ownCloud Infinite Scale — 1,560 Features
Enable JavaScript for interactive search and filtering.
Administration and Governance
- Activity Event Logging— Activity
- The activitylog service records structured events for file actions, share changes, downloads, trash operations, and related collaboration events.
- Share, Lifecycle, and Expiration Notifications— Notifications
- The notifications service emits collaboration and lifecycle events, including share-related notifications, expiration reminders, and grouped email delivery.
- Admin User Management— Admin UX
- Admin-settings includes user listing, search, creation, edit, quota, group, and role management surfaces backed by server permissions.
- Admin Group Management— Admin UX
- Group administration supports API-backed search, listing, and membership-oriented management rather than only browser-side filtering.
- Admin Space Management— Admin UX
- Admin-settings includes a dedicated spaces section for listing, creating, and lifecycle-managing project spaces independently of end-user file browsing.
- Server-Driven User Ability Enforcement— Permissions UX
- Web consumes server-provided abilities to enable, disable, or hide system and admin actions based on the caller's effective capabilities.
- Activitylog Item Activities API— Activity
- `GET /graph/v1beta1/extensions/org.libregraph/activities` returns activity records for an item, parent container, trash item, or space root and accepts KQL filters. Access is permission-gated and the service reconstructs responses from stored event history rather than from a standalone activity database.
- Localized Activity Message Rendering— Activity
- activitylog renders localized message templates from embedded translation catalogs and can load custom translation files from configuration. This lets the same stored event produce user-facing text in the caller's language without changing the underlying event payload.
- TTL-Based Event History Store— Event Retention
- eventhistory stores raw event bytes with event IDs, types, and an expiration time, providing a short-lived history that other services can query by ID. It is used as an operational reconstruction store rather than a permanent analytics warehouse.
- User-Correlated Event Lookup— Event Retention
- eventhistory can find user-related events by matching stored payload bytes with regex patterns, which lets dependent services reconstruct activity or notification histories per user without owning the original event stream.
- Frontend Capability and Policy Signaling— Configuration
- frontend publishes capability flags such as favorites, upload protocol, max chunk size, federated sharing toggles, full-text search, server-managed spaces, public-link password policy, and tag-length rules. Web clients read these settings instead of hardcoding feature availability.
- Notification Preference Filtering and Localized Email Rendering— Notifications
- notifications filters recipients against stored notification preferences, skips users without usable mail settings, and renders localized email templates before instant or grouped delivery. Daily and weekly summary behavior is implemented in the service, not only in scheduler wrappers.
- Settings Bundles and Setting Definitions— Configuration
- settings supports bundle CRUD and add or remove operations for settings inside a bundle, making setting schemas themselves manageable objects. Bundles are the service layer used to expose grouped configurable capabilities to clients and admins.
- Per-Account Settings Values— Configuration
- settings can list, get, and save values per account, so user preferences and similar overrides are stored separately from global capability bundles. This is the persistence layer used by features such as notification preferences and default language.
- Disabled Space Purge CLI— Operations CLI
- `ocis storage-users spaces purge-expired` purges disabled personal and project spaces exceeding their retention period. `--dry-run` defaults to `true` to prevent accidental deletion. Retention is configured via `STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE` and `STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE` (both default 720h; `0` disables deletion).
- Upload Session Inspection and Recovery CLI— Operations CLI
- `ocis storage-users uploads sessions` (v8; replaces deprecated `uploads list`) outputs upload sessions in JSON or table form, filterable by session ID, processing status, expiry, and virus scan result. Flags: `--restart`, `--resume`, `--clean`. `ocis storage-users uploads move-stuck-upload-blobs` (v8) recovers blobs stranded by disk saturation.
- Trash Bin Administration CLI— Operations CLI
- the `storage-users trash-bin` CLI can list deleted items, purge expired content, restore all items, or restore selected items with `skip`, `replace`, or `keep-both` conflict modes. This is deeper operational control than the normal end-user trash UI.
- Blobstore Connectivity and Blob Retrieval CLI— Operations CLI
- the `storage-users blobstore` CLI can check blobstore connectivity and retrieve blobs by ID or parsed path. It exists for operational inspection and repair of underlying content storage.
- Global Notifications Management— Notifications
- userlog also exposes global notification create and delete endpoints that are guarded by an admin role or a static secret. This allows centrally pushed announcements without impersonating each user.
- Frontend Read-Only Attribute Hints— Admin UX
- the frontend can expose configured read-only user attributes as capabilities so admin screens can gray out directory-backed fields that local admins are not allowed to edit.
- Search Reindex CLI— Operations CLI
- operators can run `ocis search index --space <id>` or `--all-spaces` to trigger manual re-indexing when the search index needs repair or refresh.
- Orphaned Grant Cleanup CLI— Operations CLI
- `ocis shares clean-orphaned-grants` (v8.0.0) detects and removes storage grants that no longer have a corresponding share-manager entry. This addresses data consistency gaps that can accumulate after failed share operations.
- Userlog Notification Concurrency Control— Notifications
- `USERLOG_MAX_CONCURRENCY` (default: 5 goroutines) controls how many notification conversions the userlog service runs in parallel. Increasing this value can improve throughput at high event volume but increases memory pressure.
- Read-Only User Attribute Hints— User Management
- `FRONTEND_READONLY_USER_ATTRIBUTES` marks specific user profile fields (username, email, role, quota, etc.) as read-only in the web UI when those fields are managed by an external LDAP or IdP. Prevents users from attempting unsupported edits.
- Instance-Wide Maximum Space Quota— Quotas
- `OCIS_SPACES_MAX_QUOTA` / `FRONTEND_MAX_QUOTA` caps the maximum storage quota that can be assigned to any space. Zero means unlimited. Enforced globally across all drives regardless of individual drive quota settings.
- ownCloud SQL Legacy User/Group Backend— User Directory Integration
- oCIS supports the classic ownCloud MySQL/MariaDB database as a drop-in user and group directory backend (`USERS_DRIVER=owncloudsql`, `GROUPS_DRIVER=owncloudsql`). Supports medial (substring) search and UUID/username join options via `USERS_OWNCLOUDSQL_*` and `GROUPS_OWNCLOUDSQL_*` vars. Provides a smooth migration path from ownCloud 10 without replacing the user directory.
- Demo User Seeding— Platform Bootstrapping
- On-startup provisioning of a predefined set of demo users into IDM (`IDM_CREATE_DEMO_USERS=true`, default false). Eliminates manual user creation for evaluation, CI, and demo environment setup.
- Multi-Service-Account Role Assignment— Role Management
- `SETTINGS_SERVICE_ACCOUNT_IDS` accepts a list of service account IDs, each automatically assigned the hidden internal service-account role. Allows registering multiple service accounts (one per microservice or integration) with correct permissions without manual role assignment.
- Settings Service Custom Translations— Localization
- `SETTINGS_TRANSLATION_PATH` (also `OCIS_TRANSLATION_PATH`) points to a directory of custom `.po`/`.mo` translation files overriding built-in embedded translations. Allows organizations to provide localized or brand-customized label text across settings and admin UI. Introduced v7.1.0.
- MIME Type-to-App Registry with Per-Type Allow-Creation— App Registration
- The app-registry service provides a YAML-configured MIME type registry mapping file MIME types to named applications, setting default opener apps, and controlling whether users can create new files of each type (`allow_creation`). Covers ODF formats, OOXML formats (docx/xlsx/pptx), PDF forms, Markdown, Jupyter Notebooks, compressed Markdown (zmd), and GeoGebra Slides (ggs).
- GDPR Data Export with Keycloak Integration— Compliance
- When `gdprReport.integrations.keycloak.enabled` is set, oCIS calls the Keycloak admin API to export user data as part of a GDPR subject access request report. Configurable with base path, client ID, client realm, and user realm.
- Custom Roles via Inline JSON or ConfigMap— Role Management
- Administrators can inject custom RBAC role definitions as inline JSON (`customRoles`) or via a ConfigMap reference (`customRolesConfigRef`). Allows defining roles beyond the built-in admin/space-admin/user/guest set without code changes.
- Available Unified Roles Allowlist— Role Management
- `GRAPH_AVAILABLE_ROLES` (Helm: `features.roles.availableUnifiedRoles`) restricts which unified roles (by UUID) are surfaced to users during sharing. An empty list means all roles are available; a populated list acts as a strict allowlist.
- Per-Role Storage Quota— Storage Governance
- Quotas can be set per built-in role UUID (`features.quotas.roles` in Helm), enabling differentiated storage allocations for users, admins, and space admins without per-user configuration.
- Download Archive Size and File Count Limits— Storage Governance
- `features.archiver.maxSize` (default 1 GB) and `features.archiver.maxNumFiles` (default 10,000) cap the zip/tar archives users can generate. Prevents denial-of-service via runaway archive creation; these limits are surfaced to clients via the capabilities API.
- Share Recipient Search — Email Display Toggle— Privacy Controls
- `features.sharing.users.search.showUserEmail` controls whether a recipient's email address is shown in the user picker during sharing. Allows privacy-conscious deployments to hide email addresses from the sharing dialog.
- Share Recipient Search — Minimum Character Threshold— Privacy Controls
- `features.sharing.users.search.minLengthLimit` (default 3) sets the minimum characters required before the client triggers a user search. Reduces IdP query load and prevents information disclosure from partial-name lookups.
- Unified LDAP Configuration— Identity Configuration
- A single set of top-level LDAP environment variables (`LDAP_URI`, `LDAP_BIND_DN`, `LDAP_USER_BASE_DN`, etc.) is shared across all LDAP-consuming services — graph, idp, auth-basic, idm — with per-service overrides available. Eliminates duplicated LDAP config across service definitions. Introduced v1.20.0.
- Graph API User and Group Sorting— Directory API
- The Graph API `/users` and `/groups` endpoints support `$orderby` for sorting by displayName, mail, and onPremisesSamAccountName. Introduced v1.20.0.
- User and Group Audit Events— Audit and Compliance
- Audit events are emitted for user creation, user deletion, user property changes, group creation, group deletion, group member add, and group member remove. Provides a complete audit trail for identity lifecycle operations. Introduced v1.20.0.
- OCIS_CONFIG_DIR Override— Configuration Management
- `OCIS_CONFIG_DIR` overrides the default configuration file search paths (`/etc/ocis`, `~/.ocis`, `.config`), enabling a single explicit configuration directory for containerized and managed deployments.
- Admin Password Reset CLI— Identity Management
- `ocis idm resetpassword --user-name <name>` resets any user's password from the command line without requiring UI or API access. Available since v1.20.0/v6.1.0.
- Self-Password Change Disable— Identity Governance
- `OCIS_DISABLE_SELF_PASSWORD_CHANGE` prevents users from changing their own passwords via the UI or API. Surfaced as a capability so clients can hide or disable the password change UI accordingly.
- `ocis init --diff` Flag— Configuration Management
- `ocis init --diff` shows a configuration diff and stores the patch file, enabling operators to review what changed between configuration upgrades before applying them.
- Selective Service Run and Exclude— Deployment Control
- `OCIS_RUN_SERVICES` limits which services start in a deployment; `OCIS_EXCLUDE_SERVICES` selectively disables named services. Enables fine-grained composition of oCIS deployments without separate binaries.
- Audit Events for Folder and Space Creation— Audit and Compliance
- Audit events are recorded when folders and spaces are created, providing a complete audit trail for container-level operations alongside file-level events. Introduced v2.0.0.
- Delete All Spaces Permission— Access Governance
- A dedicated system-level permission (`delete-all-spaces`) allows administrators to delete any space regardless of ownership, enabling compliance-driven data removal workflows.
- DecomposedFS Backup Consistency Check CLI— Storage Maintenance
- `ocis backup consistency` checks the decomposedFS storage for structural inconsistencies. Supports `--fail` flag to return a non-zero exit code for use in CI/CD pipelines and automated health checks. Introduced v6.1.0.
- Empty Trashbin Directories CLI— Storage Maintenance
- `ocis trash purge-empty-dirs` removes empty directories left in the trashbin folder structure of decomposedFS. Applicable to any storage provider; prevents accumulation of orphaned trash tree nodes. Introduced v6.1.0.
- Delete Stale Upload Nodes CLI— Storage Maintenance
- `ocis storage-users uploads delete-stale-nodes` removes nodes stuck in processing state without a connected upload info record. Resolves upload ghost entries without direct storage access. Introduced v7.2.0.
- OCIS_ENABLE_OCM Global Flag— Federation Configuration
- A single `OCIS_ENABLE_OCM=true` flag enables all OCM (Open Cloud Mesh) federation services and routing at once, eliminating per-service configuration for federation deployments. Introduced v6.3.0.
- gRPC Max Connection Age— Service Configuration
- `GRPC_MAX_CONNECTION_AGE` limits the lifespan of gRPC connections, triggering DNS re-resolution for updated pod IPs in dynamic Kubernetes environments. Critical for stable service mesh behavior during rolling updates. Introduced v6.3.0.
- OCM Invite Email Notifications— Notifications
- The notification service sends an email to the invited user when an OCM federation invite is generated, and the audit service logs the event. Provides an end-to-end invite workflow from creation through email delivery. Introduced v6.4.0.
- Unified Roles Management CLI— Role Management
- `ocis graph list-unified-roles` lists all available unified roles with their UID, description, and enabled status. Allows operators to audit role availability and verify `GRAPH_AVAILABLE_ROLES` configuration. Introduced v6.4.0.
- OCIS_DEFAULT_LANGUAGE Global Locale— Localization
- `OCIS_DEFAULT_LANGUAGE` sets the default locale for all localization-aware services (activitylog, graph, notifications) when user locale is unavailable. Eliminates per-service locale configuration for multilingual deployments. Introduced v6.4.0.
- Configurable Share Auto-Acceptance Concurrency— Concurrency
- `FRONTEND_MAX_CONCURRENCY` controls the number of goroutines processing automatic share acceptance concurrently (default 25). Enables throughput tuning in high-volume share environments without additional service instances.
- Admin Settings Pagination Controls— Admin UI
- Administrators can configure the page size for users, groups, and spaces lists in the admin settings panel, enabling management of large directories without infinite scroll degradation. Introduced web v7.1.0.
- Include-Disabled Spaces Filter in Admin UI— Space Management
- The admin spaces overview includes an opt-in "include disabled" filter (off by default) so disabled spaces are hidden from the main view but accessible on demand without a separate query. Introduced web v9.0.0.
- API-Driven User Type Promotion and Demotion— User Lifecycle Management
- Administrators can upgrade or downgrade a user between Full and Light account types via the Graph API (`PATCH /users/{id}/appRoleAssignments`). The server automatically enables or disables the personal space and preserves all project spaces and shares during the transition.
- Regex Wildcard Role-Claim Mapping— Role Management
- The auto-provisioning role assignment configuration accepts regular-expression patterns, allowing a single mapping rule to match many OIDC claim values to one oCIS role (e.g., `ocis-user-.*` → user-light). Reduces mapping table size and maintenance burden.
- Graph API User-Type Filter— Directory API
- The Microsoft Graph-compatible `/users` endpoint supports `$filter=userType eq '<type>'` (Federated, Guest, Member), allowing callers to retrieve only users of a specific type. Federated users are hidden from default results unless explicitly requested.
- CLI Personal Space Deletion— Storage Lifecycle
- A dedicated CLI command allows administrators to delete a user's personal space from the command line, enabling scripted offboarding workflows without requiring web UI access.
- CLI Orphaned Grant Cleanup— Storage Maintenance
- A CLI maintenance command scans for and removes share grant records whose backing resources no longer exist, preventing stale grants from cluttering the permission store and improving system hygiene.
- CLI Stuck-Upload Blob Rescue— Storage Maintenance
- A CLI command identifies upload sessions whose blobs are stranded in a temporary location and moves them to the correct destination, resolving stuck-upload conditions without service restarts or direct storage access.
- On-Demand Search Index Optimization— Search Maintenance
- `ocis search optimize` triggers an immediate Bleve index compaction, merging segments to reduce disk footprint and improve query performance. Useful after bulk ingestion events without requiring a full reindex.
- Multi-ObjectClass LDAP Group Creation— Directory Integration
- The Graph API group creation endpoint accepts multiple LDAP objectClass values in a single request, enabling oCIS to create groups conforming to composite LDAP schemas used in enterprise directories without post-creation modification.
- Configurable Maintenance Banner— Operational Communication
- A server-side configuration activates a prominent maintenance notice displayed to all users in the web UI, enabling admins to communicate planned downtime or system messages without direct user contact. Introduced web v7.2.0.
- Corrupt Public Share Cleanup CLI— Data Integrity
- Introduces an `ocis clean-corrupt-public-shares` CLI command that scans and removes malformed or corrupt public share database entries, helping administrators recover from data integrity issues without manual database intervention.
- Maintenance Banner with Configurable Content— System Communications
- Introduces a configurable in-product maintenance banner that administrators can enable via server-side configuration to communicate planned downtime or maintenance windows to all active users.
- Admin Settings MFA Step-Up Gate— Access Controls
- If the MFA capability is enabled on the server, accessing the admin settings area requires MFA completion, protecting administrative functions from unauthorised access even for authenticated users.
- Admin Groups Server-Side Search— Group Management
- The group search in admin settings now uses the server-side API search parameter instead of client-side filtering, improving accuracy and performance when managing deployments with large numbers of groups.
- Share Controls Hidden for Disabled Spaces— Space Management
- Sharing-related UI controls are hidden when a space has been disabled, preventing users from attempting to create new shares within spaces that are no longer active without displaying confusing error messages.
- Android Logging Configuration Controls— Mobile Administration
- Administrators and support staff can configure log level and log file behaviour directly from the Android app settings, facilitating on-device diagnostic data collection without requiring device management infrastructure.
- iOS Watermark MDM Parameter Extensions— Mobile Administration
- Administrators can configure watermark display behaviour on iOS via additional MDM parameters, including toggles for when watermarks appear and what metadata fields are included in the watermark text.
- iOS MDM File Provider Access Control— Mobile Administration
- An MDM parameter controls whether the iOS Files app integration (File Provider extension) is enabled, allowing administrators to restrict ownCloud file access to the native app only on managed devices.
- iOS Space Admin Permission-Aware Actions— Space Management
- Administrative actions in the iOS space detail view, such as editing space metadata or managing members, are shown only to users who have the space manager role, keeping the interface clean for regular members.
- Space Alias Resolution— Administration and Governance
- Every space is assigned a human-readable alias that clients can use to resolve the space ID. Aliases allow applications to construct stable, user-readable URLs and navigation paths for project spaces and personal drives.
- Spaces List OData Sort Order— Administration and Governance
- The Graph API `/me/drives` and spaces endpoints support the OData `$orderby` query parameter. Administrators and clients can sort spaces by name or lastModifiedDateTime ascending or descending.
- Graph API Delete and Purge Spaces Endpoint— Administration and Governance
- A dedicated Graph API endpoint allows administrators to permanently delete a disabled space and purge all its data. Separate delete and purge operations let admins control the two-step deletion lifecycle.
- All Spaces Admin Listing API— Administration and Governance
- Administrators can call the Graph API to list all storage spaces across all users, not just their own. This endpoint enables admin dashboards, audits, and quota management tooling to enumerate every space in the system.
- Quota State Reporting— Administration and Governance
- The storage service reports per-space quota states (total, used, remaining) in the Graph API drives response. Administrators and users see accurate quota consumption without making additional API calls.
- Administrator Password Change via GraphAPI— Administration and Governance
- Administrators can change any user's password through the Graph API `/me/changePassword` endpoint. This enables password reset workflows for administrators without requiring direct LDAP or IdM access.
- Custom Logo Upload Endpoint— Administration and Governance
- Administrators can upload a custom logo image via the Graph API, replacing the default ownCloud logo in the web UI. The logo is served from the same oCIS instance, requiring no external CDN or asset hosting.
- Default Quota per Role Configuration— Administration and Governance
- Administrators can configure a default storage quota that applies automatically to new users based on their assigned role. Different roles (admin, user, guest) can receive different default quotas without manual assignment.
- System User ID Override for Storage-System Service— Service Configuration
- Administrators can set the OCIS_SYSTEM_USER_ID environment variable to specify a custom system user identity for the storage-system service, replacing the built-in default for environments that require deterministic identity values.
- Project Spaces Capability Toggle— Space Management
- Administrators can enable or disable advertisement of the project spaces feature capability to clients, allowing staged rollouts or suppression of the feature in deployments where it is not yet intended for use.
- Space Membership Endpoint OCS Config— Service Configuration
- The OCS service configuration now exposes the space membership endpoint URL, enabling clients to correctly discover and call the API for managing membership in project spaces.
- Demo Users Generation On-Demand Toggle— Deployment Configuration
- Administrators can control whether demo users and groups are auto-created at startup via a dedicated configuration option, ensuring that production and security-sensitive deployments do not generate test accounts by default.
- Configurable Storage Driver System User UUID— Service Configuration
- Administrators can set the system user UUID used by the oCIS storage driver via configuration, ensuring it aligns with the value configured in the accounts service across custom or distributed deployments.
- oCIS Version Command for All Services— CLI Management
- Administrators can run a top-level version command on the oCIS binary to enumerate all services registered in the oCIS namespace along with their version strings, simplifying deployment verification and troubleshooting.
- Configurable JSONcs3 Share Manager Cache TTL— Service Configuration
- Administrators can tune the cache time-to-live for the JSONcs3 share manager, controlling the balance between share listing performance and cache staleness in high-traffic deployments.
- Delete-All-Spaces Administrator Permission— Space Management
- Administrators can clean up orphaned spaces whose owners have been deleted using the new "delete-all-spaces" permission, assigned to the Admin role by default, without requiring space membership.
- Default and Maximum Quota Policies for Spaces— Quota Management
- Administrators can define separate default and maximum storage quota amounts for personal and project spaces, ensuring consistent storage allocation policies and preventing uncapped usage across the deployment.
- Configurable LDAP Substring Search Filter Type— LDAP Configuration
- Administrators can configure the LDAP substring filter type (`initial`, `final`, or `any`) for user and group sharee searches; the default is now full substring matching (`any`), returning more relevant results when searching mid-string in display names.
- Expired TUS Uploads Listing and Cleanup CLI— Storage Maintenance CLI
- Administrators can list and remove expired TUS resumable upload sessions using a dedicated CLI command, reclaiming storage space from stalled or abandoned file uploads without manual intervention.
- Share Provider Migration CLI Command— Share Migration CLI
- Administrators can migrate shares and public shares between different share manager backends using the `ocis migrate` CLI command and its subcommands, enabling non-disruptive transitions between share storage providers.
- Create Space Permission Role— Permission Management
- Administrators can assign a dedicated create-space permission to specific roles, restricting which accounts are authorized to provision new Storage Spaces and preventing uncontrolled proliferation of spaces in a deployment.
- Set Space Quota Permission Control— Permission Management
- Administrators can assign a SetSpaceQuota permission to selected roles, controlling which users or admins are authorized to configure storage quota limits on individual Storage Spaces.
- Proxy Layer Request Access Logging— Request Auditing
- Administrators can review comprehensive access logs generated by the oCIS proxy that capture every incoming request including the remote address and the selected routing policy, regardless of how the request is ultimately handled.
- Configurable OCS User Backend— User Backend Configuration
- Administrators can configure the OCS service to use a custom user backend, providing flexibility to integrate with different user directory sources and support diverse enterprise identity environments without modifying the service itself.
- Active Storage Quota Enforcement— Storage Quota Management
- Administrators can set per-space storage quotas that are actively enforced at upload time, preventing users from writing data that would cause a space to exceed its configured storage limit.
- Accounts Index Rebuild CLI Command— Index Management
- Administrators can trigger a full rebuild of the accounts search index using the `ocis accounts rebuild` CLI command, restoring index consistency after data migrations or corruption events.
- Per-Service Version CLI and Build Metrics— Service Observability
- Administrators can query the version and build metadata of individual oCIS services via a dedicated CLI version subcommand and metrics endpoint, simplifying version tracking and troubleshooting across multi-service deployments.
- Account Lifecycle Management in Web UI— User Account Management
- Administrators can enable, disable, create, and delete user accounts directly from the oCIS Accounts web interface, providing full user lifecycle management without requiring CLI or API access.
- Accounts Service CLI Management Subcommands— User Account Management
- Administrators can list, create, and manage user accounts from the command line via the `ocis accounts` subcommand, enabling scriptable account administration without the web interface.
- PROPFIND DEPTH Infinity Toggle— WebDAV Protocol
- Administrators can enable or disable DEPTH:infinity support in WebDAV PROPFIND requests via configuration, balancing client compatibility with server load.
- Web Token Storage Local Option— Web Configuration
- Administrators can enable storing the web client access token in browser local storage via WEB_OPTION_TOKEN_STORAGE_LOCAL, providing an alternative to session storage for specific deployment scenarios.
- Postprocessing Pipeline Restart Command— Postprocessing Management
- Administrators can restart the complete postprocessing pipeline via the ocis postprocessing restart CLI command when no active postprocessing is running, recovering from stuck upload processing without a full service restart.
- Post-Logout Redirect URI Configuration— Web Configuration
- Administrators can configure a custom URL that the web client redirects to after a user logs out, enabling integration with external landing pages or single sign-on portals.
- Global File Preview Disable Option— Thumbnail Configuration
- Administrators can disable all file thumbnail generation system-wide via OCIS_DISABLE_PREVIEWS, or per service via WEB_OPTION_DISABLE_PREVIEWS and WEBDAV_OPTION_DISABLE_PREVIEWS, reducing CPU and storage usage in resource-constrained deployments.
- Access Denied Help URL Configuration— Web Configuration
- Administrators can configure a custom help link URL displayed on the access denied page in the web interface via WEB_OPTION_ACCESS_DENIED_HELP_URL, directing users to internal documentation or support resources.
- Disable WOPI Chat Setting— WOPI Integration
- Administrators can disable the chat functionality embedded within WOPI collaborative editing sessions via the WOPI_DISABLE_CHAT environment variable, simplifying the collaboration interface when integrated chat is not desired.
- Web Imprint and Privacy URL Configuration— Web Configuration
- Administrators can configure imprint and privacy policy URLs displayed in the web interface via WEB_OPTION_IMPRINT_URL and WEB_OPTION_PRIVACY_URL, meeting legal disclosure requirements in regulated regions.
- End User License Agreement Enforcement— Compliance Configuration
- Administrators can configure an End User License Agreement that users must accept before accessing the system, ensuring legal compliance and organizational usage policy acceptance are captured at login.
- Disable Email Notifications Setting— Notification Configuration
- Administrators can globally disable all email notifications via a single configuration setting, enabling deployments where email is handled by an external system or where email notifications are not desired.
- Education School Name Number PATCH— Education Management
- Administrators can update a school's display name or school number via PATCH requests to the Graph education/schools endpoint, enabling correction of school records without deleting and recreating entries.
- Configurable Graph Group Patch Limit— Graph API Configuration
- Administrators can set the maximum number of users that may be modified in a single Graph API group PATCH request, providing control over API throughput and server resource consumption.
- Identity Display Name in Drive Responses— Graph Drives API
- The Graph drives API includes the displayName property for user and group identity sets in drive responses, enabling administration interfaces to display names without requiring additional lookup requests.
- School Lookup by ID or Number— Education Management
- Administrators can retrieve or delete education schools using either their internal UUID or an external school number, providing flexibility for systems that identify schools by numeric codes.
- Education Schools and Classes Graph API— Education Management
- oCIS provides dedicated Graph API endpoints for creating and managing education schools, users, and classes (/education/schools, /education/users, /education/classes), enabling integration with school information systems for organizational and user management.
- Space Name Validation and Sanitization— Space Management
- oCIS enforces Space name length limits (max 255 characters), rejects reserved characters, and silently trims leading and trailing whitespace on creation and update, preventing malformed Space names.
- Read-Only User Attribute Capability Flags— Service Configuration
- The server advertises capability flags indicating which user profile attributes are read-only, allowing web clients to automatically disable editing controls for fields managed by external identity providers or LDAP.
- Read-Only LDAP Group Subtree Boundary— LDAP Integration
- Administrators can configure a dedicated create base DN for writable LDAP groups; all groups outside this subtree are treated as read-only, enabling hybrid deployments that combine a read-only LDAP replica with a locally managed writable group subtree.
- Group Rename via Graph API PATCH— Group Management
- Administrators can rename groups by issuing a PATCH request to the Graph API group endpoint, enabling self-service group name management directly through the API without requiring LDAP directory tools.
- Add Group Members by Name or Group ID— Group Management
- Administrators can add users to groups by specifying either the group display name or the group ID in the Graph API request, providing flexibility for integrations that reference groups by name rather than internal identifier.
- DecomposedFS Node Metadata Inspection CLI— Storage Administration
- Administrators can use the ocis decomposedfs metadata command to dump, inspect, and modify individual file and folder metadata attributes at the storage layer, supporting troubleshooting, auditing, and migration operations.
- Dedicated Project Space Quota Permission— Space Management
- A new Drive.ReadWriteQuota.Project permission grants Space Admins and system Admins the ability to change storage quotas for project spaces, separating this operation from personal space quota management.
- Education User Creation Without Email— Education API
- Administrators can provision education user accounts via the Graph API without providing an email address, accommodating school systems where students or staff may not have institutional email accounts.
- Role-Based Default Storage Quota Assignment— Quota Management
- Administrators can map specific user role IDs to default storage quota values in bytes in the proxy configuration, automatically applying the appropriate quota when users with those roles are first provisioned into oCIS.
