You are browsing the documentation for iTop 2.7 which is not the current version.

Consider browsing to iTop 3.1 documentation

iTop Change Log


  • N°7062 - Add unit test to ensure that setup SCSS is compiled correctly
  • N°7056 - Limit unnecessary unsafe-inline content in content-security-policy http header
  • N°7042 - Fix check to write error when setting a ext. key programmatically on the end-users portal
  • N°7023 - Fix check to write error when adding an item on a n:n relation (eg. contact) on a new object (eg. user request) on the end-users portal
  • N°7005 - Fix portal stylesheets not being re-compiled when outdated
  • N°6989 - CVE-2023-48710 Limit pages/exec.php script to PHP files
  • N°6951 - CVE-2023-48709 Fix CSV injection in Excel from an iTop CSV export file
  • N°6889 - Cannot backup on localhost with MariaDB >= 10.6.1 since iTop 2.7.9 as iTop is now forcing tcp connection instead of socket
  • N°6887 - Fix excessive OQL requests to display user's grant matrix
  • N°6886 - Add OAuth tests folder to removable directories list
  • N°6791 - Remove setup/install directory from iTop package
  • N°6777 - Fix XSS vulnerability in dashboard title
  • N°6754 - PHP unit tests: Add local PHPUnit XML files to .gitignore
  • N°6738 - UI:RunQuery:Error uses inconsistencies with Dict::Format
  • N°6606 - CVE-2023-44396 XSS vulnerabilities in dashlet ajax operations
  • N°6600 - Portal attachment download : whole SQL query displayed on non existing attachment id error
  • N°6560 - CVE-2023-43790 XSS in friendlyname in object details
  • N°6458 - CVE-2023-45808 Prevent objects creation in non allowed org by forging http query in both Console and Portal
  • N°6097 - Enable PHP unit tests on a custom DataModel
  • N°5621 - Add not managed JS dependencies to NPM to get updates on vulnerabilities
  • N°5491 - Fix UI crash due to missing placeholders in dictionaries entries
  • N°5136 - Fix “Select All objects” adding obsolete objects even if “show obsolete data” param. not activated
  • N°4368 - Send X-Content-Type-Options in HTTP headers
  • N°3715 - Fix export above 1000 entries with obsolete data
  • N°2909 - Fix search on Enum, Date, TagSet,… with index
  • N°938 - Improve print of portal object page and portal dashboard page


New behaviors

  • N°541 - Dashlets: Improve readability when to much labels (pie chart) or too long labels (bar chart)
  • N°6039 - OAuth: Adapt internal mechanism to support Microsoft Graph instead of Azure AD Graph
  • N°6019 - Increase PHP min version to 7.1.3 to enable dependencies update
  • N°6247 - Add accessibility meta data for title on “Actions” and “Toolkit” menus
  • N°6217 - Add accessibility meta data for title on “Power menu”
  • N°6436 - Integrate Performance Audit pre requisite in iTop Pro 2.7.9
  • N°5893 - Implement error handling on triggers part I (minor version branches)

Bug fixes

  • N°6098 - updateLicenses.php : check requirements before launch
  • N°4698 - setup/phpinfo.php : handle iTop not yet installed
  • N°6427 - PHPMail can misfunction in function of SMTP software used
  • N°6340 - Fix permission refused when sending an email and renewing Auth token in synchronous mode
  • N°6173 - \HTMLSanitizer::Sanitize : Fix handling only svg_sanitizer
  • N°6123 - Warnings when launching a backup on MariaDB > v10.6.1 with localhost
  • N°6112 - Dashboard: Improve robustness by trimming dashlet ID returned by server
  • N°5797 - Use LoadConfig method in all Email children classes
  • N°5865 - DoCheckToWrite does not have the same behaviour in the console and the portal
  • N°5729 - Fix disabled button in bulk update/transition when picking a value in a drop-down list
  • N°5765 - Setup: Never cache folder permissions test response


  • N°6548 - Hide DBHost and DBUser in log
  • N°6396 - CVE-2023-34443 CSRF vulnerability in the run_query.php page
  • N°6359 - Cross-site Scripting (XSS) - DOM XSS in activity panel
  • N°6358 - CSRF (Cross Site Request Forgery) on API Rest
  • N°6351 - CVE-2023-34444 XSS vulnerability on pages/ajax.searchform.php
  • N°6350 - CVE-2023-34445 XSS vulnerability on pages/ajax.render.php
  • N°6238 - guzzlehttp/psr7 vulnerability
  • N°6017 - CVE-2021-46743: Firebase PHP-JWT key/algorithm type confusion


New behaviors

  • N°5758 - Change setup test for GDPR consent
  • N°5523 - Setup wizard : use the ITOP_APPLICATION constant instead of hardcoded “iTop” string
  • N°5235 - Setup : check temp dir permissions
  • N°5553 - OAuth authentication : Hide Client Secret
  • N°5430/N°5333 - OAuth authentication : add capability to customize redirect landing URL
  • N°5414 - Improve debug log for invalid notification placeholders
  • N°5155 - Allow to send email by SMTP with self-signed certificate
  • N°5685 - Upgrade apereo/phpcas lib to fix vulnerability

Bug fixes

  • N°5431 - OAuth authentication : fix dict key missing in redirect page
  • N°5611 - OAuth authentication : Fix missing composer files
  • N°5216 - Fix Error “Invalid ID given” when sending ActionEmail using cron on a system with french locale
  • N°4947 - Fix Email always picking “production” env config file
  • N°5356 - Fix “fieldForm is null” JS error when modifying Server.location
  • N°2244 - Fix image attributes not being visible in PDF exports
  • N°5724 - CVE-2022-31403 : XSS vulnerability via /itop/pages/ajax.render.php


  • N°5741 - Portal security improvement
  • N°5725 - Portal security improvement
  • N°4449 - Export security fix


New behaviors

  • N°5102 - Allow to send emails (eg. notifications) using GSuite SMTP and Office365 SMTP with OAuth2
  • N°5129 - Disable buttons in transition form while loading AttributeExternalFields
  • N°4479 - Impact analysis : Display and apply filter before display impact analysis graphical
  • N°5114 - Increase file access protection in iTop packages
  • N°5037 - Setup: Request user agreement at installation for personal data collection.
  • N°5035 - Setup: Remove tracking image at the end of the setup
  • N°5090 - Setup: Improve missing dependencies message
  • N°4666 - Core update now install new mandatory modules (specified in install.xml)
  • N°4642 - Core Update : limit the usage of this function to minor version upgrade
  • N°5109 - PHP min version jumped from 5.6 to 7.0.8 for iTop 2.7.7

Bug fixes

  • N°4530 - Fix regression with multi-classes OQL, working for admin only.
  • N°4284 - Fix regression: Object modification: Attribute value lost if not allowed to be seen
  • N°4057 - Fix regression: Custom Translation for Custom Tab is not inherited by instanciable Classes
  • N°4898 - Reflected XSS on enums modification
  • N°4867 - Fix “Twig content not allowed” error with “extkey search icon” in user portal
  • N°5215 - Portal security improvement
  • N°5211 - Application upgrade install new modules in datamodel/2.x
  • N°5168 - Portal security hardening for self profil modification
  • N°5002 - Fix memory leak after object creation in popup
  • N°4998 - Fix display of AttributeDuration in transition forms
  • N°4976 - Add CSRF token in the csv import page
  • N°4920 - Fix “undefined index” notice in user rights
  • N°4900 - Sanitize dashlets to prevent XSS injection
  • N°4899 - Reflected XSS on revert_dashboard operation
  • N°4872 - Fix ticket creation in resolved status, loosing its Inline images
  • N°4558 - Remove PHP notice in \CMDBSource::StartTransaction
  • N°4538 - Fix display on dashlet Groupby an ExternalKey with special character
  • N°4488 - Remove cmdbAbstractObject::GetSetAsHTMLSpreadsheet() from usable API methods
  • N°4714 - New ITOP_CORE_VERSION constant


  • N°4486: Fix DataSynchro replica errors due to CMDBChange not found
  • N°4213: EnumSet can be displayed in read mode in user portal
  • N°2510: Fix expand Log entry in list view in console
  • N°4463: Enable trigger even on objects that the user cannot see
  • N°3635: Update spanish translations thanks to Miguel Turrubiates


  • N°4399: Fix memory error on setup when lots of attachments in DB
  • N°4335: Fix export crashing on PHP < 7.0
  • N°4298: Fix .maintenance file isn't removed anymore by setup
  • N°4286: Can download again backup at the end of the setup


  • N°4162: Portal exception page : restore exception message
  • N°4202: Setup memory_limit check : clearer message
  • N°4126: Improve `max_allowed_packet` checks messages
  • N°4125: When apcu cache does not return what is expected, an error is added to the error_log in a dedicated channel. The cache is not emptied, the error is user visible on purpose as the administrator must fix the wrong APCU version.


