Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Releases: cs3org/reva

v3.11.1

Choose a tag to compare

@github-actions github-actions released this 09 Jul 14:01

Changelog for reva 3.11.1 (2026-07-09)

The following sections list the changes in reva 3.11.1 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5702: Preserve child ACLs when creating parent shares

Details

  • Bugfix #5702: Preserve child ACLs when creating parent shares

    This change also adds unit tests for the share hierarchy to the gateway

    #5702

v3.11.0

Choose a tag to compare

@github-actions github-actions released this 07 Jul 10:01

Changelog for reva 3.11.0 (2026-07-07)

The following sections list the changes in reva 3.11.0 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5693: Bugfix where descriptions are not propagated to web
  • Fix #5694: Whitelisted more request types for the lightweight scope
  • Chg #5671: Dropped support for Nextcloud as storage/user/auth provider
  • Enh #5691: Refactor current ocm invite manager to GORM
  • Enh #5688: Modernize Go Code
  • Enh #5562: Share hierarchy checks
  • Enh #5690: Store remote users on ocm share

Details

  • Bugfix #5693: Bugfix where descriptions are not propagated to web

    This fixes a bug where the descriptions of the ocm invites are not propagated to the web.

    #5693

  • Bugfix #5694: Whitelisted more request types for the lightweight scope

    This is required to enable OCM for external accounts

    #5694

  • Change #5671: Dropped support for Nextcloud as storage/user/auth provider

    This PR removes the code to support Nextcloud as storage, user, and auth provider.

    This code was developed as part of the initial effort to put in place the ScienceMesh, where the
    deployment model was to run Reva at each site, including sites running Nextcloud where Reva
    would be responsible for the OCM-based federation layer and Nextcloud for all the rest.

    Over the years, and especially during 2025-26, Nextcloud has implemented all OCM-related
    capabilities natively, and this interface is getting obsoleted. We have kept it until the
    maintenance cost was negligible, but with the upcoming changes on the OCM implementation,
    this is not sustainable any longer.

    #5671

  • Enhancement #5691: Refactor current ocm invite manager to GORM

    Refactor the ocm invite manager to user the GORM.

    #5691

  • Enhancement #5688: Modernize Go Code

    #5688

  • Enhancement #5562: Share hierarchy checks

    This PR adds a hierarchical checking algorithm for shares to the gateway, as defined in ADR
    general/0005-sharing. Concrectely, the new algorithm does the following:

    • Before applying any ACL, the gateway checks for parent and child shares in the database. *
      Based on their relationships and permission levels, the gateway decides whether to apply,
      reapply, or reject the operation. * ACL updates will be applied orderd by path-length (where
      the shortest comes first) to maintain consistent inheritance semantics (otherwise, you
      would overwrite child shares). * The algorithm applies equally to create, update, and delete
      operations.

    #5562

  • Enhancement #5690: Store remote users on ocm share

    This commit adds the following functionality:

    • Functionality to add remote users even without the invitation flow when an OCM share is
      received. - This configuration option is a whitelist of hosts of which this functionality is
      enabled for. - A machine secret is added so that we can impersonate the user receiving the share
      since the ocm endpoint is unauthenticated.

    #5690

v3.10.4

Choose a tag to compare

@github-actions github-actions released this 01 Jul 10:12

Changelog for reva 3.10.4 (2026-07-01)

The following sections list the changes in reva 3.10.4 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5685: Add sciencemesh paths for external accounts
  • Fix #5686: Do not fail list shares if only OCM shares fail to be retrieved
  • Fix #5687: Set resource id properly in share creation

Details

  • Bugfix #5685: Add sciencemesh paths for external accounts

    #5685

  • Bugfix #5686: Do not fail list shares if only OCM shares fail to be retrieved

    #5686

  • Bugfix #5687: Set resource id properly in share creation

    #5687

v3.10.3

Choose a tag to compare

@github-actions github-actions released this 30 Jun 10:21

Changelog for reva 3.10.3 (2026-06-30)

The following sections list the changes in reva 3.10.3 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5683: Redact machine auth secret from log
  • Fix #5684: Ignore basic auth if a signature is present
  • Enh #5677: Cancel background jobs and trigger scheduled jobs on demand
  • Enh #5672: Associate on-demand jobs with a user
  • Enh #5682: Configure on-demand jobs from the config file

Details

  • Bugfix #5683: Redact machine auth secret from log

    #5683

  • Bugfix #5684: Ignore basic auth if a signature is present

    #5684

  • Enhancement #5677: Cancel background jobs and trigger scheduled jobs on demand

    Added the ability to cancel a background job run, both on-demand and leader-scoped periodic,
    and to trigger a scheduled job to run immediately. Cancellation is cooperative through the
    job's context, durable so it reaches a run that is still queued or running on another process,
    and terminal so a cancelled run is not retried. Triggering enqueues an extra run without
    disturbing the schedule's regular cadence.