- Custom Organization Logo Upload via Branding API— Branding and Theming
- Administrators can upload a custom organization logo and reset it to the default through dedicated Branding API endpoints, with the file served by the web service and the theme configuration automatically updated to reference the new logo path.
- Teacher Roster Management for Education Classes— Education API
- Administrators can list, add, and remove teachers from education classes via the Graph API, completing teacher and student roster management for school-based oCIS deployments.
- User Account Username Rename via Graph API— User Management
- Administrators can rename a user's login username through the Graph API, with the change propagated to the LDAP backend and all internal member references updated accordingly.
- Trash Bin Expiration Purge CLI Command— Storage Administration
- Administrators can run ocis storage-users trash-bin purge-expired to automatically delete all trash bin items older than a configured expiration period across personal and project spaces, reclaiming storage without manual intervention.
- School-to-Class Assignment via Graph API— Education API
- Administrators can assign and unassign education classes to schools through dedicated Graph API endpoints, enabling class roster organization within multi-school oCIS education deployments.
- Granular Space Management Role Permissions— Space Management
- New dedicated space management permissions allow organizations to grant specific space administration capabilities to designated users independently of full system administrator access, enabling role-based space governance.
- User Account Provisioning Without Email Address— User Provisioning
- Administrators can create user accounts through the Graph API without providing an email address, supporting deployments where not all users have or require an email account, such as service accounts or student populations.
- Education Class Property Updates via PATCH— Education API
- Administrators can update education class attributes such as display name via a PATCH request to the Graph API, enabling ongoing class record maintenance without deleting and recreating the class.
- Legacy Username Validation Bypass for Import— User Provisioning
- Administrators can configure oCIS to skip strict username format validation, trusting the upstream provisioning system, which allows users with non-standard characters in their usernames to be imported from legacy systems or existing LDAP directories.
- Given Name and Surname in User Profile Response— User Provisioning
- The Graph API now returns givenName and surname fields in user profile responses, enabling clients to display properly formatted names and supporting directory integrations that rely on structured first and last name data.
- Space ID Visible in Admin Settings— Space Management
- Administrators can see the unique space ID directly in the admin settings interface, making it easier to reference specific spaces when working with APIs, logs, or support tickets without needing separate tooling.
- Capability-Driven Space Member Management Visibility— Space Access Control
- Administrators can configure a capability to hide the "Add members" section and member edit options in space settings, allowing organizations to restrict who can modify space membership through policy.
- Inline Editable Group Names in Admin Settings— Group Management
- Administrators can edit group names directly within the admin settings interface without creating a new group, simplifying group lifecycle management for large deployments.
- Group Member List in Admin Sidebar— Group Management
- Administrators can open the details sidebar for any group in admin settings to see and manage its current member list, consistent with the spaces management experience.
- Unified Batch Group Assignment for Users— User Management
- Administrators can add or remove multiple users from groups simultaneously via a single "Edit groups" action in the user management batch actions, replacing two separate add and remove buttons.
- Space Disable and Delete Controls for Admin-Role Users— Space Governance
- Users assigned the admin role can disable and delete spaces owned by other users directly from admin settings, without needing a separate super-admin account.
- No-Group Filter Option in User Management— User Filtering
- Administrators can filter the user list to show only users who are not members of any group, making it easy to identify ungrouped accounts that may need attention.
- Sortable Member Count Column in Groups Table— Group Management
- Administrators can sort the groups list by member count in the admin settings, making it easy to identify the largest or smallest groups at a glance.
- Optimized User Listing for Large Installations— User Management
- Administrators managing large user bases benefit from improved user listing performance in admin settings, reducing page load times by limiting field expansion in the underlying Graph API queries.
- Configurable User Search Display Attributes— User Search Configuration
- Administrators can configure which user attributes appear in user search results using `UserSearchDisplayedAttributes`, enabling larger deployments to surface richer profile fields such as department or employee ID beyond just email.
- Client Context Logging on Auth Failures— Audit Logging
- Administrators can see client user agent, IP address, and peer network information in proxy logs whenever authentication errors occur, helping trace and diagnose unauthorized access attempts in complex network environments.
- Server-Side Listing Pagination in Admin Settings— Admin Settings UI
- Administrators experience fast, non-blocking user, group, and space listings in the admin settings panel through server-side pagination and filtering, preventing browser timeouts and server overload when managing large organizational directories.
- Accurate Quota Display for S3-Backed Spaces— Space Quota Management
- Administrators viewing project spaces backed by S3 object storage see accurate quota representations rather than misleading metadata-disk-derived figures, correctly reflecting that actual file blobs are stored in object storage rather than on the local filesystem.
- Static API Token for Deprovisioning Requests— User Lifecycle Management
- Administrators can authenticate deprovisioning notification requests using a static API token that takes precedence over standard permission checks, enabling reliable automated user lifecycle management integrations.
- Batch Group Membership Management via API— Group Management
- Administrators can add or remove multiple users from a group in a single Graph API PATCH request following the Microsoft Graph batch pattern, significantly reducing the number of backend calls required for bulk group membership provisioning.
- DisplayName Filter on Graph Users Endpoint— User Management API
- Administrators and developers can filter the Graph API `/users` endpoint using `startswith` and `contains` OData expressions on the `displayName` field, enabling efficient user discovery in large directories without retrieving the full user list.
- Default Storage Quota for New User Accounts— User Quota Management
- Administrators can configure a default storage quota applied to all newly created users via `GRAPH_SPACES_DEFAULT_QUOTA`, preventing unlimited storage consumption in environments with open or externally driven user registration.
- Admin Deletion of Orphaned Project Spaces— Space Management
- Administrators can manage and delete Project Spaces that have no remaining manager members—such as those left without a manager after the creator account is removed—preventing inaccessible orphaned spaces from accumulating in the system.
- Single-Request User Group Assignment API— Group Management
- Administrators can set a user's complete group membership or a group's complete user list in one API request rather than managing individual add/remove relationships separately, reducing backend round-trips for bulk provisioning and synchronization operations.
- LDAP User Provisioning via Graph API— User Management API
- Administrators can create and delete users in LDAP-backed oCIS deployments using standard Graph API POST and DELETE requests, enabling programmatic user provisioning pipelines without requiring direct LDAP access or separate tooling.
- Persistent Store for Public Link Attempts— Service Configuration
- Administrators can configure a persistent store backend for tracking public link access attempts, ensuring brute-force protection and rate-limiting state survives pod restarts.
- OIDC Claim-Based Managed Space Assignment— Identity Configuration
- Administrators can configure OIDC token claims to automatically assign users to managed spaces upon authentication, enabling claim-driven space provisioning through the Helm chart.
- Daily and Weekly Notification CronJobs— Scheduled Maintenance
- Administrators can enable scheduled Kubernetes CronJobs to dispatch daily and weekly email notification digest messages to users, configurable via Helm values with NATS stream integration.
- Configurable CronJob Timezone— Scheduled Maintenance
- Administrators can specify a IANA timezone for all oCIS maintenance CronJobs, allowing upload cleanup, postprocessing restarts, and notification jobs to run at local business hours while correctly observing daylight saving time transitions.
- Core Icons ConfigMap Override— Web UI Customization
- Administrators can provide a custom icon set for the oCIS web interface via a Kubernetes ConfigMap reference in Helm values, enabling branded icon replacements across the UI without rebuilding container images.
- Upload Cleanup Job Filter Parameters— Scheduled Maintenance
- Administrators can configure the upload cleanup CronJob to target only expired uploads that are not actively being processed, reducing the risk of interrupting in-progress file transfers during scheduled maintenance.
- Sharing and Userlog Concurrency Tuning— Service Configuration
- Administrators can set the event consumer concurrency level independently for the sharing and userlog services, enabling performance optimization under high sharing activity and notification workloads.
- Local Token Storage Configuration Option— Web UI Configuration
- Administrators can control whether authentication tokens are stored in browser local storage via a Helm value, enabling compliance with policies that restrict token persistence to session-only or cookie-based storage.
- Collaboration App Product Name Configuration— Office Integration Configuration
- Administrators can configure the product name and description exposed by the collaboration service, enabling deployments that use a custom-branded or non-default office application name in the oCIS web UI.
- Antivirus Event Consumer Concurrency— Antivirus Configuration
- Administrators can tune the number of concurrent antivirus scan workers consuming the NATS event queue, balancing scan throughput against available antivirus server capacity during peak upload periods.
- Postprocessing Event Consumer Concurrency— Service Configuration
- Administrators can configure the concurrency level for the postprocessing service's NATS event consumers, accelerating the file upload processing pipeline under heavy load.
- Frontend Service Max Concurrency Limit— Service Configuration
- Administrators can set a maximum concurrency value for frontend service event processing via Helm values, providing a resource consumption cap that prevents overload during traffic spikes.
- SSE Connection Keepalive Interval Setting— Service Configuration
- Administrators can configure the Server-Sent Events keepalive interval for the SSE service, allowing tuning for environments with aggressive idle connection timeouts or load balancers that close inactive HTTP streams.
- Unified Sharing Role Configuration— Access Control Configuration
- Administrators can enable and configure unified roles for the oCIS sharing permission model via Helm values, providing a consistent role set across internal shares and external federated sharing scenarios.
- WOPI Proof Key Verification Toggle— Office Integration Configuration
- Administrators can disable WOPI proof key validation via Helm configuration, accommodating office suite integrations that do not support WOPI proof keys while maintaining all other security and authentication controls.
- Thumbnail Maximum Image Dimension Limits— Thumbnail Service Configuration
- Administrators can set maximum pixel width and height for images submitted to the thumbnails service, preventing resource exhaustion and out-of-memory kills caused by abnormally large image files.
- Graph Service Default Language Setting— Localization Configuration
- Administrators can configure a default display language for the Graph service, ensuring consistent localization of system-generated content and email notifications in multi-language deployments.
- User Email Visibility in Share Search— Privacy Configuration
- Administrators can control whether user email addresses appear in sharing search results via Helm values, defaulting to hidden to align with privacy-first deployment policies and data protection requirements.
- Thumbnails Service CORS Configuration— Service Configuration
- Administrators can configure CORS headers for the thumbnails service via Helm values, enabling cross-origin thumbnail requests from browser-based clients or embedded third-party applications.
- Office Suite Chat Disable Option— Office Integration Configuration
- Administrators can disable the integrated chat feature within the connected office suite (Collabora/OnlyOffice) through Helm configuration, enforcing communication channel policies without modifying the office application itself.
- Storage-Users Service CORS Configuration— Service Configuration
- Administrators can configure CORS headers for the storage-users service, enabling TUS chunked file uploads from browser clients hosted on different origins without proxy-level CORS workarounds.
- Thumbnail Service Concurrency and Cleanup Controls— Thumbnail Service Configuration
- Administrators can configure concurrency limits and enable periodic cache cleanup for the thumbnails service, preventing out-of-memory terminations and disk exhaustion under sustained thumbnail generation workloads.
- Proxy Additional Routing Policies— Proxy Configuration
- Administrators can define additional custom routing policies for the oCIS proxy service via Helm values, enabling fine-grained request routing rules for specific paths or services beyond the built-in policy set.
- Backup Resource Label Annotation— Backup and Recovery
- Administrators can attach configurable labels to the specific oCIS Kubernetes resources that require backup, allowing backup tools such as Velero to select and protect only backup-critical persistent resources by label selector.
- Storage-Users Event Consumer Concurrency— Service Configuration
- Administrators can tune the number of concurrent event consumers for the storage-users service, accelerating postprocessing queue drain and reducing backlog after high-volume upload bursts.
- Storage-Users CLI Gateway gRPC Address Config— CLI Operations
- Administrators can configure the gateway gRPC address for the storage-users service in the Helm chart, enabling oCIS CLI maintenance tools to connect to the running service for administrative operations such as orphan cleanup in Kubernetes deployments.
- Email Address Masking in Share Search— Privacy Configuration
- Administrators can configure oCIS to mask user email addresses in the share recipient search dialog, satisfying data minimization requirements while preserving the ability for users to discover colleagues by name.
- Consolidated Postprocessing Restart CronJob— Scheduled Maintenance
- Administrators have a single unified CronJob that restarts stuck postprocessing for both store-tracked and disk-only untracked files, replacing multiple separate maintenance jobs and reducing operational overhead.
- Service Account Assignment for Storage-Users CronJobs— RBAC and Security
- Administrators can configure dedicated Kubernetes service accounts for storage-users maintenance CronJobs, ensuring the jobs carry the correct RBAC permissions to access oCIS service account identifiers and run without authorization failures.
- Theme ConfigMap Mount Path Override— Web UI Customization
- Administrators can specify a custom filesystem mount path for the oCIS theme ConfigMap, allowing flexible co-location of custom themes alongside other configuration volumes without path conflicts.
- CronJob Suspend-State Management— Scheduled Maintenance
- Administrators can deploy all oCIS maintenance CronJobs pre-suspended and activate individual jobs on demand via Helm values, providing precise control over when scheduled maintenance tasks execute in production environments.
- SSE Service Enable/Disable Toggle— Service Configuration
- Administrators can disable the Server-Sent Events service entirely via a Helm value, supporting deployments where real-time push notifications are not required or where persistent SSE connections are incompatible with the network infrastructure.
- SMTP Encryption Mode Selection— Email Configuration
- Administrators can select from an expanded set of SMTP connection encryption modes with a more secure default via Helm values, ensuring outgoing oCIS notification emails are protected in transit according to current security standards.
- Sharing Service Helm Values— Service Configuration
- Administrators can tune sharing service behavior through dedicated Helm values, controlling how the sharing service accepts and enforces file-share operations within the oCIS Kubernetes cluster.
- Email Encryption Default and Deprecation Markers— Notification Configuration
- Administrators receive an updated default encryption method for outbound email and clear deprecation markers on obsolete mail configuration options that will be removed in a future major oCIS version, guiding migration planning.
- System-Wide Default Language Configuration— Locale Settings
- Administrators can set the default language for the entire oCIS instance through a Helm value, ensuring email notifications and the web interface are served in the preferred locale for users who have not set an individual preference.
- Fulltext Search Extractor File Size Limit— Search Configuration
- Administrators can set the maximum file size the oCIS search extractor processes for full-text indexing through Helm configuration, balancing search coverage against extraction service load and memory use for large files.
- OnlyOffice Chat Panel Disable Toggle— Office Integration
- Administrators can disable the OnlyOffice built-in chat panel through Helm configuration, preventing the in-editor chat feature from appearing to users when it conflicts with organizational communication policies or compliance requirements.
- Postprocessing Pipeline Steps Configuration— File Processing
- Administrators can specify which post-processing steps execute after file uploads by configuring POSTPROCESSING_STEPS through Helm values, giving fine-grained control over which pipeline stages such as virus scanning or format conversion are active.
- Archiver Service Download Settings— Service Configuration
- Administrators can configure the oCIS archiver service behavior through Helm values, including maximum archive size and compression options for the download-as-archive feature that lets users download multiple files as a single compressed bundle.
- Resharing Permission Enable Disable— Sharing Policy
- Administrators can enable or disable resharing through Helm values, controlling whether recipients of shared files or spaces are permitted to share them onward with additional users within the oCIS instance.
- Configurable oCIS Product Edition— Instance Configuration
- Administrators can set the oCIS product edition identifier through Helm configuration, enabling enterprise deployments to display the correct edition branding and activate edition-specific feature sets within the running instance.
- User Account Enable Disable Controls— User Management
- Administrators can configure the environment variables that govern enabling and disabling user accounts in oCIS through Helm values, providing controls to suspend user access without deleting the account or its associated data.
- Public Link Password and Search Controls— Sharing Policy
- Administrators can configure password requirements for public links and set the minimum character threshold for the user search autocomplete through Helm values, enforcing sharing policies for unauthenticated access and controlling how recipients are discovered.
- Read-Only User Attribute Enforcement— User Management
- Administrators can designate specific user profile attributes as read-only through Helm values when using external user management, preventing oCIS from allowing users to modify fields that are authoritatively managed by the external directory.
- Web Interface Branding and Theme— Instance Configuration
- Administrators can configure visual branding for the oCIS web interface through Helm values, including custom themes, color schemes, and logo assets to align the file platform appearance with organizational corporate identity standards.
- Custom Instance Favicon Volume Mount— Instance Configuration
- Administrators can mount a custom icon file into the oCIS web service container through Helm configuration, replacing the default oCIS favicon with an organization-specific icon shown in browser tabs and bookmark entries.
- Policies Service Kubernetes Deployment— Service Deployment
- The oCIS policies service is deployable as a dedicated Kubernetes workload through the Helm chart, enabling administrators to enforce OPA-based access control policies that govern file operations and sharing across the entire platform.
- Role-Based Default Storage Quota— Quota Management
- Administrators can assign default storage quotas to oCIS roles through Helm values, automatically applying per-role space limits so users inherit the appropriate quota based on their assigned role without individual quota configuration.
- Tika Content Extractor for Search— Search Configuration
- Administrators can configure the oCIS search service to use Apache Tika as the content extractor for full-text indexing by specifying the Tika endpoint through Helm values, enabling document text to be extracted and made searchable across the file platform.
- Web Runtime Configuration Options— Web Interface Configuration
- Administrators can set oCIS Web runtime configuration parameters through Helm values, controlling client-side behaviors such as upload chunk sizes, maximum concurrent uploads, and feature visibility toggles without rebuilding the web application.
- Group-Level Storage Quota Configuration— Quota Management
- Administrators can assign storage quotas at the group level through Helm values, applying different space limits to groups of users without requiring individual quota configuration for each user account in the directory.
- Notifications Service SMTP Configuration— Notification Configuration
- Administrators can configure the oCIS notifications service with SMTP server details, credentials, and sender identity through Helm values, enabling outgoing email delivery for sharing invitations, space events, and system-generated notifications.
Clients
- Cross-Platform Desktop Sync Client— Desktop Sync
- The ownCloud Desktop Client runs natively on Windows, macOS, and Linux and continuously keeps local folders in sync with an oCIS server in the background. Managed via a system-tray presence; no manual intervention required.
- Command-Line Sync Client (owncloudcmd)— Desktop Sync
- A headless CLI client is bundled alongside the GUI desktop app, enabling scripted, automated, and server-side sync workflows without the graphical interface.
- Enterprise-Grade Desktop Release Cadence— Desktop Sync
- The desktop client has a long, active release history (v6.x series as of 2026), reflecting a mature product with predictable update cycles under enterprise support.
- GNOME/Nautilus File Manager Sync Overlays— Shell Integration
- A native extension for the GNOME Nautilus file manager (and Nemo/Caja forks) surfaces real-time ownCloud sync-status overlay icons directly on files and folders, so users see sync state without leaving the OS file manager.
- GNOME File Manager ownCloud Context Menu— Shell Integration
- Right-click context menus in Nautilus, Nemo, and Caja expose ownCloud-specific actions (share, open in browser, copy link) directly in the file manager.
- KDE Dolphin Sync Status Overlays— Shell Integration
- A native KDE Frameworks 6 / Qt 6 plugin integrates ownCloud sync-state overlay icons into the Dolphin file manager on KDE Plasma, matching the experience available on Windows and macOS.
- Broad Linux Desktop Coverage— Shell Integration
- Shell integrations span GNOME, Cinnamon (Linux Mint), MATE, and KDE Plasma from a single unified ecosystem, ensuring ownCloud feels native across the full breadth of enterprise Linux desktops.
- iOS Files App Integration— Mobile iOS
- The ownCloud iOS app integrates directly into Apple's iOS Files app, enabling users to access and collaborate on ownCloud files from any Files-compatible third-party app without switching context.
- iOS Share and Action Extensions— Mobile iOS
- iOS Share and Action Extensions let users send files to ownCloud or open ownCloud files directly from other iOS apps, making ownCloud a first-class participant in the native iOS sharing model.
- iPadOS Power-User Support— Mobile iOS
- The app is optimized for iPadOS with multi-select, drag-and-drop, and large-canvas workflows for productive file management on tablets in enterprise environments.
- iOS Enterprise Certificate and Password-Manager Integration— Mobile iOS
- The iOS app supports custom certificate management and integrates with password managers, meeting enterprise security requirements for strict credential and PKI policies.
- iOS SDK for Custom App Development— Mobile iOS
- The ownCloud iOS SDK provides third-party developers and enterprise teams a full API for building custom ownCloud-connected iOS apps, including async file operations, OAuth2 auth, offline/background transfers, and a local database cache layer.
- Android oCIS and ownCloud 10 Backend Compatibility— Mobile Android
- The Android app and its test suite validate compatibility with both the modern oCIS backend and legacy ownCloud 10, ensuring continuity of mobile access during and after enterprise migration.
- Android Automated E2E Scenario Testing— Mobile Android
- A Gherkin/Appium behavior-driven test suite continuously validates core Android app workflows — file operations, sharing, and Spaces — against real devices and server backends, ensuring release quality and reducing regression risk.
- Android WebDAV/CalDAV/CardDAV Library (dav4android)— Protocol Support
- dav4android provides standards-based WebDAV, CalDAV, and CardDAV protocol support as the transport foundation for the ownCloud Android app, enabling interoperability with any standards-compliant server.
- JavaScript WebDAV/CalDAV/CardDAV Client (davclient.js)— Protocol Support
- davclient.js provides a WebDAV, CalDAV, and CardDAV client for browser and Node.js environments, enabling standards-based file, calendar, and contact access from JavaScript web applications.
- Python Client SDK (pyocclient)— Protocol Support
- pyocclient is a pure-Python SDK for the ownCloud API offering file operations, sharing, and user/group management via a clean programmatic interface. Installable via pip; widely adopted for scripting and automation use cases.
- AI-Native MCP Server for oCIS— Developer Integration
- The oCIS MCP server (`ocis-mcp-server`) exposes 80 AI-callable tools across 13 capability categories — files, spaces, users, sharing, federated sharing, search, notifications, and more — enabling AI assistants (Claude, etc.) to manage ownCloud through natural language. Ships as binaries for Mac/Windows/Linux, a Docker image, and supports stdio and HTTP transport.
- MCP Federated Sharing Tools— Developer Integration
- The oCIS MCP server exposes Open Cloud Mesh federation tools, allowing AI assistants to create and manage cross-organization shares with remote oCIS providers — bringing federated sovereignty to AI-driven workflows.
- MCP Multi-Platform Deployment— Developer Integration
- The MCP server integrates directly with Claude Desktop, Claude Code, and any MCP-compatible AI client with no additional infrastructure required.
- ownCloud 10 to oCIS Migration CLI— Migration Tools
- A structured, CLI-driven migration tool (`migrate_to_ocis`) migrates users, groups, files, and all share types (user shares, group shares, public links) from ownCloud Classic to oCIS without modifying or disrupting the source instance.
- Non-Destructive and Resumable Migration— Migration Tools
- The migration process is non-destructive (the Classic instance is untouched) and resumable — each phase must complete before the next begins and the process can be reset and restarted safely, reducing risk for large enterprise migrations.
- LDAP-Aware Migration Path— Migration Tools
- Organizations using LDAP-backed identity get a dedicated migration path where existing LDAP users and groups are reused in oCIS rather than recreated, preserving directory integrity and avoiding provisioning duplication.
- Pause Sync on Metered Connections— Desktop Sync
- The desktop client automatically pauses file synchronization when connected via a metered or cellular network, preventing unexpected data charges. Users can override the setting for individual connections. Introduced v6.0.0.
- Move Locally Deleted Files to OS Trash— Desktop Sync
- Instead of permanently deleting synced files removed locally, the desktop client moves them to the operating system's trash bin by default. Protects against accidental data loss from misclicks or erroneous sync rules. Default enabled since v6.0.1.
- Captive Portal Detection and Sync Pause— Desktop Sync
- The client detects captive portal conditions (hotel/airport Wi-Fi login walls) and automatically pauses sync until the user completes the portal authentication, preventing cascading sync errors.
- Spaces Browser UI (QML Rewrite)— Desktop Sync
- A redesigned Spaces browser in the desktop client (written in QML) provides a visual overview of all available Spaces with their sync status and a count of un-synced spaces. Introduced v6.0.0.
- Auto-Sync New Spaces Branding Option— Desktop Sync
- A branding/admin configuration option automatically begins syncing newly added Spaces without requiring user interaction. Configurable per branded enterprise build. Introduced v6.0.0.
- Separate oCIS Update Channel— Desktop Sync
- A dedicated "ownCloud Infinite Scale" update channel provides oCIS-connected clients with updates independently from the ownCloud 10 release cadence, allowing separate stabilization and testing cycles.
- Windows MSI Group Policy Installer— Desktop Sync
- A GPO-compatible MSI installer for Windows enables enterprise IT administrators to deploy and configure the desktop client via Group Policy without per-user installation. Included in every stable release download.
- OIDC prompt_values_supported Discovery— Desktop Sync
- The desktop client reads `prompt_values_supported` from the server's OpenID configuration and selects the correct prompt parameter during OAuth flows, ensuring compatibility with IdPs that require specific prompt values. Introduced v6.0.0.
- iOS Content Protection with Watermarking and Screenshot Prevention— Mobile iOS
- Enterprise MDM-configurable content protection: adds visible watermarks to files viewed in the app and prevents screenshots. Configurable via MDM profile and build-time settings for maximum data loss prevention. Introduced v12.4.0.
- MDM Confidential Protection with Per-Action Exemptions— Mobile iOS
- Confidential Protection mode (MDM-controlled) auto-disallows specified user actions; individual actions can be exempted via the `confidential.exempted-actions` MDM key. Provides granular enterprise DLP control without blanket lockdown. Introduced v12.6.1.
- Space Admin Permission Enforcement— Mobile iOS
- The iOS app enforces global space-admin permissions for all actions in Spaces — users with the space admin role get appropriate context menu actions unlocked automatically. Introduced v12.6.1.
- Server-Side KQL Search— Mobile iOS
- Native server-side search powered by the oCIS Search service using KQL syntax delivers fast cross-space search results without a local index on the device. Introduced v12.5.0.
- Recent Locations in File Operation Picker— Mobile iOS
- The location picker remembers and displays recently used upload/save destinations as a quick-access section for faster file operations. Introduced v12.6.0.
- Kiteworks Server Compatibility Mode— Mobile iOS
- The iOS app detects a Kiteworks server (compatible with Kiteworks 9.1.1+) and adapts the UI — sidebar items and quota display — accordingly. Enables use of the ownCloud iOS app with Kiteworks-hosted environments. Introduced v12.6.0.
- Customizable Sidebar with Saved Searches— Mobile iOS
- The redesigned sidebar promotes Recents, Favorites, and Available Offline to top-level items; saved searches appear as sidebar items; users add custom sidebar items via "Add to sidebar" with drag-and-drop reordering. Introduced v12.3.0.
- Password Policy Enforcement with Cryptographic Generator— Mobile iOS
- Full server-driven password policy enforcement in the iOS app: character-set and length rules engine; cryptographically secure password generator; one-tap generation on public link creation; combined link+password sharing via the system share sheet. Introduced v12.2.0.
- VisionKit Text Recognition in Image Viewer— Mobile iOS
- The image viewer integrates Apple VisionKit to recognize and make selectable text within photos (equivalent to iOS Photos "Live Text"), enabling copy-paste from images without downloads. Introduced v12.1.
- App Provider Document Creation on iOS— Mobile iOS
- The iOS app supports opening and creating new documents via oCIS App Providers (server-side document editors) directly from the mobile app, consistent with the web experience. Introduced v12.0.
- Role-Based Sharing Interface on iOS— Mobile iOS
- A role-based sharing UI on iOS mirrors the oCIS web interface, allowing users to set and modify share permissions using named roles rather than individual permission checkboxes. Introduced v12.0.
- Grid and Multi-Grid View Modes— Mobile iOS
- The file browser offers switchable display modes — list and multiple grid densities — to match user preferences for compact or spacious file presentation. Introduced v12.0.
- Shared Icon System with oCIS Web Design Tokens— Mobile iOS
- Automated infrastructure consumes icon and color tokens from the ocis/web design system in the native iOS app via CSS variable mapping, ensuring visual consistency between web and mobile clients. Introduced v12.7.0.
- Auto-Generated Software Bill of Materials (CycloneDX)— Mobile iOS
- The iOS app release pipeline auto-generates a Software Bill of Materials in CycloneDX JSON format from Swift Package dependencies, supporting enterprise supply chain security requirements. Introduced v12.6.0.
- Spaces Overview List View— Mobile iOS
- An alternative list view for the Spaces overview screen complements the default tile/card view, giving users a compact textual summary of all available spaces. Introduced v12.7.0.
- User Share and Group Share Migration— Migration Tools
- The `migrate_to_ocis` tool migrates existing ownCloud 10 user shares, group shares, and public link shares to oCIS, preserving permissions and share metadata during the migration pipeline. Introduced v1.0.0.
- Role Assignment Pipeline Step— Migration Tools
- A dedicated `assign-role` step in the migration tool provisions users with their correct oCIS roles during migration. Each pipeline step is independently skippable, allowing selective re-runs of individual phases without restarting the full migration. Introduced v1.0.0.
- Group and Group Membership Migration— Migration Tools
- The migration tool migrates ownCloud 10 groups and their memberships to oCIS alongside user and file migration, ensuring group-based access controls are preserved post-migration. Introduced v1.0.0.
- Android Spaces Full Lifecycle Management— Mobile Android
- The Android app allows admins and Space admins to create, edit (name, subtitle, quota), disable, enable, and delete Spaces directly from the mobile client. Includes a client-side toggle to show/hide disabled Spaces and a search/filter bar across the Spaces list. Quota display handles unit conversion (e.g., 2300 GB shown as 2.3 TB).
