Development release — no release notes yet. See unreleased changes.

Changes in 8.0.3

Summary

• Enhancement - Bump go to 1.25.10: #12306
• Enhancement - Bump libvips to 8.18.2: #12301

Table of Contents

• Changelog for 8.0.2

Changes in 8.0.2

Summary

• Bugfix - Fix OCM share permission change notification: #12190
• Bugfix - Fix the internal links: #12231
• Bugfix - Return 200 OK for WOPI Lock requests in read-only and view-only modes: #12257
• Bugfix - Fix space management middleware removing users from spaces on download: #12285
• Enhancement - Add spaceid to REPORT: #12241
• Enhancement - Allow multiple objectClasses on group creation: #12242
• Enhancement - Add SpaceEditorWithoutVersionsWithoutTrashbin space membership role: #12245
• Enhancement - Bump libvips to 8.18.2: #12301.
• Enhancement - Bump Web to 12.3.3: #13705

Details

• Bugfix - Fix OCM share permission change notification: #12190

  Fix the OCM share permission change notification handling.

  #12190

• Bugfix - Fix the internal links: #12231

  We fixed the internal links access control

  #12231

• Bugfix - Return 200 OK for WOPI Lock requests in read-only and view-only modes: #12257

  OnlyOffice sends a WOPI Lock request when opening any document, even when the
  user only has read access. The WOPI Lock handler was attempting to acquire a CS3
  write lock regardless of the view mode, causing a permission error for read-only
  tokens that OnlyOffice displayed as an error message on load.

  The Lock handler now returns 200 OK immediately for READ_ONLY and VIEW_ONLY view
  modes without attempting to acquire a lock, consistent with the WOPI spec.

  #12257

• Bugfix - Fix space management middleware removing users from spaces on download: #12285

  The space management middleware ran on every authenticated request, including
  signed URL requests used for file downloads. Since signed URL auth does not
  carry OIDC claims, the middleware interpreted the absence of claims as "user
  should have no space access" and removed the user from all project spaces. On
  the next OIDC request the user was re-added, causing an oscillating add/remove
  cycle that led to intermittent download failures and transient "space not found"
  errors.

  The middleware now skips reconciliation entirely when no OIDC claims are present
  in the request context.

  #12285
  #12285

• Enhancement - Add spaceid to REPORT: #12241

  Added the spaceid to the REPORT responses. This is aligning the REPORT
  method with the PROPFIND method.

  #12241

• Enhancement - Allow multiple objectClasses on group creation: #12242

  Added support for configuring additional LDAP objectClasses when creating
  groups. The new OCIS_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES /
  GRAPH_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES environment variable accepts a list
  of extra objectClasses that are set alongside the primary
  GRAPH_LDAP_GROUP_OBJECTCLASS when a new group is created in LDAP.

  #12242

• Enhancement - Add SpaceEditorWithoutVersionsWithoutTrashbin space membership role: #12245

  Added a new space membership role "Can edit"
  (SpaceEditorWithoutVersionsWithoutTrashbin) that grants full editor permissions
  (create, upload, download, edit, move, delete) on a space without access to file
  versions or the trashbin.

  #12245

• Enhancement - Bump libvips to 8.18.2

  Bumped libvips to 8.18.2 in all Docker images to pick up the fix for a stack buffer overflow.

  #12301

• Enhancement - Bump Web to 12.3.3: #13705

  • Bugfix owncloud/web#13638: Share
    button not usable when role dropdown text is too long - Bugfix
    owncloud/web#13667: Shared with
    does not show members - Bugfix
    owncloud/web#13680: Escape strings
    when returned from server

  owncloud/web#13705
  https://github.com/owncloud/web/releases/tag/v12.3.3

Table of Contents

• Changelog for 8.0.2

Changes in 8.0.2

Summary

• Bugfix - Fix OCM share permission change notification: #12190
• Bugfix - Fix the internal links: #12231
• Bugfix - Return 200 OK for WOPI Lock requests in read-only and view-only modes: #12257
• Enhancement - Add spaceid to REPORT: #12241
• Enhancement - Allow multiple objectClasses on group creation: #12242
• Enhancement - Add SpaceEditorWithoutVersionsWithoutTrashbin space membership role: #12245
• Enhancement - Bump Web to 12.3.3: #13705

Details

• Bugfix - Fix OCM share permission change notification: #12190

  Fix the OCM share permission change notification handling.