  • N°4231: CVE-2021-32610 Update pear/archive_tar lib to 1.4.14
  • N°4289: CVE-2021-41245 : CSRF tokens aren't locked to one session
  • N°4304: Can browse all of the server InlineImage
  • N°4356: Portal : attachment downloads are opened in the browser
  • N°4359: Dashboard export : can load multiple files and URL
  • N°4360: XSS by uploading malicious SVG file as user portal profile picture
  • N°4363: RCSS in ajax.render.php?operation=save_dashboard
  • N°4365: RCSS in the dashboard editor
  • N°4367: RCSS in /pages/ajax.render.php?operation=objectSearchForm
  • N°4384: CVE-2022-24780 - “Twig content not allowed” error when use the extkey widget search icon in the user portal
  • N°4414: Security issue with Database Error
  • N°4478: Update dataTables lib. to 1.11.3 in iTop 2.7
  • N°4491: XSS in “Header with statistics” dashlet
  • N°4492: XSS in Advanced search locked criteria
  • N°4493: XSS in tagset spreadsheet export
  • N°4495: XSS in Advanced search external key criteria
  • N°4499: XSS in export-v2 on OQL error
  • N°4501: XSS in attachment list on uploader name


  • 2.7.5-2 : Fix setup wizard when DB connection is using TLS
  • 2.7.5-1 : Community release. Fix Empty Managed Brick generating an Oups!.

Only 2.7.5-1 was published to the Community


  • Increase nb of supported UNION in OQL query from ~40 to more than 450
  • Add ability to skip the rebuild of hierarchical key during setup
  • An echo command present in the code, has been removed.
  • Loader is now displayed immediately before building the items for the tree/mosaic modes, to ensure it is displayed.
  • Fix mutex being silently released after connection timeout, it's no more released.
  • During setup, separate “modify fields” and “create index” in db request.
  • Add \utils::SetMinMemoryLimit
  • Portal database transaction removed.
  • Portal: fix the Notice “Undefined index: max_display_limit” (bug introduced in 2.7.1)


  • Specific traces added (option) on cmdbsource log channel. UserId added in the error.log file.
  • New error messages added in case of failure of object creation or update“
  • Add test if ajax call is canceled
  • Portal : fix modification of field in order to hide another one
  • Better formatting of the details and reports (1 line requests)
  • Add new logs for object lists in portal (debug level, 'portal' channel)
  • List order : add a log when data are invalid


  • CVE-2021-32664 - Reflected XSS with Administrator credentials]]
  • Update pear/archive_tar lib to 1.4.13
  • The file index.php is now protected with a token that prevent accessing the setup in an uncontrolled way.
  • Mask the Password database in the setup process
  • Prevent the mysql password to appear on misconfigured servers


  • 2.7.4-2 Portal: Loader icon is displayed in tree/mosaic modes, visible with large amount of data (fixed in 2.7.3-2)
  • 2.7.4-1 Portal: fix the Notice “Undefined index: max_display_limit” (fixed in 2.7.3-1)

Reverse Proxy

  • Products only: explicit message in case of misconfigured proxies for ITSM Designer connection.
  • Fix improper redirection to the homepage when iTop is behind a reverse proxy:
  • app_root_url: now handle reverse proxies during the setup and preserve existing configuration during an upgrade,

Setup & performance

  • Setup: Prevent usage of “Application upgrade” if a file integrity problem is detected
  • Setup: support for 'auto_select' and extension.xml has been fixed,
  • Setup performance: clean orphan CMDBChange records limited to 100K,
  • Setup performance: orphan attachments deletion is limited to 30s max,
  • Garbage collection of used transaction id, done less often (new config parameter: transactions_gc_threshold)


  • Restore Portal headers labels on CSV export (regression introduced in 2.7.2)
  • Support parenthesis in enumeration codes,
  • OQL: Fix join on another class than the corresponding external key target,
  • OQL: Fix count on union with conditions on multi-column attributes,
  • Customization: Fix HTML displayed in Login window
  • Dictionary: missing translation when initial_state_path is used
  • Dictionary: missing translation for background tasks status and errors on asynchronous tasks


  • Security: fix validation of CSRF token in the portal
  • Security: fix command injection vulnerability in the Setup Wizard
  • Security: Fixed a bug preventing deletion of used token on windows servers,
  • Security on “group by” dashlets : access right is controlled and password attributes are not usable


  • 2.7.3-2 Portal: Loader icon is displayed in tree/mosaic modes, visible with large amount of data
  • 2.7.3-1 Portal: fix the Notice “Undefined index: max_display_limit” (bug introduced in 2.7.1)

Regressions fixes

  • Restore support of :current_contact→code in OQL queries (bug introduced in 2.7.2)
  • Restore preview of Document file (bug introduced in 2.7.2)
  • Restore UI behavior: first tab is selected when mandatory field is missing (bug introduced in 2.7.0)
  • Fix setup with Chrome v87 (bug generated by a Chrome upgrade)
  • Fix modal created without an ID in the Portal (bug introduced in 2.7.0)


  • 2.7.2-1 Fix 2.7.2 regression: console exports failing with “missing token” error.

New behaviors

  • Enable CSV import of iTop Users by non admin users (as long as they are allowed by Admin Tools Delegation)
  • Background task: fix issue with tasks not always executed (Notify on Expiration for eg.)
  • Add Trigger information to the error log when an Action fails
  • Fix creation of objects containing AttributeImage on PHP 7.4 with warnings activated
  • Avoid PHP notices on DBObject core code, during transitions
  • PHP notice has been removed when creating a new FULLTEXT index in the database (TagSet attribute)
  • Removed default admin phone number which was invalid for mysql in strict mode
  • Changing Color of Brick Search on Portail with extension Custom is now easier
  • Fix alias problem in portal scopes. Warning: If you have duplicate itop-portal-base, BrowseBrickController.php code must be updated, cf commit on Git.


