Product Enhancements
Application Upgrade Notice After Each SaaS Upgrade
ID #1421080
FOIAXpress now displays an in-app Application Upgrade Notice banner after each successful SaaS deployment, so you immediately know when a new version is available and can review what changed. The banner appears once per upgrade, is non-blocking, and disappears as soon as you acknowledge it.
The banner is shown at the top of the application on your first login after an upgrade and remains visible across all pages until you act on it. It displays the application name, the current version number, and the upgrade date, and it provides two actions:
● View Release Notes — opens the release notes for the new version in a new browser tab and dismisses the banner.
● Close — dismisses the banner and shows a brief "Upgrade acknowledged" confirmation message.
Once dismissed, the banner does not reappear for that version on any subsequent login. If multiple upgrades occur between your sessions, only the banner for the most recent version is displayed. New users see the banner the first time they log in after an upgrade. If your session ends without acknowledgement, the banner reappears at your next login until you act on it.

NOTE: The Application Upgrade Notice is shown to FOIAXpress application users only. Collaboration Portal and PAL Portal users do not see the banner. If a Downtime banner and an Upgrade banner are triggered at the same time, both are displayed as a vertical stack and can be dismissed independently.
Accurate Client IP Logging for User Logins
ID #1458707
Previously, the user logins report displayed only a single IP address for all login attempts. This was due to the system recording the reverse proxy IP rather than the actual client IP, making it difficult to trace the originating address of individual users.
FOIAXpress now correctly resolves and records the real client IP address by utilizing the X-Forwarded-For header. When a user logs in from the login page, the system updates the log to reflect the true client IP, ensuring greater accuracy in tracking login activity and enhancing audit trail reliability.
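X-Forwarded-For is request data, so only the entries appended by your own reverse proxy are reliable for an audit log. The sketch below is an added example, not FOIAXpress code: it resolves the address to log by walking the header right to left, and `TRUSTED_PROXIES`, `resolve_client_ip` and all sample addresses are assumptions.

```python
import ipaddress

# Assumption: ranges of the reverse proxies in front of the application
# (constructed values, not FOIAXpress configuration).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]


def _is_trusted(addr):
    # A v4 network never contains a v6 address (and vice versa), so mixed
    # families simply compare as "not trusted".
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(token):
    """Return an ip_address for one header entry, or None if malformed."""
    token = token.strip()
    if token.startswith("["):        # "[2001:db8::1]:443"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:      # "203.0.113.7:51234"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def resolve_client_ip(peer_ip, xff_header):
    """Pick the address to write to the login audit log.

    peer_ip is the TCP peer of the connection; xff_header is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # Connection did not come through a known proxy: the header is
    # client-supplied, so ignore it and log the peer.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    candidate = peer
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not one of our proxies.
    for token in reversed(xff_header.split(",")):
        addr = _parse(token)
        if addr is None:
            break  # malformed entry: trust nothing at or left of it
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)
```

Logging the raw header value alongside the resolved address keeps the original evidence available when a login record is later reviewed.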
Collaboration Configuration Auto-Fill for Web Service Password
ID #1426954
The Collaboration Configuration screen now auto-fills the saved Web Service Password in a masked format, so administrators no longer need to re-enter the password each time another setting on the screen is updated. The stored credential is never displayed in plain text.

To change settings, go to Administration and choose Collaboration Room. If you have already saved your credentials, you'll see masked characters in the Web Service Password box. You can update other options by editing any field on the screen, such as Contact Mapping Type, Collaboration Room URL, Web Service User Name, or the Enable RFD and Enable Consultation checkboxes, and then clicking Save. The system applies your changes without requiring you to re-enter your password. If you want to update the stored password, simply type a new one in the Web Service Password field and click Save.
When no Web Service Password has been configured yet, the field remains mandatory and must be supplied before the configuration can be saved.
SAML Configuration Certificate Management Improvements
ID #1421080
When you open the SAML Configuration page, the application now evaluates the available certificate sources and displays a Click here to download the certificate button when at least one valid source is found. The certificate is delivered as a .cer file using the following priority order:
1. Signature Certificate — if a signature certificate is configured, it is downloaded. No further checks are performed.
2. Certificate Serial Number — if a signature certificate is not available, the system uses the configured serial number to retrieve and download the certificate.
3. Certificate Thumbprint — if neither a signature certificate nor a serial number is available, the system uses the configured thumbprint to retrieve and download the certificate.
If none of the three sources (Signature Certificate, Serial Number, or Thumbprint) are configured, the Click here to download the certificate button is hidden from the SAML Configuration page. No changes are made to the underlying SAML configuration file (SAML.config) when downloading.
Generate Annual Report Exports as Background Jobs
ID #1452858, #1470888, #1449484, #1368051
You can now generate the Annual Report and its supporting raw data exports as background jobs, allowing large reports to run asynchronously without blocking your session. The Annual Report PDF, the Annual raw data CSV, the Annual raw data XLSX, and the DOJ Components raw data exports each now run as their own background job. You can continue working in FOIAXpress while the report processes, receive an email notification when the job completes or fails, and download the finished file from the Jobs view.
NOTE: The DOJ Components raw data export, which previously failed for some configurations, is now generated reliably as part of this background-job workflow. Email notifications use your standard FOIAXpress notification settings. Make sure your account email is current so you do not miss the completion notice.
Security Updates
We’ve made the following security updates in this version of FOIAXpress:
| ID | Description |
|---|---|
| 1458565 | Resolved an authorization bypass vulnerability in PermissionsView.aspx and ReportPrivileges.aspx by enforcing server-side access controls to prevent low-privileged users from enumerating other users' IDs, permissions, and roles. |
| 1458588 | Upgraded the Bootstrap UI framework to the latest stable release to pick up upstream security fixes. |
| 1458994 | Upgraded the Plupload file-upload library to the latest stable release, eliminating known vulnerabilities in the prior version. |
| 1458622 | Enforced server-side derivation of the From email address on SendMail.aspx, ensuring it is sourced exclusively from the authenticated session/configuration and no longer trusts the client-submitted field, preventing sender spoofing and user impersonation. |
Bug Fixes
We’ve addressed the following bugs in this version of FOIAXpress:
| ID | Description |
|---|---|
| 1471441 | Fixed an issue where the Enter key no longer triggered actions (e.g., searching for a requester), requiring users to click the search button instead. |
| 1335245 | Resolved an accessibility issue on the Document Management page where the Up and Down arrow keys did not move the selection within the page tree after a page had been moved. Keyboard navigation now stays focused on the tree, and users can move between selected pages reliably without using the mouse. |
| 1394005 | Fixed an issue where, when two redaction codes shared the same code name across different request types, automated actions such as Find and Redact and AI Redaction Templates could apply the wrong code. Codes are now matched against the request type, so only codes that belong to the active request type are eligible to be applied. |
| 1439772 | Fixed an issue in the Request Detailed Report where the Release Format field always showed a single format (Paper) even when multiple release formats had been selected when closing the request. The report now lists every release format selected for the request as a comma-separated list. |
| 1445221 | Resolved an issue in the Correspondence letter template editor where pressing the Tab key moved focus to the Save button instead of inserting a tab space. The Tab key now inserts a space within the editor as expected, allowing users to indent and format letter text without losing focus. |
| 1449476 | Fixed display issues in the French version of the application where some labels and visuals appeared cropped or unclear. Affected screens have been adjusted so that French text is fully visible and properly aligned. |
| 1478842 | Resolved an issue where the FOIAXpress scheduler used the default Windows temporary directory for processing files, which could cause jobs to fail with a "Not Enough Space on Disk" error in environments with limited system drive capacity. The scheduler now uses the configured temporary path, preventing disk-space failures during scheduled processing. |