Skip to content

v111.0.0

Pre-release
Pre-release

Choose a tag to compare

View all tags
@github-actions github-actions released this 28 Jun 14:04
· 0 commits to develop since this release
v111.0.0
59f6a94
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

111.0.0 (2026-06-28)

⚠ BREAKING CHANGES

  • JWT tokens now include organizationId field. Clients should handle the new token structure.

  • fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector

Re-add permission verification that was removed - users without
CHANGE_SELECTED_ORGANIZATION permission should not see the organization
selector in the header.

  • fix(migration): remove UNIQUE constraint on userId in SQLite UP migration

Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
many-to-one relationship (multiple employees can reference the same user).

The DOWN migration retains the UNIQUE constraint to restore the original
one-to-one relationship when reverting.

  • fix(context): merge duplicate currentOrganizationId methods with proper fallback

Consolidate two currentOrganizationId() methods into one with priority:

  1. JWT token organizationId (most secure)
  2. User's employee organizationId (fallback for old tokens)
  3. Request header organization-id (legacy backward compatibility)

This ensures existing functionality continues to work while preferring
the secure JWT-based organization context when available.

  • fix(auth): inject organizationId from JWT into user with fallback

Make organizationId follow the same pattern as employeeId:

  • jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
  • request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
    with fallback to user.employee.organizationId and header for backward compatibility

This ensures consistency across all context methods while maintaining
backward compatibility with old tokens.

  • fix(auth): validate organization access in JWT strategy
  • Add UserOrganizationService to validate user has access to organization
  • Remove unvalidated header fallback from currentOrganizationId()
  • organizationId is now only accepted from validated JWT tokens
  • fix(employee): catch specific NotFoundException and validate input
  • Catch only NotFoundException instead of all errors
  • Add validation for input.user.email before accessing it
  • fix(ui): add await for async selectOrganization calls
  • Make updateOrganization, deleteOrganization, selectOrganizationById async
  • Properly await selectOrganization to prevent race conditions
  • Mark initialize() as deprecated with JSDoc
  • Clean up comments in applyOrganizationData()
  • docs(auth): clarify refresh token organization behavior
  • Add note explaining refresh token is organization-specific
  • Document that /auth/switch-organization should be used to change org
  • refactor(ui): use inject() function instead of constructor injection
  • Replace constructor parameter injection with inject() function
  • Follow Angular modern DI pattern
  • fix(auth): include organizationId in refresh token
  • Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
  • Ensures refresh token contains same organization context as access token
  • fix(auth): add cross-validation between employeeId and organizationId in JWT
  • Validate that employee.organizationId matches the claimed organizationId
  • Prevents JWT token manipulation attacks
  • fix(employee): use BadRequestException and check for existing employee
  • Use BadRequestException instead of generic Error for proper HTTP 400
  • Check if employee already exists for user+organization to prevent duplicates
  • fix(ui): validate response fields before applying to store
  • Check token and user exist before updating store
  • Return false and show error if validation fails
  • fix(auth): update user.lastOrganizationId in memory after DB update
  • Ensures returned user object has fresh lastOrganizationId value
  • fix(employee): load role relation when finding existing user
  • Use findOneByOptions with relations: { role: true }
  • Fixes 'Cannot read properties of undefined (reading name)' error
  • addUserToOrganization requires user.role.name for SUPER_ADMIN check

What's Changed

  • fix(ci): unblock prod Electron builds (snapcraft 7.x + Python 3.11 for native rebuild) by @evereq in #9765
  • feat(plane): proxy 0.1.3 + shared/custom UI + SSO + email fix + pm.* env by @evereq in #9766
  • release(stage): Plane 0.1.3 SSO/A1A3/email + pm.* + CI electron fixes by @evereq in #9767

Full Changelog: v110.0.0...v111.0.0

Contributors

evereq and deprecated
Assets 2
Loading