  • Fixes two typos in German translations
  • Fix spelling typo on iTop welcome page
  • Spelling mistakes fixed
  • Fix use of application constants in Dutch translations

Security fixes

  • Fix session fixation issue - CVE-2020-15220
  • Sanitize breadcrumb entries - CVE-2020-15221
  • Don't display error details (error details remain logged) - CVE-2020-15219
  • HTTP headers have been added - CVE-2020-15218
  • Better control of the transaction_id parameter - CVE-2020-16842
  • Portal user could export more datas than his portal scope (CVE-2020-4079)
  • Hide MySQL Password from error.log in case of MySQL connection error

2.7.x regressions fixes

  • import csv : Fix display, previousely showning confusing html tags
  • Fixed OQL: Fix malformed UNION queries in portal scopes
  • Fix standard Global Search feature which was only searching on last word
  • Fix bug on mass update: blocking message “Please wait while updating fields”
  • Fix regression in notification when using placeholder like $current_user→attribute_code$
  • Fix internal regexp no more compatible starting from PHP 7.3
  • Restore log KPI calls in Portal
  • Fix notifications on threshold not sent when trigger is created on iTop 2.7.1
  • Portal: fix incompatibility between ignore_silo=true and nested query in scopes
  • Portal: Multi-word search has been fixed for ManageBrick in lazy mode.
  • Portal Filters is now executed on visible values and not on html code of cells
  • Fix empty tabs being displayed (misuse of the API or user rights)
  • Fix rendering of an ExternalField on a Text with XML content
  • Configure this list : missing sort icon, replaced by fontawesome character
  • Fix backup download: Stop capturing output before sending backup file (avoid memory problem)
  • Fix corrupted backups when a file has a size which is a multiple of 512 bytes
  • Dashlet: fix invalid filter parameter, when using & (ampersand) in the query
  • Fix cron.php creating a new CMDBChange for every BackgroundProcess
  • Login screen support HTML for dictionary entry: 'UI:Login:About'
  • DataModel - LifeCycle visualization: fix open and close buttons no more working
  • Fix wrong count of related objects due to Obsolete & Archived
  • Fix variable evaluation in ListExpression to avoid double parenthesis.


New behaviors

  • Portal: Total count on Managed Brick is now accurate even when objects are in multiple tabs.
  • An attribute File can now be emptied by the user.
  • Auto-complete on external key takes into account obsolescence user preference
  • Search on Text containing “_” now possible without being used as a wildcard.
  • End user Wiki explains how to search for ”%“ character using “\%”, otherwise ”%“ matches any string
  • Dashlet Header statistic on ExternalKey, now displays friendlynames and no more ids
  • All Dashlet Title uses now Left alignment.
  • “Configure this list” shows obsolete data only if required by user preferences.
  • Providing an empty file as attachment is no more allowed (it was crashing iTop)
  • Improve user feedback on invalid transition: Silent or simple warning -yellow banner-, rather than error. A double click on a transition, or a browser back and force, no more generates any fatal error.
  • Limit searchable classes in a tree, to those allowed to the user, in a SearchMenuNode
  • Files integrity is controlled in the first screen of “Application upgrade” and a warning is displayed when the install is not conform
  • Align creation and update message on portal to console message
  • Allow to set return-path with \EMail::AddToHeader

Bug fixes

  • Fix “cron” case in labels
  • Fix Export of html fields such as in Notification Actions
  • Portal : autocomplete keep selected value and use 'max_display_limit' instead of 'max_combo_length'.
  • Prevent object form submission while a filter on depending field is under computation (to prevent saving of incoherent object)
  • Fix search on external key, when using the magnifier and a filter in the pop-up
  • Export of EventIssue object is now possible
  • History of AttributeEncryptedString no more interprets HTML tags
  • Fix OQL scopes generating malformed SQL query (corner case with UNION)
  • Add TLs Options on database restore command
  • Add mbstring as optional extension in setup
  • Fix infinite loops when logging with a Contact having a non empty TagSet field
  • Copy characters after a ”<“ character in a Copy operation on a Transition
  • dbClick to exit the “description” field when creating an incident on the portal
  • Fatal errors now log into error.log instead of setup.log
  • Backoffice theme: Add variable for menu group background color
  • ApplyStimulus: Rollback the object values when an action fails
  • GetAttributeFlag taken into account on form refresh with dependent field
  • Fix: GetTrackOrigin() now returns 'csv-interactive' value during csvimport
  • Fix error in file light-gray.scss
  • Clearer messages when an object update fails


  • Provisioning for hybrid auth fails
  • Fix “Undefined index: login_mode” Notice
  • Added support for REDIRECT_HTTP_AUTHORIZATION in basic authentication.

Security Fixes

  • CVE-2020-12777
  • CVE-2020-12778
  • CVE-2020-12779
  • CVE-2020-12780
  • CVE-2020-12781

Compatibility IE11

  • Third dashlet added in the same dashboard cell under IE was crashing
  • Portal Filter Brick input was ignored under IE11
  • Applying a transition no more ends with blank page under IE

Fix regressions

  • Portal can again display more 10 attachments
  • OQL syntax error displayed in place of the widget (no more fatal error)
  • Fix syntax error with PHP 5.6 and TCPDF 6.3.4
  • Fix missing fulltext index for all AttributeSet on table creation (i.e. install from scratch) and update (migration).
  • Fix setup crash when having enum with values containing parenthesis
  • Fix filtering of unions with parent class
  • Fix backup not executed anymore
  • The AttributeDefinition::IsSearchable() method has been fixed to check complex attributes like External Fields.
  • Fix unsaved dashlet added on a dashboard
  • Fix alias renaming when already exists in one OQL of an UNION
  • “Printer Friendly Version” screen: Tabs now display labels instead of codes
  • Fix deletion of a single replica within a list


  • 2.7.0-2: Fix regressions introduced by 2.7.0:
    • Fix: RenameAlias: alias 'L-1-1' already used in one OQL of an UNION
    • Fix: Dashlet added on a dashboard are gone when coming back to the dashboard
    • Fix: Provisioning for hybrid auth fails, fixed by changing the Tracked Origin
    • Fix: Can't send attachment added before saving using “Send updates by email”
    • Fix: Global Search doesn't search in external fields
    • Fix: Backup triggered by cron were not executed anymore
  • 2.7.0-1: Fix regressions introduced by 2.7.0:
    • Fix: iTop not working with MYSQL 5.6
    • Fix: Fix DataModel Viewer not supporting special chars in class name (eg. ”)

New behaviors

  • During Setup, Move to production, Hub installation… iTop is set in ACCESS_READONLY
  • After Setup, the configuration parameter access_mode is set to ACCESS_FULL
  • Debug OQL for search is accessible directly for the administrators
  • Replaced first name by last name in default person list view
  • Don't display organization name in menu bar if it's the only one
  • Prevent trigger creation without friendlyname
  • Add applicable contexts on Trigger
  • Track field Comment in core/delete - API REST

Authentication & security

  • Authentication extensibility: Allow login, logoff screens customization through an extension
  • Security extensibility: Add hooks for iTop login security hardening
  • Security extensibility: New fields on UserLocal for an extension to handle password expiration
  • Security: Add a user password complexity constrains on new users and password change
  • Security: Every OQL selected classes are checked against allowed organizations.
  • Security: Fix issue with user creation by a non administrator
  • Security: Prevent search to retrieve users belonging to not allowed Org
  • Security: Global search now ignore fields of type “AttributePassword”
  • Security: Prevent Password Autocomplete in Browser. But most browsers ignore this tag.
  • Security: Restrict access to assets into env-*, extensions and datamodels
  • Security: config.php access rights have been forced to 0440 in creation instead of 0444.
  • Security: Fix CVE-2019-19821
  • Password policy: change password page: add feedback during the password typing
  • Password policy: Enable password expiry

Look & Feel

  • Markup extensibility: Add meta informations and hooks
  • Markup extensibility: Introduce custom themes for iTop's console
  • Markup extensibility: Add markup hooks on BrowseBrick and ManageBrick tables
  • Markup extensibility: Add support for both code AND title in admin. console tabs
  • Markup extensibility: Add password attributes to exclude list in metadata
  • Markup extensibility: Rework some SCSS variables
  • Markup extensibility: Add one additional theme for the backoffice, for test instances
  • Change breadcrumb icons color to black instead of Combodo's orange
  • Fix style for input's feedback on “change password” page
  • Login page : add autofocus attribute to the id field
  • Attachments: Update MS Office and OpenOffice file icons with more modern versions