  #12190

• Bugfix - Fix the internal links: #12231

  We fixed the internal links access control

  #12231

• Bugfix - Return 200 OK for WOPI Lock requests in read-only and view-only modes: #12257

  OnlyOffice sends a WOPI Lock request when opening any document, even when the
  user only has read access. The WOPI Lock handler was attempting to acquire a CS3
  write lock regardless of the view mode, causing a permission error for read-only
  tokens that OnlyOffice displayed as an error message on load.

  The Lock handler now returns 200 OK immediately for READ_ONLY and VIEW_ONLY view
  modes without attempting to acquire a lock, consistent with the WOPI spec.

  #12257

• Enhancement - Add spaceid to REPORT: #12241

  Added the spaceid to the REPORT responses. This is aligning the REPORT
  method with the PROPFIND method.

  #12241

• Enhancement - Allow multiple objectClasses on group creation: #12242

  Added support for configuring additional LDAP objectClasses when creating
  groups. The new OCIS_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES /
  GRAPH_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES environment variable accepts a list
  of extra objectClasses that are set alongside the primary
  GRAPH_LDAP_GROUP_OBJECTCLASS when a new group is created in LDAP.

  #12242

• Enhancement - Add SpaceEditorWithoutVersionsWithoutTrashbin space membership role: #12245

  Added a new space membership role "Can edit"
  (SpaceEditorWithoutVersionsWithoutTrashbin) that grants full editor permissions
  (create, upload, download, edit, move, delete) on a space without access to file
  versions or the trashbin.

  #12245

• Enhancement - Bump Web to 12.3.3: #13705

  • Bugfix owncloud/web#13638: Share
    button not usable when role dropdown text is too long - Bugfix
    owncloud/web#13667: Shared with
    does not show members - Bugfix
    owncloud/web#13680: Escape strings
    when returned from server

  owncloud/web#13705
  https://github.com/owncloud/web/releases/tag/v12.3.3

Development release — no release notes yet. See unreleased changes.

Table of Contents

• Changelog for 8.0.1

Changes in 8.0.1

Summary

• Bugfix - Don't use hardcoded groupOfNames in group creation: #11776
• Bugfix - Expose the signature-auth attribute: #12052
• Bugfix - Don't write empty externalID to LDAP: #12085
• Enhancement - Bump Web to 12.3.2: #12074
• Enhancement - Bump reva: #12097

Details

• Bugfix - Don't use hardcoded groupOfNames in group creation: #11776

  Formerly, when creating a group with a different objectClass, it will always use
  groupOfNames instead of the one provided in the config. Now, the server creates
  groups using the objectClass defined in the config.

  #11776

• Bugfix - Expose the signature-auth attribute: #12052

  Expose the "oc:signature-auth" attribute for the subfolders in the public link
  propfinds. This is a necessary change to be able to support archive downloads in
  password protected public links.

  #12052

• Bugfix - Don't write empty externalID to LDAP: #12085

  When creating new users in the graph service, the externalID attribute was being
  written to LDAP even when it was empty. Now, the externalID attribute is only
  written when it has a non-empty value.

  #12085

• Enhancement - Bump Web to 12.3.2: #12074

  • Enhancement
    owncloud/ocis#11963: Use
    signature auth

  #12074
  https://github.com/owncloud/web/releases/tag/v12.3.2

• Enhancement - Bump reva: #12097

  Bumped reva to the latest version. This includes a refactoring of the scope
  expansion and verification logic, as well as a fix for the signature-auth
  propfind attribute that now correctly supports archive downloads in
  password-protected public links.

