pgAdmin 4 in server mode had no data isolation between users — any
authenticated user could access other users' private servers,
background processes, and debugger state by guessing object IDs.
The shared server feature had 21 vulnerabilities including credential
leaks, privilege escalation via passexec_cmd, and owner data
corruption via SQLAlchemy session mutations.
Centralized access control:
- New server_access.py with get_server(), get_server_group(),
get_user_server_query() replacing ~20 unfiltered queries
- connection_manager() raises ObjectGone (HTTP 410) in server mode
when access is denied — fixes 155+ unguarded callers
- UserScopedMixin.for_user() on 10 models replaces scattered
user_id filters
Shared server isolation (all 21 audit issues):
- Expunge server from session before property merge to prevent
owner data corruption
- Suppress passexec_cmd, post_connection_sql for non-owners in
merge, API response, and ServerManager
- Override all 6 SSL/passfile connection_params keys from
SharedServer; strip owner-only keys; sanitize on creation
- _is_non_owner() helper centralises 15+ inline ownership checks
- SharedServer lookup uses (osid, user_id) not name
- Unique constraint on SharedServer(osid, user_id)
- Tunnel/DB password save, change_password, clear_saved_password,
clear_sshtunnel_password all branch on ownership
- Only owner can unshare (delete_shared_server guard)
- Session restore includes shared servers
- tunnel_port/tunnel_keep_alive copied from owner, not hardcoded
Tool/module hardening:
- All tool endpoints use get_server()
- Debugger function arguments scoped by user_id
- Background processes use Process.for_user()
- Workspace adhoc servers scoped to current user
Migration (schema version 49 -> 50):
- Add user_id to debugger_function_arguments composite PK
- Add indexes on server, sharedserver, servergroup
- Add unique constraint on sharedserver(osid, user_id)
* Add preference for insert with relations
Co-authored-by: Christian P. <pirnichristian@gmail.com>
* Insert tables with relations on drag and drop
Co-authored-by: Christian P. <pirnichristian@gmail.com>
* Fix test mock not returning Erd Supported Data
Co-authored-by: Christian P. <pirnichristian@gmail.com>
---------
Co-authored-by: Christian P. <pirnichristian@gmail.com>
The fromRaw formatter for the Columns field in unique constraint and
primary key properties used _.filter(allOptions, ...), which preserved
the order of allOptions (table column position) rather than the
constraint-defined column order from backendVal. Replaced with _.find
mapped over backendVal to preserve the correct constraint column order.
Added unit tests for cell and type formatter functions to verify
column ordering is preserved.
* Core infrastructure for LLM integration.
* Add support for a number of different AI generated reports on security, performance, and schema design on servers, databases, and schemas, as appropriate.
* Add a Natural Language AI assistant to the Query Tool.
* Add an AI Insights panel to the EXPLAIN tool in the Query Tool, to analyse and report on issues in query plans.
Change logging level from exception to error for OIDC profile data issues.
Refactor debug logging in OAuth2 authentication to improve clarity and consistency
Add error handling for missing OAuth2 provider and enhance claims processing logic
Enhance OIDC ID token handling by implementing JWT parsing and updating tests to mock claims extraction
Refactor ID token claims extraction for OIDC providers and update tests to mock userinfo handling
Refactor OAuth2 configuration to use get method for optional URLs
Enhance OAuth2 documentation and implement PKCE support for public clients in authentication logic
Fix typo in OAUTH2 authentication documentation
Implement Azure Entra ID Workload Identity authentication support and add corresponding tests
Co-authored-by: Paul Bourhis <paul.bourhis@bhs-consulting.com>
1. Fixed the issue where auto-update was not working for macOS x64 arch machines as pgadmin4 zip file name has x86_64 in it.
2. Improved error handling in the /upgrade_check API by replacing the static “Failed to check for update” message for Windows users with a dynamic error message.
3. Fixed the CSS issue affecting the close icon in the warning notifier.
4. Removed trailing periods from helper texts and notifier messages in the app’s auto-update workflow. #9133
2) Remove scram_client_key and scram_server_key from the connection string parameter
as it is not meant to be specified directly by users or client applications.
2) Added 'two_phase' parameter support for ALTER SUBSCRIPTION for PostgreSQL v18+.
3) Updated versioned_template_loader.py to prioritize v18+ templates.
4) Updated the default value of the streaming parameter in CREATE SUBSCRIPTION to 'parallel' in PG v18 (previously false).
Ashesh Vashi
Pravesh Sharma
Dave Page
Khushboo Vashi
Lance J.
Rohit Bhati
balodis
Murtuza Zabuawala
Akshay Joshi
Anil Sahoo
Paul BOURHIS
Yogesh Mahajan
Aditya Toshniwal