- Android Space Membership Management— Mobile Android
- Android users with appropriate permissions can add, edit, and remove Space members directly from the app, assigning roles (Viewer, Editor, Manager) and optional membership expiration dates per member.
- Android Space Public Link Sharing— Mobile Android
- Android users can create, edit, and delete public access links on Spaces with control over link name, permission level (view, edit, or secret file drop), password protection, and expiration date — distinct from per-file/folder link sharing.
- Android Granular Share Permissions per Recipient— Mobile Android
- The Android app exposes fine-grained permission control on private shares — users can set and edit read, update, create, and delete permissions independently for each individual or group sharee, supporting all combinations of the OCS permission bitmask.
- Android Shared-With-Me Shortcut— Mobile Android
- A dedicated Shares shortcut in the Android app lets users browse content that has been shared with them directly from the navigation, without traversing the full file tree. Available on oCIS backends.
- Android Public Link File Drop Mode— Mobile Android
- Android users can create public links on folders with "Upload Only (File drop)" permission, allowing external recipients to upload files to the folder without viewing its existing contents.
- Android Move Conflict Resolution Dialog— Mobile Android
- When moving a file or folder to a location where an identically named item already exists, the Android app presents a conflict resolution dialog with "Keep both" (auto-renames with suffix) and "Replace" options.
- Android In-App Camera Capture and Immediate Upload— Mobile Android
- Users can take a photo directly within the Android app and upload it immediately to their oCIS account, with the file automatically named with an IMG_ prefix.
- Android App Update Data Preservation Guarantee— Mobile Android
- Passcode configuration, account settings, and file data are fully preserved across over-the-top Android app version upgrades, verified by automated CI testing on every nightly build against both stable and development builds.
- iOS Spaces Full Lifecycle Management— Mobile iOS
- The iOS app allows admins and Space admins to create, edit (name, subtitle), disable, and enable Spaces from the sidebar. Remote Space changes (created or disabled externally) are reflected in the app in real time without requiring a manual refresh.
- iOS Space Membership Management— Mobile iOS
- iOS users with appropriate permissions can add, modify, and remove Space members from the sidebar members menu, assigning named roles (Viewer, Editor, Manager) and optional per-member expiration dates.
- iOS Role-Based Private Sharing with Expiration— Mobile iOS
- iOS private shares use named permission roles (Viewer, Editor, EditorTrashbin) rather than permission bitmasks and support setting an expiration date at share creation time, accessible from both the Actions menu and the contextual long-press menu.
- iOS Shared-With-Me and Shared-By-Me Sidebar Shortcuts— Mobile iOS
- The iOS sidebar provides dedicated shortcuts for "Shared with me" and "Shared with others," giving users quick one-tap access to inbound and outbound private shares from anywhere in the app.
- iOS Public Link Secret (File Drop) Mode— Mobile iOS
- iOS users can create public links on folders with "Secret" (upload-only/file drop) permission, allowing link recipients to upload files without being able to view existing folder contents.
- iOS Shared-By-Link Sidebar Shortcut— Mobile iOS
- The iOS sidebar includes a dedicated "Shared by link" shortcut that lists all items the current user has made accessible via public link, separate from the private-share shortcuts.
- Android Space Admin — Create and Edit Spaces— Mobile Android
- Android users with admin or space-admin privileges can create new Spaces and edit existing Space properties (name, subtitle, image, emoji) directly from the mobile app, with permission-gated UI that hides create/edit controls for non-managers.
- Android Space Admin — Disable, Enable, and Delete Spaces— Mobile Android
- Space managers can disable, re-enable, and permanently delete project Spaces from the Android client. A settings toggle controls visibility of disabled Spaces in the Spaces list for Space managers.
- Android Space Quota Display— Mobile Android
- The Android app displays per-Space used and total quota values in the Space bottom sheet, sourced from the Graph API, allowing users and managers to assess storage utilization before uploading.
- Android Space Member Role Display— Mobile Android
- The Android Spaces detail view shows each member's assigned role (Viewer, Editor, Manager) and optional membership expiration date alongside member name, giving managers an at-a-glance view of access levels.
- Android Space Permanent Link Copy— Mobile Android
- Android users can copy and share the permanent deep link of a Space directly from the Space members view, enabling stable bookmarkable references to Spaces for distribution over email or chat.
- Android Space Public Link Management— Mobile Android
- Android users can list, add, edit, and remove public access links directly on a Space (not just on individual files or folders within it), with pull-to-refresh to sync link state and permissions.
- Android Spaces List Layout with Bottom Sheet Actions— Mobile Android
- The Android Spaces list uses a horizontal card layout with a per-Space three-dot button that opens a bottom sheet for all Space management actions (edit, manage members, links, quota, disable/remove).
- Android Space Emoji as Cover Image— Mobile Android
- Users with appropriate Space permissions can set an emoji as the Space cover image directly from the Android app, providing a lightweight personalization option when a custom photo is not needed.
- Android Spaces List Search and Filter— Mobile Android
- The Android Spaces list includes a real-time search bar allowing users to filter Spaces by name, reducing navigation time in deployments with many Spaces.
- Android Copy/Move Destination Snackbar— Mobile Android
- After a copy or move operation completes, the Android app displays a snackbar with a quick-navigation action button that takes the user directly to the destination folder, reducing the steps needed to verify the result.
- Android Space-Aware Documents Provider— Mobile Android
- The Shares Space is exposed in the Android system-level Documents Provider (native file picker/explorer), allowing third-party apps on the device to access received shares without launching the ownCloud app.
- Android oCIS Light User Support— Mobile Android
- The Android app correctly handles oCIS Light Users (accounts without a personal Space), displaying only project/shared Spaces in the Spaces tab and showing an empty view in the Personal tab instead of errors.
- Android Multi-Personal Space Display— Mobile Android
- The Android app supports accounts with multiple personal Spaces, displaying all personal Spaces in the Spaces tab for selection rather than assuming a single home Space. Introduced to support multi-personal oCIS deployments.
- Android Available Offline Status Feedback— Mobile Android
- When toggling available-offline status from any preview (image, text, media), the Android app shows a status confirmation message and updates the options menu to reflect the new offline sync state immediately.
- Android Quota Display via Graph API— Mobile Android
- The Android app retrieves personal Space quota from the Graph API (not WebDAV PROPFIND), showing used and remaining storage in the navigation drawer with live updates after file operations (delete, copy, move, refresh). Per-account quota is also shown in the Manage Accounts dialog.
- Android OIDC Enforcement via Branding— Mobile Android
- A branded parameter `enforce_oidc` forces the Android app to use the OIDC authentication flow regardless of server detection, with configurable `oauth2_redirect_uri_path`. Enables enterprise deployments to mandate OIDC over basic auth for all connections.
- Android Biometric Unlock with Fallback— Mobile Android
- The Android app supports biometric authentication (fingerprint/face) as the primary unlock method, automatically falling back to passcode or pattern unlock when biometrics are unavailable or fail, with the failure reason displayed to the user.
- Android Passcode and Pattern Lock— Mobile Android
- The Android app enforces a user-configurable passcode (numeric PIN) or pattern screen lock, restricting app access without requiring device-level authentication. Both lock screens support landscape and portrait orientations.
- Android MDM/Branding Configuration— Mobile Android
- The Android app reads enterprise branding and MDM configuration parameters at startup, including server URL pre-configuration, authentication mode enforcement, and UI customization parameters, enabling zero-touch enterprise deployment.
- Android In-App Document Creation via App Provider— Mobile Android
- The Android app integrates with oCIS App Provider to create new documents (.docx, .xlsx, .odt) directly from the file list FAB, opening the new file in the registered web editor via a custom tab without leaving the device context.
- Android Deep Link Navigation— Mobile Android
- The Android app handles ownCloud deep links, automatically selecting the correct user account and navigating to the referenced file or folder when the app is opened via a shared URL.
- Android Automatic Uploads to Any Space— Mobile Android
- Android automatic uploads (camera roll, configured folders) can target any oCIS Space—not just the personal Space—allowing photos and documents to be routed directly into project Spaces on upload.
- Android Share-to Upload to Any Space— Mobile Android
- When sharing files from third-party Android apps into ownCloud, users can select any available oCIS Space as the upload destination, not just the personal home folder.
- Android Auto-Upload Duplicate Prevention— Mobile Android
- The Android automatic uploads algorithm tracks upload timestamps at the start of processing to prevent the same file from being uploaded multiple times when retry logic or app restarts occur.
- Android Thumbnail Grid View— Mobile Android
- The Android app displays file thumbnails in grid view with improved thumbnail loading and rendering for a more visual file browsing experience across all Spaces and folders.
- Android Video Streaming in Spaces— Mobile Android
- The Android app correctly constructs streaming URIs for video files stored in oCIS Spaces, enabling in-app video playback without full download for Space-hosted media.
- Android Audio Playback in Background— Mobile Android
- The Android app supports background and foreground audio playback with correct Android media permissions for Android 14+, allowing audio files to continue playing when the app moves to background.
- Android URL Shortcut File Creation— Mobile Android
- Users can create `.url` shortcut files directly from the Android app's FAB, entering a web address that opens in the browser when the shortcut file is tapped, enabling bookmark-style web references stored in oCIS.
- Android Automatic Local File Deletion Policy— Mobile Android
- A configurable setting automatically deletes locally downloaded files that have not been accessed within a user-specified time period, preventing stale cached content from accumulating on-device storage.
- Android Manual Local Storage Deletion— Mobile Android
- An icon in the Manage Accounts view allows users to manually delete all locally cached/downloaded files for a specific account without removing the account, reclaiming on-device storage on demand.
- Android Multi-Account Management Dialog— Mobile Android
- The Manage Accounts view is a dedicated dialog showing all configured accounts with quota information per account, supporting account switching, addition, and removal from a single screen.
- Android HTTP Connection Warning— Mobile Android
- The Android app displays a warning dialog when a user attempts to connect to an HTTP (non-HTTPS) server, informing them of the security risk before proceeding with an insecure connection.
- Android Public Link Password Generator for oCIS— Mobile Android
- When creating public links on oCIS accounts, the Android app offers a cryptographic password generator that produces passwords satisfying all server-enforced password policies (length, complexity, banned list) without requiring the user to craft a compliant password manually.
- Android Password Policy Live Enforcement— Mobile Android
- The Android app enforces server-defined public link password policies in real time as the user types, highlighting policy violations before submission and updating enforcement as server-side password policies change.
- Android Batch Name Conflict Resolution— Mobile Android
- When multiple file conflicts arise during a copy, move, or upload operation, the Android app offers an "Apply to all" option to apply the same resolution (keep both or replace) to all conflicting files at once, avoiding repeated per-file dialogs.
- Android App Provider Icon Display— Mobile Android
- The oCIS App Provider icon for a registered web application is fetched from the server endpoint and displayed in the file's "Open in (web)" bottom sheet entry, giving users a visual indicator of which app will handle the file.
- Android Accessibility — TalkBack and Screen Reader Support— Mobile Android
- The Android app includes comprehensive TalkBack support with correct content descriptions, semantic roles, headings, and focus order for file lists, Spaces, share views, passcode, drawer menu, and image previews, meeting WCAG accessibility requirements.
- Android Accessibility — Hardware Keyboard Navigation— Mobile Android
- The Android app supports full hardware keyboard navigation with logical focus traversal across file lists, Spaces list, drawer menu, share view, image preview, and the passcode screen, with no focus traps.
- Android Accessibility — Color Contrast Compliance— Mobile Android
- UI elements across the Android app meet minimum color contrast requirements, with the search bar, share link views, and branding-colored components updated for WCAG-compliant contrast ratios.
- Android In-App Log File Download and Sharing— Mobile Android
- Android users can download and share app diagnostic log files directly from within the ownCloud app to support channels or developers, without requiring access to the device file manager.
- Open File in ownCloud Web from Android— Android Client
- A dedicated action in the Android app's file context menu opens the selected file directly in the ownCloud web interface in the device browser, letting users switch from mobile to the full web experience in one tap.
- Open File in Named Web Editor from Android— Android Client
- When a file has an associated web editor (such as Collabora or OnlyOffice), the Android app offers a specifically labelled open action that launches the file in that editor within the device browser.
- Open Actively Downloading File with External App— Android Client
- Files that are still downloading can be opened immediately with an external app; the Android client passes the partial download in a way that allows compatible apps to begin rendering before the download completes.
- External App Edit via Open With and Sync Back— Android Client
- Users can open a file with any compatible external editor via the Android share sheet, and the Android app automatically detects when the external app saves changes and syncs the updated file back to the server.
- Android File Details Panel Redesign— Android Client
- The file details panel in the Android app has been redesigned with a refreshed layout presenting metadata, sharing information, and actions in a more visually organised and accessible manner.
- Android Space Cover Photo Management— Android Client
- Space administrators can set, replace, or remove a custom cover photo for a space directly from the Android app, with the image uploaded and applied to the space visible across all clients.
- Android Bottom Navigation Bar— Android Client
- The Android app uses a bottom navigation bar for primary navigation between Files, Spaces, and other main sections, replacing the previous side-drawer-first navigation pattern for one-handed reachability.
- Android Bottom Navigation Text Labels— Android Client
- Text labels are shown beneath each icon in the Android bottom navigation bar, making the purpose of each tab immediately clear without requiring users to learn icon meanings.
- Android Side Drawer Configurable External Link— Android Client
- Administrators can configure a custom external link that appears in the Android app's side drawer, allowing organisations to surface a help portal, intranet, or branded resource directly within the app.
- Android Automatic Server URL Discovery via Webfinger— Android Client
- Users can sign in by entering only their email address or username; the Android app uses Webfinger to automatically discover and pre-fill the correct server URL, reducing onboarding friction in multi-server organisations.
- Android Settings Accessible Without Active Account— Android Client
- The Android app's settings screen can be opened even when no account is configured, allowing users to adjust app-level preferences such as theme or logging before completing sign-in.
- Android Forbidden Character Validation in Create Dialog— Android Client
- When creating a file or folder from the Android app, forbidden characters are validated immediately in the name field with inline error messages, preventing server-side errors from invalid names.
- Android Consistent File Row Context Menu— Android Client
- The overflow menu on each file row in the Android app exposes a consistent and complete set of actions regardless of how the file list is sorted or filtered, preventing actions from disappearing unexpectedly.
- Android Deletion Progress Blocking UI— Android Client
- While a file or folder deletion is in progress, the Android app shows a progress indicator and blocks further interaction with the item, preventing race conditions from concurrent actions during deletion.
- Android Manual Content Refresh Button— Android Client
- A pull-to-refresh gesture and a dedicated refresh button allow users to manually trigger a content reload in any file list view, ensuring they always see the current server state without waiting for automatic sync.
- Android Auto-Refresh After Upload Completion— Android Client
- File lists in the Android app automatically refresh once an upload completes, making newly uploaded files immediately visible without requiring a manual reload.
- Android Hidden Dot-Files Display Toggle— Android Client
- A setting in the Android app allows users to show or hide files and folders whose names begin with a dot, providing access to configuration files and hidden content when needed.
- Android Upload File from Remote URL— Android Client
- Users can trigger an upload of a remote file by providing its URL in the Android app; the server fetches and stores the file directly, avoiding the need to download it to the device first.
- Android Download All Files in Folder as Zip— Android Client
- A download action on a folder in the Android app downloads all contained files as a single zip archive to local device storage, simplifying bulk offline access.
- Android System Share Sheet Integration for Receiving Files— Android Client
- The Android app registers itself as a share target in the Android system share sheet, allowing files from other apps such as the camera, browser, or document editors to be uploaded to ownCloud in one step.
- Android Multi-File Send via System Share Sheet— Android Client
- Users can select multiple files in the Android app and share them to other apps via the Android system share sheet in a single action, enabling batch sharing with messaging or email apps.
- Android Per-App Language Selection— Android Client
- On Android 13 and later, the ownCloud app supports the per-app language selection feature introduced by the OS, allowing users to run the app in a different language than the device system language.
- Android In-App Release Notes Screen— Android Client
- The Android app displays release notes for the installed version in a dedicated in-app screen, accessible from settings, so users can review what changed without leaving the app.
- Android Account Last Used Timestamp— Android Client
- The account list in the Android app shows the date and time each account was last actively used, helping users identify and manage accounts in multi-account setups.
- Android ONLYOFFICE Form Template File Type Icon— Android Client
- Files with the ONLYOFFICE form template extension (.oform) display a dedicated file type icon in the Android app, making form template files visually distinguishable from regular office documents.
- Android OIDC Login Hint Branding Flag for Re-Authentication— Android Client
- A configurable flag controls whether the OIDC login_hint parameter is sent during re-authentication flows on the Android app, allowing organisations to suppress pre-filled usernames in branded identity provider login screens.
- Android Space Member Current User Highlight— Android Client
- The current user's entry is visually highlighted in the space member list on Android, making it easy to identify one's own role and permissions within a shared space at a glance.
- Android Space Member List Pull to Refresh— Android Client
- The space member list in the Android app supports pull-to-refresh, allowing users to immediately reload the current member list after changes such as invitations or permission updates.
- iOS Spaces List and Grid View Toggle— iOS Client
- Users can switch the Spaces overview between list and grid view modes on iOS, with the last chosen mode persisted across sessions so the preferred layout is restored automatically.
- iOS Shared Icon Set with ownCloud Web— iOS Client
- The iOS app adopts the same standardised icon set used by ownCloud Web and the Android app, providing a visually consistent experience across all ownCloud client platforms.
- iOS 26 Liquid Glass UI Adaptation— iOS Client
- The iOS app's interface adapts to the iOS 26 Liquid Glass design system, including updated tab bar materials and navigation chrome that match the platform's visual identity on the latest OS version.
- iOS Location Picker Recent Destinations— iOS Client
- The iOS file and folder picker remembers and surfaces recently used destination folders, allowing users to quickly re-select common save locations without navigating the full folder hierarchy each time.
- iOS Account Reordering via Drag and Drop— iOS Client
- Users can reorder accounts in the iOS account list by dragging and dropping entries, allowing them to set a preferred account order that persists across app launches.
- iOS File Provider Sharing and Link Actions— iOS Client
- Via the iOS Files app integration, users can create direct shares and public links for ownCloud files without opening the ownCloud app, using the standard iOS share sheet from within the Files app.
- iOS Grid View for File and Photo Lists— iOS Client
- File and photo lists in the iOS app can be displayed in a grid layout, making image-heavy folders easier to browse visually compared to the standard linear list view.
- iOS Dynamic Instance Logo as Account Avatar— iOS Client
- The iOS app fetches the server-configured instance logo and uses it as the visual avatar for that account in the account list, helping users distinguish between multiple ownCloud server accounts at a glance.
- iOS Enhanced Drag and Drop with Mac Catalyst Support— iOS Client
- Drag and drop in the iOS app supports multi-item selection, external app targets, and full Mac Catalyst drag-and-drop conventions, enabling efficient file transfers between ownCloud and other apps on iPad and Mac.
- iOS Limited Photo Library Access Upload— iOS Client
- On iOS 14 and later, users can grant the ownCloud app access to only selected photos from their library when uploading, respecting privacy without requiring full photo library permission.
- iOS Sync Engine Hanging Upload Recovery— iOS Client
- The iOS sync engine detects uploads that have stalled without completing and automatically attempts recovery, preventing files from remaining indefinitely in an uploading state after network interruptions.
- Desktop VFS (Virtual File System) for Windows— Desktop Client
- The Windows desktop client uses the native Windows Virtual File System (VFS) API to present all files as local placeholders without downloading content immediately. Files are hydrated on demand when opened, saving disk space while preserving full file-manager integration including Explorer overlays.
- Desktop Selective Sync per Space— Desktop Client
- Users can choose exactly which sub-folders of each oCIS Space to synchronize locally. The selective sync dialog is available from the sync-folder context menu, allowing granular control over which content consumes local disk.
- Desktop Spaces Browser and Management UI— Desktop Client
- A dedicated spaces browser lists all oCIS Spaces available to the user, shows how many are currently unsynced, and lets users add or remove Space sync connections without navigating to the web UI.
- Desktop Move-to-Trash Instead of Delete— Desktop Client
- When the server removes files, the desktop client can move them to the operating system trash bin rather than permanently deleting them, giving users a safety net to recover accidentally deleted content. Enabled by default.
- Desktop File Version History Context Menu— Desktop Client
- A "Show file versions…" entry in the file-manager context menu lets users browse and restore previous versions of a synced file directly from Explorer or Finder without opening the web interface.
- Desktop Open-in-Web-Editor from Context Menu— Desktop Client
- Users can right-click a synced file in Explorer/Finder and choose "Open in web editor" to launch the file in the server-side online office suite (e.g., Collabora, OnlyOffice) directly from the desktop.
- Desktop Open-in-Web from File Browser Context Menu— Desktop Client
- A context menu action on sync-root folders and files lets users jump directly to the corresponding item in the oCIS web frontend from Explorer, Finder, or the Linux file manager.
- Desktop Open Sharing Options in Web— Desktop Client
- Selecting "Share…" in the file-manager context menu opens the sharing panel for that file in the oCIS web frontend, so users can manage shares with full UI fidelity from the desktop.
- Desktop Space Quota Display— Desktop Client
- The account settings page and folder status view display quota information for each synced Space, so users always know how much storage they have available.
- Desktop Space Name and Subtitle Display— Desktop Client
- The client shows the server-provided Space name and subtitle (instead of the local path) in the account settings and tray menu, reflecting server-side renames automatically.
- Desktop Unsynced Space Count Indicator— Desktop Client
- The spaces browser shows a count of how many Spaces are not yet synchronized, prompting users to add sync connections for newly provisioned Spaces.
- Desktop Disabled-or-Deleted Space Status Message— Desktop Client
- When a Space is disabled or deleted on the server, the desktop client displays a clear human-readable message rather than a cryptic technical error.
- Desktop Windows Long Path Support— Desktop Client
- The client detects and warns when Windows long-path support is not enabled and blocks creation of sync roots that would produce paths exceeding MAX_PATH, preventing silent sync failures.
- Desktop Windows DPI Scaling Improvement— Desktop Client
- The client uses exact DPI scale factors rather than rounding, producing sharper text and UI elements on high-DPI Windows displays with fractional scaling.
- Desktop Branding — Auto-Sync New Spaces— Desktop Client
- An admin-configurable branding flag causes the desktop client to automatically create sync connections for newly discovered Spaces, removing the manual "add space" step for end users.
- Desktop Branding — Custom URL Toolbar Buttons— Desktop Client
- A branding option lets administrators inject one or more buttons into the main toolbar that open a configured URL, enabling quick access to internal portals or help pages from within the client.
- Desktop Update Channel for ownCloud Infinite Scale— Desktop Client
- A dedicated "ownCloud Infinite Scale" update channel in the About dialog lets administrators direct users to the oCIS-compatible release series, independent of the classic ownCloud 10 channel.
- Desktop Windows Update Restart Prompt— Desktop Client
- On Windows, when a client update has been downloaded, a modal dialog prompts the user to restart and apply the update immediately, replacing the previously silent tray notification.
- Desktop Duplicate Space Sync Prevention— Desktop Client
- The client prevents users from adding a second sync connection for a Space that is already synchronized, and uses platform extended attributes (Linux/macOS) or alternate data streams (Windows) to tag sync roots and avoid folder collisions across multiple accounts.
- Desktop Captive Portal Sync Pause— Desktop Client
- The desktop client detects when the operating system signals a captive portal and automatically suspends all sync activity, preventing SSL certificate mismatch errors and resuming sync automatically once the portal is dismissed.
- Desktop Sync Pause on Metered Connections— Desktop Client
- On platforms that report metered network connections, users can configure the client to pause automatic synchronization when on a metered link, while still allowing manual force-sync.
- Desktop Redesigned Setup Wizard— Desktop Client
- A completely rewritten account setup wizard provides a cleaner multi-step flow, inline error feedback on the final configuration page, a progress spinner during account initialization, and oCIS-aware WebFinger server discovery.
- Desktop WebFinger Server Discovery— Desktop Client
- The desktop client supports the oCIS WebFinger service to resolve a user's organizational entry-point URL to the correct oCIS instance, enabling single-URL login across multi-instance deployments.
- Desktop oCIS Spaces Support— Desktop Client
- The desktop client can enumerate and sync all oCIS Spaces a user has access to, mapping each Space to a separate local sync root and respecting Space-level permissions.
- Desktop Server-Guided Migration to Spaces— Desktop Client
- When an existing ownCloud 10 sync is pointed at an oCIS server, the client performs a guided, limited automatic migration of the sync configuration to the Spaces model, reducing manual reconfiguration.
- Desktop Sync Hidden Files Toggle (CLI)— Desktop Client
- The command-line sync client (owncloudcmd) supports a --sync-hidden-files flag that enables synchronization of dot-files and other hidden items, complementing the default behavior of excluding them.
- Desktop AppImage Self-Updater for Linux— Desktop Client
- The Linux AppImage distribution includes a built-in libappimageupdate-based self-updater that downloads and applies new client releases through ownCloud's update infrastructure without requiring system-level package manager access.
- Desktop owncloudcmd oCIS Space Sync— Desktop Client
- The command-line client supports syncing oCIS Spaces by accepting a separate --server flag for the oCIS endpoint while using the positional argument for the specific Space WebDAV URL.
- Desktop owncloudcmd Hidden Files Sync Flag— Desktop Client
- The desktop command-line tool provides a --sync-hidden-files parameter that re-introduces the ability to include hidden files (dot-files) in a command-line-initiated sync session.
- Desktop Active Directory Federation Services Support— Desktop Client
- The OAuth2 login flow has been updated to support Active Directory Federation Services (ADFS) as an identity provider, allowing organizations using ADFS to authenticate desktop client users.
- Desktop OAuth2 Configurable Port List— Desktop Client
- A branding option allows administrators to specify a list of local ports used during the OAuth2 loopback redirect flow, enabling deployment behind strict firewall or endpoint-policy configurations.
- Desktop OpenID Connect prompt_values_supported— Desktop Client
- The desktop client reads the prompt_values_supported field from the OpenID Connect discovery document and uses it to select the correct prompt parameter value, improving compatibility with diverse identity providers.
- Desktop Proxy Password Secure Storage— Desktop Client
- The desktop client stores the proxy password in the operating system's secure keychain (Windows Credential Manager, macOS Keychain, or Linux Secret Service) rather than in plain-text settings files.
- Desktop Selective Sync Dedicated Dialog— Desktop Client
- Selective sync configuration was moved from the account status page into a dedicated dialog accessible from the sync-folder context menu, decluttering the main window and eliminating duplicated code paths.
- Desktop Folder Status Page Rewrite— Desktop Client
- The folder status page was rewritten to provide a clearer view of per-folder sync state, progress, and errors without requiring users to navigate multiple dialogs.
- Desktop Reconnect Button in Account Menu— Desktop Client
- When the client is disconnected from the server, a manual "Reconnect" button appears in the account menu so users can trigger an immediate reconnection attempt without restarting the application.
- Desktop Not-Synced Tab Filter Persistence— Desktop Client
- Filter settings applied in the "Not Synced" tab of the sync activity view are persisted across client restarts, so users do not need to reapply their preferred filters each session.
- Desktop Windows VFS Locked-File Sync— Desktop Client
- The Windows VFS implementation can upload files that are locked by office applications by explicitly tracking and resolving outdated placeholders, restoring sync capability for actively-edited Office documents.
- Desktop Windows VFS Ignored-Filename Rename Guard— Desktop Client
- The Windows VFS plugin prevents users from renaming virtual file placeholders to names on the sync-ignore list, avoiding silent server-side deletions caused by invalid filenames.
- Desktop Windows VFS Read-Only Placeholder Flag— Desktop Client
- The desktop client correctly marks VFS placeholder files as read-only when the server reports the file or its Space as read-only, surfacing permission state through standard OS file attributes.
- Desktop macOS APFS-Only VFS Support— Desktop Client
- The macOS desktop client restricts virtual file support to APFS volumes (dropping legacy HFS+), enabling proper Unicode NFC/NFD normalization handling and eliminating a class of filename encoding conflicts.
- Desktop Continuous Rotating Log Files— Desktop Client
- Instead of generating a new log file per sync operation, the desktop client writes to a single rolling log: when the file exceeds 100 MiB it is rotated, compressed, and the user controls how many archived files to retain.
- Desktop Sync File-Change Batching— Desktop Client
- Local file-system change events are batched for 10 seconds before being processed rather than handled every 1 second, reducing redundant checksum computations and unnecessary sync cycles during active editing.
- Desktop Linux GTK3 Bookmark Integration— Desktop Client
- The desktop client adds file-manager bookmarks using the GTK3 bookmarks file format, restoring sidebar entries in Nautilus, Thunar, Nemo, Caja, and other GTK3-based file managers on modern Linux distributions.
- Desktop HTTP/1.1 Pipelining Support— Desktop Client
- The desktop client enables HTTP/1.1 pipelining for WebDAV connections, allowing multiple requests to be sent on a single connection before responses are received, improving throughput in high-latency network environments.
- Mobile-Specific Topbar Logo Theme Option— Branding and Theming
- Administrators can define a separate logo for the topbar on mobile devices via the theme configuration, enabling responsive branding without affecting the desktop logo.
- Configurable XHR Upload Timeout— File Upload Reliability
- Administrators can set the XHR upload timeout in config.json, allowing tuning for slow or high-latency networks; the default has been increased from 30 to 60 seconds to reduce spurious upload failures.
