The following sections list the changes in reva 1.20.0 relevant to reva users. The changes are ordered by importance.
We’ve mitigated an XSS vulnerability resulting from unescaped HTTP responses containing user-provided values in pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go. This patch uses html.EscapeString to escape the user-provided values in the HTTP responses of pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go.
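As an added illustration of the escaping pattern this fix applies (example code, not reva's own handlers; the response text and the `token` parameter name are constructed for the example), the unescaped rendering is shown next to the hardened one that passes the user value through `html.EscapeString` before it reaches the HTML body:

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
)

// renderUnescaped reproduces the vulnerable pattern: a user-provided value is
// interpolated into an HTML response body verbatim, so markup in the value is
// interpreted by the browser. (Constructed example, not reva's code.)
func renderUnescaped(userValue string) string {
	return fmt.Sprintf("<p>Invite for %s was not found.</p>", userValue)
}

// renderEscaped is the hardened form: html.EscapeString rewrites <, >, &, ' and "
// as entities, so the value is displayed as text instead of being parsed as HTML.
func renderEscaped(userValue string) string {
	return fmt.Sprintf("<p>Invite for %s was not found.</p>", html.EscapeString(userValue))
}

// handler serves the escaped variant, taking the value from a hypothetical
// "token" query parameter.
func handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, renderEscaped(r.URL.Query().Get("token")))
}

// serve runs the handler in-process against a constructed request and returns
// the response body, so the behaviour can be checked without a network listener.
func serve(rawQuery string) string {
	req := httptest.NewRequest(http.MethodGet, "/invite?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Body.String()
}

func main() {
	payload := `<script>alert(1)</script>` // constructed sample input
	fmt.Println("unescaped:", renderUnescaped(payload))
	fmt.Println("escaped:  ", renderEscaped(payload))
}
```

Escaping at the point where the value is written into HTML is the right granularity: the same token may legitimately contain `<` or `&` when logged or stored, and only its HTML rendering needs the entity form.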
Makes sure the config map is allocated prior to setting it
Issue https://github.com/cs3org/reva/issues/2402 is closed.
LW accounts do not have quota assigned.
An OCM reference is not created for a data transfer type share.
When a webdav prefix is used it appears in both the host and name parameters of the target URI for data transfer. This PR fixes that.
Previously we resolved such users (so called “lightweight” or “external” accounts in the CERN realm) by email, but it turns out that the same email may have multiple accounts associated to it. Therefore we now resolve them by username, that is, the UPN, which is unique.
For oidc providers that only respond with standard claims, use the user provider to get the user.
We read the user ACL in EOS until the migration of all user ACLs to sys ACLs is done.
The configuration of the custom mimetypes has been moved to the AppProvider, and the given mimetypes are used to configure bridged apps by sharing the corresponding config item to the drivers.
Allows an operator to set a list of users that are banned for every operation in reva.
We’ve improved the HTTP endpoint: it now uses Form instead of Query, so application/x-www-form-urlencoded parameters are also supported on the app provider HTTP endpoint.
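The difference between reading `r.URL.Query()` and reading `r.Form` after `ParseForm`, as an added example (not reva's app provider code; the `/app/open` path and the `file_id` parameter are constructed for the illustration):

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// paramFromQuery only consults the URL query string. A value sent in an
// application/x-www-form-urlencoded body is invisible to it.
func paramFromQuery(r *http.Request, name string) string {
	return r.URL.Query().Get(name)
}

// paramFromForm calls ParseForm, which merges the URL query with the body for
// POST/PUT/PATCH requests carrying a form content type; r.Form then answers
// for both transports.
func paramFromForm(r *http.Request, name string) (string, error) {
	if err := r.ParseForm(); err != nil {
		return "", err
	}
	return r.Form.Get(name), nil
}

// getWithQuery builds a constructed GET request carrying the parameter in the URL.
func getWithQuery(rawQuery string) *http.Request {
	return httptest.NewRequest(http.MethodGet, "/app/open?"+rawQuery, nil)
}

// postForm builds a constructed POST request carrying the parameter in a
// urlencoded body, as a browser form or a client library would send it.
func postForm(body string) *http.Request {
	req := httptest.NewRequest(http.MethodPost, "/app/open", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req
}

func main() {
	for _, r := range []*http.Request{getWithQuery("file_id=abc"), postForm("file_id=abc")} {
		fromForm, _ := paramFromForm(r, "file_id")
		fmt.Printf("%s: Query=%q Form=%q\n", r.Method, paramFromQuery(r, "file_id"), fromForm)
	}
}
```

Note that `ParseForm` reads the request body, so it must be called (or `r.FormValue` used) before any other consumer of the body; calling it twice is safe because the parsed result is cached on the request.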
This is a read-only fs interface.
Update go version to 1.19 in go.mod
We’ve enabled the goimports and usestdlibvars linters in golangci-lint and solved the related issues.
We’ve enabled the stylecheck, whitespace, dupword, godot and dogsled linters in golangci-lint and solved the related issues.
This includes a FirstName FamilyName (domain) format for non-primary accounts, and a sanitization of the email address claim for such non-primary accounts.
This is a partial backport from edge: we introduce a language option in the appprovider, which if set is passed as appropriate parameter to the external apps in order to force a given localization. In particular, for Microsoft Office 365 the DC_LLCC option is set as well. The default behavior is unset, where apps try and resolve the localization from the browser headers.
Re-implements the lightweight account scope check, making it more efficient. Also, the ACLs for the EOS storage driver for the lw accounts are set atomically.
To better support sites that run multiple instances, the meta data have been extended to include a new hierarchy layer called ‘operators’. This PR brings all necessary changes in the Mentix and site accounts services.
This fix changes the content type to just “application/json”.
Add a public share auth middleware
We now support the WOPI compliant UnlockAndRelock operation. This has been implemented in the Eos FS. To make use of it, we need a compatible WOPI server.
The site accounts admin panel has been reworked and now also shows which sites aren’t configured properly yet. Furthermore, a bug that prevented users from changing site configurations has been fixed.
Some small improvements to the Site Accounts and Mentix services, including normalization of data exposed at the /cs3 endpoint of Mentix.
We now use the email claim for external/federated accounts as the username that is then passed to the wopiserver and used as displayName in the WOPI context.