4.7.3

2025-12-12
patch

Version 4.7.3 fixes a critical regression from v4.7.2 affecting systems that experienced the historical eventstore precision bug (fixed in v2.68). The fix is applied automatically via migration and requires no manual intervention.

Security 1

  • Fix authorization issue causing denial of legitimate access (#11178, #8863) medium
    Addresses a permission system malfunction where missing membership roles caused the authorization system to incorrectly deny access to legitimate users. While not granting unauthorized access, this issue resulted in overly restrictive access control for affected members.
    permissions authorization

Bug Fixes 1

  • Sync membership roles from projections to fix empty user lists (#11178, #8863) critical
    Fixes a critical regression introduced in v4.7.2 where the switch to the permission v2 framework for user APIs exposed missing membership roles in the fields table. This issue affected systems running since before v2.68 that were impacted by a historical eventstore precision bug. The precision bug (fixed in v2.68) caused certain events to be skipped during projection, resulting in missing membership roles in the fields table. When affected members executed queries, the permission system found no matching memberships and returned empty user lists. The fix synchronizes the correct membership roles from legacy membership projections into the fields table using a single transaction with a table lock to ensure data consistency.
    fields permissions projections eventstore

Contributors 1

Upgrade Warnings

  • The migration uses a table lock during synchronization to ensure data consistency
  • Systems not affected by the historical precision bug will see no changes