- Touch Swipe Navigation in Media Viewer— Mobile Media Interaction
- Users on touch devices can swipe left and right to navigate between images in the media viewer, providing a native mobile gallery experience without needing to tap arrow buttons.
- HTTP Cache Headers for Desktop Sync Client— Desktop Sync Client
- oCIS sends appropriate HTTP cache control headers allowing the desktop sync client to use its built-in Qt network cache, reducing data transfer volume and enabling offline access to previously fetched resources without constant server round-trips.
- WebDAV and Mobile Access to Project Spaces— WebDAV Protocol
- Users can access Project Spaces via standard WebDAV URLs and ownCloud mobile applications, enabling file synchronization and access from any WebDAV-compatible client without requiring the web browser interface.
- Persistent Virtual Shares Space for Desktop Sync— Desktop Sync Client
- The virtual "Shares" Space remains permanently present in the desktop sync client's space list rather than appearing and disappearing as shares change, providing a stable sync experience that avoids repeated disruptive space discovery cycles.
- Private Link Property in WebDAV PROPFIND— WebDAV Protocol
- The `<oc:privatelink>` property is now available in WebDAV PROPFIND responses for all file and folder types, enabling the desktop sync client to offer an "Open in Web" action for any item by fetching the direct browser link via standard WebDAV.
Collaboration and Sharing
- Write-Capable Link Separate Password Requirement— Public Links
- `OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` / `SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` enforces passwords specifically on write-capable public link roles (Uploader, Editor, Contributor) without requiring passwords on view-only links. Distinct from the blanket `SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`.
- Banned Password List for Public Links— Public Links
- `OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` / `SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` — path to a newline-delimited file of disallowed passwords. Public link password creation is rejected if the chosen password appears in the list.
- Microsoft 365 WOPI Proxy Routing— WOPI Integration
- `COLLABORATION_WOPI_PROXY_URL` and `COLLABORATION_WOPI_PROXY_SECRET` route Microsoft 365 WOPI traffic through the ownCloud Office365 proxy subscription service, enabling web-based Microsoft Office editing without requiring direct Microsoft CSP membership.
- WOPI Proof Key Verification— WOPI Integration
- Cryptographic request authentication via WOPI proof keys validates that requests arriving at the collaboration service originated from the registered WOPI client. Admins can disable with `COLLABORATION_APP_PROOF_DISABLE` or tune the cache duration via `COLLABORATION_APP_PROOF_DURATION`.
- Collaboration Session Persistent Store— WOPI Integration
- `COLLABORATION_STORE` / `OCIS_PERSISTENT_STORE` configures a durable backend (nats-js-kv, redis-sentinel) for WOPI session tokens, enabling horizontal scaling of the collaboration service without session loss on pod restart.
- Configurable Default Public Link Permission— Public Links
- `FRONTEND_DEFAULT_LINK_PERMISSIONS` sets the default permission level for newly created public links: `0` = internal only, `1` = viewer. Administrators can tune this to match organizational sharing policies.
- Upload Integrity Checksums— File Transfers
- `FRONTEND_CHECKSUMS_SUPPORTED_TYPES` declares the checksum algorithms the server accepts (sha1, md5, adler32) and `FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE` signals the preferred algorithm. TUS clients use this to verify upload integrity end-to-end.
- Signature Auth for Password-Protected Archive Downloads— Public Links
- WebDAV PROPFIND responses for public link subfolders now expose the `oc:signature-auth` attribute (v8.0.1), enabling clients to generate signed archive (zip/tar) download URLs inside password-protected public links. Previously, missing this attribute blocked archive downloads from password-protected shares.
- Create Space from File Selection— Spaces
- Users can select one or more existing files in their Personal Space and create a new Project Space pre-populated with those files in a single action, without manually re-uploading. The selected files are moved into the new Space with their existing names and structure.
- Space Member Expiry Dates— Spaces
- Administrators and Space Managers can set an expiry date on a Space membership when adding or editing a member. Once the expiry date is reached, the member loses access to the Space automatically. Expiry dates can also be removed to grant permanent access.
- Share Visibility Toggle via Graph API— Sharing
- A new Graph API endpoint allows users to hide or unhide received shares from their drive view without revoking permissions, giving users control over their personal workspace organisation.
- Share Autocomplete Custom Attribute Display— Sharing UI
- When inviting collaborators, the share recipient autocomplete shows server-configured custom user attributes such as department or job title alongside email, making it easier to identify the correct recipient in large organisations.
- Merged People and Link Sharing Sidebar Panel— Sharing UI
- The people sharing and link sharing panels in the file sidebar have been merged into a single unified access panel, giving users one place to view all users and links that have access to a resource.
- Password-Protected Link Submit Loading Feedback— Public Links
- A loading spinner and disabled submit button appear immediately when a visitor clicks to unlock a password-protected public link, providing clear visual feedback while the server validates credentials.
- File Drop View Branding and Upload Prompt— Public Links
- The public file drop landing page includes explanatory text, additional branding elements, and a prominent upload button, making the purpose of the page immediately clear to visitors dropping files.
- Transparent Sharees Sidebar Display— Sharing
- When multiple users have access to a resource, users who are both a direct sharee and a space member see a consolidated view of access, eliminating duplicate share entries in the sidebar and giving a cleaner picture of who has access.
- External User Share Visual Badge— Sharing UI
- External (federated) user shares are marked with a visual badge in the sidebar share panel, instantly indicating to owners and administrators which collaborators are from external ownCloud instances.
- Android Public Link Password Visibility Toggle— Public Links
- When setting or entering a password for a public link in the Android app, a show/hide toggle allows users to reveal the password field contents, reducing password entry errors on mobile keyboards.
- iOS Public Link Password Policy Generator— Public Links
- When creating a public link on iOS, the app enforces the server-configured password policy and offers a one-tap generated password that meets all policy requirements, reducing friction when mandatory passwords are required.
- iOS Link Share Custom Display Name— Public Links
- When creating or editing a public link on iOS, users can set a custom display name for the link, making it easier to distinguish multiple links on the same resource and communicate their purpose to recipients.
- Secure Viewer Share Role— Sharing Roles and Permissions
- A dedicated "Secure Viewer" share role lets owners grant read-only access that explicitly blocks downloading, editing, and deleting — ideal for confidential content reviews and compliance scenarios.
- SecureView Permission Flag in WebDAV— Sharing Roles and Permissions
- WebDAV PROPFIND responses include an `X` flag in the permissions string when a resource is accessible only in secure-view mode, enabling WebDAV clients to adapt their UI accordingly.
- Secure View App Discovery Flag— Sharing Roles and Permissions
- The app-listing HTTP endpoint marks which registered applications support secure view mode, so web clients can surface only compatible apps when opening a file shared with the Secure Viewer role.
- Space Editor Without Version History Role— Sharing Roles and Permissions
- A space editor role variant that excludes version listing and version restore permissions, allowing administrators to grant editing access while preventing users from browsing or recovering older file versions.
- Space Viewer and Editor with Membership Visibility— Sharing Roles and Permissions
- Space viewer and editor role variants that include the ListGrants permission, enabling space members to see who else has access to the space directly from the sharing panel.
- Editor with Grants and Version History Role— Sharing Roles and Permissions
- New editor roles (EditorListGrantsWithVersions and FileEditorListGrantsWithVersions) combine content editing with the ability to view share recipients and browse file version history in a single role assignment.
- Public Link Password Opt-Out for Privileged Users— Public Link Sharing
- Administrators can grant specific users or roles the ability to remove passwords from otherwise password-required read-only public links, enabling trusted internal distribution without password friction.
- WebDAV Direct Public Share Resolution— Public Link Sharing
- WebDAV clients can resolve both public and internal share links by sending a PROPFIND to `/dav/public-files/{token}` without calling a separate tokeninfo endpoint, streamlining programmatic access and sync client integration.
- Hide Received Share from Shared-With-Me— Sharing Roles and Permissions
- Users can hide individual received shares from appearing in their "Shared with me" view through the OCS API, keeping the collaboration list uncluttered without formally declining the share.
- Unique Share Mountpoint Auto-Rename— Sharing Roles and Permissions
- When accepting a received share whose mountpoint name already exists in the user's share jail, oCIS automatically appends a unique suffix to prevent naming conflicts, so users never see a failed acceptance.
- Locked File Upload Prevention with Correct HTTP Status— File Locking
- Uploading to a WebDAV-locked file now returns the correct HTTP 423 Locked status code, enabling desktop sync clients and WebDAV tools to correctly identify and handle upload conflicts caused by active WOPI or WebDAV locks.
- File Lock Owner and Timestamp Metadata— File Locking
- File lock records now include the display name of the user who placed the lock and the exact time it was set, enabling administrators and collaborators to see who locked a file and when directly from the file details panel.
- OCS Received Share Retrieval— Collaboration and Sharing
- The OCS `GET /apps/files_sharing/api/v1/shares` endpoint now returns received (incoming) shares when called with the `shared_with_me` parameter. Clients can enumerate all shares received by the authenticated user from a single endpoint.
- File Comments Markdown Rendering— File Collaboration
- Comments in the file comments sidebar are rendered from Markdown (bold, italic, code blocks, links) and sanitized with DOMPurify before display, enabling rich-text annotation without exposing XSS risks.
- File Comments Author Edit and Delete— File Collaboration
- Comment authors can edit or delete their own comments inline from the sidebar, while collaborators who did not write a comment see it in read-only mode.
- File Comments Concurrency Locking— File Collaboration
- When adding or modifying comments, the extension acquires a short WebDAV LOCK on the file to prevent sequence-number collisions when multiple collaborators comment simultaneously.
- File Comments Rename and Move Persistence— File Collaboration
- Comments are stored as WebDAV properties on the file node itself, so they follow the file when it is renamed or moved to a different folder without any manual migration.
- CS3 Metadata Storage Share Manager Backend— Share Management
- Administrators can configure oCIS to use the CS3 metadata storage backend as its share manager, providing a cloud-native alternative to SQL-based share storage for deployments that want share data co-located with file metadata.
- Graph Drive Permissions in Listing— Space Management
- The Graph API drive listing response now includes per-space permission data showing which users have access and at what role, enabling clients to surface access control details alongside space metadata.
- Sharees Additional Info Parameter Config— Sharing Configuration
- Administrators can configure which supplementary user information is returned for sharees in OCS share search responses, enabling customization of the data displayed when users search for share recipients.
- Public Share Link App Authentication Middleware— Public Link Sharing
- Files shared via public links can now be opened directly in integrated apps such as Collabora or OnlyOffice, as a new proxy middleware transparently authenticates the app provider by exchanging the public share token for an access token.
- Public Share SQL Storage Driver— Share Storage Backend
- Administrators can configure an SQL database as the persistence backend for public share data, providing enterprise-grade durability and scalability beyond the default file-based driver.
- Group Share Provider with SQL Backend— Group Share Management
- Administrators can enable a dedicated group provider service backed by an SQL sharing driver, allowing files and folders to be shared with entire groups with durable SQL-based persistence.
- Private Links for Direct File Access— File Sharing
- Users can generate private links to specific files and folders, allowing recipients to navigate directly to a resource without browsing the file tree; the capability is advertised to clients via the capabilities endpoint.
- Configurable Resharing for Share Recipients— Resharing
- Administrators can enable or disable resharing—the ability for share recipients to re-share content with additional users—via a configuration flag that defaults to off, providing fine-grained control over data propagation beyond the original share.
- Alias Link Sharing Capability Advertisement— Public Link Sharing
- Clients can discover alias link support through the oCIS capabilities endpoint, enabling applications to surface the alias link sharing option in their UI when the feature is active on the server.
- SQL Backend for Public Share Storage— Share Storage Backend
- Administrators can configure the public shares service to use a SQL database as its storage backend, enabling persistent and scalable management of public link share data independent of the primary file storage layer.
- Public Link File Thumbnails— Thumbnail Generation
- Users accessing files through public share links can view thumbnail previews of images and other supported file types without logging in, providing a richer browsing experience on shared content pages.
- Public Shares Service Embedded in Runtime— Public Link Service
- oCIS now includes a built-in public shares service that starts automatically as part of `ocis server` on a dedicated port, enabling public link creation and access without additional service configuration.
- Share Remote Item Navigation Metadata— Share Navigation
- Shared drive items now expose full remote item metadata including path, root space ID, drive alias, and WebDAV URL, enabling clients to navigate directly to the original location of a shared resource in the owner's space.
- External Guest User Invitation Service— Guest User Management
- Internal users can invite external email addresses to collaborate as Guest accounts through the Invitations service, following the Microsoft Graph invitation API model, which triggers Guest account creation and a redemption workflow for the invited person.
- Time-Limited Space Member Permission Grants— Space Management
- Space managers can attach an optional expiration date to individual space membership grants, automatically revoking access when the specified date is reached without requiring manual follow-up.
- Expiration Dates for User and Group Shares— File Sharing
- Users can set an optional expiration date on shares to individual users or groups, causing the share to be automatically revoked when the date is reached and eliminating the need to manually remove long-lived permissions.
- Custom Attributes in Share Autocomplete— Share Recipient Discovery
- When sharing a resource, the recipient autocomplete now displays administrator-configured custom user attributes alongside the email address, making it easier to identify the correct recipient in organizations with many similarly named users.
- Multi-File Archive Download from Public Links— Public Link Downloads
- Users who receive a public link can select multiple files and download them as a single archive, eliminating the need to download files one by one from shared folders.
- Re-Sharing for Personal and Project Spaces— Share Forwarding
- Users who have received a shared resource with re-sharing permissions can share that resource onward with other users or groups, supporting both personal space shares and project space shares in oCIS.
- Expiration Date for Collaborator Shares— Share Lifecycle
- Users can set an expiration date on individual collaborator shares, automatically revoking access after the specified date without requiring manual follow-up.
- Remaining Time Indicator on Expiring Link Shares— Share Visibility
- Users can see at a glance how much time remains before a shared link expires, displayed as a visual indicator next to the link, enabling timely renewals.
- Pending, Accepted, and Declined Shares Sectioned View— Incoming Shares
- The "Shared with me" view organizes incoming shares into distinct pending, accepted, and declined sections, making it easy for users to act on new shares and review previously declined ones.
- Redesigned File Drop Landing Page— File Drop UX
- The file drop public endpoint now displays branding elements, an explanatory description, and an upload button in addition to drag-and-drop, making it clearer for external users who may not be familiar with ownCloud.
- Member Filter in Share Permissions Panel— Share Management
- Users can search and filter the members list within the share sidebar to quickly find a specific collaborator in resources shared with many people.
- Disable Chat in Collaboration Service— Collaborative Editing
- Administrators can disable the real-time chat feature in the collaboration service via configuration, enforcing communication boundaries or meeting data retention and communication compliance requirements across all collaborative editing sessions.
- Parent Folder Path in Shared-By-Me Response— Sharing API
- The `/graph/v1beta1/me/drive/sharedByMe` endpoint now returns the parent folder name and full path in each response entry, giving API consumers complete context about where each shared resource resides in the directory tree.
- Native Golang WOPI Protocol Server— Collaborative Editing
- oCIS includes a new WOPI server written natively in Go that implements the Microsoft WOPI protocol for integrating online editors such as Collabora and OnlyOffice, replacing legacy compatibility adapters with a purpose-built, maintainable implementation.
- OnlyOffice Form File Type Creation— Collaborative Editing
- Users can create new OnlyOffice form files (`.docxf`) directly from the oCIS web interface, enabling document form design workflows within the integrated OnlyOffice collaborative editor.
- Configurable Chat Disable in OnlyOffice— Collaborative Editing
- Administrators can disable the built-in chat panel in OnlyOffice collaborative editing sessions via the `APP_PROVIDER_WOPI_DISABLE_CHAT` configuration option, enforcing communication boundaries or satisfying data retention compliance requirements.
- Web URL Field in Spaces API Responses— Space Management
- The Spaces API response includes a `webUrl` field pointing directly to the Space root in the web browser, giving client applications a reliable way to offer an "Open in browser" action for Space management without constructing URLs manually.
- Space Description Update via Graph API— Space Management
- Users and administrators can update a Project Space's description field via a PATCH request to the drives API, keeping Space metadata current through the standard API without requiring direct server-side filesystem access.
- Space Metadata Configuration via space.yaml— Space Configuration
- Space administrators can configure a Space's description, readme document, and cover image by uploading a `space.yaml` file to the Space's `.config` directory, providing a declarative file-based approach to managing Space metadata.
- Custom Cover Image for Project Spaces— Space Management
- Users can assign a custom image as the visual icon or cover for a Project Space, improving discoverability in Space listings across web, desktop, and mobile clients.
- Access Restriction for Pending Share Acceptance— Share Lifecycle Management
- Users cannot access or download files from shares that are in a pending state before acceptance, ensuring the pending versus accepted distinction is meaningful and preventing unintentional data access prior to an explicit user acceptance action.
- WebDAV LOCK and UNLOCK Method Support— WebDAV Protocol
- WebDAV clients can issue standard LOCK and UNLOCK requests against oCIS endpoints, enabling file locking workflows used by WebDAV-based editors and collaboration tools that require exclusive file access to prevent conflicting simultaneous edits.
- Expiration Dates for All Share Types— Share Lifecycle Management
- Users can set an expiration date on user shares, group shares, and public link shares, automatically revoking access after the specified date without requiring manual administrator follow-up or monitoring.
Content Collaboration
- Space Creation API— Spaces
- Graph drive endpoints create project spaces with drive type, alias, quota, and metadata, and the same behavior is surfaced in the admin-settings creation flow.
- Space Disable, Restore, and Purge— Spaces
- Project spaces can be disabled, restored, and permanently purged through drive lifecycle endpoints and acceptance-tested management flows.
- Space Creation from Folder Template— Spaces
- Users can create a new project space from an existing folder: the server copies the folder tree (content and metadata) into the new space root. This is a copy-from-source operation rather than a server-defined named template — the source folder is selected by the user at creation time.
- Default Space Images— Spaces
- Space templates and default provisioning can attach a predefined image so new spaces start with a cover asset clients can display immediately.
- Space Special Folder Provisioning— Spaces
- Template processing can register special folders in the space metadata so clients can resolve designated folders without guessing by path.
- Space Membership Assignment— Spaces
- Space access is modeled as permissions on the space root and can be granted to users or groups with role-specific capabilities.
- Space Editor Without Trashbin Role— Spaces
- Two editor roles omit trashbin access. `SpaceEditorWithoutTrashbin` (added v7.2) allows full editing without trashbin access. `SpaceEditorWithoutVersionsWithoutTrashbin` (added v8.0.2) additionally removes access to file version history — designed for contractor access, compliance-constrained spaces, or data-governance contexts where version history must not be exposed.
- Space Permission Lookup API— Spaces
- The GetPermission endpoint exposes the effective permission object for a resource or space membership so clients can render the right controls.
- Internal User Sharing— Sharing
- Drive item invite endpoints create direct shares to individual users for files, folders, and supported space roots.
- Group Sharing— Sharing
- The same invite model supports groups as recipients, producing shared resources that group members can receive or auto-accept depending on deployment settings.
- Federated Recipient Sharing— Sharing
- Invite handling includes OCM/federated sharees when external sharing is enabled, so recipient search is not limited to local identities.
- Share Permission Updates and Revocation— Sharing
- Existing permissions can be updated or removed for role changes, expiry changes, and share deletion without recreating the share.
- Public Link Creation— Link Management
- Graph permission endpoints create anonymous link permissions for files, folders, and supported space roots, with the permission shape determining what anonymous users can do.
- Public Link Password and Expiration Controls— Link Management
- Link creation and update flows can set or change passwords and expirations instead of treating public links as permanent unauthenticated URLs.
- Public Link Quick Links and Signed Downloads— Link Management
- Link metadata supports quick-link style state, and download flows can use signed URLs rather than exposing raw unauthenticated download endpoints.
- Space Participant Management UI— Spaces UX
- Participant management uses space permission data to add members, show assigned roles, and gate available participant actions by the current user's rights.
- Automatic Share Acceptance— Sharing
- frontend can auto-accept received shares asynchronously and set the resulting mountpoint, rather than requiring every share to wait for manual acceptance. The behavior is capability-driven and uses service-account-backed processing.
- Gateway Transfer Secret and Provider Caching— Sharing
- gateway configuration includes transfer secrets and expiry windows for handoffs plus caches for provider lookup and personal-space creation. These settings affect share resolution and service-to-service handoff behavior under load.
- Graph MFA-Gated Unrestricted Drive Listing— Spaces
- unrestricted drive listing is gated behind elevated authentication-level checks, so listing across drives is not treated the same as reading the caller's own drive set. This matters for admin search and cross-space management flows.
- Pluggable User Share Providers— Sharing
- sharing supports user-share providers backed by `json`, `owncloudsql`, `cs3`, and `jsoncs3` (default). Note: `jsoncs3` is the recommended production driver in v8.0.5; a standalone `sql` driver is not documented. The provider abstraction sits underneath the Graph and OCS share surfaces.
- Pluggable Public Share Providers— Link Management
- public-share handling supports `json`, `cs3`, and `jsoncs3` providers. A standalone `sql` driver is not documented in v8.0.5. This separates link semantics from the physical persistence backend.
- Password-Protected Folder Creation— Secure Folders
- the built-in password-protected-folders app adds a `Password Protected Folder` creation flow in Web so users can create folders that require a separate password before access.
- Password-Protected Folder Link-File Backing— Secure Folders
- password-protected folders are backed by hidden `.psec` link files that point to password-protected shares, while the actual content lives in mirrored hidden folders in the creator's personal space.
- Password-Protected Folder Cleanup and Trash Handling— Secure Folders
- deleting a protected-folder link file as the owner removes the backed folder as well, and normal deletion moves both the link file and destination folder into their respective trash bins.
- Frontend Claim-Managed Space Membership Blocking— Spaces
- when claim-managed spaces are enabled, the frontend can block add and remove member actions in Web so UI changes do not conflict with IdP-managed memberships.
- Default Space Quota Configuration— Spaces
- `GRAPH_SPACES_DEFAULT_QUOTA` sets the default storage quota (in bytes) applied to all newly created project spaces. Administrators can pre-configure this so drive creators are not required to specify quota manually.
- WebDAV CS3 Namespace Jailing (ocDAV)— WebDAV Protocol
- Administrators configure separate CS3 namespace prefixes for legacy `/dav/webdav` (`OCDAV_WEBDAV_NAMESPACE`, default `/users/{{.Id.OpaqueId}}`), per-user `/dav/files/{username}` (`OCDAV_FILES_NAMESPACE`), and the Shares virtual folder (`OCDAV_SHARES_NAMESPACE`). Enables multi-tenant namespace isolation and legacy WebDAV client compatibility.
- OCM Federated Share WebDAV Namespace— WebDAV Protocol
- `OCDAV_OCM_NAMESPACE` (default `/public`) defines the WebDAV path prefix under which OCM federated shares are surfaced via the ocDAV service. Introduced v5.0.0; routes cross-instance share traffic to the correct CS3 storage namespace.
- PROPFIND Depth Infinity— WebDAV Protocol
- `OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY` enables unlimited recursive directory traversal via WebDAV PROPFIND requests. Disabled by default to protect against excessive server load; enabling allows desktop sync clients and tools to traverse the full namespace in a single request.
- WebDAV CS3 Path Namespace Customization (WebDAV Service)— WebDAV Protocol
- `WEBDAV_WEBDAV_NAMESPACE` (default `/users/{{.Id.OpaqueId}}`) configures how the WebDAV service maps `/webdav` request forwarding to CS3 storage locations. Go template syntax supports per-user path customization for legacy client compatibility.
- Resharing Support— File Sharing
- Users can reshare received shares with others, configurable via `FRONTEND_ENABLE_RESHARING`. Allows recipients of shared content to grant access to additional collaborators without requiring space membership.
- Server-Managed Space Membership via OIDC Claims— Space Governance
- Space memberships can be managed from OIDC token claims rather than user-driven assignment, enabling centrally-governed space membership synchronized from the identity provider on each login. Introduced v7.2.0.
- Explicit Drive ID Assignment via Graph API— Drive Management
- Space/drive IDs can be explicitly set through the Graph API during drive creation, enabling migration scenarios and external system integrations that require stable, predetermined space IDs. Introduced v7.2.0.
- Download Archive Format Selection— File Operations
- The archiver supports selecting output format (zip or tar) via query parameter when downloading multiple files or folders, giving clients and automations control over the archive format without configuration changes.
- WOPI Extended File Operations— WOPI Protocol
- The collaboration service supports WOPI `PutRelativeFile` (save-as copy), `DeleteFile`, and `RenameFile` operations beyond the baseline get/put. Enables richer document lifecycle management from Collabora, OnlyOffice, and other WOPI editors. Introduced v6.3.0.
- WOPI Collaboration Product Name Override— WOPI Protocol
- `COLLABORATION_APP_NAME` gives the collaboration service a custom product name (e.g., `CoolBox`, `MicrosoftOfficeOnline`). The name is sent to WOPI clients and used to activate editor-specific behavior such as MS Office Online Server lock token handling. Introduced v7.0.0.
- MS Office Online Server Lock Token Compatibility— WOPI Protocol
- Special lock token handling for MS Office Online Server's WOPI locking mechanism is activated when `COLLABORATION_APP_NAME=MicrosoftOfficeOnline`. Ensures document lock semantics are compatible with MOOS's expectations during multi-user editing sessions. Introduced v6.2.0.
- Password-Protected Folder Access— Access Restrictions
- A web extension enables creation of password-protected folders that require a passphrase to browse, enabling secure sharing of folder contents without requiring a user account on the oCIS instance. Introduced v7.1.0 web extensions.
- Create New Documents from WOPI Templates— Document Creation
- Users can create new documents by selecting a predefined WOPI template (e.g., blank .docx, spreadsheet, presentation). The default action on a template file triggers the WOPI app's document-creation capability, pre-filling the new document with template content. Introduced web v11.0.0.
- App View Mode via URL Query Parameter— App Integration
- The `view_mode` query parameter on app URLs specifies whether an app opens in read-only (`view`) or edit (`write`) mode, gated by app and share permissions. Enables external links and embeds to deep-link directly to the correct editing context. Introduced web v11.0.0.
- Share Link Password Complexity Policy— Sharing
- Configurable minimum character counts for total length, lowercase, uppercase, special characters, and digits for share link passwords (Helm: `features.passwordPolicy.*`). Also supports a configurable banned-password list. Complements the per-link brute-force protection.
- Cloud Import from External Cloud Providers— Cloud Integration
- Users can import files directly from external cloud providers (initially OneDrive) into oCIS without manual download-upload cycles. Eliminates friction for users migrating content or working across cloud boundaries. Introduced web v7.1.0.
- OnlyOffice Mobile Browser Rendering Mode— Office Integration
- Enables a mobile-optimised rendering mode for OnlyOffice documents when accessed from a mobile browser, ensuring the editor layout is usable on smartphones and tablets without a native app.
- Camera Access in Embedded App Iframes— Embedded App Security
- Grants camera permissions to embedded external application iframes, enabling in-editor document scanning and camera-based content capture without leaving the oCIS web interface.
- Collabora Insert Graphic and File via PostMessage— WOPI Integration
- The web external app integration handles Collabora UI_InsertGraphic and UI_InsertFile postMessages, allowing users to insert ownCloud-stored files and images into Collabora Office documents directly from the editor.
- Thumbnail Service Bundled in oCIS Binary— Thumbnail Generation
- Users see in-browser image thumbnails because oCIS now bundles the thumbnail generation service in the main binary, eliminating the need to deploy and configure a separate thumbnails service.
- Processing-State Thumbnail Status Code— File Processing
- Clients requesting thumbnails for files that are still being post-processed receive an HTTP 425 Too Early response, allowing them to implement retry logic rather than displaying an error or broken image.
- TIFF and BMP Thumbnail Generation— Thumbnail Generation
- Users can view generated thumbnails for TIFF and BMP image files in the oCIS file browser, as the thumbnails service now processes these formats in addition to common image types.
- Single and Batch Resource Duplication— File Management
- Users can duplicate files and folders individually or in bulk via the context menu or action bar, creating copies in the same location without navigating away.
- Automatic Hiding of Trashed Spaces— Space Management
- Spaces that have been moved to the trash (root.deleted.state = trashed) are no longer shown in the UI, including personal spaces, preventing clutter from deleted spaces in the spaces list.
- Clipboard Paste-to-Upload in File Browser— File Upload
- Users can paste an image or file from their clipboard directly into the ownCloud Web file browser to trigger an upload, matching the intuitive behavior of modern web applications.
- Additional Sorting Options for Spaces View— Space Management
- Users can sort the spaces list by size and last modification date in addition to name, making it easier to find recently active or storage-heavy spaces in large deployments.
- Drag and Drop File and Folder Move— File Operations
- Users can drag files and folders from the file list and drop them into a target folder to move them, providing the familiar desktop-style interaction in the browser.
- Trashbin with Restore and Permanent Delete— Trash Management
- Users can view deleted files in a dedicated trashbin view with the original path, file size, and deletion date, and can restore them or permanently delete them.
- TUS-Based Resumable File Uploads— File Upload
- File uploads use the TUS protocol, enabling large uploads to be paused and resumed after a network interruption, preventing the need to restart long uploads from scratch.
- Folder Upload via New Menu— File Upload
- Users can upload entire folder structures by selecting a folder through the "New" menu, preserving the directory hierarchy during upload into ownCloud Web.
- Upload Conflict Resolution Dialog— File Upload
- When uploading a file that already exists in the destination folder, users are presented with a conflict dialog offering the choice to overwrite the existing file or, when versioning is enabled, to create a new version.