    #5677

  • Enhancement #5672: Associate on-demand jobs with a user

    On-demand background jobs can now be attached to a user through a WithOwner enqueue option, so
    the jobs a user created can be listed back (e.g. for a UI) with ListByOwner; jobs enqueued
    without it stay internal. An opt-in Unique option was also added to keep at most one active run
    per owner and key, so a user cannot, for instance, start the same export twice.

    #5672

  • Enhancement #5682: Configure on-demand jobs from the config file

    On-demand background jobs are now given their own configuration section from the config file,
    handed to the job constructor the same way the other services receive their configuration.
    Each job reads its settings from [serverless.services.jobs.on_demand.""], so it can
    load what it needs at startup instead of seeing only the per-run parameters.

    #5682

v3.10.2

Choose a tag to compare

@github-actions github-actions released this 29 Jun 12:09

Changelog for reva 3.10.2 (2026-06-29)

The following sections list the changes in reva 3.10.2 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5650: Fix for cephmount lock & xattr bugs
  • Fix #5649: Ceph: fix path resolution
  • Fix #5648: Eosfs: fixed lock retrieval
  • Fix #5673: Fix a nilptr in the HTTP server
  • Fix #5662: Check for nil pointers
  • Fix #5676: Fixed parsing of OCM discovery payload
  • Fix #5681: Correctly identify OCM embedded payloads
  • Fix #5653: Honor pidfile passed with the -p option
  • Fix #5639: Bound the Prometheus HTTP handler label cardinality
  • Enh #5651: Add a background jobs framework
  • Enh #5663: Add immutable stubs & upgrade cs3apis
  • Enh #5652: Add support for signed URLs of the archiver
  • Enh #5645: Implement hiding for ocm shares
  • Enh #5611: OCM: reworked discovery logic and payload
  • Enh #5654: Enable external accounts to list received OCM shares
  • Enh #5664: Implement the new OCM webapp protocol
  • Enh #5674: Honor outbound proxy settings in the OCM client
  • Enh #5643: Utilize the new transferring state in the cs3api

Details

  • Bugfix #5650: Fix for cephmount lock & xattr bugs

    • ReadArbitraryMetadata - Returns stored user.* xattrs in GetMD instead of nothing. * Paths
      Unlock/SetLock open the full chroot path instead of the incorrect relative path. * Quality of
      life improvements for error handling & debug logs.

    #5650

  • Bugfix #5649: Ceph: fix path resolution

    When performing a id-to-path lookup the path may not always be empty, as in the case for wopi,
    this case was not handled.

    #5649

  • Bugfix #5648: Eosfs: fixed lock retrieval

    GetLock on a file with an empty lock now returns no lock as opposed to failing with a malformed
    lock exception

    #5648

  • Bugfix #5673: Fix a nilptr in the HTTP server

    #5673

  • Bugfix #5662: Check for nil pointers

    #5662

  • Bugfix #5676: Fixed parsing of OCM discovery payload

    The principle is that we should not fail the JSON parsing on unsupported capabilities, but only
    on out of spec payloads. Therefore, ResourceType must be a generic string, to be validated
    afterwards.

    #5676

  • Bugfix #5681: Correctly identify OCM embedded payloads

    OCM "ro-crate" shares are to be mapped to (CS3) EMBEDDED resource types, where "embedded" is a
    generic term to signal that any JSON-represented payload can be mapped in this way.

    #5681

  • Bugfix #5653: Honor pidfile passed with the -p option

    The pidfile was always generated at a random path in the OS temp dir on startup, ignoring the
    location passed with -p. As a result -s reload (and the other -s signals) could not find the
    running master to signal it. The -p path is now honored when starting revad.

    #5653

  • Bugfix #5639: Bound the Prometheus HTTP handler label cardinality

    The HTTP metrics interceptor used the full request URL path as the value of the handler label
    on the http_request_duration_seconds histogram. Because Reva HTTP endpoints are
    user-bound, this produced unbounded label cardinality and caused excessive metrics
    storage. The label is now derived from the leading static path segment, keeping cardinality
    bounded to the number of route prefixes.