  #12097

Table of Contents

• Changelog for 8.0.0

Changes in 8.0.0

Summary

• Bugfix - Fix user light creation: #11765
• Bugfix - OCM Specification Compliance: #11773
• Bugfix - Remove leading dot before checking disabled extension: #11814
• Bugfix - Support pointer types in config environment variable decoding: #11815
• Bugfix - Replace obsolete docker image in the deployment example: #11828
• Bugfix - Fix error code when a user can't disable a space: #11845
• Bugfix - Fix Sharingroles: #11898
• Bugfix - Fix the error handling for empty name on space update: #11933
• Bugfix - Fix group creation in ocis-multi example: #12019
• Change - Remove deprecated OCIS_SHOW_USER_EMAIL_IN_RESULTS: #11942
• Enhancement - Bump Reva: #460
• Enhancement - Set Referrer-Policy to no-referrer: #11722
• Enhancement - Bump Reva: #11748
• Enhancement - Support disabling editors by extensions: #11750
• Enhancement - Add CLI to move stuck uploads: #11762
• Enhancement - Use externalID in Provisioning API: #11799
• Enhancement - Add CLI to clean orphned grants: #11804
• Enhancement - Bump Reva: #11808
• Enhancement - Bump Web to v12.2.0: #11834
• Enhancement - Introduce claims for multi-instance-ocis: #11848
• Enhancement - Update the ocis_full deployment example images: #11860
• Enhancement - Implement brute force protection for public links: #11864
• Enhancement - Update the ocis_full deployment example traefik image: #11867
• Enhancement - Added a graph endpoint alias: #11871
• Enhancement - Force Strict-Transport-Security: #11880
• Enhancement - Relocate Transifex resources: #11889
• Enhancement - Update the ocis_full deployment example images: #11890
• Enhancement - Allow sharing between instances: #11893
• Enhancement - Add photo EXIF metadata to search index and WebDAV results: #11912
• Enhancement - Update the traefik image for some deployment examples: #11915
• Enhancement - Add users instances: #11925
• Enhancement - Introduce external shares permission: #11931
• Enhancement - Update to go 1.25: #12004
• Enhancement - Bump Web to 12.3.1: #12016
• Enhancement - Bump Web to 12.3.0: #13519

Details

• Bugfix - Fix user light creation: #11765

  When trying to switch a user to user light before they logged in for the first
  time, an error would occur. The server now correctly handles this case and
  allows switching to user light even before the first login.

  #11765

• Bugfix - OCM Specification Compliance: #11773

  OCM Specification Compliance

  #11773

• Bugfix - Remove leading dot before checking disabled extension: #11814

  We have fixed a bug where the leading dot was not removed before checking if an
  extension is disabled. The original behavior would have caused the
  COLLABORATION_WOPI_DISABLED_EXTENSIONS config to be ignored.

  #11814

• Bugfix - Support pointer types in config environment variable decoding: #11815

  Added support for decoding pointer types (*bool, *int, *string, etc.) in the
  envdecode package, allowing configuration fields to distinguish between unset
  (nil) and explicitly set values. Changed WEB_OPTION_EMBED_ENABLED from string
  to *bool type to enable explicit false values.

  #11815

• Bugfix - Replace obsolete docker image in the deployment example: #11828

  In the ocis_ldap deployment example, we were using the bitnami/openldap docker
  image. This image isn't available any longer, so the example couldn't be
  deployed as intended.

  We've replaced the docker image with the osixia/openldap image and we've
  adjusted some of the configuration of the openldap image.

  #11828

• Bugfix - Fix error code when a user can't disable a space: #11845

  Previously, if the user couldn't disable a space due to wrong permissions, the
  request returned a 404 error code, as if the space wasn't found even though the
  space was visible. Now it will return the expected 403 error code.

  #11845

• Bugfix - Fix Sharingroles: #11898

  Sharing roles were inconsistent, now they are fixed.

  #11898

• Bugfix - Fix the error handling for empty name on space update: #11933

  Fix the error handling for empty name on space update.

  #11887
  #11933

• Bugfix - Fix group creation in ocis-multi example: #12019

  Group creation was not working in ocis.ocm instance

  #12019

• Change - Remove deprecated OCIS_SHOW_USER_EMAIL_IN_RESULTS: #11942

  Deprecated OCIS_SHOW_USER_EMAIL_IN_RESULTS environment variable was removed from
  frontend service config. Use OCIS_USER_SEARCH_DISPLAYED_ATTRIBUTES instead to
  control which user attributes are displayed in search results.

  #11942

• Enhancement - Bump Reva: #460

  This updates the ownCloud Reva dependency to include brute force protection for
  public links. The feature implements rate-limiting that blocks access to
  password-protected public shares after exceeding a configurable maximum number
  of failed authentication attempts within a time window.

  owncloud/reva#460

• Enhancement - Set Referrer-Policy to no-referrer: #11722

  Change the Referrer-Policy from 'strict-origin-when-cross-origin' to
  'no-referrer' to enhance user privacy and security.

  Previously, the origin was sent on cross-origin requests. This change completely
  removes the Referrer header from all outgoing requests, preventing any potential
  leakage of browsing information to third parties. This is a more robust approach
  to protecting user privacy.