  • OQL: Supports nested queries such as: SELECT Team WHERE id NOT IN (SELECT…)
  • OQL: Supports: ISNULL(NULL) OR (`ServiceSubcategory`.`request_type` = NULL)
  • OQL: Enhance performance of Count() by ignoring external keys
  • OQL: Improve OQL performance
  • OQL: Optimize generation of SQL from OQL, removing useless JOIN.
  • OQL: Spread the finalclass column on all the DB tables except finalclass table it-self. Migration done automatically at Setup.
  • OQL: Transactions added to fix deadlock during concurrent access and guarantee Database integrity
  • OQL: Transactions used for creation of object with class hierarchy, as it generate entries in multiple tables.
  • OQL: Export DBSearch to JSON (for a future OQL graphical editor)
  • ORM: Allow to force a WebPageMenu to open its url in a new window
  • ORM: Access to object modifications in \iApplicationObjectExtension::OnDBUpdate and in \DBObject::AfterUpdate
  • ORM: Delegate definition of the ticket reference format to each sub-classes
  • ORM: Change visibility of \DBObject::GetReferencingObjects internal method from public to protected
  • Allow params “limit” and “page” in REST-API (Dennis Lassiter)
  • Updated wiki for \DBBackup::CreateZip removal


  • Portal: Show confirmation dialog when closing forms with unsaved data
  • Portal: Add an icon to copy object name and url next to the form title
  • Portal: Add support for abstract classes creation in browse brick
  • Portal: Add support for columns sorting in ManageBrick's “lazy” mode
  • Portal: Hide silently sub-bricks not allowed to the user, when displaying an Aggregate Brick .
  • Portal: External keys in form allow to open the associated object if user scopes allows it.
  • Portal: Introduce navigation rules in Portal, to specify where to go on closing a form
  • Portal: action_rules query without filter will now throw an exception
  • Portal: Add option to display ManageBrick's current tab description as the brick subtitle.
  • Portal: Every brick can display a subtitle if they populate the sBrickSubtitle variable in the template.
  • Portal: Add option to show/hide linkedsets out of user's scopes in portal
  • Portal: Add parameter to set default list length in ManageBrick and BrowseBrick
  • Portal: Allow n:n links for Browse Brick's levels
  • Portal: Browse brick actions are now ordered following a rank tag
  • Portal: Filter linkedsets on remote object scopes
  • Portal: Form submission do NOT include hidden fields anymore, unless they have a dependency to an editable field.
  • Portal: Enable use of a dedicated end-users portal without having to install the standard portal
  • Portal: Make portal denial based on user profiles work again
  • Portal: Manage and Browse brick filters apply on subclasses fields in lazy mode
  • Portal: Migrate end-users portal framework from Silex to Symfony 3.4 🚀 .
  • Portal: Fix filter on external key when coming from filter brick
  • Portal: Increase navigation rules checks robustness
  • Portal: Display attachments count in section title, updated on each add/delete
  • Portal: Fix origin modal not closing when switching to editing of an object
  • Portal: Better display of success messages on form validation
  • Portal: Support for AttributeEnumSet
  • Improve modal backdrop UX
  • Introduce “CombodoPortalToolbox”, helpers to ease JS manipulations especially through the iPopupMenuExtension
  • Increase blur effect on portal modal backdrop
  • Warning: Remove legacy end-user portal
  • Warning: All your portal extensions needs to be migrated, see migration notes

Setup & system

  • Setup: New feature to allow micro versions update, as long as the module list does not change.
  • Setup: New file .maintenance in data directory to prevent iTop or cron to interfer with an application upgrade
  • Setup: hide table prefix option by default.
  • Setup: php-gd is now mandatory on setup
  • Setup: Remove useless alter table queries generated by setup & Toolkit on MariaDB >= 10.2
  • Setup: Add real autoloader for framework files in /core and /application
  • Setup: iTop classes are now loaded with an autoloader
  • Supportability: Maintenance mode (Better setup, CRON, REST and export message)
  • Backup: archive creation errors are now displayed
  • Backup during Setup are stored in data/backups/manual/setup-YYYY-MM-DD-HH-mm.tar.gz (thanks to Hipska - PR #61)
  • System: Change cron.cmd to use arguments instead of fixed paths
  • System: Generic method to check path validity
  • System: New log level “debug” and logs filterable
  • System: PHP dependencies managed by a composer.json

User interface

  • UI: Reorganize admin console menus
  • UI: Attachments are displayed as table with their meta data
  • UI: Add code snippets with syntax highlighting to CaseLog/HTML fields
  • UI: Autocomplete: Harmonize accents handling for better robustness
  • UI: New DroidSansFallback font and 'export_pdf_font' config param for PDF export
  • UI: Trigger description is now required because it is used as friendlyname
  • UI: Center tag is back in default sanitizer white list

Code upgrade

  • Upgrade Archive_Tar lib from 1.4.4 custom to 1.4.7
  • Upgrade bootstrap to v3.4.1
  • Upgrade CKEditor to v4.11.4
  • Upgrade Font Awesome from v4 to v5.12.0
  • Upgrade jQuery to v3.4.1
  • Upgrade ScssPHP to v1.0.6
  • Upgrade SwiftMailer to v5.4.12
  • Upgrade ArchiveTar to v1.4.9


  • Update cron.cmd to have better defaults and remove references to old php version
  • Make setup backup location and name similar as other backups (Thomas Casteleyn)
  • Add status.php for getting iTop's status (Guy Couronné)
  • Add support to optionally mention username in password reset mail (Thomas Casteleyn)
  • Make ticket reference generation working with new sub-classes
  • Add KPI on API Rest (Guy Couronné)
  • Only set Ticket ref if not yet present via import or synchro (Thomas Casteleyn)
  • Move expression cache files in a dedicated directory
  • Add
  • Handle nested transactions
  • apc_clear_cache & opcache_reset are both called when resetting the cache
  • Integrate database integrity module


  • NL Dictionaries and messages (Thomas Casteleyn)
  • CN @purplegrape
  • SK Martin Kincel
  • Chinese translations
  • Spanish translations

Bug fixes

  • UI: Fix blank page when displaying a synchronized object. Simple quote not escaped before giving content to qTip lib.
  • UI: Fix dashlet edition due to duplicate ids of dashlets, by renumbering them when building in iTop pages.
  • UI: Fix 'G', 'd', 'j' DateTime format in regexp generation
  • UI: Fix GroupBy dashlet on classes with ExternalField to ExternalField
  • UI: Fix missing scroll bar in DataModel Viewer for class with large number of attributs
  • UI: Fix missing scroll bar missing in modal window “Create a new field” from Request Template
  • UI: Fix non editable dashboard when wrong attribute code used in its definition
  • UI: Fix regression on mandatory external field with only 1 possible value
  • UI: Fix regression when creating ticket in “resolved” with lnk objects
  • UI: Fix search equals 0 for integer
  • UI: Fix truncated caselog entry with large HTML table or word
  • Portal: Fix column sorting on date attributes (eg. french format)
  • Portal: Fix crash in object form having empty AttributeBlob field
  • Portal: Fix crash when having comments in some parts of the XML
  • Portal: Fix error on form submit “Attempting to set the value on the read-only attribute”
  • Portal: Fix hyperlink placeholder not working in notifications for other portals
  • Portal: Fix list tabs and on charts click when a Manage brick has a chart as default display mode
  • Portal: Fix missing scrollbar in tall form modals
  • Portal: Fix wrong “apply stimulus” form being used in a branch of classes
  • Portal: Correctly display external fields targeting an enum field
  • Setup: Fix MySQL8 incompatibilities in setup and backup
  • Setup: Fix setup crash when class has an empty zlist tag
  • Setup: fix typo in warning due to non-matching products.
  • Setup: Fix graphiz detection feedback message on Windows systems
  • Setup: Fix extremely slow page load for first user after setup
  • Setup: Fix MySQL TLS wiki URL
  • ORM: Fix “invalid numeric value” when inserting/updating AttributeDecimal
  • REST/JSON fix must_exists flag for remote object of indirect linkedset
  • Fix support of expressions (friendlyname) in different language contexts
  • Fix apc-emulation
  • Fix datepicker locale not set correctly for ZH CN and PT BR (@annProg)
  • Fix cron crash when MySQL connection lost (Thomas Casteleyn)
  • Fix images being too large in icon selector (dashboards and Designer)
  • Fix ticket ref uniqueness rule declaration (@jbostoen)
  • Fix count with Archive mode
  • Fix compiler crashing on setup due to comment in XML
  • Support Microsoft Outlook encoding of non breaking line in UTF-8
  • Fix DBSearch::Intersect (de-duplicate aliases)
  • Fix error when no cache is configured
  • Add more logs
  • Fix run_query error handling incompatible with PHP < 7.3.0
  • Fix some more PHP 7.4 incompatibilities
  • Fix AdminTools DataSynchro creation
  • Fix apply stimulus returning true when stimuli is not applicable
  • Fix ticket ref sometimes being a duplicate


