Release 1.63.0

Release date: April 10, 2026

Release Notes - Seatmap Platform

Version 1.63.0 - 2026-04-10

Release Focus: Admin panel UX overhaul, user role management refactoring, organization disable flags, security patch for editor-client axios


What’s New

Organization disable flags (SEAT-928)

Global admins and super admins can now disable an organization’s access in two independent ways:

  • Disable booking endpoints – blocks all booking-service API traffic (events, venues, seatmaps, booking lock/sale, and public key access) for the organization. Returns HTTP 402.
  • Disable admin logins – blocks editor login and token refresh for all users in the organization. Returns HTTP 403.

When either flag is set, autologin is also blocked.

Admin UI changes:

  • Organization list shows colored status dots next to organization names (green = enabled, red = disabled) for both booking and login flags.
  • Organization edit page has a new “Access Control” section with checkboxes for both flags.
  • Both ROLE_SUPER_ADMIN and ROLE_GLOBAL_ADMIN can toggle the flags.

Database: Flyway V101 adds booking_disabled and login_disabled boolean columns (default false) to the organization table. Backward-compatible – no action required.

What integrators should know: If your organization is disabled, booking API calls return 402 Payment Required with {"error": "ORGANIZATION_DISABLED"}. Editor login returns 403 Forbidden with the same error code. Handle these responses in your client code if you need to display a user-facing message.
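One way to handle these responses in client code, as an added example that is not part of the Seatmap code base: it maps a status and body to the action a client should take, keeping the two flags apart and not mistaking an ordinary 402/403 for a disabled organization. The function names, returned actions and sample responses are assumptions made for illustration.

```javascript
// Added example, not Seatmap code. Function names, returned actions and the
// sample responses are assumptions made for illustration.
const ORG_DISABLED = "ORGANIZATION_DISABLED";

// Read the "error" field from a body that may be an object, a JSON string,
// or not JSON at all (for instance an HTML error page from a proxy).
function errorCodeOf(body) {
  let data = body;
  if (typeof body === "string") {
    try {
      data = JSON.parse(body);
    } catch (e) {
      return null;
    }
  }
  const ok = data !== null && typeof data === "object" && typeof data.error === "string";
  return ok ? data.error : null;
}

// An admin has to clear the flag; retrying or refreshing the token cannot succeed.
function decide(status, body) {
  if (errorCodeOf(body) === ORG_DISABLED) {
    if (status === 402) return { action: "booking-disabled", retry: false };
    if (status === 403) return { action: "login-disabled", retry: false };
  }
  if (status >= 200 && status < 300) return { action: "proceed", retry: false };
  if (status >= 500) return { action: "retry-later", retry: true };
  // Any other 4xx, including a 402/403 without the error code, is a
  // different failure and must not be reported as "organization disabled".
  return { action: "fail", retry: false };
}

// Constructed sample responses (not captured from a real deployment).
const SAMPLES = [
  [402, '{"error": "ORGANIZATION_DISABLED"}'],
  [403, { error: "ORGANIZATION_DISABLED" }],
  [403, "<html>Forbidden</html>"],
  [402, ""],
  [503, ""],
  [200, "{}"],
];

function runSamples() {
  return SAMPLES.map(([status, body]) => decide(status, body).action);
}

console.log(runSamples());
```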

User role management refactoring (SEAT-909)

The dual role storage model (global users_roles table + org-scoped user_organization.role column) has been cleaned up to eliminate ambiguity across the backend, frontend, and admin UI.

Role model cleanup:

  • ROLE_USER and ROLE_ADMIN are now exclusively org-scoped (stored in user_organization.role). They have been removed from the global users_roles junction table via Flyway V102.
  • ROLE_SUPER_ADMIN, ROLE_GLOBAL_ADMIN, and ROLE_API remain as platform-level roles in users_roles.
  • SecurityHelper.buildUserRoles() simplified – the filter that stripped org-level roles from global roles is removed since V102 makes it unnecessary.
  • The updateUser() service method no longer handles role assignment as a side effect. Role changes go exclusively through updateRoles() (platform) and updateUserRoleInOrganization() (org-scoped).
  • The roles field has been removed from UpdateUserDto on both backend and frontend.

Admin UI changes:

  • User detail page: Merged Profile and Organizations tabs into a single unified view. Profile form, platform roles, and organizations table are all visible on one page without tab switching.
  • Profile form: Uses a 2-column grid for name fields. Role checkboxes and the redundant “User Roles” display have been removed from the profile form. Roles are managed in dedicated sections.
  • Platform Roles section: Only visible to GLOBAL_ADMIN. Only the GLOBAL_ADMIN role can be toggled here (SUPER_ADMIN is tenant-scoped and managed at the tenant level).
  • Organization users table: Inline role dropdown (User/Admin) per row for immediate role changes. Row click navigates to user detail. “View” button removed.
  • CreateUserModal: Only shows org-scoped roles (User/Admin) when creating users within an organization. Platform roles removed from the creation flow.
  • Sidebar navigation: Reordered to Dashboard, Tenants, Organizations, Users with a “Tools” section below containing Image Jobs.
  • Confirm dialogs: Now close on Escape key press.
  • Navigation from org to user: Passes orgId query param so the user’s organizations table highlights and sorts the referring organization to the top.

API layer cleanup:

  • Extracted resolveUserUrl() and orgParams() helpers in userManagementApi.ts, eliminating the GLOBAL_ADMIN/SUPER_ADMIN/fallback branching pattern that was duplicated across 6+ functions.

Database: Flyway V102 removes ROLE_USER and ROLE_ADMIN entries from users_roles. Backward-compatible – these rows were already ignored by SecurityHelper.buildUserRoles().

What integrators should know: No public API changes. The UpdateUserDto no longer accepts a roles field, but this field was already ignored by the backend. Existing integrations are unaffected.

Admin panel UX overhaul (SEAT-929)

The editor admin panel received a comprehensive design and usability overhaul:

Typography and readability:

  • Admin panel base font increased from 11px to 13px with proper line-height, scoped via ThemeProvider so the editor canvas is unaffected.

Semantic color system:

  • Replaced scattered hardcoded badge colors with a unified set of semantic theme tokens (success, warning, danger, info, neutral) and role-specific colors. All badges, status indicators, and button variants now pull from the theme.

Table actions:

  • All entity tables (Users, Organizations, Tenants) now support row-click navigation to detail pages. Dedicated “Manage” and icon-only edit buttons removed in favor of the unified row-click model.
  • Action columns show only secondary actions (enable/disable, delete, switch organization).

Confirmation modals:

  • All destructive actions (user disable, org removal, tenant delete, image reset) now use styled confirmation modals with contextual messaging instead of browser-native window.confirm() dialogs. Modals use danger/warning/default variants matching the action severity.

Filters:

  • Filter controls consolidated into shared components with consistent sizing, inline labels, and always-visible layout (no more collapsible toggle).
  • “Clear all” button appears when filters are active. Search inputs no longer lose focus during data loading.
  • Full i18n coverage for all filter labels and options.

Layout:

  • Sidebar navigation now includes icons for each section.
  • Breadcrumb-to-header-to-filters vertical spacing compressed from ~210px to ~112px.
  • Table headers are sticky during scroll.
  • Pagination internationalized with improved readability.

SEO and Knowledge Base (SEAT-930)

Targeted fixes based on Google Search Console audit data:

  • Meta optimization: Fixed truncated MetaTitles and weak MetaDescriptions across 10 high-impression blog posts with low or zero CTR.
  • Keyword content: Added comparison tables and targeted keyword sections to 3 blog posts (best-seating-chart, future-of-seatmaps, seating-plan-rendering).
  • Playground SEO: Removed noindex from booking-client playground, added canonical/OG/Twitter meta tags, fixed JSON-LD schema URL and price.
  • Infrastructure: Disabled dead docs-external service in production Helm ingress, added nginx redirects for legacy /docs/ subpaths returning 5xx, improved sitemap with changefreq/priority.
  • Content deduplication: Removed duplicate blog post, added Hugo alias redirect.
  • Crawl cleanup: Blocked /docs/, /blog/tag/, /blog/author/ in robots.txt, deleted phantom KB sitemap from GSC, re-submitted main sitemap.

Security

editor-client axios bumped to 1.15.0 (SEAT-927)

The editor-client was pulling axios@1.13.6, which is affected by a critical advisory:

  • GHSA-3p68-rc4w-qgx5 – NO_PROXY hostname normalization bypass leading to SSRF on vulnerable versions (< 1.15.0).

axios is bumped to 1.15.0 and pinned via yarn resolutions so transitive consumers cannot pull the older copy back in. The advisory only affected the editor-client dependency tree; booking-client and converter-service do not ship axios. This is a dependency upgrade only — no call sites in the editor-client needed source changes.
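A lockfile check for the pin described above, as an added example rather than the project's CI job: it scans yarn.lock text for axios entries that still resolve below 1.15.0. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not the project's CI job. Names and sample data are constructed.
const MIN_FIXED = [1, 15, 0]; // versions below 1.15.0 are affected per the release note

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(text);
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Works on yarn.lock text: an unindented header listing the descriptors
// ("axios@^1.13.0, axios@^1.6.0:"), followed by an indented version line.
function findOldAxios(lockText) {
  const findings = [];
  let header = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#]/.test(line)) {
      const entry = line.replace(/:$/, "");
      const names = entry.split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      // Match the axios package itself, not axios-retry or a scoped look-alike.
      header = names.some((n) => n.startsWith("axios@")) ? entry : null;
    } else if (header !== null) {
      const m = /^\s+version:?\s+"?([^"\s]+)"?/.exec(line);
      if (m) {
        const v = parseVersion(m[1]);
        // An unparseable version is reported too rather than silently passed.
        if (v === null || isBelow(v, MIN_FIXED)) findings.push({ entry: header, version: m[1] });
        header = null;
      }
    }
  }
  return findings;
}

// Constructed lockfile in which one transitive consumer still holds an old copy.
const STALE_LOCK = [
  "# yarn lockfile v1", "",
  "axios-retry@^3.9.0:", '  version "3.9.1"', "",
  "axios@^1.13.0, axios@^1.6.0:", '  version "1.15.0"', "",
  '"axios@~1.13.6":', '  version "1.13.6"',
].join("\n");

console.log(findOldAxios(STALE_LOCK));
```

An empty result means every axios entry in the lockfile resolves to 1.15.0 or later.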

What operators should know: nothing. Standard rolling upgrade. The CI Dependency Audit Editor Client job returns clean on the first build after merge.

What integrators should know: nothing. The public REST contract and embedded renderer contract are unchanged.


Migration Guide

This release is backward-compatible for every integration surface: no renderer API changes, no webhook changes, no embed changes.

Database: Two Flyway migrations run automatically on editor-service startup:

  • V101 adds booking_disabled and login_disabled boolean columns with DEFAULT false to the organization table.
  • V102 removes ROLE_USER and ROLE_ADMIN entries from the global users_roles junction table (these were already ignored by the backend).

Both are zero-downtime, backward-compatible migrations – no manual steps required.

API: New error code ORGANIZATION_DISABLED (HTTP 402 for booking, HTTP 403 for editor login) may be returned if an organization is disabled by an admin. Existing integrations are unaffected unless an admin explicitly disables their organization.


Additional Documentation

  • CHANGELOG.md — full technical changelog with commit references.

Questions? Contact the Seatmap team or check our documentation at seatmap.pro.