16 Nov 2021

Release 1.16 was published in November 2021.

Attention before upgrading

Remember that release 1.15:

List of notable changes

  • Weekly “quick-entry” form
  • Allow setting the 24-hour format as a user preference
  • Default team for new users / adjusted “create user” form
  • Update Preview & Save buttons after “invoice template” selection
  • Added new “canceled” invoice status
  • Improve export filename
  • Allow deleting invoice documents

Security issues

Some possible CSRF and XSS attack vectors were found and patched. Thanks for the disclosures go out to the huntr.dev community, especially @Haxatron, @Asura-N, @tdozbun-reno and @noobpk.

If you use Kimai in a multi-user environment, you are urged to update as soon as possible.

Thank you!

Thanks to all of you for using and supporting Kimai, especially:

  • all clients and donors who help me to keep up the work for Kimai
  • the developers who contributed their time
  • the translators at Weblate
  • the security researchers at huntr.dev, who privately disclose any issues
  • everyone else contributing at GitHub, too many to name you all

Thanks for being part of the Kimai community ❤️

Want to upgrade? Click here to find out how.

Full changelog

You can find all commits here.

Implemented enhancements

  • Extend orderNumber string to 50 characters (#2824) #2828 - thanks @iusgit
  • Extend length of project orderNumber string #2824
  • default team for new users #2802
  • Update “Preview”/ “Save” buttons after invoice template (re)selection #2749
  • Reporting - choose which type of times #2575
  • improve error handling during invoice generation #2932
  • submit invoice search after changing the template #2931
  • added new invoice status: canceled #2922
  • Translations update from Weblate #2915 #2850 (weblate)
  • added resname for tool compatibility #2912
  • change data filter on project month report #2911
  • Fetch user preferences via API #2905
  • optimizations #2904
  • prevent empty migration warning #2901
  • composer upgrade #2900
  • added invoice replacer for currently logged-in user #2899
  • activate bleeding edge rules for phpstan and fix problems #2898
  • fix weekly view day format #2893
  • simplify building theme independent plugins #2888
  • include roles and teams in user create form #2849
  • Weekly “quick-entry” form #2793
  • allow to set 24 hour format as user preference #2789
  • added ProjectConstraint to add dynamic project validation #2747 thanks @pkaltenboeck
  • PDF memory optimizations #2736
  • workflow to trigger event for docker build #2882 thanks @Apfelwurm
  • include calendar week in week chooser #2933
  • improve export filename #2958
  • allow to delete invoice documents from within kimai #2968

Fixed bugs

  • Time records marked as exported even when invoice is not saved due to duplicate invoice numbers #2917
  • Error on Install: “Call to undefined method Doctrine\DBAL\Statement::fetchAll()” #2885
  • Request via API with X-AUTH-USER invalidates all other sessions for the (LDAP) user #2873 thanks @handcode
  • improve csrf handling #2936
  • link to doctor #2930
  • do not reset password for LDAP and SAML users unless needed #2916
  • use token in invoice delete route #2889
  • fixes for new quick-entry week form #2887
  • optional csrf token name, fixes detail pages for teamleads #2941
  • Filtering the administrative project list by Visible=Both results in 500 Server Error #2941
  • drop default value to prevent error when server version is not set #2769 #2796 #2943
  • csrf tokens for multiple actions - thanks @haxatron
  • CSRF Tokens are not properly refreshed on some form submissions #2947 #2948 - thanks @tdozbun-reno
  • escape customer, project and activity name in javascript #2959
  • escape data in calendar popover #2960
  • make sure that markdown uses safe mode #2961
  • improve permission handling in invoice screen #2965