- Server-Enforced Tag Character Limit— Content Tagging
- The maximum number of characters allowed in a resource tag is read from the server capability and enforced in the UI, defaulting to 30 characters, enabling administrators to control tag length policy from the backend.
- Visual Highlight for Spaces Where User Is Space Admin— Space Visibility
- Spaces in which the logged-in user has the space-admin role are visually distinguished in the spaces list, helping users with many spaces quickly identify where they have elevated permissions.
Deployment and Operations
- Helm Replicas and Autoscaling Controls— Helm Deployment
- The chart exposes global and per-service replica, HPA, and PodDisruptionBudget controls so operators can scale services without rewriting manifests.
- Helm Alternative State Backends and External Messaging— Helm Deployment
- Chart values support `redis-sentinel` state backends. `nats-js-kv` as a state backend is available in the v8-era chart only. External NATS with TLS is supported via `messagingSystem.external.*` and `secretRefs.messagingSystemCaRef` in both chart generations.
- Helm Ingress, TLS, and Custom CA Trust— Network and Trust
- Ingress hosts, TLS secrets, classes, and injected CA bundles are first-class chart settings for clusters that use internal PKI or custom trust roots.
- Helm Sharing, Notification, and Branding Controls— Helm Deployment
- Operators can configure share password policies, automatic share acceptance, SMTP delivery, notification summary jobs, and branded mail templates from chart values.
- Helm Web App, External App, and Office Deployment Patterns— App Deployment
- The repo ships concrete deployment patterns for loading extra web apps, wiring external apps, and integrating collaboration service with office suites.
- Helm External User Management, LDAP, and Antivirus Controls— External Identity
- The chart supports external user management with OIDC and writable LDAP mapping and also exposes antivirus backend settings such as ICAP and max scan size.
- Embedded NATS JetStream Event Broker— Messaging
- the embedded NATS service can run with configurable host, port, cluster ID, JetStream storage directory, and TLS certificates. It is the built-in message broker option for event delivery and persistent JetStream streams.
- libvips Thumbnail Generation— Media Processing
- A libvips-based generator is available as an alternative image processor (libvips 8.18.2 in v8.0.5). It is a build-time opt-in via `ENABLE_VIPS` make variable — disabled by default for bare-metal builds but enabled in official Docker images. libvips adds broader format support (HEIC, WebP, TIFF, AI, PDF pages) and better performance at high concurrency.
- Thumbnail Generation Concurrency Limiting— Media Processing
- Thumbnail generation uses a semaphore-style concurrency limiter (`THUMBNAILS_MAX_CONCURRENT_REQUESTS`, default: 0 = unlimited). When the limit is reached, the WebDAV service returns HTTP 429 with a `Retry-After` header. This is an operational safeguard against unbounded parallel image processing, not a rate limiter in the tokens-per-second sense.
- Helm WOPI Secret References— Helm Deployment
- The v8-era Helm chart requires `secretRefs.collaborationWopiSecret` when WOPI integration is enabled. Additional secret references include `secretRefs.globalNotificationsSecretRef` (push notification endpoint secret) and `secretRefs.serviceAccountSecretRef` (service account credential).
- Helm NATS Persistence Configuration— Helm Deployment
- `services.nats.persistence.*` in the Helm chart controls NATS JetStream persistent storage: `storageClassName`, `accessModes`, and `size`. Required for durable event delivery in production Kubernetes deployments where pod restarts would otherwise lose in-flight events.
- Distributed Tracing (Jaeger / OTLP)— Observability
- All oCIS services support pluggable distributed tracing backends — Jaeger or any OTLP-compatible collector — via `OCIS_TRACING_ENABLED`, `OCIS_TRACING_TYPE`, `OCIS_TRACING_ENDPOINT`, and `OCIS_TRACING_COLLECTOR`. Enables full request tracing across microservices for production observability and debugging.
- Per-Service Live Debug Profiling (pprof / zpages)— Observability
- Every oCIS service exposes a debug HTTP server with optional Go pprof profiling (`*_DEBUG_PPROF`) and OpenCensus zpages (`*_DEBUG_ZPAGES`) endpoints, secured by a bearer token (`*_DEBUG_TOKEN`). Enables live performance profiling and in-memory trace inspection in production without redeployment.
- NATS TLS Mutual Authentication— Event Bus Security
- The embedded NATS broker supports TLS with configurable server certificates and optional client certificate verification (`NATS_TLS_CERT`, `NATS_TLS_KEY`, `NATS_EVENTS_ENABLE_TLS`, `NATS_TLS_SKIP_VERIFY_CLIENT_CERT`). Enables encrypted and optionally mutually authenticated event bus communication in multi-node deployments.
- CORS Allow-Origins Configuration— API Security
- `PROXY_CORS_ALLOW_ORIGINS` specifies the list of allowed cross-origin origins for the oCIS API. Supports wildcards. Needed for deployments where the oCIS API is called from external trusted web applications or portals.
- Cron-Based Email Notification Digest Jobs— Scheduled Jobs
- Cron-based jobs aggregate user activity and send digest emails on a configurable daily and weekly schedule (Helm: `notifications.notifications.smtp.dailySummary`, `weeklySummary`). Reduces notification volume for active users; disabled by default.
- Global Notifications Endpoint Secret— Notifications Security
- `NOTIFICATIONS_GLOBAL_NOTIFICATIONS_SECRET` is required to call the global notifications POST/DELETE admin endpoints. Prevents unauthorized use of system-wide notification broadcasting in multi-tenant deployments.
- Pod Disruption Budget— Kubernetes
- Global and per-service PodDisruptionBudget configuration (`podDisruptionBudget.maxUnavailable` in Helm) ensures Kubernetes cluster maintenance operations do not simultaneously evict all pods of a critical oCIS service. Essential for zero-downtime rolling upgrades.
- Pod Affinity and Anti-Affinity Rules— Kubernetes
- Per-service `affinity` blocks supporting `nodeAffinity` (zone pinning) and `podAntiAffinity` (anti-collocation) rules. Enables topology-aware scheduling for high-availability deployments across failure domains.
- Topology Spread Constraints— Kubernetes
- `topologySpreadConstraints` in Helm distributes pods across failure domains (nodes, zones) with configurable maxSkew and `whenUnsatisfiable` behavior. Provides fine-grained distribution control beyond basic affinity rules.
- Kubernetes Priority Classes— Kubernetes
- `priorityClassName` and `jobPriorityClassName` (global and per-service) map oCIS services to Kubernetes PriorityClass objects, enabling resource preemption policies that protect critical services during resource pressure.
- Per-Service Container Image Override— Kubernetes
- Every oCIS service supports independent `image.repository`, `image.tag`, `image.sha`, and `image.pullPolicy` overrides in Helm. Enables canary deployments and pinning specific services to older image versions without redeploying the entire chart.
- Kubernetes Backup Resource Labels— Kubernetes
- `backup.configMapLabels`, `backup.secretLabels`, and `backup.pvcLabels` attach custom labels to Helm-managed ConfigMaps, Secrets, and PVCs. Allows backup tools (Velero, Stash, etc.) to target oCIS resources precisely via label selectors.
- Custom CA Chain Injection— Kubernetes
- `customCAChain.enabled` with `existingConfigMap` mounts an operator-provided CA bundle into all pods at `/etc/ssl/custom`. Enables mTLS or private PKI for S3, SMTP, LDAP, or other external services without rebuilding container images.
- Pod-Level Non-Root Security Context— Kubernetes
- Global `securityContext.runAsUser`, `runAsGroup`, `fsGroup`, and `fsGroupChangePolicy` enforce non-root execution and consistent volume ownership across all oCIS pods. `OnRootMismatch` policy avoids expensive recursive chown on large volumes during pod startup.
- Extra Kubernetes Resource Manifests— Kubernetes
- `extraResources` accepts arbitrary YAML manifests (cert-manager Issuers, NetworkPolicies, ConfigMaps, etc.) templated and deployed as part of the Helm release. Eliminates the need for separate chart orchestration when injecting supporting resources.
- Coordinated Graceful Service Shutdown— Service Reliability
- All oCIS microservices use a shared runner framework to catch termination signals and drain in-progress work — including metadata propagation and activity logging — before exiting. Prevents data loss during rolling restarts, scale-down events, and Kubernetes node drains.
- Storage-Users Graceful Shutdown Timeout— Service Configuration
- `STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT` controls the maximum wait time for the storage-users service to complete in-flight metadata propagation before a forced exit. Allows operators to balance availability against data-safety margins.
- `ocis init` Interactive Bootstrap Command— Initial Setup
- An interactive initialization command generates all required secrets, signing keys, certificates, and a valid configuration file for new oCIS deployments, removing the need to manually configure secrets and reducing setup errors. Introduced v2.0.0.
- NATS JetStream Health Check Endpoints— Monitoring
- Adds HTTP health-check and readiness-probe endpoints to the embedded NATS JetStream event broker, allowing orchestrators and load balancers to monitor message-bus availability independently of application health.
- HTTP Response Compression— Web Server Performance
- Adds gzip and zstd HTTP response compression to the oCIS web server, reducing bandwidth consumption for all web traffic and improving load times for users on metered or constrained connections.
- Layered Theme Auto-Merge at Runtime— Theming
- Processes theme configuration in a three-layer priority chain — built-in defaults, base theme, then branding theme — so administrators can supply only the keys they wish to override, with all other values automatically inherited.
- Bash-Style Env Variable Substitution in YAML— Configuration Management
- Supports ${VAR} and ${VAR:-default} placeholder syntax in any oCIS YAML configuration file, with values resolved from environment variables at startup, enabling a single shared config file to serve multiple environments.
- Runtime Selective Extension Loading— Deployment and Operations
- Administrators can configure which oCIS extensions are loaded at runtime, cherry-picking only the services needed for a given deployment. Unnecessary services do not start, reducing resource consumption and attack surface.
- File-Based Log Output— Deployment and Operations
- oCIS services can be configured to write log output to a file on disk in addition to or instead of stdout. File logging is configurable per service and enables log rotation via external tools.
- OCIS_URL Global URL Environment Variable— Deployment and Operations
- A single `OCIS_URL` environment variable sets the canonical public URL for all oCIS services at once. This simplifies deployment configuration compared to setting the URL separately for each service.
- SMTP Authentication and Encryption Configuration— Deployment and Operations
- The notifications service supports configuring SMTP authentication credentials (username, password) and transport encryption (STARTTLS, TLS) for outbound email delivery. Administrators can integrate with any standard corporate SMTP relay.
- Extendable Policy MIME Type Mapping— Deployment and Operations
- The policies engine MIME type registry can be extended by pointing `POLICIES_ENGINE_MIMES` at a custom `mime.types` file. Administrators add custom application/extension mappings without modifying oCIS source code.
- Configurable Config Directory via OCIS_CONFIG_DIR— Service Configuration
- Administrators can set the OCIS_CONFIG_DIR environment variable to specify a single custom directory for all oCIS configuration files, overriding the default search paths (/etc/ocis, ~/.ocis, .config) for consistent containerized and multi-environment deployments.
- Per-Service Configurable Event Bus Settings— Service Configuration
- Administrators can configure the event system connection parameters (such as the NATS endpoint) independently for each oCIS service, enabling Kubernetes and split-service deployments to connect individual services to a shared or dedicated event bus.
- Docker Compose Example for Decoupled Microservice Deployment— Deployment Examples
- Operators can use the provided Docker Compose example to run oCIS as fully separated microservices (proxy, web, graph, graph-explorer) behind Traefik, demonstrating how to customize per-service configuration for production-grade and Kubernetes-style deployments.
- Consul Service Registry Support— Service Discovery
- Administrators can configure oCIS to use HashiCorp Consul as the service registry (via MICRO_REGISTRY=consul and MICRO_REGISTRY_ADDRESS), enabling native integration with Nomad and other Consul-based infrastructure.
- Storage Permissions Endpoint Variable— Service Configuration
- Administrators can set the STORAGE_PERMISSIONS_ENDPOINT environment variable to specify which permissions service the storage service connects to, enabling flexible routing in distributed deployments.
- Machine Auth Provider Standalone Subcommand— Service Configuration
- Operators can start the machine authentication provider as a standalone process using the ocis storage-auth-machine subcommand, enabling independent deployment and scaling of the machine auth service.
- Docker Image Extended Attribute Debug Tools— Container Tooling
- The oCIS Docker container image now bundles the attr and tree utilities, giving operators tools to inspect storage extended attributes and visualize directory hierarchies directly within a running container for troubleshooting and diagnostics.
- Supervision Tree Single-Process Runtime— Service Runtime Management
- Administrators can run all oCIS services under a single supervised process using a supervision tree that automatically restarts failed extensions, while still retaining the ability to run individual services as standalone unsupervised processes.
- Global OCIS_URL Deployment Variable— Deployment Configuration
- Administrators can configure the base URL for all oCIS services with a single OCIS_URL environment variable, eliminating the need to set service-specific URL environment variables individually and simplifying remote deployments to a single command.
- Per-Service Data Path Configuration— Service Configuration
- Administrators can configure custom data directory paths for each oCIS service via environment variables, with all services defaulting to organized subdirectories under a common base path for clean out-of-the-box deployments.
- Per-Upstream TLS Verification Toggle— Proxy Configuration
- Administrators can disable TLS certificate verification for individual upstream servers defined in the proxy configuration file, enabling deployments that use internal or self-signed certificates without requiring system-wide trust store changes.
- Proxy Signed URL Handling Toggle— Proxy Configuration
- Administrators can disable signed URL processing in the oCIS proxy via a configuration flag, a requirement for ownCloud 10 bridge deployments where the legacy server is responsible for URL signing.
- JSONcs3 Public Share Manager Backend— Service Configuration
- Administrators can configure oCIS to use the JSONcs3 public share manager, storing public share metadata in the object store alongside file data for improved scalability in large deployments.
- JSONcs3 Distributed Share Manager Configuration— Share Management Backend
- Administrators can configure oCIS to use the JSONcs3 share manager, which stores share metadata directly in the object store, supporting more scalable and storage-collocated share management for distributed deployments.
- Standalone Postprocessing Service CLI Command— Service Configuration
- Administrators can start the postprocessing service as an independent component using a dedicated CLI command, enabling flexible microservice deployment architectures where postprocessing is scaled or managed separately.
- Selective Service Exclusion at Startup— Service Configuration
- Administrators can specify services to exclude from the all-in-one oCIS startup using `OCIS_EXCLUDE_RUN_SERVICES`, making it straightforward to substitute a custom build of a single service while running all other services from the standard binary.
- Per-Service Prometheus Request Counters— Observability
- Administrators can monitor request throughput per oCIS gRPC and HTTP service using Prometheus metrics, with labeled counters exposed at the metrics endpoint for each service such as gateway, storage-users, and sharing.
- IDP Auto-Generated Signing Key and Encryption Secret— Identity Provider Configuration
- Administrators benefit from simplified initial setup as the built-in IDP service automatically generates and persists its signing key and encryption secret on first startup, ensuring oCIS can be restarted without invalidating all active user sessions.
- OpenTelemetry Distributed Tracing Support— Distributed Tracing
- Administrators can instrument oCIS deployments with OpenTelemetry-compatible tracing backends, replacing the deprecated OpenCensus and OpenTracing integrations to collect distributed traces across all services using current CNCF standards.
- OCS Cache Warmup Configuration— Service Configuration
- Administrators can configure cache warmup behavior for the OCS service, reducing cold-start latency by pre-populating the cache after service restarts and controlling how namespace conflicts in protobuf registrations are handled.
- Parallel Migration Deployment Stage— Migration Infrastructure
- Administrators can deploy oCIS alongside a running ownCloud 10 instance using a provided Docker Compose configuration implementing stage 6 of the official migration path, allowing both platforms to serve users concurrently during a phased transition.
- Structured YAML Config Override System— Service Configuration
- Administrators can manage oCIS configuration through hierarchical YAML files at both global and per-service levels, providing a consistent and version-controllable alternative to environment variables that is fully supported in supervised-mode deployments.
- Supervisor Fail-Fast Startup Handling— Service Health Management
- When any service fails to start in oCIS supervised mode, the entire supervisor process stops immediately, preventing partially-initialized deployments and making startup failures immediately visible to operators rather than silently degrading.
- Per-Service Config in Supervised Mode— Service Configuration
- Administrators can apply individual service configuration files when restarting a specific service via the oCIS run subcommand in supervised mode, enabling targeted reconfiguration of a single service without modifying or reapplying the global oCIS configuration.
- JSON File Proxy Registry Rules— Proxy Routing Configuration
- Administrators can define proxy routing rules in an external JSON file rather than environment variables, making it straightforward to manage complex routing configurations and version-control routing policies alongside other infrastructure-as-code assets.
- Configurable Runtime Network Binding— Runtime Configuration
- Administrators can set the host address and port for the oCIS runtime listener using OCIS_RUNTIME_HOST and OCIS_RUNTIME_PORT environment variables, enabling custom network binding configurations for containerized and multi-tenant deployments.
- File-Based Log Output Configuration— Log Management
- Administrators can direct all oCIS service logs, or individual service logs, to a specified file using the OCIS_LOG_FILE or per-service LOG_FILE environment variables, supporting integration with log aggregation tools and enabling persistent log storage outside the console.
- Docker Compose EOS Storage Test Setup— Container Deployment
- Administrators can deploy a complete oCIS-on-EOS environment using a dedicated Docker Compose file, enabling testing and development against EOS distributed storage without manual cluster orchestration.
- EOS-Based oCIS Container Docker Images— Container Image Distribution
- Administrators can use purpose-built Docker images based on owncloud/eos-base to deploy oCIS against EOS distributed storage, enabling containerized EOS deployments without custom image assembly.
- ARM and ARM64 Docker Image Builds— Container Image Distribution
- Administrators can deploy oCIS on ARM-based hardware — including edge devices and ARM cloud instances — using official ARM and ARM64 Docker images, broadening the supported deployment platform range.
- External LDAP Server in EOS Docker Compose— LDAP Integration
- Administrators deploying oCIS on EOS via Docker Compose can connect to an external LDAP server for user directory integration, replacing the built-in directory with an enterprise LDAP service in containerized EOS setups.
- Custom pman Process Manager for Services— Runtime Process Management
- oCIS uses a purpose-built process manager (pman) for service orchestration, giving operators independent start and stop control over individual services without relying on third-party process management libraries.
- Per-Service Distributed Tracing from Single Binary— Distributed Tracing
- Administrators can collect distributed traces from individual oCIS services running inside the all-in-one binary, enabling end-to-end request visibility and performance diagnostics with standard tracing backends.
- Dedicated CLI Commands for Reva Storage Services— Storage Service CLI
- Administrators can start and manage individual Reva-based storage services using dedicated oCIS CLI subcommands, providing fine-grained control over storage service startup and configuration.
- Embedded go-micro Runtime Service Orchestration— Runtime Process Management
- oCIS services are orchestrated by an embedded go-micro runtime that allows individual services to be stopped and restarted independently within the single binary, improving operational flexibility compared to goroutine-based management.
- Storage-Users Propagator Configuration— Service Configuration
- Administrators can configure the storage-users propagator, enabling control over how filesystem change notifications are delivered through the storage layer when running as a standalone service.
- Per-Service OCI Container Images— Container Image Distribution
- Each oCIS service is published as its own OCI container image, allowing operators to deploy individual services independently without running the full all-in-one binary.
- Uppy Companion WOPI Deployment Example— WOPI Deployment
- The WOPI deployment example now includes an Uppy Companion microservice, enabling cloud-to-cloud import functionality so users can import files directly from external cloud storage services.
- Enterprise and Community Edition Releases— Product Edition
- oCIS is now distributed as distinct enterprise and community editions, allowing organizations and operators to identify and deploy the appropriate release type for their licensing and support requirements.
- Postprocessing Service Default Store— Service Configuration
- The postprocessing service now ships with a default persistent store configuration including database and table settings, ensuring upload processing state survives service restarts and reduces configuration overhead for new deployments.
- Uppy Companion Upload URL Configuration— Cloud Import Configuration
- Administrators can configure the Uppy Companion microservice URL via WEB_OPTION_UPLOAD_COMPANION_URL, enabling users to import files directly from external cloud storage providers through the web interface.
- Configurable App Provider Service Name— App Provider Configuration
- Administrators can assign a unique service name to each app provider instance via APP_PROVIDER_SERVICE_NAME, enabling multiple app providers (for example, Collabora and OnlyOffice) to run concurrently and be individually addressable.
- Configurable Storage ID Cache— Cache Configuration
- Administrators can configure the storage layer ID cache parameters, enabling tuning of cache size and TTL to optimize performance and memory usage in large-scale deployments.
- Postprocessing Service Persistent Store— Service Configuration
- The postprocessing service now supports a persistent store backend, ensuring that upload processing state is preserved across service restarts and enabling reliable recovery from interruptions during file ingestion workflows.
- Configurable oCIS Edition Identifier— Product Edition
- Administrators can configure the edition identifier for their oCIS deployment, enabling clear differentiation between enterprise and community installations across status endpoints and system reporting.
- Notifications Service Debug Endpoint— Service Debugging
- The notifications service now exposes a dedicated debug and health endpoint, allowing administrators to monitor service health and retrieve diagnostic information for troubleshooting notification delivery issues.
- IDM Service Debug Endpoint— Service Debugging
- The Identity Management service now exposes a dedicated debug and health endpoint, enabling administrators to monitor IDM service health and gather diagnostics as part of standard operational monitoring.
- Unified Cache TTL Configuration— Cache Configuration
- Caching configuration across oCIS services has been unified and cleaned up, with TTL values now correctly applied to the underlying storage layer in seconds, preventing misconfigured cache expiry and improving cache reliability.
- NATS Messaging Service Debug Endpoint— Service Debugging
- The embedded NATS messaging service now exposes a debug endpoint, allowing administrators to monitor event broker health and gather diagnostics for troubleshooting event-driven workflows and notification pipelines.
- Asynchronous File Upload Postprocessing— Upload Processing Pipeline
- Administrators can configure an asynchronous postprocessing pipeline for uploaded files that runs virus scanning, content extraction, and other steps in the background without blocking the upload response to the client.
- OTLP Tracing Exporter Support— Distributed Tracing
- Administrators can configure oCIS to export distributed traces via OpenTelemetry Protocol (OTLP) by setting tracing_exporter=otlp, enabling integration with observability platforms such as SigNoz, Jaeger, and Grafana Tempo.
- Configurable Storage-Users Event Consumers— Service Scaling
- Administrators can configure the number of parallel event consumers in the storage-users service, increasing storage operation throughput for deployments with high concurrency requirements.
- In-Memory Registry for Single-Binary Mode— Service Discovery
- The oCIS all-in-one binary defaults to an in-memory service registry instead of mDNS, avoiding multicast-related networking issues and simplifying deployment in environments where mDNS is restricted or unavailable.
- Global Events Bus Endpoint Configuration— Service Configuration
- Administrators can set OCIS_EVENTS_ENDPOINT and OCIS_EVENTS_CLUSTER as global variables to configure the NATS message bus for all services simultaneously, replacing per-service event configuration variables.
- Configurable DecomposedFS Listing Goroutine Limit— Storage Configuration
- Administrators can set a maximum number of concurrent goroutines used for directory listing in the DecomposedFS storage backend, enabling performance tuning for storage systems with varying I/O concurrency characteristics.
- Optional Admin Bootstrap User for OIDC Deployments— Identity Configuration
- Administrators can deploy oCIS without setting OCIS_ADMIN_USER_ID when using external role assignment mechanisms such as OIDC claims, removing the requirement for a built-in admin account in enterprise identity provider configurations.
- Global Persistent Store Config with Redis Sentinel— Cache Configuration
- Administrators can configure shared OCIS_PERSISTENT_STORE_* environment variables applied consistently to the proxy access-token cache, userlog service, and eventhistory service, including Redis Sentinel support for high-availability cache deployments.
- Configurable Post-Processing Pipeline Steps— Service Configuration
- Administrators can define the list of post-upload processing steps executed by the postprocessing service using the POSTPROCESSING_STEPS environment variable, controlling which workflows such as antivirus scanning or custom processors are applied to incoming content.
- Runtime Theming with Logo and Primary Colors— Instance Branding
- Administrators can apply custom branding to ownCloud Web at runtime via a theme configuration file, setting logos for the login page and topbar, primary and secondary colors, background images, and favicon without recompiling the frontend.
- Backup Consistency Check Exit Code Flag— Backup and Recovery
- Administrators can use the `--fail` flag with `ocis backup consistency` to receive a non-zero exit code when storage inconsistencies are detected, enabling automated backup validation in CI pipelines and monitoring scripts.
- NATS Multi-Tenant Account Authentication— Message Queue Configuration
- Administrators can configure NATS account-based authentication to safely share a single NATS cluster across multiple independent oCIS deployments, reducing infrastructure overhead for multi-tenant Kubernetes environments.
- Built-In NATS for Single-Process Deployments— Service Configuration
- Administrators deploying oCIS as a single all-in-one process can use the bundled NATS service for registry, cache, and event stores without provisioning an external NATS instance, reducing operational complexity for smaller or trial deployments.
- Configurable NATS Event Stream Replicas— Message Queue Configuration
- Administrators can configure the number of NATS stream replicas to achieve high availability for oCIS event messaging, ensuring reliable event delivery in clustered NATS deployments even when individual nodes fail.
- Automatic Expired Upload File Cleanup— Storage Maintenance
- Administrators can configure automatic cleanup of orphaned blobs and metadata from expired incomplete file uploads, preventing storage accumulation from interrupted TUS transfers and reducing unnecessary disk consumption over time.
- Template-Based Webfinger Configuration— Service Configuration
- Administrators managing many oCIS instances in Kubernetes can use template-based webfinger configuration to avoid exceeding the Kubernetes ConfigMap 1 MiB size limit, enabling reliable multi-instance federation configurations at scale.
- Global Decomposedfs Metadata Backend Setting— Service Configuration
- Administrators can use the global `OCIS_DECOMPOSEDFS_METADATA_BACKEND` environment variable to configure the metadata backend for all storage services simultaneously, replacing per-service variable configuration and ensuring consistency across the deployment.
- Storage Write-Freeze for Consistent Backups— Backup and Recovery
- Administrators can trigger a write-freeze across oCIS storage to ensure files and metadata reach a fully consistent state before a backup snapshot is taken, preventing data corruption or missing-file conditions in production backup workflows.
- S3 Incomplete Multipart Upload Cleanup Tool— Storage Maintenance
- Administrators using S3-backed storage can identify and clean up incomplete multipart uploads that accumulate when file transfers are interrupted mid-flight, preventing ongoing cloud storage charges from orphaned upload fragments.
- File-Based OpenTelemetry Trace Exporter— Observability
- Administrators can configure oCIS to write distributed traces to a local file using the OpenTelemetry file exporter, capturing trace data in air-gapped or development environments where a Jaeger collector or cloud trace backend is unavailable.
- Stable Docker Image Tag for Latest Release— Container Image Distribution
- Administrators can reference the `owncloud/ocis:stable` Docker image tag to always pull the most recent stable oCIS release without updating deployment manifests for each version bump, distinguishing stable from development builds.
- Configurable oCIS Configuration Directory— Service Configuration
- Administrators can specify the oCIS configuration directory using the `OCIS_CONFIG_DIR` environment variable, overriding all default path discovery locations and enabling container-friendly or multi-instance configuration layouts.
- Simplified Proxy Config for External IDP— Identity Integration
- Administrators deploying oCIS with an external identity provider can configure the proxy to transparently forward OIDC well-known discovery endpoints, enabling desktop, iOS, and Android clients to locate the IdP without extra DNS entries or reverse proxy rules.
- oCIS Full Configuration Report Command— Admin CLI
- Administrators can generate a complete configuration report showing the active settings and service count for all running oCIS services, simplifying support request submission and troubleshooting of configuration-related deployment issues.
- Total Storage Size Prometheus Metric— Observability
- Administrators can monitor total storage consumption through a dedicated metric exposed on the storage-users service metrics endpoint, enabling Prometheus-based alerting and capacity planning dashboards without manual filesystem inspection.
- Per-Service OCI Images Reduced Memory Footprint— Container Image Distribution
- Each oCIS microservice can be deployed from its own dedicated OCI container image containing only that service's binary, reducing per-pod memory consumption in Kubernetes compared to running the full all-in-one binary for each service instance.
- AuthApp Service Helm Chart Support— Service Configuration
- Administrators can deploy the oCIS authentication app service (auth-app) as a discrete Kubernetes Deployment through the Helm chart, enabling token-based application authentication as an independently scalable component.
- Custom Deployment Annotations Support— Kubernetes Deployment
- Administrators can attach arbitrary Kubernetes annotations to all oCIS Deployment resources via Helm values, enabling integrations such as Stakater Reloader for automatic pod restarts when ConfigMaps change.
- Recreate Deployment Strategy Support— Kubernetes Deployment
- Administrators can select the Kubernetes Recreate deployment strategy for oCIS services via Helm values without disabling JSON schema validation, enabling zero-concurrent-instance updates for stateful services that cannot run as multiple replicas simultaneously.
- Sub-Chart Global Values Schema Support— Helm Chart Configuration
- Administrators can embed oCIS as a Helm sub-chart and pass global configuration values from the parent chart, enabling composite platform deployments where oCIS shares settings with sibling services.
