prevents JWT token manipulation attacks
- fix(employee): use BadRequestException and check for existing employee
  - Use BadRequestException instead of generic Error for proper HTTP 400
  - Check if employee already exists for user+organization to prevent duplicates
- fix(ui): validate response fields before applying to store
  - Check token and user exist before updating store
  - Return false and show error if validation fails
- fix(auth): update user.lastOrganizationId in memory after DB update
  - Ensures returned user object has fresh lastOrganizationId value
- fix(employee): load role relation when finding existing user
  - Use findOneByOptions with relations: { role: true }
  - Fixes 'Cannot read properties of undefined (reading name)' error
  - addUserToOrganization requires user.role.name for SUPER_ADMIN check
What's Changed
- [Fix] Upgrade Ngx Translation by @rahul-rocket in #9424
- fix: close unused window and init window when in use by @syns2191 in #9436
- Stage by @evereq in #9450
Full Changelog: v66.0.0...v67.0.0
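A minimal TypeScript sketch of the organization-context checks the v67.0.0 notes describe: the claim is taken only from the verified JWT, the user's access to that organization is checked, employeeId is cross-validated against organizationId, and the organization-id header is never a fallback. This is an added example, not ever-gauzy code; every type, function name and data row is hypothetical. It assumes the token signature was verified upstream and that tokens without the claim are rejected; the headerMismatch flag is an addition for logging.

```typescript
// Added illustration: all names and sample data are hypothetical, not ever-gauzy source.
interface VerifiedClaims { id: string; employeeId?: string; organizationId?: string; }
interface OrgContext { organizationId: string; headerMismatch: boolean; }
type RequestHeaders = { [name: string]: string | undefined };

// Constructed rows standing in for the user-organization and employee tables.
const MEMBERSHIPS = [
  { userId: 'u1', organizationId: 'org-a' },
  { userId: 'u1', organizationId: 'org-b' },
  { userId: 'u2', organizationId: 'org-b' }
];
const EMPLOYEES = [
  { id: 'e1', userId: 'u1', organizationId: 'org-a' },
  { id: 'e2', userId: 'u1', organizationId: 'org-b' }
];

// `claims` is the payload of a token whose signature was already verified upstream.
function resolveOrganization(claims: VerifiedClaims, headers: RequestHeaders): OrgContext {
  const orgId = claims.organizationId;
  // No header fallback: a client-supplied organization-id is never used as the context.
  if (!orgId) throw new Error('token has no organizationId');
  // Membership check: the user must actually belong to the claimed organization.
  const member = MEMBERSHIPS.some(m => m.userId === claims.id && m.organizationId === orgId);
  if (!member) throw new Error('user has no access to organization');
  // Cross-validation: a claimed employeeId must be this user's employee in that organization.
  if (claims.employeeId) {
    const ok = EMPLOYEES.some(e =>
      e.id === claims.employeeId && e.userId === claims.id && e.organizationId === orgId);
    if (!ok) throw new Error('employeeId does not match organizationId');
  }
  // The header is only compared, so a disagreeing value can be logged for review.
  const header = headers['organization-id'];
  return { organizationId: orgId, headerMismatch: header !== undefined && header !== orgId };
}

// Returns the accepted organization id, or "rejected: <reason>".
function outcome(claims: VerifiedClaims, headers: RequestHeaders): string {
  try {
    return resolveOrganization(claims, headers).organizationId;
  } catch (e) {
    return 'rejected: ' + (e instanceof Error ? e.message : String(e));
  }
}
```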
v66.0.2
v66.0.1
66.0.1 (2026-02-11)
What's Changed
- [Fix] Upgrade Ngx Translation by @rahul-rocket in #9424
Full Changelog: v65.0.3...v66.0.1
v66.0.0
66.0.0 (2026-02-10)
⚠ BREAKING CHANGES
- JWT tokens now include organizationId field. Clients should handle the new token structure.
- fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector
  Re-add permission verification that was removed - users without
  CHANGE_SELECTED_ORGANIZATION permission should not see the organization
  selector in the header.
- fix(migration): remove UNIQUE constraint on userId in SQLite UP migration
  Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
  CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
  many-to-one relationship (multiple employees can reference the same user).
  The DOWN migration retains the UNIQUE constraint to restore the original
  one-to-one relationship when reverting.
- fix(context): merge duplicate currentOrganizationId methods with proper fallback
  Consolidate two currentOrganizationId() methods into one with priority:
  - JWT token organizationId (most secure)
  - User's employee organizationId (fallback for old tokens)
  - Request header organization-id (legacy backward compatibility)
  This ensures existing functionality continues to work while preferring
  the secure JWT-based organization context when available.
- fix(auth): inject organizationId from JWT into user with fallback
  Make organizationId follow the same pattern as employeeId:
  - jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
  - request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
    with fallback to user.employee.organizationId and header for backward compatibility
  This ensures consistency across all context methods while maintaining
  backward compatibility with old tokens.
- fix(auth): validate organization access in JWT strategy
  - Add UserOrganizationService to validate user has access to organization
  - Remove unvalidated header fallback from currentOrganizationId()
  - organizationId is now only accepted from validated JWT tokens
- fix(employee): catch specific NotFoundException and validate input
  - Catch only NotFoundException instead of all errors
  - Add validation for input.user.email before accessing it
- fix(ui): add await for async selectOrganization calls
  - Make updateOrganization, deleteOrganization, selectOrganizationById async
  - Properly await selectOrganization to prevent race conditions
- fix(ui): add @deprecated to initialize() method
  - Mark initialize() as deprecated with JSDoc
  - Clean up comments in applyOrganizationData()
- docs(auth): clarify refresh token organization behavior
  - Add note explaining refresh token is organization-specific
  - Document that /auth/switch-organization should be used to change org
- refactor(ui): use inject() function instead of constructor injection
  - Replace constructor parameter injection with inject() function
  - Follow Angular modern DI pattern
- fix(auth): include organizationId in refresh token
  - Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
  - Ensures refresh token contains same organization context as access token
- fix(auth): add cross-validation between employeeId and organizationId in JWT
  - Validate that employee.organizationId matches the claimed organizationId
  - Prevents JWT token manipulation attacks
- fix(employee): use BadRequestException and check for existing employee
  - Use BadRequestException instead of generic Error for proper HTTP 400
  - Check if employee already exists for user+organization to prevent duplicates
- fix(ui): validate response fields before applying to store
  - Check token and user exist before updating store
  - Return false and show error if validation fails
- fix(auth): update user.lastOrganizationId in memory after DB update
  - Ensures returned user object has fresh lastOrganizationId value
- fix(employee): load role relation when finding existing user
  - Use findOneByOptions with relations: { role: true }
  - Fixes 'Cannot read properties of undefined (reading name)' error
  - addUserToOrganization requires user.role.name for SUPER_ADMIN check
What's Changed
Full Changelog: v65.0.0...v66.0.0