    #5639

  • Enhancement #5651: Add a background jobs framework

    Introduce a framework to run background work in reva, both periodically (e.g. warming a cache
    or cleaning up expired state) and once on demand on a user request. Jobs are hosted by a new "jobs"
    serverless service backed by NATS JetStream, run status is tracked in a SQL store and can be
    queried by run id, and multiple jobs processes can run together without duplicating work.

    #5651

  • Enhancement #5663: Add immutable stubs & upgrade cs3apis

    This upgrade is needed so we can move past this version to the cs3apis even though we don't use it
    currently.

    #5663

  • Enhancement #5652: Add support for signed URLs of the archiver

    #5652

  • Enhancement #5645: Implement hiding for ocm shares

    This commit introduces the functionailty required to hide ocm shares

    #5645

  • Enhancement #5611: OCM: reworked discovery logic and payload

    This PR adapts the OCM Discovery endpoint to the latest standard and introduces better logic to
    discover remote endpoints' protocols.

    #5611

  • Enhancement #5654: Enable external accounts to list received OCM shares

    External accounts cannot create shares but can be recipient of shares. This now applies to OCM
    shares as well.

    #5654

  • Enhancement #5664: Implement the new OCM webapp protocol

    Following the OCM specifications, the webapp protocol and access method were reworked in the
    cs3apis: the view mode was replaced by share permissions (view, read, write, share on the
    wire), and the protocol now carries a shared secret, requirements (including
    must-exchange-token), targets (blank or iframe), and optional display metadata (appName,
    appIconHint, mediaTypes).

    • The OCM /shares endpoint now validates and parses webapp protocol payloads according to the
      new specification; legacy payloads carrying a viewMode are rejected - Outgoing webapp shares
      are serialized with the new wire fields, with the shared secret taken from the share token - The
      SQL share manager persists the new webapp fields - Roles for webapp-only shares are now derived
      from the share permissions instead of the view mode

    #5664

  • Enhancement #5674: Honor outbound proxy settings in the OCM client

    ocmd.NewClient now honors the standard HTTP_PROXY, HTTPS_PROXY, and NO_PROXY
    environment variables for outbound OCM requests, while keeping the existing request timeout
    and insecure TLS behavior. This applies to discovery, outgoing shares, invite-accepted,
    token exchange, and directory-service fetches that go through the shared OCM client.

    #5674

  • Enhancement #5643: Utilize the new transferring state in the cs3api

    • Puts the ocm share in a transferring state when doing the processing of an embedded share is
      ongoing - A callback is implemented that puts the share in the accepted state when the transfer
      is finished

    #5643

v3.10.1

Choose a tag to compare

@github-actions github-actions released this 05 Jun 10:52

Changelog for reva 3.10.1 (2026-06-05)

The following sections list the changes in reva 3.10.1 relevant to
reva users. The changes are ordered by importance.

Summary

  • Enh #5641: Make addSpaceInfo more defensive
  • Enh #5640: Remove useless, spammy log line

Details

  • Enhancement #5641: Make addSpaceInfo more defensive

    #5641

  • Enhancement #5640: Remove useless, spammy log line

    #5640

v3.10.0

Choose a tag to compare

@github-actions github-actions released this 03 Jun 08:36

Changelog for reva 3.10.0 (2026-06-03)

The following sections list the changes in reva 3.10.0 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5624: Throw proper err upon invalid COPY request
  • Fix #5620: Fix PROPFIND inconsistencies
  • Enh #5625: Store attributes on version folders in EOS
  • Enh #5627: Use destination field in received ocm share
  • Enh #5626: Implement CS3 labels API
  • Enh #5638: Add SpaceID field in shares table
  • Enh #5629: Support for zenodo json-ld wrapped ro-crates

Details

  • Bugfix #5624: Throw proper err upon invalid COPY request

    When doing a COPY / MOVE with an invalid space id, Reva starts copying from / instead of
    returning an error

    #5624

  • Bugfix #5620: Fix PROPFIND inconsistencies

    Stop emitting a duplicate oc:public-link-expiration entry in the not-found list, drop an
    erroneous fallthrough from oc:privatelink and skip re-adding oc:name when explicitly
    requested (since it's already added unconditionally)

    #5620

  • Enhancement #5625: Store attributes on version folders in EOS

    See ADR decisions/reva/0004-attributes-version-folder.md

    #5625

  • Enhancement #5627: Use destination field in received ocm share

    Instead of hijacking the opaque we use the new destination field when processing a share