  • Filterable logs using log_level_min optionally per channels
  • Improve unit tests
  • Security hardening
  • Change AttributeImage methods visibility to allow overrides
  • Setup wizard backup path : larger input widget
  • Many small UI improvements
  • autoload rework for application and core directories
  • Export a DBSearch as an array/JSON structure
  • Abstract implementation for iScheduledProcess
  • Add Alexandre, Anne-Catherine, Olivier, Marie-Annette and Dimitri to the sample data to welcome them! 👋


  • Remove Config deprecated GetDB…() methods
  • Deprecated stopwatch extensivity
  • Deprecated DBObject::DB*Tracked methods (DBInsertTracked, DBInsertTrackedNoReload, DBUpdateTracked, DBDeleteTracked)
  • Removed \DBObject::RegisterCallback
  • Removed DB Config getters and charset/collation config params
  • Removed DBBackup::CreateZip
  • ORM: Deprecate \MetaModel::EnumLinksClasses and \MetaModel::EnumLinkingClasses
  • ORM: Deprecate all Config::GetDB* methods, that need to be replaced by Config::Get() calls
  • ORM: MetaModel::GetNextKey($sClass) is now deprecated in favor of ItopCounter::IncClass($sClass)
  • FontAwesome: FontAwesome v4 is deprecated, use FontAwesome v5 CSS classes instead


  • 2.6.2-2: Fix request template values lost on userrequest edition
  • 2.6.2-1: Fix Backup failing with attachment above 24MB

New behaviors

  • Search form prefill can be used when adding objects to 1:n relationship (only n:n before)
  • Enable notification placeholders to use server name in hyperlinks
  • TagSet code can now have just 3 characters instead of 4 minimum before
  • New IT translations for tickets classes
  • New PT-BR translations
  • Look & Feel: increase width of autocomplete drop-down list for readability
  • Manual backup
    • A temp file containing the password is created.
    • The access is limited to www-data user.
    • The file is removed just after the mysql dump

Bug fixes

  • Fix Portal links on documents to control them against user scope.
  • Fix warning in backups with MySQL 5.7.0 using TLS
  • Fixed iTopMutex not working when only MySQL TLS connection available
  • Fixed blinking of warning image on mandatory HTML field
  • Fix Bulk ticket assignment when only one team is in team list
  • Fix Bulk Modify : search result lost when sort on a new field
  • Fix regression: Link class attributes are correctly copied by Object Copier
  • Fix regression: Loose entered value in auto-complete selection on external key.
  • Fix regression: DataSynchro: deletion rules now applied when using synchro_exec.php
  • Fix regression: “invalid filter” error when refreshing “Requests assigned to me”
  • Fix regression: Console: browser freezes when adding related items on a tab, when having a lot of possible items
  • Fix regression: Stopwatch sub-items are now available as search criteria, timespent and overrun are searchable in seconds
  • Fix regression of CKeditor: image and table properties available even when HTML field is edited in a pop-up window.
  • Fix regression: missing dictionary entries for “Service families” menu of “Service Mgmt Provider” module


New behaviors

  • Default search criterion defined on the datamodel, are now displayed on top of any prefilled criteria.
  • API/REST: Core/Get supports pagination and limit
  • Backup will now logs using IssueLog, and the 'debug' config parameter is no longer used
  • Allow params “limit” and “page” in REST-API PR #25, code author Dennis Lassiter
  • PHP 7.3 Compatibility
  • External fields are now proposed for group-by dashlets
  • 'Schedule Backup' and 'Configuration' menus are no more available for “Admin Tools Manager” profile.
  • Datasynchro: “Full load interval” obsolete your objects after that delay (instead of immediately).
  • CSV import : can now create an object with value for field that is readonly in modification
  • Uniqueness rules: now supports rules defined on abstract class, with disabling on some children.

Bug fixes

  • CopyAttribute only copy attributes which are writable as ObjectCopier was already doing, to prevent fatal errors.
  • Fix performance issue on modification of object with a lot of relations.
  • Fixed: Text printed in white (on white) in some tables when exporting the impact analysis as a PDF.
  • If not found in the autocomplete cache, the search is done once in the database.
  • Fixed date conversion for linkset, when using custom date format
  • MetaEnum is computed at object creation time instead of being set to its default value.
  • “Group by” dashlet is no more clickable in edition
  • Setup: Fix issue when upgrading extension with an extension.xml file
  • Fix object modification locked when an n:n relation was locked by a DataSynchro
  • Fix lost of in-line images when copied from one iTop to another.
  • Fix issue with Send email which was not handling correctly the number of retries
  • On Windows: Warning during setup if database password contains % ! or “ as iTop backup will not work.
  • Fix: Tags not saved in case of error at form submission.
  • Backup will now logs using IssueLog, and the 'debug' config parameter is no longer used
  • Fix: changing Menu rights to “Admin only” was crashing.
  • Fix user rights control on applying Stimuli through URL.
  • Fix tar gz archive generation with files of size multiple of 1024 bytes
  • Fix query returning recent change on impact analysis, which was not limited to 72h
  • Fix reconciliation key issue in CSV Import of lnkCustomerContractToService with iTop in Service Management for Provider
  • BrowseBrick list pagination is now working even when filtered
  • Notification triggers on entering or leaving state, on abstract class accepts any state available on one of the children classes
  • Portal: Fix regression introduced in 2.5, better error message when user logged out
  • Portal: Fix message content in user profile when password edition is disabled
  • Portal: Wrong encoding of special chars like in dashlets (eg. “ö”, ”&“, …)
  • Fix 2.6.0 regression missing/empty error message when uploading too large attachment
  • Fix pagination issue for search with accent


  • Fix typos in EN (@jbostoen)
  • Improved CN
  • Improved RU
  • Improved DE (ITOMIG)
  • Add missing entries lost from 2.5.1
  • Improved FR


  • Security hardenings for eg.
    • prevent malicious updates of config.php,
    • XSS and CSRF weakness in multiple places
    • Tag label are sanitized to avoid HTML injection


New features

  • New attribute: dashboard contextualized to the containing object
  • New attribute: tag set
  • Triggers on object update and object delete
  • Uniqueness rules on objects


  • Fix regression on forget password feature
  • Fix regression on autocomplete and accents
  • UX: Better class and attribute selection in triggers
  • UX: Switch back and forth between a custom dashboard and the standard version
  • UX: ExternalField label standardized to key_name->label
  • Notifications: Fix incorrect use of 'from' field for test email
  • Search: Hide unknown external keys from the search criteria if previously defined in shortcut
  • Search: Fix searching a quote on a text
  • Export: Fix external attributes selection on export form
  • Export: Fix none drag-able columns in exports (Excel, CSV, …)
  • Export: Fix excel export when reconciliation key list is containing empty keys
  • Export: Fix XLSX export failing on PHP 7.1 on systems without ”/tmp“
  • Fix new empty caselog entry on bulk modification
  • Fix audit when a current organization is selected in the left menu
  • Fix auto-complete error when the friendlyname depends on other classes
  • Fix security message in the browser console (“Unsafe attempt to load URL data:image/svg+xml;utf8”)
  • Fix “Run Query” page hotkeys behavior in some configurations due to a wrong url
  • Fix ajax “request uri too long” message
  • Fix concurrent lock not released on failed transition
  • Fix dashboard edition when a bad OQL is present in dashlet 'Group By'
  • Fix integer validation in dashlet forms
  • Fix: stop historying differences on trailing 0s in decimals.
  • Fix TTR deadline if reassigned outside of coverage window
  • Fix blank Profile search on User creation with a single Organization
  • Fix non disappearing tooltip for mandatory HTML field
  • Fix edit of ExternalKey, when filter contains UNION
  • Fix lost of n:n relations during edit, when an error was displayed


