The following sections list the changes in reva 1.20.0 relevant to reva users. The changes are ordered by importance.
We’ve mitigated an XSS vulnerability caused by HTTP responses in pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go that contained unescaped user-provided values. The patch escapes those values with html.EscapeString before they are written to the responses.
https://github.com/cs3org/reva/pull/3316
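The effect of the html.EscapeString fix, shown as an added example that is not code from reva: two hypothetical handlers reflect a "token" form value into an HTML error response, one as-is and one escaped. The handler names, the /invite path and the sample value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// reflectRaw writes the user-supplied "token" value into the HTML body as-is,
// which is the pattern the fix removes. Hypothetical handler, not reva's.
func reflectRaw(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusBadRequest)
	fmt.Fprintf(w, "<p>invalid token: %s</p>", r.FormValue("token"))
}

// reflectEscaped passes the value through html.EscapeString first, so
// <, >, &, ' and " reach the browser as character references.
func reflectEscaped(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusBadRequest)
	fmt.Fprintf(w, "<p>invalid token: %s</p>", html.EscapeString(r.FormValue("token")))
}

// render sends one in-memory GET request to h and returns the response body.
func render(h http.HandlerFunc, token string) string {
	req := httptest.NewRequest(http.MethodGet, "/invite?token="+url.QueryEscape(token), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// carriesMarkup reports whether the body still contains a live script tag opener.
func carriesMarkup(body string) bool {
	return strings.Contains(body, "<script")
}

func main() {
	sample := `<script>alert(1)</script>` // constructed test value
	for name, h := range map[string]http.HandlerFunc{"raw": reflectRaw, "escaped": reflectEscaped} {
		body := render(h, sample)
		fmt.Printf("%-8s markup=%v  %s\n", name, carriesMarkup(body), body)
	}
}
```

html.EscapeString covers HTML text and quoted attribute values; values placed inside script blocks or URLs need context-specific encoding instead.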
Makes sure the config map is allocated prior to setting it
https://github.com/cs3org/reva/pull/3455
Issue https://github.com/cs3org/reva/issues/2402 is closed.
https://github.com/cs3org/reva/pull/3311
https://github.com/cs3org/reva/pull/3396
LW accounts do not have quota assigned.
https://github.com/cs3org/reva/pull/3055
https://github.com/cs3org/reva/pull/3361
https://github.com/cs3org/reva/pull/3344
An OCM reference is not created for a data transfer type share.
https://github.com/cs3org/reva/pull/2979
When a webdav prefix is used it appears in both host and name parameter of the target uri for data transfer. This PR fixes that.
https://github.com/cs3org/reva/pull/2973
https://github.com/cs3org/reva/pull/3319
Previously we resolved such users (so-called “lightweight” or “external” accounts in the CERN realm) by email, but it turns out that the same email may have multiple accounts associated with it.
Therefore we now resolve them by username, that is the upn, which is unique.
https://github.com/cs3org/reva/pull/3481
For oidc providers that only respond with standard claims, use the user provider to get the user.
https://github.com/cs3org/reva/pull/3055
We read the user ACL in EOS until the migration of all user ACLs to sys ACLs is done.
https://github.com/cs3org/reva/pull/3053
The configuration of the custom mimetypes has been moved to the AppProvider, and the given mimetypes are used to configure bridged apps by sharing the corresponding config item to the drivers.
https://github.com/cs3org/reva/pull/3401
Allows an operator to set a list of users that are banned for every operation in reva.
https://github.com/cs3org/reva/pull/3402
We’ve improved the app provider HTTP endpoint: it now uses the Form instead of Query, so that it also supports application/x-www-form-urlencoded parameters.
https://github.com/cs3org/reva/pull/3098 https://github.com/cs3org/reva/pull/3101
This is a read only fs interface.
https://github.com/cs3org/reva/pull/3116
https://github.com/cs3org/reva/pull/3422
https://github.com/cs3org/reva/pull/3412
Update go version to 1.19 in go.mod
https://github.com/cs3org/reva/pull/3367
https://github.com/cs3org/reva/pull/3467
https://github.com/cs3org/reva/pull/3463
We’ve enabled the goimports and usestdlibvars linters in golangci-lint and solved the related issues.
https://github.com/cs3org/reva/pull/3471
https://github.com/cs3org/reva/pull/3466
https://github.com/cs3org/reva/pull/3465
https://github.com/cs3org/reva/pull/3487
We’ve enabled the stylecheck, whitespace, dupword, godot and dogsled linters in golangci-lint and solved the related issues.
https://github.com/cs3org/reva/pull/3475
https://github.com/cs3org/reva/pull/3070
This includes a “FirstName FamilyName (domain)” format for non-primary accounts, and a sanitization of the email address claim for such non-primary accounts.
https://github.com/cs3org/reva/pull/2986 https://github.com/cs3org/reva/pull/3280
This is a partial backport from edge: we introduce a language option in the appprovider, which, if set, is passed as the appropriate parameter to the external apps in order to force a given localization. In particular, for Microsoft Office 365 the DC_LLCC option is set as well. The default behavior is unset, where apps try to resolve the localization from the browser headers.
https://github.com/cs3org/reva/pull/3303
Re-implements the lightweight account scope check, making it more efficient. Also, the ACLs for the EOS storage driver for the lw accounts are set atomically.
https://github.com/cs3org/reva/pull/3348
https://github.com/cs3org/reva/pull/3304
To better support sites that run multiple instances, the meta data have been extended to include a new hierarchy layer called ‘operators’. This PR brings all necessary changes in the Mentix and site accounts services.
https://github.com/cs3org/reva/pull/3072
This fix changes the content type to just “application/json”.
https://github.com/cs3org/reva/pull/3313
https://github.com/cs3org/reva/pull/3234
https://github.com/cs3org/reva/pull/3347
Add a public share auth middleware
https://github.com/cs3org/reva/pull/3056
https://github.com/cs3org/reva/pull/3305
https://github.com/cs3org/reva/pull/3163 https://github.com/cs3org/reva/pull/2715
We now support the WOPI compliant UnlockAndRelock operation. This has been implemented in the Eos FS. To make use of it, we need a compatible WOPI server.
https://github.com/cs3org/reva/pull/3289 https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/rest/files/unlockandrelock
https://github.com/cs3org/reva/pull/3315
https://github.com/cs3org/reva/pull/3438
The site accounts admin panel has been reworked and now also shows which sites aren’t configured properly yet. Furthermore, a bug that prevented users from changing site configurations has been fixed.
https://github.com/cs3org/reva/pull/3221
Some small improvements to the Site Accounts and Mentix services, including normalization of data exposed at the /cs3 endpoint of Mentix.
https://github.com/cs3org/reva/pull/3404
https://github.com/cs3org/reva/pull/3424
We now use the email claim for external/federated accounts as the username that is then passed to the wopiserver and used as displayName in the WOPI context.
https://github.com/cs3org/reva/pull/2986