    #5627

  • Enhancement #5626: Implement CS3 labels API

    Together with this, the new table is also "GORM-ified"

    #5626

  • Enhancement #5638: Add SpaceID field in shares table

    On top of that, we set the owner of a share to be initiator

    #5638

  • Enhancement #5629: Support for zenodo json-ld wrapped ro-crates

    Adds support for OCM embedded shares whose payload is an RO-Crate wrapping the Zenodo JSON-LD
    format (the plain RO-Crate is also supported)

    #5629

v3.9.0

Choose a tag to compare

@github-actions github-actions released this 21 May 09:08

Changelog for reva 3.9.0 (2026-05-21)

The following sections list the changes in reva 3.9.0 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5619: Fix EOS bug in version folder creation
  • Fix #5618: Workaround for weird EOS ENODATA issue
  • Fix #5610: Display ResourceType correctly for OCM Shares
  • Fix #5609: OCM invite manager should use shared DB conf
  • Enh #5571: Exclude expired shares from ListReceivedShares
  • Enh #5552: OCM code-flow token exchange
  • Enh #5598: Performance improvements to /permissions call
  • Enh #5613: Check verb in signed URLs

Details

  • Bugfix #5619: Fix EOS bug in version folder creation

    Due to a bug in the EOS drivers, version folders were created under the owner of the first
    resource in a directory, instead of the owner of the corresponding file.

    #5619

  • Bugfix #5618: Workaround for weird EOS ENODATA issue

    #5618

  • Bugfix #5610: Display ResourceType correctly for OCM Shares

    #5610

  • Bugfix #5609: OCM invite manager should use shared DB conf

    #5609

  • Enhancement #5571: Exclude expired shares from ListReceivedShares

    • ListReceivedShares no longer returns shares whose expiration date has passed

    #5571

  • Enhancement #5552: OCM code-flow token exchange

    Added end-to-end OCM code-flow support for both sender and receiver paths. Shares can now
    declare requirements: ["must-exchange-token"] and accessTypes: ["remote"], with the
    new fields preserved across both SQL and JSON persistence. Discovery advertises
    tokenEndPoint and exchange-token, the new POST /ocm/token endpoint exchanges
    authorization codes into short-lived JWTs, and the dedicated ocmsharecode and
    ocmexchangedtoken auth managers separate exchange-code validation from
    exchanged-token validation.

    The same feature branch also hardens the runtime path uncovered during live interop
    validation. Code-flow scopes now carry share and resource identity without embedding the
    long-lived shared secret, malformed protocol payloads are rejected earlier, and the
    validated interop fixes stay in the same change set: correct client_id handling,
    root-mounted DAV share recovery for Nextcloud-style clients, preserved download paths for
    root-mounted single-file reads, and the related WOPI external-link fix that prefers
    canonical share ids over legacy tokens.

    Validation coverage was expanded at the seams that changed most. The branch now includes
    focused tests for /ocm/token behavior, discovery-to-route coupling, WOPI share-id
    fallback, received-side token-endpoint discovery and exchange helpers, received-side
    retry wrappers, and persistence/validation behavior. Legacy direct-secret flows remain
    operational, while code-flow shares enforce token exchange as an explicit protocol
    requirement.

    #5552

  • Enhancement #5598: Performance improvements to /permissions call

    #5598

  • Enhancement #5613: Check verb in signed URLs

    #5613

v3.8.2

Choose a tag to compare

@github-actions github-actions released this 20 May 14:03

Changelog for reva 3.8.2 (2026-05-20)

The following sections list the changes in reva 3.8.2 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5619: Fix EOS bug in version folder creation

Details

  • Bugfix #5619: Fix EOS bug in version folder creation

    Due to a bug in the EOS drivers, version folders were created under the owner of the first
    resource in a directory, instead of the owner of the corresponding file.

    #5619

v3.8.1

Choose a tag to compare

@github-actions github-actions released this 05 May 15:31

Changelog for reva 3.8.1 (2026-05-05)

The following sections list the changes in reva 3.8.1 relevant to
reva users. The changes are ordered by importance.

Summary

  • Fix #5603: LW accounts should be able to do GetGroup
  • Enh #5597: Proper passthrough of EOS ACL errors

Details

  • Bugfix #5603: LW accounts should be able to do GetGroup

    #5603

  • Enhancement #5597: Proper passthrough of EOS ACL errors

    #5597