  • Nicer display on background errors
  • date/time picker: first day of the week now based on user language
  • Security hardening
  • Fix wrong pictogram placement on email & tel attributes in the ManageBrick
  • Fix default image of image attributes in object forms
  • Fix “UTF-8 Characters Malformed” error when using Spanish language
  • Fix attachment preview during Ticket creation
  • Fix regression, icons not displayed in service catalog
  • Fix service catalog items not collapsed / expended as expected
  • Fix inline images being displayed too large sometimes in forms
  • Add HTML hooks in object forms to know object's class and ID (useful for CSS /JS hacks)


  • Portal: Add support for SCSS files through the PortalUIExtension API (only CSS were supported)
  • API: New method DBObject::SetIfNull() to set an attribute value only if it is not set
  • Fix MetaModel class not found when calling utils method


  • New Dashboard Attribute on Organization class
  • Add Uniqueness rules on Model, Brand and Person classes.
  • New TagSet attribute and class FAQ
  • Search: Add default criteria for FAQ, FAQCategory & KnownError classes.
  • ResolveFrom method now set only unset mandatory Ticket attributes.
  • Show resolution_date in resolved problem details

Web services

  • Remove PHP notice on Ticket Export for tickets created before release 2.0.0
  • Backup: Move check_ticket_itop command line parameter into itop_backup_incident module parameter of itop_backup in the Config file.


  • New dictionary entry for 'Page' tag on PDF export Core:BulkExport:PDF:PageNumber
  • Update German dictionaries (Thanks to Lars Hippler)
  • Update English dictionaries for notification
  • Update Dutch dictionaries (Thanks to Thomas Casteleyn and Jeffrey Bostoen)
  • Update Spanish translations (Thanks to Miguel Turrubiates)
  • Update Russian translations (Thanks to Vladimir Kunin)
  • Update Chinese translations (Thanks to purplegrape)
  • Fix duplicated french label 'Demandeur' on Change class


  • Setup: Add log in case of missing extension
  • Setup: Fix blocking error on backup failure
  • Setup: Clear the caches when switching environment
  • Setup: Fix setup for PHP 5.5
  • Fix PHP 7.2 compatibility issue
  • Fix bug that caused memory_limit=-1 to lead to 'not enough memory'
  • Add new automatic tests
  • Add replacement for mcrypt removal in PHP 7.2, added stronger encryption options
  • Better feedback on fatal errors
  • Upgrade to JQuery v3.3.1
  • Upgrade to tcpdf v6.2.17
  • Strengthen the SQL creation from OQL
  • Strengthen password management
  • The filter parameter in url no more serialized but in JSON format
  • Add warning on setup for unsupported MySQL 8+ versions (MariaDB & Percona not affected)
  • Fix loss of inline images and attachments when user has been logged off
  • Fixed bug that caused memory_limit=-1 to lead to 'not enough memory'
  • Fix integer validation in dashlet edit form
  • Session id regeneration on login
  • Title field XSS vulnerability solution
  • Refactoring in AttributeImage URL generation
  • AttributeImage : add css classes to be able to style
  • Optimize SQL generation from OQL depending on objective, counting or object details
  • Do not refresh search on closing an empty criterion
  • Add the user_id to the log_kpi instead of *
  • Display error log instead of fatal error in case of Exception when modifying an object in console
  • Improves backup/check-backup (fix check-backup sample cli, better error on check-backup invalid check_ticket_itop cli parameter)
  • Change default attachments (and inline images) lifetime to 1 day instead of 1 hour
  • Datamodel viewer: Fix an issue where OQL Filters were truncated
  • Cosmetics on setup (Licenses prompt)


See iTop Change Log
All changes are also described just above in 2.6.2


See iTop Change Log
All changes are also described just above either in 2.6.0 or in 2.6.1


  • Fix hard-coded translation in search page when the form has not been automatically submitted.
  • Fix broken search form when user has no read right on objects.
  • Fix request uri too long
  • Fix removing last criterion on a 'or' line resulted in 'OR 1'
  • Fix operator forced to ”=“ on some attributes (indexed ones)
  • Fix external field label not displayed
  • Fix an error when using search form from an union
  • Fix a bug when selecting foreign keys would not add items (#1656)
  • Organization criterion from selected silo is now read-only


  • Fix dashboard edition when a bad OQL is present in dashlet 'Group By'
  • Fix new empty caselog entry on bulk modification of objects.
  • Fix bulk transition integrity exception when “org_id” was not checked.
  • Form prefill: Add possibility to change attributes flag on the fly
  • Fix external attributes selection on export form
  • Fix security message in the browser console (“Unsafe attempt to load URL data:image/svg+xml;utf8”)
  • Fix “Run Query” page hotkeys behavior in some configurations.
  • Fix ajax request uri too long on auto-complete
  • Fix auto-complete error on some attributes (“A DBUnionSearch must be made of at least one search”)


  • Security hardening
  • Fix default image of image attributes not correctly displayed in object forms
  • Fix “UTF-8 Characters Malformed” exception when using spanish language


  • Setup: Fix blocking error on backup failure
  • Setup: Change iTop 2.6 MySQL requirements from 5.5.3 to 5.6
  • Setup: Fix setup for PHP 5.5
  • Fix 'forgot your password?' link
  • Fix reset password link broken in emails (dictionary entries had wrongly escaped characters)
  • Fix Excel web queries import warnings. (JS script error popups)
  • Fix going back to ITSM Designer from a move to test
  • Fix audit when a current organization is set and there is an audit rule with valid=true
  • Update german translations


  • Fix PHP 7.2 compatibility issues
  • API: DBObject→GetOriginal() hardening (now support attributes not set: for example sla_tto_passed for UserRequest until it is closed)


New features

  • Deep rework of the search forms:
    • GUI to select a date range
    • Consistent feedback of the filter currently set
    • Possibility to search for Defined/Undefined values
    • Possibility to search on any field of a class
  • Dashlet Group By supports sum, average, min and max. Support of grouping on stop watches has been added.
  • Datamodel viewer entirely rewritten:
    • class selection tool (autocomplete)
    • graphical representation of the class and its neighbours
    • simplification of the list of attributes
    • re-sizable life-cycle graph
  • Export ongoing and closed tickets from the portal


  • Fix DataSynchro Group to allow management of DataSynchros through WebServices for non admin users
  • Fix CSV import : check if user has rights on imported class
  • Restrict the access to the REST/JSON web services to users having the profile “REST Services User”
  • Enabling search and access control by organization on User class
  • Supporting MySQL/SSL connections

Data corruption

  • Fix: the use of some Emoji, depending on you MySQL server settings, could cause your data to be truncated (e.g. losing an entire case log).