- Helm Values JSON Schema Validation— Helm Chart Configuration
- Administrators benefit from automatic JSON schema validation of oCIS Helm values during chart installation and upgrade, surfacing misconfiguration errors before they propagate to the Kubernetes API and cause runtime failures.
- ClamAV ICAP Antivirus Deployment Example— Antivirus Deployment
- Administrators have a reference Helmfile deployment example for integrating ClamAV as an ICAP antivirus backend with oCIS, enabling file scanning on upload in a Kubernetes-native environment.
- Web App Install via InitContainers— Web App Extension
- Administrators can declare oCIS Web application extensions in Helm values and have them automatically installed via Kubernetes init containers at pod startup, enabling custom web app distribution without building new container images.
- ActivityLog Service Helm Deployment— Service Configuration
- Administrators can enable and configure the oCIS activitylog service through the Helm chart, providing users with per-space file activity history stored durably in a NATS key-value stream.
- Custom CA Chain Injection for Deployments— PKI and TLS Configuration
- Administrators can inject a custom Certificate Authority chain into all oCIS deployment examples via Helm configuration, enabling mutual TLS and internal certificate validation in enterprise PKI environments without modifying container images.
- Collaboration Service Replaces WOPI Server— Office Integration Deployment
- Administrators deploy the dedicated oCIS collaboration service instead of the legacy WOPI server, gaining support for multiple simultaneous office suite backends (Collabora, OnlyOffice) and improved integration with the oCIS postprocessing pipeline.
- Kubernetes Service appProtocol Declaration— Service Mesh Configuration
- Administrators deploying oCIS with a service mesh such as Istio benefit from explicit application protocol declarations on all Kubernetes Services, eliminating ambiguous protocol auto-detection and enabling correct traffic management and mTLS policy enforcement.
- Dynamic OCM JWT Secret Name Configuration— Secret Management
- Administrators can specify a custom Kubernetes secret name for the OCM service JWT secret via Helm values, enabling use of externally managed or sealed secrets instead of the chart-generated default name.
- oCIS 5 S3 Bucket Permission Policy— S3 Object Storage
- Administrators deploying oCIS 5 with S3-compatible object storage receive an updated required bucket permission set in the Helm chart, ensuring the storage backend is correctly authorized for the access patterns introduced in oCIS 5.
- NATS JetStream Service Registry— Service Registry
- Administrators can configure oCIS to use the NATS JetStream service registry for service discovery, consolidating event streaming and service registration onto a single NATS infrastructure already deployed alongside oCIS.
- Conditional Antivirus Service Creation— Service Lifecycle
- The Helm chart creates the antivirus Kubernetes Service only when the antivirus feature is enabled, preventing unnecessary service resources from appearing in installations that do not use antivirus scanning.
- Pod Host Aliases Configuration— Network Configuration
- Administrators can inject custom hostname-to-IP mappings into all oCIS service pods via the Helm chart's hostAliases setting, enabling DNS resolution overrides for Minikube setups, air-gapped clusters, or split-DNS environments.
- Webfinger Service Kubernetes Deployment— Service Deployment
- The oCIS webfinger service is deployable as a dedicated Kubernetes workload through the Helm chart, enabling clients to discover oCIS endpoints via the WebFinger protocol at the .well-known/webfinger path.
- Per-Service Pod Priority Class— Pod Scheduling
- Administrators can assign a Kubernetes PriorityClass to each oCIS service pod individually through Helm values, ensuring critical services such as the proxy or gateway are evicted last under node memory pressure while lower-priority services yield resources first.
- Per-Service Node Selector Scheduling— Pod Scheduling
- Administrators can configure Kubernetes node selector labels per oCIS service through Helm values, constraining each service to run on designated node pools such as storage-optimized or compute-optimized nodes.
- Settings Service Shared Cache Integration— Caching Configuration
- Administrators can configure the oCIS settings service to use the same external shared cache as other services, enabling cache reuse across horizontally scaled replicas and reducing redundant backend reads under load.
- Office Integration Helmfile Deployment Example— Deployment Topology
- A ready-to-use Helmfile deployment example shows operators how to deploy oCIS alongside an office suite such as OnlyOffice or Collabora Online, providing a reference configuration for enabling in-browser document editing at scale in Kubernetes.
- Rook Ceph Storage Deployment Example— Deployment Topology
- A Helmfile deployment example demonstrates how to run oCIS with Rook-Ceph as the underlying block and object storage provider, giving operators a self-contained storage topology without dependency on external NAS or cloud object storage services.
- External NATS Messaging Deployment Example— Deployment Topology
- A Helmfile deployment example shows operators how to deploy oCIS with a separately managed NATS cluster for event streaming, providing a reference production-grade messaging topology that decouples the messaging layer from the oCIS application pods.
- etcd Service Registry Support— Service Registry
- Administrators can configure oCIS to use etcd as the service registry through Helm values, offering an alternative to the Kubernetes-native and NATS registries for environments where etcd is already part of the cluster infrastructure.
- Configurable Maintenance Job Container Image— Container Configuration
- Administrators can specify a custom container image for oCIS maintenance job pods such as thumbnail or upload cleanup CronJobs through Helm values, enabling use of images from private registries without modifying chart templates.
- Redis-Backed Caching Deployment Example— Deployment Topology
- A Helmfile deployment example shows operators how to deploy oCIS with Redis as the shared distributed cache backend, demonstrating the full configuration needed for consistent cache state across horizontally scaled oCIS service replicas.
- Custom PersistentVolumeClaim Name— Persistence Configuration
- Administrators can specify a custom name for PersistentVolumeClaims created by the Helm chart, enabling in-place upgrades from earlier chart versions that used different PVC naming conventions without losing existing persistent storage data.
- Init Container Image Configuration— Container Configuration
- Administrators can configure the container image used for oCIS init containers separately from the main service images through Helm values, enabling use of custom or private registry images for initialization tasks such as volume permission setup.
- Per-Service Kubernetes ServiceAccount Settings— Security Context
- Administrators can configure the Kubernetes ServiceAccount for each oCIS service pod through Helm values, including disabling automatic API token mounting to harden workloads that do not require access to the Kubernetes API server.
- Per-Service Deployment Rollout Strategy— Rollout Strategy
- Administrators can set the Kubernetes deployment update strategy per oCIS service through Helm values, enabling stateful services like NATS or IDM to use the Recreate strategy while stateless services roll out without downtime.
- Per-Service Custom Pod Labels— Kubernetes Metadata
- Administrators can inject arbitrary Kubernetes labels onto each oCIS service's pods and Deployment resources through Helm values, enabling fine-grained integration with label-based network policies, affinity rules, and external monitoring and routing tooling.
- Per-Service Kubernetes Pod Affinity— Pod Scheduling
- Administrators can define Kubernetes pod affinity and anti-affinity rules per oCIS service through Helm values, enabling workload co-location for latency-sensitive service pairs or spreading replicas across failure domains for high availability.
- Per-Service Horizontal Pod Autoscaler— Horizontal Scaling
- Administrators can independently enable and tune horizontal pod autoscaling for each oCIS service through Helm values, setting per-service minimum and maximum replica counts and CPU or memory utilization thresholds without a uniform global policy.
- Automated Thumbnail Cache Cleanup CronJob— Maintenance Automation
- Administrators can enable a Kubernetes CronJob that automatically deletes thumbnail files older than a configurable number of days, preventing unbounded growth of the thumbnail cache on persistent storage volumes.
- External Identity Provider Helmfile Example— Deployment Topology
- A Helmfile deployment example provides operators with a reference configuration for running oCIS integrated with an external identity provider such as Keycloak, covering the full Helm settings needed for externally managed authentication and user directory services.
- Prometheus ServiceMonitor for oCIS— Observability
- Administrators can enable Prometheus ServiceMonitor resources through Helm values, allowing a Prometheus Operator-managed stack to automatically discover and scrape metrics from oCIS service debug endpoints without manual scrape job configuration.
- Postprocessing Service Replica Scaling— Horizontal Scaling
- Administrators can deploy multiple replicas of the oCIS postprocessing service through the Helm chart, enabling parallel processing of post-upload tasks such as virus scanning and format conversion for high-throughput file ingestion environments.
- Distributed Tracing Endpoint Configuration— Observability
- Administrators can configure distributed tracing for all oCIS services by setting the tracing backend endpoint and collector address through Helm values, enabling trace collection in OpenTelemetry-compatible backends for performance analysis and request troubleshooting.
- Automated Trash Bin Cleanup CronJob— Maintenance Automation
- Administrators can enable a Kubernetes CronJob that automatically purges expired items from the oCIS trash bin on a configurable schedule, reclaiming storage space from deleted files that have exceeded the configured retention period.
- Userlog and EventHistory Service Scaling— Horizontal Scaling
- Administrators can configure replicas, horizontal pod autoscaling, and pod disruption budgets for the userlog and eventhistory services independently through Helm values, enabling these notification and audit services to handle increased load in large deployments.
- Pod Disruption Budget Per-Service— High Availability
- Administrators can configure Kubernetes PodDisruptionBudgets globally and override them per oCIS service through Helm values, ensuring a minimum number of replicas remain running during node maintenance, cluster upgrades, or rolling deployments.
- Private Registry Image Pull Secrets— Container Configuration
- Administrators can specify Kubernetes imagePullSecrets in the Helm chart to authenticate against private container registries, supporting air-gapped and enterprise deployments that pull oCIS images from internal or access-controlled registries.
- External NATS Cluster Connection— Messaging Infrastructure
- Administrators can configure oCIS to connect to an externally managed NATS cluster through Helm values, enabling use of existing enterprise messaging infrastructure and independent scaling of the event streaming and service communication layer.
- Per-Service CPU and Memory Limits— Resource Management
- Administrators can configure Kubernetes CPU and memory requests and limits independently for each oCIS service through Helm values, enabling right-sizing of resource allocations for production workloads without enforcing a uniform global constraint.
- External Cache for Gateway and Storage-Users— Caching Configuration
- Administrators can configure the gateway and storage-users services to share an external cache backend through Helm values, preventing stale cache state when these two services run as separate scaled replicas and rely on active cross-instance cache invalidation.
- Topology Spread Constraints for Pods— Pod Scheduling
- Administrators can define Kubernetes TopologySpreadConstraints for oCIS service pods through Helm values, distributing service replicas evenly across availability zones, racks, or nodes to maximize fault tolerance in multi-zone clusters.
- Service Liveness and Readiness Probes— Observability
- Kubernetes liveness and readiness probes are configured for oCIS services, enabling the orchestrator to automatically restart unhealthy pods and temporarily remove them from load balancer rotation during startup delays or degraded states.
- Expired Incomplete Upload Cleanup Job— Maintenance Automation
- Administrators can enable a Kubernetes CronJob that removes expired incomplete file uploads from the storage-users service on a configurable schedule, reclaiming storage space consumed by interrupted or abandoned upload sessions.
- Volume fsGroup Change Policy Configuration— Storage Configuration
- Administrators can configure the Kubernetes fsGroup change policy and enable a chown init container for oCIS pods through Helm values, resolving volume permission issues on storage backends that do not automatically apply fsGroup ownership to mounted directories.
- TLS Certificate Validation Skip Option— TLS Configuration
- Administrators can disable TLS certificate validation for oCIS service-to-service communication through Helm values, enabling deployment in environments with self-signed certificates or internal certificate authorities not trusted by the default certificate store.
- Configurable Pod UID GID fsGroup— Security Context
- Administrators can specify custom UID, GID, and fsGroup values for all oCIS service pods through Helm values, enabling deployment on platforms such as OpenShift that enforce restricted security context constraints with mandatory non-default user ID ranges.
- NATS Messaging Service Helm Deployment— Messaging Infrastructure
- Administrators can deploy a NATS messaging service as part of the oCIS Helm chart installation, providing the event streaming and service communication backbone required for the distributed microservices architecture of oCIS.
Developer Enablement
- SDK Webfinger Discovery and Version Detection— SDK
- The PHP SDK can resolve the service endpoint through Webfinger and inspect the server product version so callers can gate newer API usage.
- SDK Drive Enumeration and Project Space Creation— SDK
- SDK methods enumerate available drives and create project drives with optional quotas instead of forcing callers to assemble raw Graph requests.
- SDK Resource Upload, Folder Creation, and Tagging— SDK
- The SDK wraps common resource operations such as folder creation, file upload, and tag assignment or removal on drive items. Tag assignment uses `OcisResource::setTags()` and `removeTags()`; the drive-level `tagResource`/`untagResource` stubs exist in code but are marked "not yet implemented" as of v8.0.5.
- SDK Share Invites, Public Links, and Received Shares— SDK
- SDK consumers can invite users or groups, create public links, and inspect received shares with remote-item metadata.
- SDK Notification Retrieval and Dismissal— SDK
- The SDK exposes unread notifications and can dismiss them through the notifications OCS endpoint.
- cdPerf Login, Search, and Navigation Scenarios— Performance Validation
- cdPerf ships repeatable k6 workloads for login, filename search, and browsing the file tree to baseline everyday navigation flows.
- cdPerf File, Folder, and Download Workloads— Performance Validation
- The workload library covers folder creation, file upload, rename, delete, and download scenarios rather than only authentication and search.
- cdPerf Space, Share, Tag, and Sync Scenarios— Performance Validation
- Scenario coverage includes creating spaces, creating or removing group shares, tagging resources, and sync-style property access patterns.
- cdPerf LDAP Group Lifecycle and OnlyOffice Edit/Save Scenarios— Performance Validation
- Performance coverage also includes LDAP group create/add-user/delete flows and an OnlyOffice open-change-save scenario for integrated editing under load.
- SDK Project Drive Permission Management— SDK
- the PHP SDK can fetch drive roles, invite users or groups to project drives, update drive permission roles or expirations, and remove drive members through drive-level permission helpers.
- SDK Education Access Token and Education User APIs— SDK
- the PHP SDK supports a separate education access token and can create, list, fetch, and delete education users through education-specific endpoints.
- cdPerf Multi-Cloud Benchmark Coverage— Performance Validation
- cdPerf is designed to benchmark Infinite Scale, ownCloud Core, and Nextcloud with one shared toolbox instead of only a single platform-specific harness.
- cdPerf k6 Test Development Kit— Performance Validation
- the `k6-tdk` package provides the shared development layer used to build new cloud performance scenarios on top of common abstractions and helpers.
- TypeScript web-client for Graph OCS and WebDAV— SDK
- the `@ownclouders/web-client` package wraps Graph, OCS, and WebDAV APIs with typed TypeScript clients and higher-level resource objects.
- web-pkg Components and Composables— SDK
- the `@ownclouders/web-pkg` package provides reusable components and composables for developing ownCloud Web apps and extensions.
- Protobuf-to-Chi HTTP Handler Generation— Code Generation
- `protoc-gen-microweb` generates Chi HTTP and JSON handlers from protobuf services and gRPC HTTP annotations, including service interfaces, marshaling, and error handling.
- Open-File-in-Web API Endpoint (`/app/open-with-web`)— Integration API
- `POST /app/open-with-web` enables external applications to open files directly in ownCloud Web, providing a programmatic bridge for tool integrations that need to hand off a file to the oCIS collaborative editor. Introduced v2.0.0.
- oCIS Web App Developer Skeleton— Developer Tooling
- An official starter scaffold (`web-app-skeleton`) for building custom web apps and extensions for ownCloud Infinite Scale. Includes a local Docker dev stack, build tooling, hot-reload, and README-guided workflow. The canonical on-ramp for third-party oCIS web app development.
- MCP Multi-Step Composite Workflow Tools— MCP Server
- The oCIS MCP server provides 5 composite workflow tools that orchestrate multiple oCIS API calls in a single AI agent invocation: `ocis_upload_and_share`, `ocis_create_project_space`, `ocis_find_and_download`, `ocis_share_with_link`, and `ocis_get_space_overview`.
- MCP Resources and Guided Prompt Templates— MCP Server
- The MCP server exposes 5 read-only resources (capabilities, version, sharing roles, drive types, auth mode) and 4 multi-step prompt templates (onboard-user, migrate-files, audit-space, share-report) providing AI assistants with structured context and guided workflows.
- MCP Destructive Operation Confirmation Gate— MCP Server
- All destructive MCP tools (delete user/group/space/file/share, empty trashbin, reject share) require an explicit `confirm=true` parameter. Tool annotations classify each tool's safety level so MCP clients can gate dangerous operations with user confirmation flows.
- MCP Server Multi-Platform Binary Releases— MCP Server
- MCP server releases pre-built binaries for linux/darwin/windows × amd64/arm64 via GoReleaser with checksums and optional macOS code signing and notarization. Enables installation without Go toolchain in enterprise managed environments.
- Pinia-Based Web Extension State API— State Management
- The Vuex store was fully removed from ownCloud Web and replaced with Pinia stores, providing a modern, type-safe reactive state management API for all third-party app extensions. Introduced web v9.0.0. Essential for all extension developers targeting web v9.0.0+.
- pyocclient OCS Federated Share API— Protocol Integration
- pyocclient exposes OCS federation share types (`OCS_SHARE_TYPE_REMOTE=6`) with `accept_remote_share()` and `decline_remote_share()` methods, enabling cross-server federated sharing workflows from Python automation scripts. Distinct from local user/group sharing operations.
- pyocclient OCS Capabilities Discovery and DAV Version Negotiation— Protocol Integration
- `get_capabilities()` fetches the server's full capability map and uses it to auto-negotiate the DAV endpoint version (v1 vs v2), enabling version-adaptive Python automation against both ownCloud Server and oCIS without hard-coded endpoint paths.
- pyocclient OCS App Lifecycle Management— Protocol Integration
- `get_apps()`, `enable_app()`, and `disable_app()` expose the provisioning API's app management surface, allowing Python automation of app enable/disable state on ownCloud servers — distinct from file operations, sharing, and user/group management.
- pyocclient OCS Private Data / App Attribute Store— Protocol Integration
- `get_attribute()`, `set_attribute()`, and `delete_attribute()` expose the OCS privatedata API for per-app, per-user key-value storage, enabling Python clients to read and write app-specific server-side state without custom database access.
- pyocclient DAV v2 Chunked Upload with Auto-Negotiation— Protocol Integration
- `put_file()` defaults to chunked upload using the `OC-CHUNKED` header protocol with configurable chunk size (default 10 MB) and auto-selects the DAV v2 `/remote.php/dav/files/` endpoint based on server capabilities. Enables reliable large-file uploads from Python.
- pyocclient Public Link Anonymous WebDAV Session— Protocol Integration
- `anon_login()` and `from_public_link()` connect via a public share token without user credentials using `/public.php/webdav`, supporting password-protected public shares. Enables Python automation to read from public ownCloud share links.
- iOS SDK: OCBookmark Multi-Server Identity and Keychain Management— SDK Framework
- `OCBookmark` objects serialize ownCloud server references (URL and credentials) and transparently store and retrieve OAuth2 tokens from the iOS system keychain. Bookmarks are persistable for multi-server storage, carry a live `userDisplayName` updated on every connect, and are the primary unit of account identity in SDK-based apps.
- iOS SDK: Live Query Engine with Observable Change Sets— SDK Framework
- `OCQuery` provides a long-running, observable interface to any directory or file path. Queries accept pluggable `OCQueryFilter` protocol objects for search and perspective filtering, NSComparator-based sorting, and deliver coalesced `OCQueryChangeSet` objects to an `OCQueryDelegate` — enabling animated, incremental UI updates without full re-fetches.
- iOS SDK: OCItem and OCShare First-Class Data Model— SDK Framework
- `OCItem` encapsulates file/folder metadata and sync status. `OCShare` encapsulates all share metadata (link shares, user shares, incoming and outgoing). Both are the primary typed data model objects exposed to host app developers building on the SDK.
- iOS SDK: Server Certificate and Authenticity Delegate Extension Point— SDK Framework
- `OCConnection` notifies a delegate implemented by the host app about server certificate or authenticity issues, giving the host app full control over whether to proceed. This is the primary extension point for MDM-managed certificate pinning and custom trust policy enforcement.
- iOS SDK: Files App FileProvider Extension Support— SDK Framework
- `OCCore+FileProvider` enables integration with Apple's iOS Files app via the FileProvider extension mechanism. Third-party apps built on the SDK can surface ownCloud content natively in iOS Files, making it accessible to all Files-compatible apps on the device.
- iOS SDK: OCVault Isolated Per-Account Local Storage— SDK Framework
- `OCVault` manages all local storage for a bookmark: cached thumbnails, the SQLite metadata database, offline files, and folder structures. Each bookmark has its own isolated vault directory — removing the root directory atomically purges all local data for that account.
- iOS SDK: NSProgress-Based Command Cancellation— SDK Framework
- All file operation commands (copy, move, rename, delete, download, upload, thumbnail retrieval) return an `NSProgress` object. Host apps display real-time progress and can cancel in-flight or queued operations at any point during execution.
- iOS SDK: OIDC Dynamic Client Registration— SDK Framework
- The SDK supports OpenID Connect Dynamic Client Registration, automatically registering a new OAuth2 client with the server on first connect and falling back to a configured `client_id`/`client_secret` if registration fails. Fully configurable via the class settings framework.
- iOS SDK: Webfinger-Based Server URL Discovery— SDK Framework
- The SDK locates the actual oCIS service URL for a user account via a Webfinger lookup (or a static lookup table override), enabling multi-tenant and enterprise SSO deployments where the service URL is not known in advance by the host app.
- iOS SDK: MDM and Branding Class Settings Framework— SDK Framework
- A modular class settings system (`OCClassSetting`) allows all SDK parameters — connection timeouts, scan intervals, authentication policies, certificate rules, localization strings — to be overridden via MDM profile payloads or a `Branding.plist` file without modifying source code. Settings are observable and self-documenting with type metadata.
- iOS SDK: Server-Side Thumbnail Retrieval and Vault Caching— SDK Framework
- The core exposes a `retrieveThumbnails` command that downloads server-generated thumbnails for files and caches them in the per-account vault. Used to populate file browser previews; distinct from the offline file transfer system.
- iOS SDK: Multi-Process Scan Coordinator (App and FileProvider Extension)— SDK Framework
- `OCCore+ItemList` implements a cross-process scan coordinator that synchronizes change detection between the main app process and any active FileProvider extension, prioritizing the foreground app to prevent duplicate server requests when both are running simultaneously.
- iOS SDK: Streaming Infinite-Depth PROPFIND for Account Pre-Population— SDK Framework
- The SDK supports streaming, infinite-depth PROPFIND to pre-populate the full directory tree on first connect, reducing round-trips when initially accessing a large oCIS instance with many nested folders.
- iOS SDK: OAuth2 Token Rotation Race Condition Handling— SDK Framework
- The SDK tracks an `OCAuthenticationDataID` per request and automatically reschedules requests that received a 401 with a stale token using the freshly refreshed token. Prevents auth failures during concurrent background transfers when a token refresh races with in-flight requests.
- iOS SDK: Built-In Host Simulator for Offline Integration Testing— SDK Framework
- An `OCHostSimulator` framework bundled with the SDK provides built-in server simulation scenarios — auth race conditions, action timeouts, maintenance mode — enabling offline integration testing of SDK-based apps without a live oCIS server.
- ocis-php-sdk: Role-Based User and Group Share Invitation— SDK Integration Library
- `OcisResource::invite()` and `Drive::invite()` create user/group shares with named role-based permissions (Viewer, Editor, Manager). The caller queries available roles from the resource or drive first, then invites recipients with an optional expiration date.
- ocis-php-sdk: Public Link Creation and Post-Creation Management— SDK Integration Library
- `OcisResource::createSharingLink()` creates public links with configurable type (view, edit, upload), optional password, optional expiration, and display name. `ShareLink` objects expose `setType()`, `setPassword()`, `setDisplayName()`, and `updateLinkOfPermission()` for modifying links after creation.
- ocis-php-sdk: Outbound and Inbound Share Enumeration— SDK Integration Library
- `Ocis::getSharedByMe()` returns all `ShareCreated` and `ShareLink` objects the current user has created. `Ocis::getSharedWithMe()` returns `ShareReceived` objects for all resources shared with the current user.
- ocis-php-sdk: Share Role and Expiration Mutation— SDK Integration Library
- `ShareCreated::setRole()` and `Drive::setPermissionRole()` update the role of an existing share. `Drive::setPermissionExpiration()` changes or removes the expiration date. `Drive::deletePermission()` revokes a share entirely.
- ocis-php-sdk: Server-Rendered File Preview (Thumbnail)— SDK Integration Library
- `OcisResource::getPreview(int $width, int $height)` fetches a server-rendered preview image at the requested dimensions with aspect-ratio preservation, using the resource's ETag as a cache key for HTTP conditional requests.
- ocis-php-sdk: File Content Retrieval as String or Stream— SDK Integration Library
- `OcisResource::getContent()` returns file content as a string; `OcisResource::getContentStream()` returns a PHP stream resource for memory-efficient reading of large files. `Drive::getFile()` and `Drive::getFileStream()` provide path-level equivalents.
- ocis-php-sdk: Global and Drive-Scoped Resource Search— SDK Integration Library
- `Ocis::searchResource()` sends a WebDAV REPORT request supporting name patterns (`name:*foo*`), media type patterns (`mediatype:*png*`), and free-text patterns. Results are optionally scoped to a specific drive or folder via `$scopeId` and capped by a `$limit` parameter.
- ocis-php-sdk: Resource Retrieval by oCIS File ID— SDK Integration Library
- `Ocis::getResourceById(string $fileId)` performs a WebDAV PROPFIND on `/dav/spaces/<fileId>` to retrieve an `OcisResource` directly by its stable file ID, without requiring knowledge of the drive or file path.
- ocis-php-sdk: Drive Lifecycle Management (Disable, Enable, Delete)— SDK Integration Library
- `Drive::disable()` soft-deletes a project space (prerequisite for hard deletion). `Drive::enable()` restores it. `Drive::delete()` permanently purges it. `Drive::isDisabled()` checks current state. Full space lifecycle management from PHP.
- ocis-php-sdk: Drive Metadata Updates (Name and Description)— SDK Integration Library
- `Drive::setName()` and `Drive::setDescription()` update mutable properties of a project space via the Libre Graph API. `Drive::getQuota()`, `Drive::getWebUrl()`, and `Drive::getWebDavUrl()` expose space metadata and access URLs.
- ocis-php-sdk: Drive Trash-Bin Purge and Resource Deletion— SDK Integration Library
- `Drive::emptyTrashbin()` permanently purges all items in a drive's trash bin via WebDAV DELETE. `Drive::deleteResource()` moves a file or folder to the trash bin. Both are separate operations supporting two-phase deletion.
- ocis-php-sdk: Resource Move and Rename via WebDAV MOVE— SDK Integration Library
- `Drive::moveResource(string $sourcePath, string $destinationPath)` issues a WebDAV MOVE request, handling both rename and cross-folder move operations within a drive in a single method.
- ocis-php-sdk: Group CRUD and Membership Management— SDK Integration Library
- `Ocis::createGroup()`, `getGroups()`, `getGroupById()`, `deleteGroupByID()` provide full group lifecycle. `Group::addUser()`, `removeUser()`, `rename()`, and `delete()` manage group state at the object level.
- ocis-php-sdk: Notification Retrieval and Dismissal— SDK Integration Library
- `Ocis::getNotifications()` fetches all unread notifications for the current user via the OCS notifications endpoint. Each `Notification` exposes app, subject, message, object type/ID, and rich message parameters; individual notifications are dismissible (mark-as-read/delete).
- ocis-php-sdk: oCIS Version Detection for Feature Gating— SDK Integration Library
- `Ocis::getOcisVersion()` parses the semantic version from `/ocs/v1.php/cloud/capabilities`. Used internally to gate SDK features (e.g., drive invitations require oCIS 6.0.0+) and exposed to application code for conditional feature availability.
- ocis-php-sdk: Webfinger Multi-Tenant Service URL Discovery— SDK Integration Library
- When `webfinger: true` is configured, the SDK decodes the OIDC access token's `iss` claim, performs a Webfinger lookup, and resolves the actual oCIS service URL — enabling PHP applications to support multi-tenant deployments where the server URL is not known ahead of time.
- ocis-php-sdk: Education School Management— SDK Integration Library
- `Ocis::getEducationSchools()`, `getEducationSchoolById()`, and `EducationSchool::addUser()` provide school entity listing, retrieval, and user enrollment — distinct from education user CRUD already documented in the library.
- ocis-php-sdk: Scheduled Resource Deletion via Lifecycle Tag— SDK Integration Library
- `OcisResource::setLifecycleDelete(string
- ocis-php-sdk: Resource Favoriting and Server Checksum Metadata— SDK Integration Library
- `OcisResource::isFavorited()` reads the WebDAV `favorite` property. `OcisResource::getCheckSums()` returns the server-provided checksum array (algorithm and value). Both are part of the standard PROPFIND property set fetched on every listing.
- ocis-php-sdk: Private Link Retrieval— SDK Integration Library
- `OcisResource::getPrivatelink()` returns a URL-decoded private link for a resource that any user with correct permissions can use to navigate directly to that item in the oCIS web UI — enabling PHP applications to generate stable deep links to specific files and folders.
- Pluggable Thumbnail Image Processor— Thumbnail Processing
- Operators can register custom image processing pipelines for specific MIME types in the thumbnail service, enabling custom rendering logic beyond the built-in libvips processor.
- Share Permission Creation Timestamp in Graph API— Graph API
- Adds a createdDateTime field to permission objects returned by the Graph API permissions endpoints, giving API consumers and clients visibility into exactly when each sharing permission was granted.