  #11722

• Enhancement - Bump Reva: #11748

  This updates the ownCloud Reva dependency to commit
  82c22e954c1cdabb62a14fbe5c1a4ec3e1dabd45. Changelog:
  owncloud/reva@cb98fe5...82c22e9

  #11748

• Enhancement - Support disabling editors by extensions: #11750

  We have extended the configuration of collaboration service to support disabling
  editors for specific file extensions.

  #11750

• Enhancement - Add CLI to move stuck uploads: #11762

  In some cases of saturated disk usage ocis metadata may get stuck. This command
  relieves this case.

  #11762

• Enhancement - Use externalID in Provisioning API: #11799

  This PR adds the externalID as optional parameter to the Provisioning API that
  can be used as the primary identifier. It also contains a switch to enable this
  setting.

  #11799

• Enhancement - Add CLI to clean orphned grants: #11804

  Add CLI ocis shares clean-orphaned-grants to find and optionally remove
  storage grants without corresponding share-manager entries.

  #11804

• Enhancement - Bump Reva: #11808

  This updates the ownCloud Reva dependency to commit
  a122a9538794530267743edfd5dc67b48aa90325. Changelog:
  owncloud/reva@751223b...a122a95...

Table of Contents

• Changelog for 7.3.2

Changes in 7.3.2

Summary

• Enhancement - Force Strict-Transport-Security: #11880
• Enhancement - Bump reva version: #11992

Details

• Enhancement - Force Strict-Transport-Security: #11880

  Added PROXY_FORCE_STRICT_TRANSPORT_SECURITY environment variable to force
  emission of Strict-Transport-Security header on all responses, including plain
  HTTP requests when TLS is terminated upstream. Useful when oCIS is deployed
  behind a proxy.

  #11880

• Enhancement - Bump reva version: #11992

  Bumps reva to newest version

  #11992

Table of Contents

• Changelog for 8.0.0-rc.1

Changes in 8.0.0-rc.1

Summary

• Bugfix - Fix user light creation: #11765
• Bugfix - OCM Specification Compliance: #11773
• Bugfix - Remove leading dot before checking disabled extension: #11814
• Bugfix - Support pointer types in config environment variable decoding: #11815
• Bugfix - Replace obsolete docker image in the deployment example: #11828
• Bugfix - Fix error code when a user can't disable a space: #11845
• Bugfix - Fix Sharingroles: #11898
• Bugfix - Fix the error handling for empty name on space update: #11933
• Change - Remove deprecated OCIS_SHOW_USER_EMAIL_IN_RESULTS: #11942
• Enhancement - Bump Reva: #460
• Enhancement - Set Referrer-Policy to no-referrer: #11722
• Enhancement - Bump Reva: #11748
• Enhancement - Support disabling editors by extensions: #11750
• Enhancement - Add CLI to move stuck uploads: #11762
• Enhancement - Use externalID in Provisioning API: #11799
• Enhancement - Add CLI to clean orphned grants: #11804
• Enhancement - Bump Reva: #11808
• Enhancement - Bump Web to v12.2.0: #11834
• Enhancement - Introduce claims for multi-instance-ocis: #11848
• Enhancement - Update the ocis_full deployment example images: #11860
• Enhancement - Implement brute force protection for public links: #11864
• Enhancement - Update the ocis_full deployment example traefik image: #11867
• Enhancement - Added a graph endpoint alias: #11871
• Enhancement - Force Strict-Transport-Security: #11880
• Enhancement - Relocate Transifex resources: #11889
• Enhancement - Update the ocis_full deployment example images: #11890
• Enhancement - Allow sharing between instances: #11893
• Enhancement - Add photo EXIF metadata to search index and WebDAV results: #11912
• Enhancement - Update the traefik image for some deployment examples: #11915
• Enhancement - Add users instances: #11925
• Enhancement - Introduce external shares permission: #11931
• Enhancement - Bump Web to 12.3.0: #13519

Details

• Bugfix - Fix user light creation: #11765

  When trying to switch a user to user light before they logged in for the first
  time, an error would occur. The server now correctly handles this case and
  allows switching to user light even before the first login.

  #11765

• Bugfix - OCM Specification Compliance: #11773

  OCM Specification Compliance

  #11773

• Bugfix - Remove leading dot before checking disabled extension: #11814

  We have fixed a bug where the leading dot was not removed before checking if an
  extension is disabled. The original behavior would have caused the
  COLLABORATION_WOPI_DISABLED_EXTENSIONS config to be ignored.