User Experience

  • Autocomplete is activated by default after 2 characters now (it used to be 3 by default)
  • Form prefill : Included Contract case in the datamodel.
  • Add support of AttributePhoneNumber which allows launch of phone application on click.
  • Set default search criteria for objects
  • Notification GUI: fix cosmetic issue and save state for the current browser (in the session)
  • When global searching with needles smaller than 'full_text_needle_min', exclude these needles from the search instead of stopping it
  • Exports (csv, xslx, pdf) “Localize Output” option lost when the export has more thant one chunk
  • Related objects count (tab title) not in line with the displayed list (always counting obsolete objects)
  • Failing to bulk delete whenever the scope query contains the % character
  • Added a conf params 'email_default_sender_address' and 'email_default_sender_label' that will be used if a mail has no sender set, to cope with Anti-SPAM systems
  • Could not add a second link (condition: have a date attribute on the link ; regression introduced in 2.4)
  • Portal: Ongoing tickets should be listed the same way as in the console
  • Portal: List of closed tickets not filtered as expected (high cardinality)
  • Portal: Added an information about file max size on forms
  • Portal: Fail to reset password when navigating from an email (hyperlink)


  • MariaDB: the backup could not be used (setup)
  • New requirements: PHP 5.6.0 and MySQL 5.5.3 (fix for the emoji causing data corruption)
  • Support of PHP 7.2
  • MySQL strict mode compatibility (5.7 - null replaced 0000-00-00 00:00:00 for DateTime).


  • Added an index on the ticket ref
  • Dashlet “Header with statistics” requiring less queries to be displayed
  • Now uses one count + group by query instead of one count query per grouping value
  • Avoid multiple count requests in the core API (DBObjectSet::Count)
  • Impact analysis: much better (and faster) processing of graphs containing loops
  • Suppression of obsolesence condition on Ticket (was impacting the performance)

Data model

  • Suppression of obsolesence condition on Ticket (See the chapter on performance)
  • Added “approved” state to the tto (time to own) active states


  • Setup: Display the XML errors on the screen
  • Make the deletion of a Synchro Data Source a bit more robust, in case of a missing or already deleted data table.
  • Dashboards: Unknown dashlets (eg. from an uninstalled extension) no longer raise an exception, a fallback is displayed and the XML configuration is still available in editor.
  • Setup on Windows systems: workaround for random behavior of rmdir sometimes failing though the directory is empty
  • Fix application being wrongly set to Archive Mode when it fails to retrieve an object from the database.
  • Cron automatically re-orders its tasks to make sure that every tasks get some time to run, even if a task crashes repeatidly or uses all the time slice to process a big backlog.


  • Update German translations, thanks to Lars Hippler from Itomig
  • Dictionnary error 'criticity' replaced by 'criticality'
  • Update portugues (brazilian) translations, thanks to Pedro Beck and Anderson Cardoso!
  • Update spanish translations, thanks to Miguel Turrubiates!
  • Reworking the list of User account fields displayed in Details and List
  • Run query : add shortcut in submit title
  • Configuration editor: add shortcut in submit button title
  • Documentation shown upon setup completion (Completing the iTop installation for workflow management): the file cron.params has been renamed into cron.distrib
  • Rich text editor: allow merging table cells (regression introduced in 2.3)
  • Portal: Remove copyright (iTop) from page footer


  • HTMLSanitizer : add wiki ref to white lists
  • Upgrade Silex library to 2.2 (Which is possible as iTop 2.5 requirements are now PHP 5.6+!)
  • Updated swiftmailer to v5.4.9: security fixes
  • Use only hashed server side information as the local storage identifier.
  • jQuery modernization : updated jquery to 1.12.4, jquery-ui to 1.11.4 and jquery-migrate to 1.4.1
  • Rename core english dictionary files to match standard convention.
  • Display of links now support both DBObjectSet and ormLinkSet
  • Enhancement of the data collection for iTop Hub: better detection of the web server version.
  • Linked JS scripts can now be used in ajax pages. This is useful for IPopupMenu extensions which depend on a JS script and are loaded asynchronously when a list of objects changes (for example when changing the target class for a search)
  • Proper use of the “304” (Not modified) HTTP header for InlineImages. Seems that FastCGI is more sensitive to incorrect HTTP headers than MPM…
  • PHPunit is now integrated through composer (inside the directory /test)
  • Portal: Update table's filter hotkeys to prevent unnecessary ajax calls


  • Form prefill : Allow to overload new methods in order to prefill search forms, creation forms and transition forms
  • Customizable access to the 'Admin Tools' (delegating administrative roles)
  • Add functions, order by and limits to the API DBSearch::MakeGroupByQuery()
  • New portal capabilities :
    • AggregatePageBrick: create subpage under the portal home page
    • ManageBrick enhancements: statistics added to the tile, set of data presented as charts (bars, pie) or a badge
  • Refined the user rights management (added the 'grant_by_profile' category) to enable the development of a user account management portal
  • Transition form: file not uploaded (blob attribute)
  • Portal: Add XML comments to document the standard portal design
  • Portal: Make sure the FilterBrick will be correctly displayed with default settings
  • Portal: Default object forms are now more like in the administration console instead of just having their fields one after another
  • Portal: ManageBrick lists are now ordered as specified in the datamodel definition (like in the console)
  • Portal: Error in ManageBrick (ongoing tickets) when grouping tabs on an attribute (instead of sub OQLs)
  • Portal: Allow for the customization of Contact scope (collision on XML ids)


This version has not been published as a Community package, but its fixes are included in the 2.5.0


  • CSV import : check if user has rights on imported class. Thanks to Vladimir Ivanov (from Positive Technology) who has revealed the weakness.


  • Portal: OQL optimization in ManageBrick when several UNIONs are used.


  • Performance enhancements for auto-complete widgets (speeds up both the display in search forms, and the response on usage)
  • Fix 2.4.0 regression when creating an object with a lifecycle, directly in a state other than the default one.
  • Audit: Performance optimization for AuditRule with valid_flag=true and lots of negative records
  • Header with statistics Dashlet: performance improvements


  • Restore compatibility with the data sharing extension



  • Portal: Support for MUST_CHANGE flag on CaseLog attributes in transitions.
  • Portal: Objects and external keys in linkedsets (forms) now have hyperlinks if access is authorized regarding the user's scopes.
  • Portal: Exception raised in BrowseBrick when one of the levels had no scope.
  • Portal: Add CSS/JS hooks on object forms for the current state: CSS class on <form> tag: form_object_state_<STATE_CODE>. HTML attribute on <form> tag: data-object-state=”<STATE_CODE>“

Console UI

  • Enable WYSIWYG feature in CaseLog / HTML attributes on transition.
  • Fix MUST_CHANGE flag behavior on CaseLog attributes in the console.
  • Allow email links (mailto) in HTML attributes.
  • Allow BLOCKQUOTE tag in HTML attributes.
  • Console UI improvements in details forms: Columns size optimization.
  • Tooltip on (none empty) String attribute so long value can be seen without scrolling to the end of the input.
  • OQL attribute displayed as Text/HTML attributes.”
  • Better ergonomics for “Add To Dashboard” popup window.
  • In console dashlets add a scrolling bar on list, if not enough width for content.
  • Restore Organization selector adaptive width
  • Fix AttributeEnum display as vertical radio buttons in console UI.
  • Fix dictionary typo in Notification header text.
  • Show/Hide Obsolete data in Audit based on user preference
  • Show/Hide Obsolete data in CSV export based on user preference
  • Include Archived data in dashlets when in archived mode


  • New configuration parameter (disable_attachments_download_legacy_portal) to disable attachments download from the legacy portal. Default is “true”!
  • Setup : add checks on PHP and MySQL version to warn for deprecated versions.
  • Enable data synchronization for applications classes (such as Localized Data).
  • Fixed losing the additional links attributes values during impact analysis update. The issue was only visible when attributes were added to the links (FunctionalCIs and Contacts).
  • Fix impact analysis relation upstream description.
  • Show “delete” and “bulk delete” rights in user's grant matrix.
  • New Context Tag on CRON background tasks.
  • Fix TemplateFieldsHandler::IsNull() for EmailNotification with no RequestTemplate selected.
  • Add ArchivedObjectException on MetaModel:GetObject().
  • Add ContextTag on CRON background tasks (eg. “CRON:Task:<CLASS_NAME_OF_THE_CURRENT_TASK>”). Introduced for the “Mail to ticket automation” extension, so we know when a Ticket is created/updated from an email.“
  • Regression introduced in iTop 2.4 : Unable to notify when a template was used with a linkset ($this→functionalcis_list$).
  • Fix regression in 2.4.0 where GET_LOCK is called with a name length greater than 64 characters on MySQL > 5.7.5.
  • Fixed “Notice: undefined index 0” in the portal. UserRequest/Incident::ComputePriority() was failing when attributes impact was still undefined.