- Get Drive Item by Resource ID Endpoint— Graph API
- Introduces a GET /graph/v1beta1/drives/{driveId}/items/{itemId} endpoint allowing clients to fetch a single drive item directly by its resource ID without enumerating a parent container.
- Graph API Public Link Token Information Endpoint— Graph API
- Adds a Graph API endpoint for retrieving metadata about a public share token, providing a standards-aligned alternative to the existing OCS tokeninfo endpoint for inspecting share link properties.
- Shared-By-Me Endpoint Parent Reference Fields— Graph API
- Adds parentReference.name and parentReference.path fields to items in the sharedByMe Graph API response, giving API consumers the parent folder context of each item the user has shared.
- Photo and Image Metadata DAV Properties— WebDAV Client
- The WebDAV client's default PROPFIND property set includes photo and image metadata fields, allowing extensions and integrations to access image metadata directly from WebDAV responses without additional requests.
- iOS SBOM Auto-Generation for Swift Packages— Build Pipeline
- The iOS app's build pipeline automatically generates a Software Bill of Materials for all Swift package dependencies during CI builds, providing supply chain transparency for enterprise customers and compliance auditors.
- Graph API Sorting for Users and Groups— Graph API
- Developers and administrators can retrieve users and groups from the Graph API in sorted order using OData $orderby, supporting displayName, mail, and onPremisesSamAccountName for users and displayName for groups.
- Single Space Lookup by ID Endpoint— Graph API Endpoints
- A new GET /graph/v1.0/drives/{driveId} endpoint allows clients and integrations to retrieve a single space by its ID without fetching all available drives, enabling efficient space-detail lookups.
- Microsoft Graph API Service for oCIS— Graph API Integration
- Developers and administrators gain access to oCIS user and resource data through a Microsoft Graph-compatible REST API endpoint, enabling integration with tools and client applications that speak the Microsoft Graph protocol.
- Graph API Explorer Web UI— API Developer Tools
- Developers can explore and interactively test the oCIS Graph API through a built-in browser-based explorer, accelerating development and debugging of Graph-compatible integrations.
- Drive Web URL in Graph API Response— Graph API
- Developers can retrieve a direct browser-accessible web URL for each drive via the Graph API drives endpoint, enabling non-browser clients to open a drive in the ownCloud Web interface with a single link.
- On-Demand Drive Root Expansion via Graph API— Graph API
- Developers can append `$expand=root` to the Graph API drives listing request to include root resource details only when needed, reducing unnecessary stat load on storage when listing drives at scale.
- Expand User Group Memberships via Graph API— Graph API
- Developers can retrieve a user's full group membership list in a single call by appending `$expand=memberOf` to the `/me` or user Graph API endpoint, reducing the number of round-trips needed to build user context.
- Open-With-Web App Provider Endpoint— App Provider API
- Non-browser clients and native desktop or mobile apps can open documents in collaborative web applications by calling the new `/app/open-with-web` endpoint, which returns a Web URL that launches the editing session in the browser.
- Personal Drive Expansion on Graph API User Endpoint— Graph API
- Developers can retrieve a user's personal drive details alongside user profile data in a single API call by appending `$expand=drive` to the Graph API user endpoint, including quota, WebDAV URL, and drive metadata.
- Users and Groups Member Relationships in Graph API— Graph API
- Developers can retrieve full group membership relationships from the Graph API in a single request, with `/users` endpoints returning a user's `memberOf` groups and `/groups` endpoints returning their `members` list.
- Spaces API Updated Reference Types— Space Management API
- Clients and developers interacting with the Spaces API receive file and folder references using an updated, consistent reference type that enables more reliable and extensible addressing of resources across different storage backends.
- Personal Drives Graph API Endpoint— Space Management API
- Clients and developers can enumerate a user's available storage drives via the /me/drives Graph-compatible API endpoint, providing a standardized interface to discover personal and shared storage spaces assigned to an account.
- OIDC CLI Login for Bearer Token Retrieval— CLI Authentication
- Developers and administrators can obtain an OAuth2 bearer token from the command line using the oCIS OIDC login command, enabling authenticated API calls via tools like curl without a browser-based authentication flow.
- Lightweight oCIS Binary for Extension Development— Development Build
- Developers can build a minimal oCIS binary with a focused subset of core services using `TAGS=simple make build`, reducing setup overhead when developing and testing custom extensions against the platform.
- Graph API Explorer Integrated into oCIS— API Exploration Tools
- Developers and administrators can browse and interact with the oCIS Microsoft Graph-compatible API using the built-in Graph Explorer UI, enabling API discovery and live testing without external tooling.
- Auto-Generated Configuration Reference Documentation— Configuration Documentation
- Developers and administrators can generate up-to-date configuration reference documentation for all oCIS services using `make config-docs-build`, keeping documentation synchronized with actual CLI flags and environment variables.
- X-Request-ID on All API Responses— Request Tracing
- All oCIS API responses now include an X-Request-ID header, enabling developers and support teams to correlate client requests with server-side log entries for easier troubleshooting and incident analysis.
- Full-Text Search Capability Advertisement— Search API
- The oCIS capabilities API now reports whether full-text search is available in the deployment, allowing web and sync clients to conditionally display full-text search controls only when the feature is supported.
- Graph API User Capability Discovery— Graph API
- The Graph API now exposes user capability information, allowing clients to query which operations a user is authorized to perform and adapt the user interface to show only available actions.
- OData OR Filter for Multi-Group User Queries— Graph API
- Developers can combine Graph API /users filters using logical OR to retrieve all users who are members of any of several specified groups in a single API request, enabling efficient multi-group user lookups for provisioning and reporting integrations.
- OData Filter for App Role Assignments on Users— Graph API
- Developers can filter Graph API /users queries by app role assignment ID to retrieve all users holding a specific oCIS role, and combine this with group membership filters for complex provisioning queries compatible with the OData specification.
- HTTP Endpoint for User Permission Listing— Settings API
- A new HTTP endpoint exposes the complete list of permission names assigned to a specific user account, enabling integrations and UI components to make permission-aware decisions without parsing role and bundle definitions.
- Personal Drive Retrieval via Graph API— Graph API
- Developers and administrators can retrieve a user's personal drive details including quota usage, drive type, owner, and last modification timestamp using GET /graph/v1.0/me/drive or /graph/v1.0/users/{userid}/drive.
- OData Group Membership Filter for User Listing— Graph API
- Developers can use OData $filter syntax on the Graph API /users endpoint to retrieve only users who belong to a specified group, enabling efficient group-scoped user lookups in directory management and provisioning integrations.
- Custom File Extension Handler for App Developers— Application Extension Points
- App developers can define a customHandler property on file extension registrations to implement completely custom open/create flows instead of the default editor routing, enabling specialized integrations for specific file types.
- Quick Actions Extension Point with File-Type Filtering— Application Extension Points
- App developers can register custom quick actions that appear inline in the file list, with optional file extension or MIME type filters to restrict the action to relevant file types.
- Pluggable File Viewer and Editor App Framework— Application Extension Points
- Developers can register custom file viewer and editor applications that integrate with the ownCloud Web file action system, allowing third-party apps to open specific file types in dedicated editing or preview experiences.
- Graph v1 Beta Drive CRUD Endpoints— Graph API
- Developers can use Graph v1 beta API endpoints to create, retrieve, and update individual drives, gaining access to proper role IDs and richer metadata that the older listing-only endpoints do not provide.
- Machine-Readable Error Codes in DAV Responses— WebDAV Protocol
- WebDAV error responses now include structured error codes alongside human-readable messages, enabling client applications to programmatically distinguish and respond to specific server-side error conditions rather than parsing message strings.
- Drive Item Lookup by Identifier Endpoint— Graph API
- Developers and clients can fetch a specific DriveItem directly by its ID via `GET /v1beta1/drives/{driveid}/items/{itemid}`, eliminating the expensive list-all-shares-and-filter-client-side workaround previously required for share management.
- Read-Only User Management Capability Flag— Capabilities API
- oCIS exposes whether the identity backend supports user mutations via the capabilities API (e.g., `usersMutatable: false`), allowing client applications to automatically disable user-editing UI controls when the backend is read-only.
- Prefer-Minimal Response for API Mutations— Graph API
- Developers can include the `Prefer: return=minimal` header on create and update API operations to receive an empty response body instead of the full resource representation, reducing bandwidth overhead for high-throughput or resource-constrained integrations.
- Dynamic Sharing Roles Discovery Endpoint— Sharing API
- Clients can query a dedicated API endpoint to retrieve the current set of available sharing roles and their associated permissions, eliminating the need to hardcode role definitions in client applications and enabling future role changes to propagate automatically.
- Role Field Exposure on Graph Users Endpoint— Graph API
- Developers can retrieve each user's assigned role directly from the Graph API `/users` endpoint response, enabling clients to render role-specific UI without making additional separate requests to the roles API.
- Dedicated StorageId Property in PROPFIND— WebDAV Protocol
- WebDAV PROPFIND responses include a dedicated `storageId` DAV property for all resource types including trashbin entries, allowing clients to reliably extract the storage identifier without parsing it out of composite file ID strings.
- Ordered Drive Listing via Graph API— Graph API
- Clients can request drive listings sorted by name in ascending or descending order via the `listMyDrives` Graph API endpoint, enabling predictable and consistent Space display ordering in client applications without client-side sorting.
- App Provider Feature Capability Announcement— Capabilities API
- oCIS advertises app provider support via the capabilities API, allowing clients to conditionally enable the "Open in application" workflow and fetch the application list only when the server confirms the feature is configured and available.
- Education Class Lookup by External ID— Graph API
- Administrators and integrators can perform PATCH, GET, and DELETE operations on education classes using their `externalId` attribute as an alternative unique identifier, enabling management by externally assigned identifiers rather than oCIS-generated internal UUIDs.
Extensibility and Integration
- Extension Registry and Disabled-Extension Filtering— Extensions
- Web maintains a runtime extension registry and can filter configured disabled extensions before menus, actions, or components are resolved.
- App Menu, Default Action, and Custom Component Extension Points— Extensions
- Shipped extension points cover app menu entries, default file actions, and custom component injection so extensions can change navigation, opening behavior, and runtime chrome.
- Draw.io Editing Extension— Editors
- The draw.io package adds a pluggable diagram editor for creating and editing `.draw` files directly in ownCloud Web. Note: `.vsdx` import is not a documented feature of this extension (the upstream draw.io tool supports it, but the ownCloud extension does not expose it).
- External Sites Navigation Extension— Navigation
- Configured external sites become app entries that can open embedded or external destinations inside the web shell.
- JSON Viewer File Handler— File Handlers
- The JSON viewer registers itself as the default handler for `.json` files and opens them through an app route instead of download-only handling.
- Importer Cloud Import Action— Cloud Import
- The importer extension opens an Uppy-based modal for importing files from OneDrive, Google Drive, and ownCloud 10 instances when the deployment exposes an Uppy Companion service. Note: the source is ownCloud 10 (not generic WebDAV public-link).
- Cast File Action— Device Integration
- The cast extension adds a default and context action that loads the selected non-folder resource into a Google Cast session.
- Progress Bar Preference Extension— Extensions
- The progress-bars package contributes a user-selectable custom component for the global progress bar, including the shipped Nyan Cat variant.
- Moodle OAuth2 Repository Provisioning— Moodle Integration
- The Moodle plugin provisions its repository instance and OAuth2 service integration so Moodle can authenticate against oCIS instead of storing a static password in the picker flow.
- Moodle Personal, Shares, and Project Drive Browsing— Moodle Integration
- The repository browser can list configurable personal, shared, and project drive classes and navigate them by encoded drive-and-path references.
- Moodle Drive Visibility, Icon Customization, and Upload Limit Enforcement— Moodle Integration
- Admins can hide drive classes, override drive icons, skip disabled drives, and the plugin enforces Moodle upload-size limits when importing selected files.
- App Registry MIME-to-App Resolution— App Registry
- app-registry maps MIME types to application metadata including extension, name, description, icon, and default application. Clients and middleware can resolve which app should open a file type without duplicating the mapping in every consumer.
- App Registry File Creation Eligibility— App Registry
- registry entries also declare whether creation is allowed for a MIME type, which separates "can open" from "can create new" for integrated editors. This matters for editor integrations that can view many types but only create a subset.
- OCS Signing Key Endpoint— OCS API
- OCS exposes `/v1.php` and `/v2.php` signing-key routes that return the current user's signing key material from a store-backed service. This is a dedicated API surface rather than a side effect of the general settings API.
- OCS Format Negotiation— OCS API
- OCS middleware switches response serialization between JSON and XML based on the `format` query parameter and Accept handling. That keeps legacy OCS client behavior compatible without duplicating handlers per format.
- Custom App Asset Mounting— App Delivery
- the web service mounts custom app assets under `/assets/apps` and merges configured external apps into the runtime config. This is the server-side delivery path for optional web apps and branded add-ons.
- Web Manifest and Config Merge for Custom Apps— App Delivery
- custom web apps can be loaded from `WEB_ASSET_APPS_PATH` with `manifest.json`, optional `config.json`, and `apps.yaml` overrides, with local config taking precedence and apps also supporting a `disabled` flag.
- App Registry Available Apps Listing API— Editors
- the app-registry `/app/list` endpoint returns registered MIME types, app providers, icons, default applications, and creation flags so clients can build open-with and new-file menus dynamically.
- App Registry Browser Session Opening— Editors
- the `/app/open-with-web` endpoint returns a browser URI for opening a file in the selected app while letting ownCloud Web handle login or session establishment if needed.
- App Registry Direct App Provider Opening— Editors
- the `/app/open` endpoint opens a file with the selected app provider for bearer, basic, REVA-token, or public-link authenticated contexts.
- Web App Store UI— App Delivery
- the web `app-store` extension lets users browse and download additional apps and extensions directly from the web interface.
- Web App Skeleton Development Scaffold— Extensions
- `web-app-skeleton` provides a starter repo with Docker-based local development, watch builds, unit-test setup, and production build output for new Web apps or extensions.
- Awesome oCIS App Catalog— Ecosystem
- `awesome-ocis` curates apps, editors, file actions, sidebar panels, and community extensions available for oCIS deployments.
- Web App Store Repository Metadata and Asset Conventions— App Delivery
- the `awesome-ocis` web app store repo defines `apps.json` metadata, cover and screenshot asset layout, and downloadable `.zip` plus root `manifest.json` requirements for distributable web apps.
- Moodle Webfinger Server Discovery— Moodle Integration
- the Moodle repository can use a `webfinger_endpoint` to discover the user-assigned oCIS server instead of hardcoding a single service base URL.
- AI Document Summary Extension— AI Extensions
- `web-app-ai-doc-summary` adds a sidebar action that generates an AI summary of the selected document. Backed by the shared `ai-llm-proxy` service which routes requests to the configured LLM endpoint.
- AI Data Insights Sidebar Extension— AI Extensions
- `web-app-ai-data-insights-sidebar` adds a sidebar panel with AI-generated data insights for structured files. Part of the ownCloud AI extension suite backed by `ai-llm-proxy`.
- AI Folder Brief Sidebar Extension— AI Extensions
- `web-app-ai-folder-brief-sidebar` adds a sidebar panel that generates an AI-produced brief describing the contents of a folder. Backed by `ai-llm-proxy`.
- AI Image Alt-Text Sidebar Extension— AI Extensions
- `web-app-ai-image-alt-text-sidebar` adds a sidebar action that generates an accessibility-oriented alt-text description for the selected image file. Backed by `ai-llm-proxy`.
- AI Sensitive Data Scanner Extension— AI Extensions
- `web-app-ai-sensitive-data-scanner` adds a file action that scans the selected document for sensitive data patterns using an AI model. Backed by `ai-llm-proxy`.
- AI LLM Proxy Service— AI Extensions
- `ai-llm-proxy` is a shared backend service that routes requests from all ownCloud AI web extensions to the configured LLM endpoint. Centralizing LLM access through a proxy allows credential management, rate limiting, and endpoint switching without reconfiguring individual extension packages.
- Chat with File AI Extension— AI Extensions
- `web-app-chat-with-file` adds a sidebar panel that enables conversational interaction with the contents of the selected file using an AI model. Backed by `ai-llm-proxy`.
- File Comments Extension— Extensions
- `web-app-file-comments` adds a file-level comments panel, enabling users to annotate files with threaded comments visible to others with access to the resource.
- Group Management UI Extension— Extensions
- `web-app-group-management` adds a dedicated group management interface to ownCloud Web, providing group listing, creation, and membership management outside the admin-settings surface.
- Version Changelog Viewer Extension— Extensions
- `web-app-version-changelog` adds a UI panel that displays the oCIS server version changelog, helping administrators and power users track what changed in the current deployment.
- Graph API Unified-Role Endpoint Alias— Graph API
- A Graph API endpoint alias exposes drive permissions using the unified role model instead of CS3 legacy permission bitmasks. API consumers targeting this alias receive consistent role representations without translation from CS3, simplifying integration for third-party developers. Introduced v8.0.0.
- Embed Mode Share-Links Event with Passwords— Embed API
- Web embed mode emits `owncloud-embed:share-links` (web v12.2.0+), an array of `{url, password}` objects for all selected share links. Host applications embedding oCIS receive both the link and its password programmatically. Supersedes the deprecated `owncloud-embed:share` event.
- Excalidraw File Icon— File Type Recognition
- The web UI displays the Excalidraw logo icon for `.excalidraw` files (web v12.2.0). Provides visual recognition for Excalidraw diagrams alongside the existing draw.io integration.
- Visio File Icons— File Type Recognition
- The web UI recognizes nine Microsoft Visio extensions (`.vsd`, `.vsdm`, `.vsdx`, `.vss`, `.vssm`, `.vssx`, `.vst`, `.vstm`, `.vstx`) and displays a Visio-specific icon. Improves visual recognition of Visio files; native editing is not provided by oCIS. Introduced web v12.2.0.
- Dynamic Theme-Color Meta Tag— Theming
- The web shell dynamically updates the `<meta name="theme-color">` tag from the active oCIS theme's brand color (web v12.3.0). Safari's tab bar and PWA chrome adapt automatically to custom themes without hardcoded color values.
- Per-App Local Configuration Override— App Lifecycle
- Each web application can have a local configuration file that overrides the global `apps.yaml` configuration, with priority order: local.config > global.config > manifest.config. Applications can also be individually disabled via config. Introduced v6.3.0.
- Named Extension Points Framework— Extension API
- A formal extension point system allows third-party apps to register capabilities into named integration slots — context menus, batch actions, header center, search providers, sidebar panels, app menu items — with per-user preference storage for multi-extension conflicts. Introduced web v9.0.0.
- Custom Component Extension Type— Extension API
- A `customComponent` extension type allows third-party apps to render arbitrary Vue components into named extension point render targets in the shell (e.g., the header bar center position). Enables fully custom UI embedding without fork. Introduced web v9.0.0.
- Search Provider Extension Point— Extension API
- Third-party apps can register additional search providers via the `app.search.provider` extension point, feeding results directly into the global search bar alongside server-side results. Introduced web v9.0.0.
- Multiple Sidebar Root Panels— Extension API
- The right sidebar supports rendering multiple root panels simultaneously for files that have multiple applicable panels (e.g., DICOM + sharing), separated by dividers. Enables richer contextual information without UI conflict. Introduced web v9.0.0.
- New File Creation via App Provider— App Integration
- Users can create new files of registered WOPI types directly in the web UI (e.g., "New Document", "New Spreadsheet") using the app provider's create-file capability. Registered via the app-registry MIME type config. Introduced web v5.0.0.
- Unzip Web Extension— Web Extensions
- Extracts ZIP archives directly in the oCIS web UI without downloading the archive first. Official extension in `owncloud/web-extensions`, released as `unzip v0.5.0`.
- JSON Viewer Web Extension— Web Extensions
- Renders JSON files in a formatted, syntax-highlighted, collapsible tree view inside the web UI. Official extension in `owncloud/web-extensions`, released as `json-viewer v0.4.1`.
- Transfer Progress Bars Web Extension— Web Extensions
- Displays visual upload/download/operation progress bars in real time within the web UI. Official extension in `owncloud/web-extensions`, released as `progress-bars v0.4.1`.
- External Sites Web Extension— Web Extensions
- Adds configurable external website links as navigation items in the oCIS sidebar, allowing admins to surface third-party portals or internal tools inside the oCIS interface. Official extension in `owncloud/web-extensions`, released as `external-sites v0.4.1`.
- Cast to Chromecast Web Extension— Web Extensions
- Casts/streams media files stored in oCIS to Chromecast and compatible devices directly from the web UI without downloading first. Official extension in `owncloud/web-extensions`, released as `cast v0.4.1`.
- In-App Extension Store— App Store
- A web extension providing an in-app marketplace/store interface for browsing and installing available web extensions without leaving the oCIS interface. Introduced web v6.3.0.
- WebDAV Client Extra Property Registration— WebDAV Client API
- A `registerExtraProp` API function in the web-pkg WebDAV client allows developers to declaratively register additional WebDAV properties that are fetched and exposed in PROPFIND responses for custom app integrations.
- Multi-WOPI-Provider Simultaneous Deployment— WOPI Integration
- Enables running Collabora, OnlyOffice, and Microsoft 365 WOPI apps side by side on a single oCIS instance, with each provider receiving only the CheckFileInfo properties it understands, preventing cross-provider conflicts.
- Embed Mode File Picker Save As Dialog— Embed Mode
- The Save As and Export dialogs in embed mode listen for incoming postMessage events from the host page, enabling host applications to programmatically trigger file save and location selection via the postMessage API.
- iOS CSS-Based App Theming System— Theming
- The iOS app supports a CSS-based theming system that allows organisations to customise colours, fonts, and visual styling to match their brand identity, applied via MDM configuration without rebuilding the app.
- iOS Post-Build Branding via URL Scheme Override— Theming
- The app's URL scheme and branding assets can be overridden after build time via a configuration file, enabling OEM partners and resellers to rebrand the iOS app without modifying source code.
- App Template Conversion Capability Advertisement— App Registry and WOPI
- The app provider registry exposes which MIME types each application supports for template-based document creation, enabling clients to show a correctly filtered list of templates when users create new files from templates.
- GeoGebra File Type Support (GGP and GGS)— App Registry and WOPI
- oCIS recognizes GeoGebra pinboard (`.ggp`) and GeoGebra suite (`.ggs`) MIME types in the app registry, enabling organizations that use GeoGebra in education or STEM workflows to open and create these files directly in oCIS.
- ONLYOFFICE DOCXF Form Template Support— App Registry and WOPI
- The `.docxf` ONLYOFFICE form template MIME type is registered in the app registry, allowing users to create and open fillable form templates through the ONLYOFFICE integration without file type errors.
- App Provider and App Registry— Extensibility and Integration
- oCIS includes a built-in app provider service and app registry. Administrators can register external WOPI-compatible applications (such as Collabora or OnlyOffice) that users can open directly from the file manager.
- Webfinger Discovery Service— Extensibility and Integration
- oCIS provides a dedicated Webfinger service that allows clients to discover the correct service endpoints for a given user or domain. This enables multi-instance deployments and third-party integrations to locate the right oCIS instance automatically.
- WOPI Collaboration Chat Toggle— Extensibility and Integration
- The collaboration service exposes a configuration option to disable the in-editor chat panel for WOPI-based editors (Collabora, OnlyOffice). Administrators can enforce a no-chat policy for regulated environments.
- Draw.io Visio File Import— Diagram Editing
- Files with the `.vsdx` extension (Visio format) open automatically inside the Draw.io editor, allowing you to view and edit Visio diagrams without a separate Visio license or download.
- Draw.io Self-Hosted Endpoint Configuration— Diagram Editing
- Administrators can point the Draw.io extension at a privately hosted diagrams.net instance by setting a custom `url` in the app config, keeping diagram data entirely within the organization's infrastructure.
- Draw.io Editor Theme Selection— Diagram Editing
- The Draw.io app theme (e.g. `minimal`) is configurable by the administrator, allowing the editor appearance to match the organization branding or user preference.
- Importer Dark Theme Support— Cloud Import
- The file import modal respects the active ownCloud Web theme: when dark mode is enabled the Uppy dashboard renders in its dark variant, maintaining visual consistency during cloud import sessions.
- Importer Google Drive Source— Cloud Import
- The Importer extension supports Google Drive as an import source, letting users transfer files directly from their Google account into oCIS without downloading and re-uploading.
- Importer OneDrive Source— Cloud Import
- The Importer extension supports Microsoft OneDrive as an import source, letting users transfer files directly from their Microsoft account into oCIS without downloading and re-uploading.
- Importer WebDAV Public Link Source— Cloud Import
- The Importer extension supports WebDAV public links from ownCloud 10, oCIS, and Nextcloud as import sources, allowing migration of shared content directly into the destination folder.
- AI LLM Proxy Per-User Rate Limiting— AI Extensions
- The AI LLM proxy sidecar enforces a configurable maximum number of LLM requests per authenticated user per rolling minute, preventing individual users from exhausting the LLM quota for the entire organization.
- AI LLM Proxy Model Override Lock— AI Extensions
- Administrators can configure the proxy to override the model field in every incoming request with a server-side value, ensuring all AI extension traffic uses only the provisioned model regardless of what individual extensions request.
- App Provider New File URL Capability— App Provider
- The OCS capabilities response now advertises the app provider's new-file creation URL, allowing clients to discover and expose to users the ability to create new files directly in integrated online editors.
- MIME Type File Creation Permission Control— App Provider
- Administrators can set an allow_creation flag per MIME type in the app provider configuration, controlling whether users are permitted to create new files of that type through integrated online editors.
- App Registry Static Driver Configuration— App Registry
- Administrators can configure the app registry with a static driver using declarative settings, enabling defined app-to-file-type associations without requiring a dynamic app provider registration service.
- Configurable MIME Type App Allow List— App Provider
- Administrators can define which MIME types are advertised on the /app/list endpoint and configure per-type metadata (labels, icons, default application) through a configuration file, giving full control over which file types are offered for online editing.
- OnlyOffice Document Editor Extension— Document Editing
- Users can open and edit documents stored in oCIS using an OnlyOffice Docs server, with the editor launched directly from the oCIS web interface in a new browser tab for a seamless document editing experience.
- Custom Application Entries in Web App Switcher— Web UI Configuration
- Administrators can add custom applications to the Web UI app switcher via the `web.yaml` configuration, specifying icon, URL, link target, and multilingual titles for each entry.
- App Provider Registry Service— Collaborative Editing Integration
- Administrators can deploy an app provider service that connects oCIS to WOPI-compatible document editors such as OnlyOffice or Collabora, enabling users to open and collaboratively edit documents directly in browser-based applications via the OpenInApp action.
- Web Application Suite Configurable via CLI Flag— Web App Configuration
- Administrators can specify which applications appear in oCIS Web by passing a comma-separated list to the `--web-config-apps` CLI flag, enabling per-deployment customization of the application suite without editing config files.
- Custom Scripts and Styles Web Injection— Web UI Customization
- Administrators can inject custom JavaScript and CSS into the oCIS web interface via server-side configuration, enabling white-labeling, third-party integrations, or UI enhancements without modifying core application code.
- Custom CSS Scripts and Translation Overrides— Web UI Customization
- Administrators can configure the web service to load additional CSS stylesheets, inject custom JavaScript files, and override specific UI translation strings through environment variables or config files, enabling branded white-label deployments without code changes.
- Settings Bundles Loaded from JSON Config Files— Settings Management
- Administrators can define and load custom settings bundles from external JSON configuration files, enabling deployment-specific settings extensions that survive service restarts without requiring a custom oCIS build.
- Camera Access Permission for External App iframes— External Application Embedding
- External applications embedded in ownCloud Web via iframe can now request camera access, enabling browser-based document scanning, video conferencing, and other camera-dependent workflows within integrated apps.
- Authentication Delegation in Embed Mode— Embed Mode
- When ownCloud Web is embedded in a parent application via embed mode, authentication and token refresh can be delegated to the parent application, enabling seamless SSO integration without duplicate authentication flows.
- External Sites as App Switcher Entries— Embedded External Content
- Administrators can configure external websites to appear as entries in the ownCloud Web app switcher, opening them in an embedded frame within the interface, replicating the external sites feature from ownCloud 10.
- Custom JavaScript and HTML Injection at Runtime— Runtime Customization
- Administrators can inject custom JavaScript snippets and HTML fragments into ownCloud Web at runtime without recompiling the source, enabling use cases such as analytics tracking, user feedback widgets, or custom UI extensions.
- Unified Multi-Client Theming Endpoint— Theming API
- All oCIS clients—web, desktop, mobile, and third-party—can retrieve consistent branding and theming information from a single official theming API endpoint, enabling coordinated brand-consistent experiences across all client platforms.
- OnlyOffice Form Document Creation— Office Integration
- Administrators can allow users to create OnlyOffice form documents (.docxf) directly from the oCIS web interface by adding the file type to the permitted creation list in Helm values.
- oCIS Web Embed Mode Configuration— Web Embed Integration
- Administrators can enable and configure oCIS Web's embed mode through Helm values, specifying whether embedding is active, the embed target type, and the allowed message origin URLs so the web interface runs as an embedded component within a parent application.
- WOPI Folder URI Path Template Setting— Office Integration
- Administrators can configure the wopiFolderURIPathTemplate value through Helm settings, allowing them to suppress the back-navigation button in embedded office editors like OnlyOffice by leaving the folder breadcrumb URL unset.
- WOPI App Provider Folder URL Base— Office Integration
- Administrators can set the base URL used by the oCIS WOPI app provider to construct folder navigation links returned to office editors through Helm values, ensuring correct deep-linking back into the oCIS web interface from within an embedded document editor.