  #11814

• Bugfix - Support pointer types in config environment variable decoding: #11815

  Added support for decoding pointer types (*bool, *int, *string, etc.) in the
  envdecode package, allowing configuration fields to distinguish between unset
  (nil) and explicitly set values. Changed WEB_OPTION_EMBED_ENABLED from string
  to *bool type to enable explicit false values.

  #11815

• Bugfix - Replace obsolete docker image in the deployment example: #11828

  In the ocis_ldap deployment example, we were using the bitnami/openldap docker
  image. This image isn't available any longer, so the example couldn't be
  deployed as intended.

  We've replaced the docker image with the osixia/openldap image and we've
  adjusted some of the configuration of the openldap image.

  #11828

• Bugfix - Fix error code when a user can't disable a space: #11845

  Previously, if the user couldn't disable a space due to wrong permissions, the
  request returned a 404 error code, as if the space wasn't found even though the
  space was visible. Now it will return the expected 403 error code.

  #11845

• Bugfix - Fix Sharingroles: #11898

  Sharing roles were inconsistent, now they are fixed.

  #11898

• Bugfix - Fix the error handling for empty name on space update: #11933

  Fix the error handling for empty name on space update.

  #11887
  #11933

• Change - Remove deprecated OCIS_SHOW_USER_EMAIL_IN_RESULTS: #11942

  Deprecated OCIS_SHOW_USER_EMAIL_IN_RESULTS environment variable was removed from
  frontend service config. Use OCIS_USER_SEARCH_DISPLAYED_ATTRIBUTES instead to
  control which user attributes are displayed in search results.

  #11942

• Enhancement - Bump Reva: #460

  This updates the ownCloud Reva dependency to include brute force protection for
  public links. The feature implements rate-limiting that blocks access to
  password-protected public shares after exceeding a configurable maximum number
  of failed authentication attempts within a time window.

  owncloud/reva#460

• Enhancement - Set Referrer-Policy to no-referrer: #11722

  Change the Referrer-Policy from 'strict-origin-when-cross-origin' to
  'no-referrer' to enhance user privacy and security.

  Previously, the origin was sent on cross-origin requests. This change completely
  removes the Referrer header from all outgoing requests, preventing any potential
  leakage of browsing information to third parties. This is a more robust approach
  to protecting user privacy.

  #11722

• Enhancement - Bump Reva: #11748

  This updates the ownCloud Reva dependency to commit
  82c22e954c1cdabb62a14fbe5c1a4ec3e1dabd45. Changelog:
  owncloud/reva@cb98fe5...82c22e9

  #11748

• Enhancement - Support disabling editors by extensions: #11750

  We have extended the configuration of collaboration service to support disabling
  editors for specific file extensions.

  #11750

• Enhancement - Add CLI to move stuck uploads: #11762

  In some cases of saturated disk usage ocis metadata may get stuck. This command
  relieves this case.

  #11762

• Enhancement - Use externalID in Provisioning API: #11799

  This PR adds the externalID as optional parameter to the Provisioning API that
  can be used as the primary identifier. It also contains a switch to enable this
  setting.

  #11799

• Enhancement - Add CLI to clean orphned grants: #11804

  Add CLI ocis shares clean-orphaned-grants to find and optionally remove
  storage grants without corresponding share-manager entries.

  #11804

• Enhancement - Bump Reva: #11808

  This updates the ownCloud Reva dependency to commit
  a122a9538794530267743edfd5dc67b48aa90325. Changelog:
  owncloud/reva@751223b...a122a95

  #11808

• Enhancement - Bump Web to v12.2.0: #11834

  • Bugfix owncloud/web#13177: Fix
    copying public link and password on Safari - Bugfix
    owncloud/web#13198: Fix incorrect
    translations - Bugfix
    owncloud/web#13203: Remov...

Table of Contents

• Changelog for 7.3.1

Changes in 7.3.1

Summary

• Enhancement - Bump Web to 12.1.1: #11726
• Enhancement - Bump Web to v12.1.2: #11836

Details

• Enhancement - Bump Web to 12.1.1: #11726

  This version contains only updated translations.

  #11726
  https://github.com/owncloud/web/releases/tag/v12.1.1

• Enhancement - Bump Web to v12.1.2: #11836

  • Bugfix owncloud/web#13213: Do
    not disable sharing of resources when managing spaces via claims

  #11836
  https://github.com/owncloud/web/releases/tag/v12.1.2