  • Fix Backup very long to generate.
  • PHAR is not used anymore for the backup/restore feature.
  • The disk space necessary to create a backup is now limited to the size of the uncompressed archive + the size of the compressed archive.
  • All the temporary files are now stored into ”“web/data/backup/tmp”“ folder to avoid access rights issues on temporary folders.
  • Fixed check_backup reporting non existing file.
  • More logs added in case of error during the cron backup.”
  • Fix regression: check_backup.php always returning “missing backup file” in 2.4.0.



  • New Ticket Lifecycle: Enable a field to be requested or changed only on a particular transition, instead of on all transitions ending on a given state.
  • Move the “must_change” flag on transitions if you don't want the user to be forced to change a field on every edition in a state.
  • Display stimulus codes in the Datamodel page tab:Lifecycle
  • Fix Fatal error on transition with AttributeBlob or AttributeCaseLog

CSV import

  • Images and File documents can now be exported using CSV and Excel formats (the export provides an URL (with iTop authentication required) where to download the actual image/document).
  • CSV import of documents and images via URLs is supported (including URLs pointing to iTop itself). Administrators can also provide directly the path to a local file on the server.“
  • CSV Import now supports friendlynames as reconciliation keys.
  • Enable CSV import of request template fields
  • Fix: Ticket from emails: duplicated dictionary entries which was an issue on CSV import.


  • Email notification: new placeholder to provide the current user name in the body of the email, so the person who is triggering the notification who may not be the agent nor the caller.
  • Fix Notification: Date & time format is now applied when using a date(time) attribute in a placeholder (eg. Notifications). Note: $this→raw(attcode)$ can be used to display value in SQL format like before.

Conf & Setup

  • New configuration parameter 'allow_menu_on_linkset' (boolean, default value false) to display actions in linkset in view mode (new, modify, delete, …).
  • Setup: After a succesfull Setup, XML files are stored under /data with the complete view of the datamodel with and without delta.
  • Setup: Store user selection on setup, so AboutBox is much clearer for users, providing User selection instead of cryptic module names.
  • Setup: supports now changes of Configuration parameter: config db_charset.
  • Setup: New hook available after data load (ModuleInstaller::AfterDataLoad())


  • Backup: Backup files could not exceed 4Gb (technology limitation). The fix consists in archiving the backup as a tar.gz instead of a zip. As a consequence, installing iTop now requires TWO additional PHP modules: phar/zlib. The zip module remains mandatory because it is used in other places. The restore utility accepts both legacy zip files and brand new tar.gz files. DBBackup::CreateZip is deprecated in favor of DBBackup::CreateCompressedBackup. DBRestore::RestoreFromZip is deprecated in favor of DBRestore::RestoreFromCompressedFile (which autodetects the format for backward compatibility).
  • Backup: Allow database write access during a backup (can still be slow).


  • Support of PHP7, which divides by two the load on the web server
  • Internal emulation of apc(u), to divide by 5 the load on the web server (varies a lot, depending on the page, and cache hit ratio)


  • DataSynchro: Enable bulk deletion of Data Synchro Replica
  • DataSynchro: Creation and edition was broken due to the new object set API from ormLinkSet. Backward compatible method have been introduce to ensure plugins and modules compatibility. That being said they are already flagged as deprecated and should not be used. New: Using those deprecated methods will raise a PHP deprecated error.


  • Security: Portal OpenSans font embedded in iTop instead of fetching from google servers.
  • Rework on ormLinkSet BC with DBObjectSet. PHP notice are not thrown anymore, see PHPDoc instead. GetColumnAsArray() introduced.
  • Portal: Refactoring of const DEFAULT_COUNT_PER_PAGE in several modules
  • Reentrance issue on cmdbAbstractObject when coming from an extension implementing iApplicationObjectExtension.
  • Added an index to prevent a slow down when a lot of tickets have been validated by the mean of an approval process
  • Designer Connector has been revamped to avoid MTP temporary errors, diseappearing at the following Setup.
  • #1499: Regression in 2.4.0 beta: setup was failing with the message “cannot redeclare class XXXXXXX_0” when loading some extensions modules.
  • Fix: PHP Warning on not initialized variable $sHTMLValue in cmdbAbstractObject::GetFormElementForField().


  • The main menu “Helpdesk” could not be moved upward/downward by the mean of an XML delta (designer)
  • Internal: LoginWebPage title defaultvalue is now a dictionary entry ('UI:Login:Title')
  • Limitation: an a class having too many external keys, the update query fails with message “too many tables”
  • Cleaned up old datamodel (1.x) as it was no longer maintained and could not be upgraded.
  • Show product name on branding logo title instead of a generic “iTop” text.

Portal possibilities

  • Allowed portals are now displayed in the console user menu.
  • Portal: New “mosaic” browse mode for BrowseBrick.
  • Portal: Form layout optimizations
  • Portal: ExternalField support in forms has been improved. For example, email and url links were not displayed as proper HTML.
  • Portal: Only editable fields are now passed in forms submit, fixing issue where a portal user could unwillingly change the UserRequest status if a Support Agent had assign the ticket while the portal user was editing.
  • Portal: New filter brick that pre-filters a Browse or Manage brick results from the home page.
  • Portal: Linkset widget opening was throwing a warning message on IE9.
  • Portal: ExternalField support in forms has been improved. For example, email and url links were not displayed as proper HTML.
  • Portal: Option to display LinkedSet as opened in a form
  • Portal: Picture/Preferences/Password forms can now be disabled in the user profile
  • Portal: Notification URLs poiting to a portal were not working when several portal instances were configured.
  • Portal: Tabs in ManageBrick display the objects count.
  • Portal: Autocomplete fields were not showing all items when result count was below autocomplete display limit (eg. Showing only 2 elements out of 18 when display limit set to 20)
  • Portal: Added UI extension APIs similar to those used in the console (Experimental!)
  • Portal: ManageBrick tabs could show objects that were not supposed to be shown due to a bad OQL interpretation.
  • Portal: Display / download of blob attributes and attachments in the portal was not compatible with portal configuration and silos by-passing.

Console User Interface

  • Improve UI in object details in the console.
  • CKEditor: edition of HTML source code is now available. Filtering on allowed tags by CKEditor himself then by iTop for security reasons will still apply.
  • Added some attributes to the HTML sanitizer (title for a tag, alt / title for img tag).
  • Display actions on linkset in view mode (new, modify, delete, …).
  • New option to create an object with the [+] button on external key pointing to an abstract class.
  • Existing value always kept while editing an ExternalKey field, even if not in filter.
  • Showing action in object details only when the target class is writable (Archive mode off, access mode “write”, …)
  • Impact analysis: UI Glitch in tooltip when text was too long.
  • Fixed UI in console edit forms that were going over their container sometimes.
  • Added scrollbars to modal dialog for CSV export.
  • Fix Stop displaying Ticket objects in a CI's ongoing tickets tab when the impact code is 'not impacted'.
  • Fix: Edition of an object with an ExternalKey on an object that the user is not allowed to see
  • Fix: concurrent access on n:n relationships when edited from both end of the relation or when edited from portal and console in parallel.
  • Fix: Date format handling in LinkedSetIndirect was causing fatal error on object edition.
  • Fix: Edition of an object with not allowed (silos) remote objects in a linkedset causes fatal error.
  • Fix: Hierarchy button when editing external key
2_7_0/release/change_log.txt · Last modified: 2024/01/23 13:53 (external edit)
Back to top
Contact us