
v8.1.0-rc.1

Pre-release


@github-actions github-actions released this 22 May 22:36
· 23 commits to master since this release
v8.1.0-rc.1
1b1496a

Table of Contents

Changes in 8.1.0-rc.1

Summary

  • Security - Add X-XSS-Protection header: #12092
  • Security - Upgrade libvips to 8.18.2: #12301
  • Security - Fix signing-key to public share guests: #12332
  • Bugfix - Fix postprocessing resume command --restart flag: #11692
  • Bugfix - Don't use hardcoded groupOfNames in group creation: #11776
  • Bugfix - Translation for some email notifications: #11979
  • Bugfix - Rework monitoring in the ocis_full deployment example: #11995
  • Bugfix - Extract metadata from oversized files and fix ISO field: #12000
  • Bugfix - Make tag unassignment idempotent and handle publish failures: #12001
  • Bugfix - Expose the signature-auth attribute: #12016
  • Bugfix - Fix CSP blocking bundled KaTeX font: #12070
  • Bugfix - Fix case-sensitive photo metadata search: #12078
  • Bugfix - Prevent incomplete Tika extractions from permanently blocking re-index: #12095
  • Bugfix - Use O(1) document lookup instead of full search during reindexing: #12096
  • Bugfix - Fix IDP build on FreeBSD by disabling absolute Babel runtime: #12114
  • Bugfix - Always descend into directories during space reindexing: #12119
  • Bugfix - Don't index failed uploads: #12121
  • Bugfix - Avoid superfluous GetPublicShare call when deleting space permissions: #12122
  • Bugfix - Fix CreateHome cache: #12128
  • Bugfix - Return 200 OK for WOPI Lock requests in read-only and view-only modes: #12257
  • Bugfix - Fix typo in README: #12263
  • Bugfix - Fix space management middleware removing users from spaces on download: #12285
  • Bugfix - Search no longer disabled when OCIS_DISABLE_PREVIEWS=true: #12303
  • Bugfix - Stable order for user search attributes: #12337
  • Bugfix - Cache compiled rego policies to avoid recompiling on every request: #12345
  • Bugfix - SpaceEditorWithoutTrashbin roles now correctly allow file editing: #12346
  • Bugfix - Skip indexing of files still in postprocessing: #12350
  • Enhancement - Add web extensions deployment configuration: #11940
  • Enhancement - Add AI-assisted development guide: #11941
  • Enhancement - Bump Web to 12.3.1: #12015
  • Enhancement - Add space ID to incoming shares: #12024
  • Enhancement - Add spaceid to REPORT: #12028
  • Enhancement - Bump Reva version: #12051
  • Enhancement - Add ResourceID field to UploadReady event: #12060
  • Enhancement - Support numeric range queries in KQL: #12094
  • Enhancement - Add blobstore CLI commands to storage-users service: #12102
  • Enhancement - Optimize search index after bulk reindexing: #12104
  • Enhancement - Add vault storage with MFA-protected access: #12108
  • Enhancement - Retry and abort on repeated extraction failures during indexing: #12111
  • Enhancement - Log effective data and config paths at startup: #12117
  • Enhancement - Allow resetting IDM service user passwords: #12118
  • Enhancement - Update images in the ocis_full deployment example: #12123
  • Enhancement - Add ocis search optimize CLI command: #12136
  • Enhancement - Add Keycloak to the ocis_full deployment example: #12139
  • Enhancement - Allow multiple objectClasses on group creation: #12229
  • Enhancement - Add SpaceEditorWithoutVersionsWithoutTrashbin space membership role: #12261
  • Enhancement - Add vault capabilities to the OCS capabilities endpoint: #12283
  • Enhancement - Disable public link sharing for vault resources: #12321
  • Enhancement - Update web-extension images in ocis_full: #12324
  • Enhancement - Bump dependencies: #12325
  • Enhancement - Add VaultMode permission: #12328
  • Enhancement - Add vault themes: #12329
  • Enhancement - Bump Web to 12.3.3: #13705
  • Enhancement - Bump Web to 12.4.0: #13809

Details

  • Security - Add X-XSS-Protection header: #12092

    Added the X-XSS-Protection header set to "0" to explicitly disable the
    deprecated browser XSS filter, which can introduce side-channel vulnerabilities.
    Modern XSS protection is provided through the Content-Security-Policy header.

    This change addresses security audit findings requiring explicit configuration
    of HTTP security headers per OWASP recommendations.

    #12092

  • Security - Upgrade libvips to 8.18.2: #12301

    Bumped libvips to 8.18.2 in all Docker images to pick up the fix for a stack
    buffer overflow.

    #12301

  • Security - Fix signing-key to public share guests: #12332

    The /ocs/v[12].php/cloud/user/signing-key endpoint was reachable through a
    public share session. The endpoint is no longer allowed for public tokens by
    the public-share resource scope in reva.

    #12332
    owncloud/reva#608

  • Bugfix - Fix postprocessing resume command --restart flag: #11692

    The --restart / -r flag for ocis postprocessing resume was broken due to a
    flag name mismatch (retrigger vs restart) and silently did nothing. This has
    been fixed and the command now prints a confirmation message on success.

    #11692
    #12002

  • Bugfix - Don't use hardcoded groupOfNames in group creation: #11776

    Formerly, when creating a group with a different objectClass, the server
    would always use groupOfNames instead of the one provided in the config. Now
    the server creates groups using the objectClass defined in the config.

    #11776

  • Bugfix - Translation for some email notifications: #11979

    Some email notifications included a wrongly translated message that should
    not have appeared. This has been fixed so the message no longer appears.

    #11979

  • Bugfix - Rework monitoring in the ocis_full deployment example: #11995

    The monitoring setup in the ocis_full deployment example has been reworked.

    We now have:

    • a single place for the definition of the tracing envvars for all ocis
      related container services
    • an easy and modular setup defining which sources should be included in
      monitoring via .env
    • comments describing the setup, to make extending it easier
    • the monitoring definition in .env has been moved to the bottom, and the
      compose_file assembly has monitoring as the last entry to guarantee that
      nothing gets overwritten by accident

    #11995

  • Bugfix - Extract metadata from oversized files and fix ISO field: #12000

    Two issues were found in the Tika content extractor:

    1. Files exceeding SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT (default 20MB) were
      skipped entirely — no EXIF, no photo metadata, no image dimensions were
      extracted. This particularly affected Pixel Motion Photos (.MP.jpg) which
      embed an MP4 video making them 3-9MB. Since EXIF metadata lives in the JPEG
      header (first few KB), a truncated stream is sufficient. The extractor now wraps
      the download in io.LimitReader instead of skipping Tika, sending only the
      first N bytes for metadata extraction.

    2. The ISO speed field was read from "Base ISO", a Canon-specific Tika field
      (sensor base sensitivity). Most cameras — Pixel, iPhone, Samsung — provide
      ISO via the standard "exif:IsoSpeedRatings" field. The extractor now checks
      exif:IsoSpeedRatings first and falls back to Base ISO for Canon
      compatibility.

    #12000

  • Bugfix - Make tag unassignment idempotent and handle publish failures: #12001

    The DELETE tags endpoint now returns success when the requested tag is already
    absent from the file's metadata, instead of returning HTTP 400 with a misleading
    error message. The TagsRemoved event is always published so the search index
    stays in sync even when file metadata and the search index are out of sync. If
    event publishing fails, the metadata change is rolled back and HTTP 500 is
    returned to avoid leaving the system in an inconsistent state.

    #12001
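    The behaviour described in this entry (idempotent removal, event always published, rollback with HTTP 500 when publishing fails) as an added Go example. This is not oCIS code: the Metadata type, the Publisher callback and the file names are constructed stand-ins for the file metadata store and the event bus.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Metadata stands in for the tags stored on a file (constructed for this example).
type Metadata struct{ Tags []string }

// Publisher sends an event to the bus; a returned error models a failed publish.
type Publisher func(event, file string, tags []string) error

// RemoveTag removes tag from meta and returns the HTTP status the endpoint
// would answer with. A tag that is already absent is still a success, and the
// TagsRemoved event is published regardless so the search index is resynced.
// If publishing fails the metadata is restored and 500 is returned.
func RemoveTag(meta *Metadata, file, tag string, pub Publisher) (int, error) {
	before := append([]string(nil), meta.Tags...) // snapshot for rollback
	var kept []string
	for _, t := range meta.Tags {
		if t != tag {
			kept = append(kept, t)
		}
	}
	meta.Tags = kept
	if err := pub("TagsRemoved", file, []string{tag}); err != nil {
		meta.Tags = before // roll back so metadata and index do not diverge
		return http.StatusInternalServerError, fmt.Errorf("publish failed, metadata restored: %w", err)
	}
	return http.StatusOK, nil
}

func main() {
	meta := &Metadata{Tags: []string{"invoice", "2026"}}
	ok := func(event, file string, tags []string) error {
		fmt.Printf("published %s for %s: %v\n", event, file, tags)
		return nil
	}
	down := func(string, string, []string) error { return errors.New("event bus unavailable") }

	fmt.Println(RemoveTag(meta, "f1", "invoice", ok))
	fmt.Println(RemoveTag(meta, "f1", "invoice", ok)) // already absent: still a success
	fmt.Println(RemoveTag(meta, "f1", "2026", down))  // publish fails: metadata restored
	fmt.Println("tags after rollback:", meta.Tags)
}
```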

  • Bugfix - Expose the signature-auth attribute: #12016

    Expose the "oc:signature-auth" attribute for the subfolders in the public link
    propfinds. This is a necessary change to be able to support archive downloads in
    password protected public links.

    #12016

  • Bugfix - Fix CSP blocking bundled KaTeX font: #12070

    The default Content Security Policy blocked the bundled KaTeX math font (used by
    the md-editor) because it is inlined as a data: URI in the Web UI CSS. Added
    data: to the font-src directive to resolve the console error on every page
    load. Users with custom CSP files (PROXY_CSP_CONFIG_FILE_LOCATION) will need
    to add data: to their font-src directive manually.

    #12070
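    An added Go example covering both security-header entries above (X-XSS-Protection set to "0" from #12092, and data: in font-src from #12070). It is not oCIS code: the middleware, the constructed policy string and the AllowsDataFonts check are illustrative, and the policy is not the oCIS default CSP. The check is what an operator with a custom PROXY_CSP_CONFIG_FILE_LOCATION policy would want to run against their font-src directive.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ExamplePolicy is a constructed CSP, not the oCIS default. Its font-src
// includes data: so a font inlined as a data: URI (like the bundled KaTeX
// font) is not blocked.
const ExamplePolicy = "default-src 'self'; font-src 'self' data:; object-src 'none'"

// SecurityHeaders sets the HTTP security headers on every response.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// "0" explicitly turns off the deprecated browser XSS auditor;
		// XSS mitigation is delegated to the Content-Security-Policy.
		h.Set("X-XSS-Protection", "0")
		h.Set("Content-Security-Policy", ExamplePolicy)
		next.ServeHTTP(w, r)
	})
}

// AllowsDataFonts reports whether a CSP permits data: URIs for fonts. If
// font-src is absent, browsers fall back to default-src, so that directive
// is checked instead.
func AllowsDataFonts(csp string) bool {
	directives := map[string][]string{}
	for _, d := range strings.Split(csp, ";") {
		f := strings.Fields(d)
		if len(f) > 0 {
			directives[strings.ToLower(f[0])] = f[1:]
		}
	}
	sources, ok := directives["font-src"]
	if !ok {
		sources = directives["default-src"]
	}
	for _, s := range sources {
		if s == "data:" {
			return true
		}
	}
	return false
}

// ResponseHeaders sends one request through the middleware and returns the
// headers the client would see.
func ResponseHeaders() http.Header {
	handler := SecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	h := ResponseHeaders()
	fmt.Println("X-XSS-Protection:", h.Get("X-XSS-Protection"))
	fmt.Println("font-src allows data: URIs:", AllowsDataFonts(h.Get("Content-Security-Policy")))
}
```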

  • Bugfix - Fix case-sensitive photo metadata search: #12078

    Searching for photo metadata fields like camera make/model was case-sensitive,
    so searching for "google" would not match a camera make stored as "Google".
    Changed the photo string field analyzer from keyword to lowercaseKeyword so
    both indexed values and search terms are lowercased. Existing Bleve indexes need
    to be rebuilt after this change.

    #12078

  • Bugfix - Prevent incomplete Tika extractions from permanently blocking re-index: #12095

    When Tika returned HTTP 200 but its child processes (OCR, ImageMagick) failed
    due to resource limits, the search index received metadata but no content. The
    document was written to Bleve with the correct mtime, and subsequent reindexes
    skipped it because the id+mtime check passed. This left files permanently stuck
    as "indexed" with no searchable content.

    Two fixes are applied:

    1. Validate Tika responses: if MetaRecursive() returns an empty metadata list,
      it is now treated as an extraction error so the document is not written to the
      index.

    2. Add an Extracted field to indexed resources. It is set to true only after
      successful extraction. The reindex skip check now requires Extracted:true, so
      incompletely indexed documents are automatically re-processed on the next
      reindex run.

    Note: existing search indexes will trigger a full re-extraction on the next
    reindex because documents written before this change lack the Extracted field.

    #12093
    #12095

  • Bugfix - Use O(1) document lookup instead of full search during reindexing: #12096

    The IndexSpace bulk reindexer was using a full KQL search query per file to
    check whether re-extraction was needed. On large indexes this query took
    600–950ms each, making a 61,000-file space take ~13.5 hours just to walk.
    Replaced the per-file Search() call with an O(1) Lookup() using Bleve's
    DocIDQuery, then comparing mtime and extraction status in memory. This reduces
    per-file check time from ~800ms to <1ms.

    #12093
    #12096
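    An added Go example for the two reindex entries above (#12095 and #12096): a document is written only after a non-empty extraction, the skip check requires both an unchanged mtime and Extracted:true, and the check is a constant-time lookup by doc ID rather than a search. This is not oCIS code; the in-memory Index map stands in for the Bleve index and its DocIDQuery, and the Extractor callback for the Tika client.

```go
package main

import (
	"errors"
	"fmt"
)

// Resource is the indexed document as stored under its doc ID.
type Resource struct {
	ID        string
	Mtime     int64
	Content   string
	Extracted bool // true only after the extractor returned content
}

// Index is an in-memory stand-in for the Bleve index: a map keyed by doc ID
// gives the O(1) lookup that DocIDQuery provides. Constructed for this example.
type Index struct{ docs map[string]Resource }

func NewIndex() *Index { return &Index{docs: map[string]Resource{}} }

// Lookup is the O(1) replacement for running a full search per file.
func (ix *Index) Lookup(id string) (Resource, bool) {
	r, ok := ix.docs[id]
	return r, ok
}

func (ix *Index) Put(r Resource) { ix.docs[r.ID] = r }

// ErrEmptyExtraction marks a response that carried no metadata at all: it is
// treated as a failed extraction, not as an empty-but-valid document.
var ErrEmptyExtraction = errors.New("extractor returned empty metadata")

// Extractor stands in for the Tika client.
type Extractor func(id string) (map[string]string, error)

// NeedsReindex reports whether a file must be processed again: unknown doc ID,
// changed mtime, or a document written without a completed extraction.
func NeedsReindex(ix *Index, id string, mtime int64) bool {
	doc, ok := ix.Lookup(id)
	if !ok {
		return true
	}
	return doc.Mtime != mtime || !doc.Extracted
}

// IndexFile extracts and writes the document only when extraction succeeded,
// so an incomplete extraction never blocks a later reindex run.
func IndexFile(ix *Index, ext Extractor, id string, mtime int64) error {
	if !NeedsReindex(ix, id, mtime) {
		return nil
	}
	meta, err := ext(id)
	if err != nil {
		return err
	}
	if len(meta) == 0 {
		return ErrEmptyExtraction
	}
	ix.Put(Resource{ID: id, Mtime: mtime, Content: meta["content"], Extracted: true})
	return nil
}

func main() {
	ix := NewIndex()
	// Simulates Tika answering 200 with no metadata (child process failed).
	empty := func(string) (map[string]string, error) { return map[string]string{}, nil }
	fmt.Println("empty extraction:", IndexFile(ix, empty, "doc-1", 100))
	fmt.Println("needs reindex after empty extraction:", NeedsReindex(ix, "doc-1", 100))

	good := func(string) (map[string]string, error) {
		return map[string]string{"content": "quarterly report"}, nil
	}
	fmt.Println("good extraction:", IndexFile(ix, good, "doc-1", 100))
	fmt.Println("needs reindex after good extraction:", NeedsReindex(ix, "doc-1", 100))

	// A document written before the Extracted field existed is re-processed.
	ix.Put(Resource{ID: "legacy", Mtime: 5})
	fmt.Println("legacy doc needs reindex:", NeedsReindex(ix, "legacy", 5))
}
```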

  • Bugfix - Fix IDP build on FreeBSD by disabling absolute Babel runtime: #12114

    The babel-preset-react-app preset defaults to absoluteRuntime: true, which
    hardcodes absolute paths to @babel/runtime helpers. These paths fail to
    resolve on non-Linux platforms like FreeBSD. Setting absoluteRuntime: false
    makes Babel resolve the runtime relative to the source file, which works across
    all platforms.

    #12065
    #12114

  • Bugfix - Always descend into directories during space reindexing: #12119

    The search indexer's IndexSpace walk previously used filepath.SkipDir to
    skip entire directory subtrees when the directory itself was already indexed.
    After a failed or interrupted indexing run (e.g. Tika crash), this caused
    thousands of unindexed files to be permanently skipped because the parent
    directory's mtime had not changed. The indexer now always descends into
    directories, relying on the O(1) per-file DocID lookup to skip already-indexed
    files efficiently.

    #12119

  • Bugfix - Don't index failed uploads: #12121

    The search service was indexing uploads even when they failed. This caused
    unnecessary index operations for incomplete or errored file transfers. The fix
    skips indexing when the UploadReady event indicates the upload has failed.

    #12121

  • Bugfix - Avoid superfluous GetPublicShare call when deleting space permissions: #12122

    We fixed DeletePermission to recognise space permission IDs (prefixed with
    u: or g:) by their format before making any gateway calls. Previously,
    deleting a space member always triggered a GetPublicShare lookup that was
    guaranteed to fail, producing a confusing error log.

    #12012
    #12122

  • Bugfix - Fix CreateHome cache: #12128

    Move the CreateHome middleware cache to the proxy.

    #12128
    owncloud/reva#562

  • Bugfix - Return 200 OK for WOPI Lock requests in read-only and view-only modes: #12257

    OnlyOffice sends a WOPI Lock request when opening any document, even when the
    user only has read access. The WOPI Lock handler was attempting to acquire a CS3
    write lock regardless of the view mode, causing a permission error for read-only
    tokens that OnlyOffice displayed as an error message on load.

    The Lock handler now returns 200 OK immediately for READ_ONLY and VIEW_ONLY view
    modes without attempting to acquire a lock, consistent with the WOPI spec.

    #12257

  • Bugfix - Fix typo in README: #12263

    Fixed a typo in the README documentation.

    #12263

  • Bugfix - Fix space management middleware removing users from spaces on download: #12285

    The space management middleware ran on every authenticated request, including
    signed URL requests used for file downloads. Since signed URL auth does not
    carry OIDC claims, the middleware interpreted the absence of claims as "user
    should have no space access" and removed the user from all project spaces. On
    the next OIDC request the user was re-added, causing an oscillating add/remove
    cycle that led to intermittent download failures and transient "space not found"
    errors.

    The middleware now skips reconciliation entirely when no OIDC claims are present
    in the request context.

    #12285
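    The guard described above as an added Go example, not oCIS code: a middleware that only reconciles space membership when the request context carries OIDC claims, and otherwise passes the request through untouched. The SpaceManager, the "groups" claim, the project-members group name and the X-User header are constructed for the example; the test shows the pre-fix failure mode (reconciling with nil claims removes the user) and that a signed-URL request no longer triggers it.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// claimsKey is the context key under which the OIDC auth step stores claims.
// Signed-URL downloads never go through that step, so the key is absent.
type claimsKey struct{}

func WithClaims(ctx context.Context, claims map[string]any) context.Context {
	return context.WithValue(ctx, claimsKey{}, claims)
}

func claimsFrom(ctx context.Context) (map[string]any, bool) {
	c, ok := ctx.Value(claimsKey{}).(map[string]any)
	return c, ok
}

// SpaceManager is a constructed stand-in for the membership reconciler.
// Members maps a user to whether they currently have project-space access.
type SpaceManager struct {
	Reconciled int
	Members    map[string]bool
}

// Reconcile derives space access from the "groups" claim. Called with nil
// claims it sees no groups and removes the user: that is what happened on
// every signed-URL download before the fix.
func (m *SpaceManager) Reconcile(user string, claims map[string]any) {
	m.Reconciled++
	groups, _ := claims["groups"].([]string)
	has := false
	for _, g := range groups {
		if g == "project-members" {
			has = true
		}
	}
	m.Members[user] = has
}

// SpaceManagement skips reconciliation when the request carries no claims.
// The user is taken from a constructed X-User header for this example.
func SpaceManagement(m *SpaceManager, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if claims, ok := claimsFrom(r.Context()); ok {
			m.Reconcile(r.Header.Get("X-User"), claims)
		}
		next.ServeHTTP(w, r)
	})
}

// Request sends one request for user through the middleware. withOIDC
// controls whether the context carries claims (OIDC login) or not
// (signed-URL download).
func Request(m *SpaceManager, user string, withOIDC bool) {
	handler := SpaceManagement(m, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/dav/spaces/file.txt", nil)
	req.Header.Set("X-User", user)
	if withOIDC {
		claims := map[string]any{"groups": []string{"project-members"}}
		req = req.WithContext(WithClaims(req.Context(), claims))
	}
	handler.ServeHTTP(httptest.NewRecorder(), req)
}

func main() {
	m := &SpaceManager{Members: map[string]bool{}}
	Request(m, "alice", true)  // OIDC request: reconciled, alice gets access
	Request(m, "alice", false) // signed-URL download: reconciliation skipped
	fmt.Printf("reconciled=%d alice has access=%v\n", m.Reconciled, m.Members["alice"])
}
```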

  • Bugfix - Search no longer disabled when OCIS_DISABLE_PREVIEWS=true: #12303

    Setting OCIS_DISABLE_PREVIEWS=true removed the WebDAV REPORT routes from the
    router, breaking search on /dav/files, /dav/spaces and /webdav. The search
    routes are now registered independently of the preview flag.

    #12303

  • Bugfix - Stable order for user search attributes: #12337

    The attributes field returned from the user search endpoint came back in a
    random order because getUsersAttributes ranged over a Go map. The function now
    iterates over the configured UserSearchDisplayedAttributes slice, so the
    returned attribute values follow the configured order.

    #12337

  • Bugfix - Cache compiled rego policies to avoid recompiling on every request: #12345

    The policies service was reading and compiling .rego files from disk on every
    request, causing unnecessary memory pressure and per-request latency. The
    compiled PreparedEvalQuery is now cached per query string so compilation happens
    at most once per query string over the lifetime of the service.

    #12345

  • Bugfix - SpaceEditorWithoutTrashbin roles now correctly allow file editing: #12346

    Fixed a bug where the *WithoutTrashbin space editor roles were rendered as
    read-only in the Web frontend. The OCS PermissionWrite bit was not set for these
    roles because the RoleFromResourcePermissions round-trip required
    RestoreRecycleItem, which these roles intentionally omit.

    #12346

  • Bugfix - Skip indexing of files still in postprocessing: #12350

    When the search service re-indexed a space in response to an UploadReady event,
    the walker visited sibling nodes whose blobs were not yet finalized in the
    blobstore. Content extraction for those in-flight nodes triggered spurious
    storage-users error logs (S3 NoSuchKey). The walker now skips nodes marked as
    processing; they are indexed when their own UploadReady event arrives.

    #12350

  • Enhancement - Add web extensions deployment configuration: #11940

    We added deployment configuration for the photo-addon and advanced-search web
    extensions to the ocis_full example. This includes Docker compose files for both
    extensions and CSP configuration for OpenStreetMap tiles required by the
    photo-addon map feature.

    #11940

  • Enhancement - Add AI-assisted development guide: #11941

    A new guide has been added to the oCIS documentation demonstrating how to build
    web extensions using AI-assisted development with Claude AI. The guide covers
    MCP connector setup, a five-phase development workflow, debugging techniques,
    and contribution workflows.

    This approach has been validated through real contributions including PR #11912
    (photo metadata search backend) and web extensions PRs #305 and #306.

    #11941

  • Enhancement - Bump Web to 12.3.1: #12015

    Bugfix owncloud/web#13553: Search Text Overlaps With Search Icon In The
    Search Bar

    #12015
    https://github.com/owncloud/web/releases/tag/v12.3.1

  • Enhancement - Add space ID to incoming shares: #12024

    Added the spaceId to incoming shares. This aligns the graph API with the
    WebDAV API, where clients can already use the spaceid property, and allows
    clients to get the space ID directly instead of having to parse the resource ID.

    #12024

  • Enhancement - Add spaceid to REPORT: #12028

    Added the spaceid to the REPORT responses. This aligns the REPORT method
    with the PROPFIND method.

    #12028

  • Enhancement - Bump Reva version: #12051

    Bumped the reva version.

    #12051
    #12087
    #12137
    #12302

  • Enhancement - Add ResourceID field to UploadReady event: #12060

    The UploadReady NATS event now includes a ResourceID field containing the
    file's actual resource identifier (with the correct node OpaqueId). Previously,
    only FileRef was available, whose ResourceId.OpaqueId is set to the space
    root ID (required for CS3 gateway path resolution). Consumers that need the
    file's unique identifier for Graph API or WebDAV operations can now use
    ResourceID.OpaqueId directly.

    #12056
    #12060
    owncloud/reva#547
    owncloud/reva#560

  • Enhancement - Support numeric range queries in KQL: #12094

    The KQL parser now supports numeric range queries using comparison operators
    (>=, <=, >, <) on numeric fields. Previously, range operators only worked with
    DateTime values, causing queries like size>=1048576 or photo.iso>=100 to
    silently fail by falling through to free-text search.

    Affected numeric fields: Size, photo.iso, photo.fNumber, photo.focalLength,
    photo.orientation.

    #12093
    #12094
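    An added Go example of the parsing decision described above, not the oCIS KQL parser: a token is treated as a numeric range query only when it names a known numeric field, uses one of >=, <=, >, <, and carries a parsable number; anything else falls through to free text. Field names are matched lowercased here (an assumption; the entry lists Size alongside the lowercase photo.* fields). Passing an empty numeric-field set reproduces the old behaviour, where size>=1048576 silently became a free-text term.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// NumericFields lists the fields that accept range operators (the changelog's
// list, lowercased for matching).
var NumericFields = map[string]bool{
	"size": true, "photo.iso": true, "photo.fnumber": true,
	"photo.focallength": true, "photo.orientation": true,
}

type Kind int

const (
	FreeText     Kind = iota // term fell through to full-text search
	NumericRange             // field <op> number on a numeric field
)

// Term is one parsed query token.
type Term struct {
	Kind  Kind
	Field string
	Op    string  // ">=", "<=", ">" or "<"
	Value float64 // set for NumericRange
	Text  string  // set for FreeText
}

// operators are ordered longest-first so ">=" is tried before ">".
var operators = []string{">=", "<=", ">", "<"}

// ParseTerm parses a single token such as "size>=1048576". Only range terms on
// a known numeric field become NumericRange; anything else (unknown field,
// unparsable number, no operator) is free text.
func ParseTerm(tok string, numeric map[string]bool) Term {
	for _, op := range operators {
		i := strings.Index(tok, op)
		if i <= 0 {
			continue
		}
		field := strings.ToLower(tok[:i])
		value, err := strconv.ParseFloat(tok[i+len(op):], 64)
		if !numeric[field] || err != nil {
			break
		}
		return Term{Kind: NumericRange, Field: field, Op: op, Value: value}
	}
	return Term{Kind: FreeText, Text: tok}
}

// Matches evaluates a NumericRange term against a document's numeric fields;
// free-text terms and documents lacking the field never match here.
func Matches(t Term, doc map[string]float64) bool {
	v, ok := doc[t.Field]
	if t.Kind != NumericRange || !ok {
		return false
	}
	switch t.Op {
	case ">=":
		return v >= t.Value
	case "<=":
		return v <= t.Value
	case ">":
		return v > t.Value
	case "<":
		return v < t.Value
	}
	return false
}

func main() {
	// Constructed document: a 2 MiB photo shot at ISO 400.
	doc := map[string]float64{"size": 2 << 20, "photo.iso": 400}
	for _, q := range []string{"size>=1048576", "photo.iso<200", "name>=3", "report"} {
		t := ParseTerm(q, NumericFields)
		fmt.Printf("%-14s kind=%d field=%q op=%q value=%v matches=%v\n",
			q, t.Kind, t.Field, t.Op, t.Value, Matches(t, doc))
	}
}
```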

  • Enhancement - Add blobstore CLI commands to storage-users service: #12102

    Added two new CLI commands under ocis storage-users blobstore to help
    operators verify and inspect the configured blobstore without needing direct
    access to the underlying storage system.

    blobstore check performs a full upload/download/delete round-trip using a
    random payload. The payload size is configurable via --blob-size and accepts
    human-readable values such as 64, 1KB or 4MiB (default: 64 bytes).

    blobstore get downloads a specific blob by its ID to verify it is readable.
    The blob can be identified either with --blob-id and --space-id, or by
    passing the raw blob path from a log line directly via --path. Both the s3ng
    key format (<spaceID>/<pathified_blobID>) and the ocis filesystem path format
    (…/spaces/<pathified_spaceID>/blobs/<pathified_blobID>) are accepted. When
    using the s3ng driver without a known blob size, an automatic retry with the
    actual size is performed on a size mismatch.

    Both commands read the existing service configuration, so they always target the
    same blobstore as the running service. Only the ocis and s3ng storage
    drivers are supported.

    #12102
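    An added Go example of a parser for the human-readable --blob-size values the entry mentions (64, 1KB, 4MiB, default 64 bytes). It is not the oCIS implementation; the unit convention it assumes (KB/MB/GB as powers of 1000, KiB/MiB/GiB as powers of 1024, case-insensitive suffixes) and the rejection of zero, negative, malformed and overflowing values are choices made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// unitMultipliers maps a size suffix to its byte multiplier. The convention
// assumed here (not taken from the oCIS source) is SI for KB/MB/GB (powers of
// 1000) and IEC for KiB/MiB/GiB (powers of 1024); suffixes are case-insensitive.
var unitMultipliers = map[string]int64{
	"": 1, "b": 1,
	"kb": 1000, "mb": 1000 * 1000, "gb": 1000 * 1000 * 1000,
	"kib": 1024, "mib": 1024 * 1024, "gib": 1024 * 1024 * 1024,
}

// DefaultBlobSize is the documented default for --blob-size.
const DefaultBlobSize int64 = 64

// ParseBlobSize turns a human-readable --blob-size value into a byte count.
// An empty string yields the default; negative, zero, malformed and
// overflowing values are rejected so a typo cannot produce a huge test upload.
func ParseBlobSize(s string) (int64, error) {
	s = strings.TrimSpace(strings.ToLower(s))
	if s == "" {
		return DefaultBlobSize, nil
	}
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("blob size %q has no numeric part", s)
	}
	n, err := strconv.ParseInt(s[:i], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("blob size %q: %w", s, err)
	}
	unit := strings.TrimSpace(s[i:])
	mult, ok := unitMultipliers[unit]
	if !ok {
		return 0, fmt.Errorf("blob size %q has unknown unit %q", s, unit)
	}
	if n <= 0 || n > (1<<62)/mult {
		return 0, fmt.Errorf("blob size %q out of range", s)
	}
	return n * mult, nil
}

func main() {
	for _, v := range []string{"", "64", "1KB", "4MiB", "2 GiB", "0", "3XB"} {
		n, err := ParseBlobSize(v)
		fmt.Printf("%-8q -> %d bytes, err=%v\n", v, n, err)
	}
}
```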

  • Enhancement - Optimize search index after bulk reindexing: #12104

    After an IndexSpace walk completes, the search engine now triggers a segment
    merge (compaction) on the bleve index. Over time, writes create multiple index
    segments that degrade query performance. The new Optimize() method calls
    bleve's ForceMerge to consolidate all segments into one, improving subsequent
    search and lookup speed. This is especially beneficial after bulk reindexing
    large spaces.

    #12093
    #12104

  • Enhancement - Add vault storage with MFA-protected access: #12108

    Added a dedicated vault storage that can be protected with MFA. A separate
    storage-users service instance configured in vault mode runs and serves
    /vault/users and /vault/projects mount points with a dedicated
    VaultStorageProviderID. The graph service gained a new vault mode
    (OCIS_ENABLE_VAULT_MODE) that serves the vault API under the /vault prefix.
    The storage registry now routes vault-specific requests exclusively to the vault
    storage provider, preventing accidental access to vault spaces when no explicit
    storage ID is provided.

    MFA status is propagated through gRPC metadata and forwarded in HTTP headers for
    WOPI/collaboration flows.

    #12108

  • Enhancement - Retry and abort on repeated extraction failures during indexing: #12111

    During ocis search index bulk reindexing, if the content extractor (e.g. Tika)
    becomes unavailable, individual file extractions are now retried up to 5 times
    with a 1-second delay between attempts. If a file still fails after all retries,
    the failure is logged and the walk continues.

    If 5 consecutive files fail extraction (indicating the extraction service is
    down rather than a single file being problematic), the index walk is aborted
    with an error so the admin can investigate.

    Previously, extraction failures were silently logged and the walk continued at
    full speed, accumulating thousands of wasted "connection refused" errors when
    Tika was down.

    #12111
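    The retry and abort policy above as an added Go example, not the oCIS search walker: up to 5 attempts per file with a delay between them, a file that still fails is recorded and the walk continues, and 5 consecutive failed files abort the walk with an error. The Extractor callback stands in for the Tika client and the file names are constructed; the delay is a parameter so the test can run without sleeping.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	MaxAttempts         = 5           // attempts per file before giving up on it
	MaxConsecutiveFails = 5           // files failing in a row before the walk aborts
	RetryDelay          = time.Second // delay between attempts as described in the entry
)

// ErrExtractorDown is returned when MaxConsecutiveFails files fail in a row.
var ErrExtractorDown = errors.New("extraction service appears to be down, aborting walk")

// Extractor stands in for the content extractor client (e.g. Tika).
type Extractor func(path string) error

// extractWithRetry tries one file up to MaxAttempts times, waiting delay
// between attempts; the last error is returned if every attempt fails.
func extractWithRetry(ext Extractor, path string, delay time.Duration) error {
	var err error
	for attempt := 1; attempt <= MaxAttempts; attempt++ {
		if err = ext(path); err == nil {
			return nil
		}
		if attempt < MaxAttempts {
			time.Sleep(delay)
		}
	}
	return err
}

// WalkResult summarises a reindex walk.
type WalkResult struct {
	Indexed int
	Failed  []string // files that failed after all retries
}

// Walk indexes every path in order. A file that still fails after its retries
// is recorded and the walk goes on, but MaxConsecutiveFails failures in a row
// abort the walk so an operator can investigate instead of filling the log.
func Walk(paths []string, ext Extractor, delay time.Duration) (WalkResult, error) {
	var res WalkResult
	consecutive := 0
	for _, p := range paths {
		if err := extractWithRetry(ext, p, delay); err != nil {
			res.Failed = append(res.Failed, p)
			consecutive++
			if consecutive >= MaxConsecutiveFails {
				return res, fmt.Errorf("%w (last failure: %s: %v)", ErrExtractorDown, p, err)
			}
			continue
		}
		consecutive = 0 // a success resets the streak
		res.Indexed++
	}
	return res, nil
}

func main() {
	calls := 0
	flaky := func(path string) error { // succeeds on the third attempt
		calls++
		if calls < 3 {
			return errors.New("connection refused")
		}
		return nil
	}
	res, err := Walk([]string{"a.txt"}, flaky, 10*time.Millisecond)
	fmt.Printf("flaky extractor: indexed=%d attempts=%d err=%v\n", res.Indexed, calls, err)

	down := func(string) error { return errors.New("connection refused") }
	res, err = Walk([]string{"1", "2", "3", "4", "5", "6", "7"}, down, 0)
	fmt.Printf("extractor down: failed=%d err=%v\n", len(res.Failed), err)
}
```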

  • Enhancement - Log effective data and config paths at startup: #12117

    OCIS now logs the effective data path and config path at startup so operators
    can immediately verify that data is written to the expected location. This helps
    catch misconfigured Docker volume mounts where data silently falls back to an
    ephemeral container path instead of the intended persistent mount.

    #12044
    #12117

  • Enhancement - Allow resetting IDM service user passwords: #12118

    The ocis idm resetpassword command now supports a --user-type flag to select
    the account type: user (default, ou=users) or service (ou=sysusers). This
    allows resetting passwords for service accounts (libregraph, idp, reva) which
    live in ou=sysusers. Previously, the DN was hardcoded to ou=users, making it
    impossible to reset service user passwords via the CLI.

    #12106
    #12118

  • Enhancement - Update images in the ocis_full deployment example: #12123

    • Update the docker images for core services and web-extensions
    • Move all default image definitions (latest) into the .env file for
      consistency

    #12123

  • Enhancement - Add ocis search optimize CLI command: #12136

    Added a new ocis search optimize command that compacts the search index by
    merging Bleve segments, without re-indexing content. The command opens the index
    directly (without requiring the search service to be running), making it safe to
    run during maintenance windows without blocking search queries.

    This is useful after bulk reindexing operations that create many small index
    segments, which can degrade search performance over time.

    #12136

  • Enhancement - Add Keycloak to the ocis_full deployment example: #12139

    Added Keycloak to the ocis_full deployment example.

    #12139

  • Enhancement - Allow multiple objectClasses on group creation: #12229

    Added support for configuring additional LDAP objectClasses when creating
    groups. The new OCIS_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES /
    GRAPH_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES environment variable accepts a list
    of extra objectClasses that are set alongside the primary
    GRAPH_LDAP_GROUP_OBJECTCLASS when a new group is created in LDAP.

    #12229

  • Enhancement - Add SpaceEditorWithoutVersionsWithoutTrashbin space membership role: #12261

    Added a new space membership role "Can edit"
    (SpaceEditorWithoutVersionsWithoutTrashbin) that grants full editor permissions
    (create, upload, download, edit, move, delete) on a space without access to file
    versions or the trashbin.

    #12261

  • Enhancement - Add vault capabilities to the OCS capabilities endpoint: #12283

    Added OCIS_ENABLE_VAULT_MODE / FRONTEND_ENABLE_VAULT_MODE config option to
    the frontend service. When enabled, the OCS capabilities endpoint advertises
    vault.enabled = true. Clients can request vault-specific capabilities via
    /ocs/v2.php/cloud/capabilities?vault=true, which returns a response with
    public sharing and federation sharing disabled.

    #12283
    owncloud/reva#584

  • Enhancement - Disable public link sharing for vault resources: #12321

    The graph service now rejects creating, updating, and setting passwords on
    public links when the target resource lives in the vault storage provider.
    Requests targeting a vault resource return 400 Bad Request with the message
    public links are not allowed for vault resources.

    #12321

  • Enhancement - Update web-extension images in ocis_full: #12324

    The images for web-extensions have been updated for the ocis_full deployment
    example.

    #12324

  • Enhancement - Bump dependencies: #12325

    Bumped Go and npm dependencies, including security fixes:

    • github.com/owncloud/reva/v2 to v2.0.0-20260519092700-9da01c6fb954
    • github.com/shamaton/msgpack/v2 v2.4.0 → v2.4.1 (CVE: denial of service)
    • filippo.io/edwards25519 v1.1.0 → v1.1.1
    • github.com/cloudflare/circl v1.6.1 → v1.6.3
    • github.com/russellhaering/goxmldsig v1.5.0 → v1.6.0
    • postcss, fast-uri, @babel/plugin-transform-modules-systemjs (npm, via pnpm
      lock regen)
    • GitHub Actions: actions/upload-artifact 4→7, actions/download-artifact 4→8,
      pnpm/action-setup 5→6, fpicalausa/remove-stale-branches 2.4→2.6

    #12325

  • Enhancement - Add VaultMode permission: #12328

    Add a new VaultMode.ReadWriteEnabled permission that gates the visibility of
    the vault mode switcher in the web UI. The permission is assigned to the admin,
    space admin and user roles. The user light role does not receive it.

    #12328

  • Enhancement - Add vault themes: #12329

    We've added new themes that are available in the vault. They are intended to
    make a clear distinction between regular drives and the vault.

    #12329

  • Enhancement - Bump Web to 12.3.3: #13705

    owncloud/web#13705
    https://github.com/owncloud/web/releases/tag/v12.3.3

  • Enhancement - Bump Web to 12.4.0: #13809

    owncloud/web#13809
    https://github.com/owncloud/web/releases/tag/v12.4.0