MOR: 2FA improvements, DID and reseller workflows, call-end webhooks, device and PJSIP settings, announcements, call forward, API fixes, Google Maps, alert logic. M4: 2FA improvements, Rate Notification exports, Minimum Spend, DID bulk actions, Hangup Cause reporting, G.729 routing, Kamailio limits.
MOR
API
- API v2 Calls filter by card number — MOR API v2 Calls supports filtering results by
s_card_number. - subscriptions_get crash — the subscriptions API no longer crashes when building user names in the XML response.
- Empty API response — fixed API endpoints that returned blank responses on affected installs.
Major Enhancements
Two-factor authentication (2FA)
- 2FA improvement — fixes crashes during two-factor setup and login, invalid-code handling, and related GUI typos in admin and user 2FA settings.
Announcements and call treatment
- Announcement to the Caller — new device dropdown selects audio played to the caller; the existing playback setting is relabeled Announcement to the Callee on device and default device forms.
- MNP caller audio — new MNP setting plays configured audio to the caller when the dialed number is in MNP.
- Call Forward PAI header — new call-forward GUI option sends PAI with the DID or device number on forwarded calls.
Webhooks
- Call-end webhook fixes —
device_updatecan setwebhook_url_for_call_end; payload adds currency; URL encoding and existing-query merge fixed; automated delivery tests added.
DIDs and resellers
- DID bulk management for reseller pool — admin can bulk-assign reseller-pool DIDs to reseller sub-users; reseller bulk management shows Add to Trunk when the global setting allows it; assigning to a sub-user and trunk preserves reseller ownership so the reseller can still edit the DID.
- DID delete on edit screen — terminated DIDs eligible for deletion can be removed directly from the DID edit page.
Devices and PJSIP
- WebRTC transport lock — enabling WebRTC on a PJSIP device forces transport to Auto and locks other transports; reload no longer shows mixed Static/Dynamic auth fields or invalid combined transport options.
- Device password masking — SIP/IAX2 secrets are masked with a reveal toggle on edit forms and device lists by default, respecting existing hide-password permissions.
Permissions and accountants
- Accountant permission groups list — permission group list shows a Users count with name tooltip, labeled Edit/Delete headers, and hides delete when users are still assigned (accountant and reseller lists).
- Last Calls provider info permission — renamed from “Last Calls – Hide Provider Data”; provider data hides only when the permission is Disabled, not when Read is enabled.
Additional Improvements
- SIP device import block — when SIP device creation is hidden in settings, bulk SIP device import is blocked so clients cannot accidentally import SIP instead of PJSIP.
- Extension conflict message — device save shows which user and device already owns a conflicting extension in the PBX pool.
- Accountant delete message — deleting an accountant who still has assigned users lists those users by name instead of a generic message.
- Form field length alignment — related GUI fields now use consistent maxlength limits on create and edit.
Bug Fix Report
- New DID detail flags not saved — AI Agent DID, Send CallerID in UUI header, and Send Call anonymously checkboxes on Add DID were dropped at confirm and not stored on create.
- Default User unlimited credit — Reseller Default User Credit “Unlimited?” failed to persist when reseller default currency differed from admin currency.
- Registration device limit — self-registration created devices without checking the admin-set Maximum devices limit on the reseller.
- New DID active dates — Active from and Active till on Add DID were lost because confirm dropped formatted date values.
- Duplicate username crash — creating a user whose username differs only by case from an existing user crashed instead of showing “Username has already been taken.”
- Send zero invoices confirm — Accounting → Invoices no longer shows a misleading “send 0 invoices” confirm when invoices match search but users lack Invoice types enabled.
- Multiserver duplicate call error — calls entering on one Asterisk server but routing via a provider on another no longer trigger duplicate-call errors on the second server.
- Device rule Add/Cut length — create and edit device rules both allow up to 40 characters in Add/Cut fields.
- Remote code execution block — blocked GUI paths that allowed shell command execution via eval-style calls on production hosts.
- Device username case check — device username uniqueness uses a binary comparison so usernames that differ only by letter case are treated as distinct.
- Google Maps on Statistics — Statistics → Google Maps renders again after a Prototype.js
Array.fromconflict with the Google Maps API was fixed. - PDD hangup on ringing — “Hangup Call if PDD is more than” now measures post-dial delay correctly instead of hanging up during normal ringing.
- SQL injection hardening — parameterized queries replace vulnerable string concatenation in affected GUI code paths.
- Alert ASR after user unblock — ASR-based alerts no longer immediately re-block a user after unblock because Failed 311 calls from the block window were still counted in ASR.
M4
Major Enhancements
Two-factor authentication (2FA)
- 2FA improvement — fixes crashes during two-factor setup and login, invalid-code handling, and related GUI typos in admin and user 2FA settings.
Billing
- Minimum Spend — User Edit and Default User gain Minimum Spend value, Block on insufficient balance, and Effective From date; validates non-negative amounts and accepts comma-decimal input.
Routing and codecs
- G.729 annexb mismatch handling — new Kamailio setting
kamailio_ignore_g729_annexb_mismatchaligns annexb between call legs when LegA and LegB negotiate different G.729 annexb variants, preventing codec strip and audio loss.
Additional Improvements
- Active DID status change feedback — bulk or CSV status changes on active DIDs report how many were skipped with reason “Active DIDs status cannot be changed” instead of showing false success.
- User list button order — swapped Edit and Hide button positions on the User List.
Bug Fix Report
- Email Log filter on pagination — Status and Email name filters persist when paginating or sorting the Email Log list.
- Hangup Cause report totals — Hangup Cause statistics count failed calls using
src_user_idconsistently with other call reports. - TP CC vs CPS hangup cause — when
tp_kamailio_limitsis enabled, reaching the CPS limit records the CPS hangup cause instead of the CC limit hangup cause in CDR. - Rate Notification full XLSX generation — large full-rate XLSX exports complete without hanging; row-style handling improved and redundant CSV write removed.
- DID bulk delete and archive — bulk delete reports blocked rows when DIDs have calls; bulk Change to Archived no longer flips Free DIDs to Reserved before archiving.
- DDOS profile lookup crash — fixed crash in
m2_get_dst_ddos_profileon affected call routing paths. - SQL injection hardening — parameterized queries replace vulnerable string concatenation in affected GUI code paths.
- Alert ASR after user unblock — ASR-based alerts no longer immediately re-block a user after unblock because Failed 311 calls from the block window were still counted in ASR.
Questions about these updates?
Whether you are planning an upgrade, need help with migration, or want to discuss how new features fit your network — our team is ready to assist.