- MIME Type Application Registry Mapping— App Integration
- Administrators can configure which registered application opens each MIME type through Helm values by defining app registry mappings, controlling which office suite or viewer is launched when a user opens a given file type from the oCIS web interface.
- WOPI Office Integration App Provider— Office Integration
- Administrators can configure the oCIS WOPI app provider for in-browser document editing through Helm values, establishing the server-side connection settings needed to link oCIS with WOPI-compatible office editors such as Collabora Online or OnlyOffice.
Federation and Interoperability
- OCM Federated Share Workflows— Federation
- oCIS implements incoming and outgoing OCM flows for creating, accepting, rejecting, and mounting federated shares across providers.
- OCM Recipient Discovery— Federation
- Acceptance coverage and the OCM web app show remote recipient lookup after provider configuration, so federated shares can be targeted from the UI.
- Guest Invitation Payloads and Redemption Controls— Guest Access
- invitations models guest invites with recipient type, display name, email, message body, cc, language, redirect URL, redeem URL, reset-redemption flag, and send-message behavior. The payload structure shows guest access is more than a bare token and carries its own communication and redemption controls.
- Webfinger Relation Filtering— Discovery
- webfinger builds JRD responses for the requested subject and returns either all configured relations or only those matching the `rel` query parameter. This makes discovery selective instead of always returning a fixed relation set.
- OpenID Discovery and ownCloud Instance Relations— Discovery
- shipped webfinger relation providers cover OpenID discovery and ownCloud instance metadata, so the same discovery endpoint can advertise both identity and instance information. The returned relation set depends on service configuration.
- Claim-Based Webfinger Instance Selection— Discovery
- webfinger can choose one or more returned ownCloud instances by matching OpenID Connect userinfo claims against configured regex rules and localized titles.
- Cross-Instance Resource Sharing (Multi-Instance oCIS)— Multi-Instance Federation
- v8.0.0 introduced multi-instance oCIS: multiple oCIS deployments sharing the same Identity Provider can share resources cross-instance without the OCM/ScienceMesh invitation handshake. A new cross-instance sharing permission is added to admin and space-admin roles by default.
- Instance Switcher UI— Multi-Instance Federation
- In multi-instance deployments, the webfinger endpoint returns multiple `server-instance` links (one per accessible instance). The Web UI exposes an instance switcher in the user context menu, with the user endpoint returning all instances the user belongs to as member or guest.
- OCM Provider Authorizer JSON File— Federation
- The `ocmproviderauthorizer` service manages the trusted OCM provider list via `OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE`. The JSON file is the only supported persistence backend; trusted providers must be manually configured before federated sharing can be targeted from the UI.
- OCM Breaking Change — Invitation Migration in v8— Federation
- All OCM invitations and federated shares created in oCIS v7.x are invalidated after upgrading to v8.0.0. The entire OCM stack was reworked in v8 for full OCM specification compliance and interoperability with non-ownCloud implementations (Nextcloud, CERNBox). All invitations must be recreated post-upgrade.
- ScienceMesh Mesh Directory Integration— OCM Infrastructure
- `OCM_MESH_DIRECTORY_URL` specifies the URL of the ScienceMesh mesh directory service, enabling oCIS to discover and federate with other registered research data platforms via the ScienceMesh network.
- OCM Webapp URL Template— OCM Sharing
- `OCM_WEBAPP_TEMPLATE` provides a URL template used to construct the web application deep-link embedded in outgoing OCM share notifications, allowing admins to customize the URL used by recipients to open federated shares in a browser.
- OCM Invite Token Expiration— OCM Invitations
- `OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION` sets the validity duration for OCM cross-instance invite tokens. Expired tokens are rejected at acceptance, giving admins control over the invitation acceptance window. Introduced v6.0.1.
- OCM Endpoint Request Timeout— OCM Infrastructure
- `OCM_OCM_INVITE_MANAGER_TIMEOUT` sets a request timeout for all outbound calls to remote OCM endpoints, preventing hung connections from stalling the invite manager when remote instances are slow or unreachable. Introduced v6.0.1.
- OCM Storage Data Server URL— OCM Storage
- `OCM_OCM_STORAGE_DATA_SERVER_URL` specifies the URL of the data server for the OCM storage provider. Must be reachable by the frontend data gateway or directly by users, enabling binary data transfers for federated file access. Introduced v7.0.0.
- Federated User Type in Graph API— OCM Discovery
- The Graph `/users` endpoint returns a `userType: 'Federated'` property for OCM users and supports `$filter=userType eq 'Federated'` queries. Federated users are only returned when explicitly requested. Introduced v6.3.0.
- OCM Recipient Display Name in API Responses— OCM Sharing
- `OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME` controls whether the display name of OCM share recipients is included in federated sharing API responses. When enabled, remote instances can present human-readable names during cross-instance share creation.
- Graph API Cross-Instance User Enumeration— Multi-Instance Federation
- Extends the Graph API to surface and enumerate users from remote federated oCIS instances, allowing administrators to list and manage identities across multiple connected deployments.
- External Collaborator Search Filter in Share Dialog— Federated Sharing
- A dedicated filter in the share recipient search restricts results to external (federated) collaborators only, making it easier to find and invite users from other ownCloud instances without scrolling past internal users.
- OCM Real-Time Federated Change Notifications— OCM Federated Share Notifications
- When a federated peer updates or revokes a shared resource, oCIS automatically receives an OCM notification and reflects the change to the receiving user without requiring a manual refresh.
- OCM Federated Permission Sync— OCM Federated Share Notifications
- Permission changes made by the sharer on a federated (OCM) share are automatically propagated to the receiving instance, so remote collaborators always see up-to-date access rights without reconnecting.
- OCM Well-Known Discovery Endpoint— OCM Federated Sharing
- oCIS publishes a standard `/.well-known/ocm` endpoint so that other federated platforms can automatically discover the instance's OCM capabilities and endpoints without manual configuration.
- OCM Wildcard Domain Federation— OCM Federated Sharing
- Administrators can configure OCM federation using wildcard domain patterns (e.g., `*.example.com`), allowing entire organizational domain ranges to federate without listing every host individually.
- OCM File Locking Support— OCM Federated Sharing
- Users with access to an OCM federated share can lock and unlock files through the federated connection, preventing concurrent edits from remote collaborators just as they would with local files.
- OwnCloud SQL Auth Provider for Side-by-Side Deployment— Authentication Integration
- Administrators can configure oCIS to authenticate users directly against an existing ownCloud 10 MySQL/MariaDB database by setting the owncloudsql driver in auth-basic, enabling a live side-by-side migration where both platforms share the same user store and file storage.
- WebFinger Service Discovery Endpoint— Service Discovery
- oCIS provides a WebFinger (RFC 7033) endpoint that returns the OpenID Connect issuer and ownCloud instance relations, enabling standard-compliant client and application discovery of authentication and storage services.
- Remove remote.php Prefix from WebDAV Paths— WebDAV Protocol
- The ownCloud Web client no longer prepends the legacy remote.php prefix to WebDAV paths, aligning with the modern oCIS path format while remaining backward compatible with servers that still strip the prefix.
- Pending Remote Shares in Shared-With-Me View— Federated Share Inbox
- Incoming federated shares from remote ownCloud or oCIS instances appear in the "Shared with me" section with pending status, allowing users to accept or decline cross-instance shares from the standard shares inbox.
- Explanatory Tooltips in OCM Connections Panel— OCM User Guidance
- Users working with Open Cloud Mesh connections see tooltips that explain the difference between Users and Institutions in the connections panel, reducing confusion when setting up federated sharing.
- Optional remote.php WebDAV URL Prefix— WebDAV Protocol
- The `remote.php` path prefix is fully optional in WebDAV endpoint URLs and is no longer returned in server responses, simplifying client URL construction while remaining backward-compatible with legacy clients that still send it.
- Email Notification for OCM Invitations— OCM Invitation Flow
- Users receive an email notification when an Open Cloud Mesh (OCM) federation invitation is generated, ensuring invited parties from external instances are promptly informed and can act on the invitation.
- Configurable OCM Invite Token Expiration— OCM Configuration
- Administrators can set custom expiration durations for OCM federation invitation tokens and adjust per-request timeouts to remote instances via `OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION` and `OCM_OCM_INVITE_MANAGER_TIMEOUT`, adapting federation behavior to organizational security and network policies.
- Graph API Open Cloud Mesh Share Management— OCM Federation
- Users can create and accept Open Cloud Mesh (OCM) federated shares through the Graph API and web interface, enabling cross-instance collaboration without leaving their home oCIS instance.
- RFC 7033 Webfinger Service Implementation— Service Discovery
- oCIS provides a standards-compliant Webfinger endpoint (RFC 7033) that returns the OIDC issuer relation and ownCloud instance relations, enabling clients and federated systems to automatically discover the server's identity provider and capabilities.
- Open Cloud Mesh Federation Helm Deployment— OCM Federation
- Administrators can enable and configure Open Cloud Mesh (OCM/ScienceMesh) federation support in the oCIS Helm chart, including a complete two-instance deployment example that allows users on separate oCIS instances to share files across organizational boundaries.
Identity and Access
- Auth-App API Token Creation Endpoint— Application Authentication
- `POST /auth-app/tokens` creates an app token for the authenticated user. The `expiry` query parameter is required (Go duration string, e.g. `30m` or `72h`); invalid or missing expiry returns HTTP 400. The response JSON contains exactly four fields: `token` (plaintext, only ever shown once), `expiration_date`, `created_date`, and `label`.
- Auth-App API Token Listing Endpoint— Application Authentication
- `GET /auth-app/tokens` lists the current user's stored app tokens and returns hashed token material plus metadata, so the original plaintext token is only available at creation time.
- Auth-App API Token Deletion Endpoint— Application Authentication
- `DELETE /auth-app/tokens?token=...` invalidates a specific token and rejects requests that omit the `token` query parameter.
- Auth-App API Custom Labeling— Application Authentication
- The create endpoint accepts a `label` query parameter that overrides the default generated labels, making later token lists easier to interpret.
- Auth-App API User-Name Targeting— Application Authentication
- Admin impersonation requests can target another account with `userName=...`. The service authenticates via machine auth using `ClientId: "username:" + userName`; a mismatch between the returned identity and the requested username returns HTTP 400 rather than HTTP 404.
- Auth-App API User-ID Targeting— Application Authentication
- Impersonation requests can also target `userID=...`. The service verifies the anti-spoofing assertion: if `authRes.GetUser().GetId().GetOpaqueId() != userID`, it returns HTTP 400 — the machine-auth response must confirm the opaque ID matches before a token is issued.
- Auth-App API Admin Impersonation— Application Authentication
- Requires `AUTH_APP_ENABLE_IMPERSONATION=true`. Two sequential checks gate access: (1) if impersonation is disabled → HTTP 403; (2) if the caller lacks `AccountManagementPermission` → HTTP 403. When both pass, the service uses machine auth to mint a token on behalf of the target user.
- Auth-App API Expiry-Based Tokens— Application Authentication
- API-created tokens require a duration such as `30m` or `72h`, and the service stores the resulting expiration timestamp with the token.
- Auth-App API Missing-Expiry Rejection— Application Authentication
- Empty or invalid `expiry` values are rejected with a bad-request response instead of falling back to unlimited tokens.
- Auth-App CLI Flag-Based Creation— Application Authentication
- The `auth-app create` CLI command accepts `--user-name` and `--expiration` (default: `72h`). The label is hardcoded as `"Generated via CLI"` — there is no `--label` flag (unlike the API). Output format: `"App token created for <username>\n token: <token>\n"`, printed once.
- Auth-App CLI Interactive Username Prompt— Application Authentication
- If `--user-name` is omitted, the CLI prompts interactively for the username before generating the token.
- Auth-App Tokens for Graph and Admin API Calls— Application Authentication
- Acceptance coverage shows auth-app tokens can authorize Graph operations such as user creation and drive listing, not only auth-app management calls.
- Auth-App Cross-User DAV Isolation— Application Authentication
- Owning or creating an auth-app token does not let a different account access the token holder's DAV resources, and cross-user DAV requests are expected to fail.
- Auth-App Expired Token Rejection— Application Authentication
- Expired auth-app tokens stop authorizing requests after their expiry time, including tokens created through impersonation flows.
- OIDC Login and Session Verification— Authentication
- The proxy handles OIDC login, callback, token validation, and provider metadata resolution before establishing the authenticated user context for downstream services.
- OIDC User Autoprovisioning— Authentication
- When enabled, missing accounts are created from OIDC claims through Graph-backed account creation instead of requiring pre-created local users.
- OIDC Group Membership Sync— Authentication
- Autoprovisioned users can also have group memberships reconciled from claims, extending provisioning beyond base account creation.
- OIDC Claim-Based Role Assignment— Authorization
- Configurable claim mapping can assign a single ownCloud role from IdP claim values so external identity attributes control role selection.
- Basic Authentication with LDAP Backend— Authentication
- auth-basic supports the `ldap` auth manager in oCIS v8.0.5. The `json` and `owncloudsql` config structs exist in the codebase but are not officially supported — the README states "Currently only one auth manager is supported: ldap." The active backend is selected via `AUTH_BASIC_AUTH_MANAGER`.
- LDAP Login Attribute and Disabled-User Controls— Authentication
- in LDAP mode, auth-basic can use configurable login attributes and disabled-user detection, including a disabled-users group DN and schema-driven mappings. This lets deployments authenticate against directory identifiers without assuming `uid` alone.
- OIDC Bearer Token Validation Service— Authentication
- auth-bearer validates OIDC bearer tokens against a configured issuer and maps identity, UID, and GID claims into the Reva auth context. It also exposes an insecure-issuer toggle for environments where strict issuer verification is not possible.
- Machine API Key Authentication (User Impersonation)— Authentication
- auth-machine enables one oCIS service to act on behalf of a user by authenticating with a machine API key (`OCIS_MACHINE_AUTH_API_KEY`). This is specifically for inter-service user impersonation, not generic service-to-service auth (which auth-service covers). auth-app uses this path when minting tokens for impersonated users.
- Service Account Authentication— Authentication
- auth-service validates a static service-account ID and secret (`OCIS_SERVICE_ACCOUNT_ID`, `OCIS_SERVICE_ACCOUNT_SECRET`) so internal automation can authenticate without OIDC or interactive login. Currently supports one service account (the admin service user). The secret is held only in memory — never persisted — so all consuming services must be restarted together if it is rotated. Service accounts cannot log in via the UI, have no personal space, and do not appear in user lists.
- Frontend MFA and Configurable Notification Capabilities— Authentication
- frontend surfaces whether MFA is enabled, which auth-level names exist, and whether per-user notification preferences are configurable. This lets clients gate settings UI and admin actions on live server policy instead of static build-time assumptions.
- Graph Self-Service Password Change— Identity Management
- `ChangeOwnPassword` verifies the caller's current password through gateway basic auth, rejects empty or unchanged passwords, updates the backing profile store, and publishes a user-feature change event. The flow is self-service rather than an unrestricted admin password reset.
- Graph Restricted User and Group Search— Directory Search
- user and group listing support `startswith` and `contains` filters, and unrestricted browsing can be restricted or require filters so the API does not become an open directory dump by default. Group patching also validates input size and structure.
- Group Provider Driver Selection— Group Management
- groups supports `json`, `ldap`, and `rest` provider drivers, allowing directory data to come from embedded data, LDAP, or an external REST-backed identity layer. The provider is selected by service config rather than by separate binaries.
- REST Group Provider with OAuth and Redis Caching— Group Management
- the REST group driver can authenticate with client credentials, fetch tokens from an OIDC endpoint, and cache results in Redis. It also supports an ID provider setting and a dedicated target API base URL.
- Embedded IDM Password Reset CLI— Identity Management
- the IDM `resetpassword` CLI updates the embedded LibreGraph LDAP BoltDB directly, prompts twice for the new password, and defaults to the `admin` account if no username is supplied. It requires exclusive access to the DB, so it is an operational tool rather than a runtime API.
- Built-In OIDC Identity Provider— Identity Provider
- idp exposes issuer, signin, signout, and authorization endpoints and can use `ldap`, `cs3`, `libregraph`, or `guest` identity-manager backends. This lets oCIS run its own OIDC provider rather than always delegating login to an external IdP.
- Dynamic Client Registration and Guest Clients— Identity Provider
- idp can enable or disable dynamic client registration and separately allow guest clients, which changes how third-party apps are onboarded. These are operator toggles, not unconditional defaults.
- Custom IDP Branding and Client Definitions— Identity Provider
- idp configuration includes custom assets such as background and client definitions with IDs, secrets, redirect URIs, origins, trust, and app type. Branding and client metadata are deployment-managed rather than fixed in the web app.
- Proxy Multi-Instance Member and Guest Claim Gating— Authentication
- proxy can validate member and guest claims for multi-instance setups and assign a configured guest role when guest assertions are present. This is separate from base OIDC login and controls how external or guest identities are classified.
- Proxy User Login Event Publication— Authentication
- proxy publishes a `UserSignedIn` event on new sessions after resolving or provisioning the account. That gives downstream services a durable login signal instead of only an HTTP session.
- Role Assignments and Permission Resolution— Authorization
- settings exposes role listing, assignment listing, filtered assignment listing, assign or remove operations, and permission lookup by account, resource, ID, or name. It is the central service for translating roles into concrete abilities.
- User Provider Driver Selection— User Management
- users supports `json`, `ldap`, and `owncloudsql` provider drivers, so account data can come from embedded data, directory services, or migrated ownCloud SQL sources. This provider layer sits underneath higher-level Graph and auth services.
- LDAP User State and Type Mapping— User Management
- the LDAP user provider can map disabled-user state, user type, schema fields, and disabled-users group membership. ownCloud SQL mode also exposes `enable_medial_search`, showing that user lookup behavior is backend-specific.
- Auth-Machine User Impersonation— Authentication
- `auth-machine` supports interservice user impersonation so one oCIS service can act on behalf of a user when calling another service, with those actions still appearing as that user's actions in logs.
- Auth-App Manual Startup Requirement— Application Authentication
- auth-app is not started by default. It must be enabled via `OCIS_ADD_RUN_SERVICES=auth-app` or an explicit CLI start. `PROXY_ENABLE_APP_AUTH=true` must also be set so the proxy routes app-auth requests. Both settings are required; missing either silently breaks the feature.
- Auth-App CLI Label Hardcoded— Application Authentication
- The CLI `auth-app create` command labels all tokens `"Generated via CLI"` with no `--label` flag, unlike the API which accepts a `?label=` parameter. This distinction matters for operators auditing token lists.
- Auth-App Skip User Groups in Token— Application Authentication
- `AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN=true` omits group membership claims from the access token generated by app auth. This reduces token size for users with many groups at the cost of downstream group-claim availability.
- Auth-App Machine Auth Key for Impersonation— Application Authentication
- When `AUTH_APP_ENABLE_IMPERSONATION=true`, the auth-app service also requires `OCIS_MACHINE_AUTH_API_KEY` / `AUTH_APP_MACHINE_AUTH_API_KEY` to machine-authenticate the target user before minting their token. Missing this key makes impersonation fail even when the impersonation flag is set.
- Auth-Basic Proxy Activation Flag— Authentication
- auth-basic is not active unless `PROXY_ENABLE_BASIC_AUTH=true` is set on the proxy. Parallel to auth-app's `PROXY_ENABLE_APP_AUTH`. Both activation flags are required in addition to the service being started.
- Auth-Basic Skip User Groups in Token— Authentication
- `AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN=true` omits group membership from basic-auth tokens, reducing size for users with many groups.
- Auth-Bearer Skip User Groups in Token— Authentication
- `AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN=true` omits group membership from OIDC bearer token mappings. Consistent with the same flag on auth-app and auth-basic; all three can be set independently.
- Auth-Service In-Memory-Only Secret— Authentication
- The service account secret (`OCIS_SERVICE_ACCOUNT_SECRET`) is held only in memory and never written to persistent storage. Rotating it requires restarting all consuming services simultaneously to avoid authentication failures during the transition window.
- Auth-Service Account Behavioral Restrictions— Authentication
- Service accounts cannot log in via the UI, have no personal space, and do not appear in user lists. These are hard-coded restrictions distinguishing service accounts from regular user accounts, not configurable policy.
- OIDC Claim-to-Space Membership Provisioning— Authentication
- The proxy and/or Helm chart support `spaceAssignment` configuration that maps OIDC claim values to drive/space memberships, automatically provisioning users into spaces based on IdP claim values. Set via `features.externalUserManagement.oidc.spaceAssignment.*` in the Helm chart.
- LDAP Group Additional ObjectClasses— Group Management
- `OCIS_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES` / `GRAPH_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES` (added v8.0.5) configures additional LDAP objectClasses included when creating groups via the Graph API, enabling compatibility with directory schemas that require extra classes.
- User Search Displayed Attributes Configuration— Directory Search
- `OCIS_USER_SEARCH_DISPLAYED_ATTRIBUTES` (introduced v8.0.0, replaces the removed `OCIS_SHOW_USER_EMAIL_IN_RESULTS`) configures which user attributes are returned and displayed in user search results. The old env var is removed in v8 and must not be referenced in v8 configurations.
- OCM Sharees Included in User Listings— Group Management
- `GRAPH_INCLUDE_OCM_SHAREES` / `OCIS_ENABLE_OCM` — when enabled, federated OCM sharees are included alongside local users in Graph API user-listing responses so share dialogs surface remote users without a separate lookup.
- LDAP Education Resources— Directory Services
- `GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED` enables LDAP-backed management of education-specific resources: schools and classes. Activates school-specific schema attributes (`GRAPH_LDAP_SCHOOL_BASE_DN`, `GRAPH_LDAP_SCHOOL_OBJECTCLASS`) for deployments in the education vertical.
- External LDAP ID as Primary Provisioning Key— Directory Services
- `GRAPH_LDAP_REQUIRE_EXTERNAL_ID` makes the external-ID attribute (`OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID`) the authoritative lookup key in the Graph Provisioning API, enabling organizations to provision users under their own HR or IdP identifier namespace rather than oCIS-generated UUIDs.
- LDAP Write via Graph API— Directory Services
- `OCIS_LDAP_SERVER_WRITE_ENABLED` / `GRAPH_LDAP_SERVER_WRITE_ENABLED` allows the Graph API to create, modify, and delete LDAP users and groups directly. Only compatible with the default oCIS LDAP schema attribute set.
- LDAP User Disable Mechanism— Directory Services
- `OCIS_LDAP_DISABLE_USER_MECHANISM` / `GRAPH_DISABLE_USER_MECHANISM` controls how disabling a user is implemented: `attribute` flags the user entry, `group` adds them to a dedicated disabled-users group, `none` blocks the operation. Allows organizations to align oCIS disabling with their LDAP directory policy.
- Keycloak Provisioning Backend— Directory Services
- `OCIS_KEYCLOAK_BASE_PATH` / `GRAPH_KEYCLOAK_BASE_PATH` plus client and realm vars link the Graph service to Keycloak as a provisioning and sync backend via client-credential OAuth2 flow.
- Automatic User Provisioning on First Login— Authentication
- `PROXY_AUTOPROVISION_ACCOUNTS=true` auto-creates users absent from the user store on their first OIDC login using claim values for username, email, display name, and group membership (`PROXY_AUTOPROVISION_CLAIM_*`). Eliminates pre-provisioning overhead for OIDC-backed deployments.
- OIDC-Based Role Assignment— Authentication
- `PROXY_ROLE_ASSIGNMENT_DRIVER=oidc` and `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM` automatically assign oCIS roles (admin, spaceadmin, user, guest) based on values in a configurable OIDC claim, including regex/wildcard matching. Eliminates manual role assignment for large user bases.
- Presigned URL Download Authentication— Authentication
- `PROXY_ENABLE_PRESIGNEDURLS=true` enables time-limited signed URLs for unauthenticated file access via `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE`. Used by the archiver, thumbnails, and other services to provide short-lived download links without requiring the recipient to authenticate.
- LDAP Guest vs. Member User Type— User Type Differentiation
- An LDAP attribute (`OCIS_LDAP_USER_SCHEMA_USER_TYPE`, default `ownCloudUserType`) drives the distinction between Member and Guest user types. Enables differentiated access policies, licensing tiers, and feature availability based on directory-stored user classification.
- LDAP Binary UUID Support (Active Directory objectGUID)— Directory Schema Mapping
- `OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` and `OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` enable native Active Directory binary UUID (`objectGUID`) usage as user and group identifiers without additional attribute mapping layers. Required for AD environments.
- LDAP Substring Filter Type Control— Directory Search
- `USERS_LDAP_USER_SUBSTRING_FILTER_TYPE` and `GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE` configure substring filter positioning (initial, final, or any) for LDAP searches. Allows matching specific LDAP server capabilities and performance characteristics.
- Disable Auto Home Space Creation on Login— Home Space Lifecycle
- `GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN` suppresses automatic home space provisioning on first login. Allows operators to control when and how user home spaces are created, supporting pre-provisioning workflows and bulk onboarding.
- LDAP Password Modify Extended Operation (RFC 3062)— Directory Authentication
- `OCIS_LDAP_PASSWORD_MODIFY_EXOP_ENABLED` (Helm: `ldap.passwordModifyExOpEnabled`) uses the LDAP Password Modify Extended Operation for password changes instead of a plain attribute update. Required for compatibility with certain LDAP servers (e.g., OpenLDAP with password policy enforcement).
- LDAP Create-BaseDN for Groups— Directory Schema Mapping
- A separate `createBaseDN` for groups instructs oCIS to write new groups only into a specific sub-tree while treating all other existing group DNs as read-only. Enables read-write split directory topology for group management.
- LDAP Username Match Restriction— Directory Authentication
- `OCIS_LDAP_USER_USERNAME_MATCH` controls whether usernames are restricted to ASCII-only without leading digits (`default`) or have no restrictions (`none`). Allows compliance with specific directory security policies.
- OIDC Space Assignment from Token Claim— Token-Based Authorization
- Spaces can be assigned to users directly via an OIDC token claim (`oidc.spaceAssignment` in Helm). A configurable regexp extracts space ID and role from the claim with a role translation mapping. Distinct from role assignment; enables IdP-driven space governance.
- OIDC Access Token Verify Method— Token Verification
- `OCIS_OIDC_ACCESS_TOKEN_VERIFY_METHOD` (Helm: `oidc.accessTokenVerifyMethod`) selects `jwt` (full JWT validation, default) or `none` (bypass for trusted internal environments). Allows optimization of token verification overhead in controlled deployments.
- Skip OIDC UserInfo Endpoint Lookup— Token Optimization
- `PROXY_OIDC_SKIP_USER_INFO` instructs oCIS to read all user claims directly from the access token rather than calling the IdP userinfo endpoint. Reduces latency and external IdP dependency in high-throughput deployments.
- IDP Password Reset Redirect— Authentication Flows
- `IDP_PASSWORD_RESET_URI` configures an external URI to which users are redirected when requesting a password reset from the built-in IDP login page. Allows organizations to point users to a self-service portal (Keycloak, LDAP reset service) without modifying the embedded IDP.
- IDP Guest Client Access— Guest Access
- `IDP_ALLOW_CLIENT_GUESTS` (default false) enables guest-type OAuth2 clients to authenticate against the built-in IDP. When enabled, the IDP issues tokens to clients registered as guests, extending access to limited-trust external applications.
- IDP Identity Manager Backend Selection— Authentication Backends
- `IDP_IDENTITY_MANAGER` selects the identity backend: `ldap` (default, uses IDM service), `cs3` (CS3 storage-based), `libregraph` (LibreGraph API), or `guest` (guest-only mode). Allows switching the IDP user source without replacing the IDP service.
- Deny Access / Cannot-Access Role— Access Control
- A unified "Cannot access" role explicitly denies access to resources, allowing editors and space managers to lock specific users out of sub-resources within a share or space. Provides fine-grained access restriction below folder level.
- TLS for Internal gRPC Services— Transport Security
- Internal gRPC service communication between oCIS microservices can be secured with TLS certificates, enabling encrypted service-to-service communication within the cluster for high-security deployments.
- Graph API User Password Change Endpoint— Self-Service API
- `POST /me/changePassword` provides a Microsoft Graph-compatible endpoint for authenticated users to change their own password programmatically, enabling self-service password management from third-party apps.
- Viewer and Editor Roles with ListGrants Permission— Share Roles
- Built-in `SpaceViewerListGrants` and `SpaceEditorListGrants` roles include permission to list ACL grants on resources, enabling users to see who else has access to a shared space or folder. Introduced v6.4.0.
- Editor Role with ListGrants and Version History— Share Roles
- Built-in roles combining editor permissions with ListGrants and file version management permissions in a single role definition, enabling finer-grained role composition for enterprise deployments. Introduced v7.1.0.
- OIDC Backchannel Logout Support— Session Management
- oCIS supports OIDC backchannel logout, allowing the IdP to force-terminate all active sessions for a user by notifying oCIS directly rather than waiting for token expiry. Critical for immediate access revocation during offboarding. Introduced v6.1.0.
- Named Application Token Creation— Application Tokens
- The auth-app token creation API accepts an optional `label` field so tokens can be given human-readable names for easier identification in token management UIs and audit logs.
- Configurable MFA Session Duration— Multi-Factor Authentication
- `OCIS_MFA_SESSION_DURATION` (default 3600 s) sets the MFA session lifetime and advertises it via the capabilities API so the frontend can warn users before session expiry and offer silent re-authentication.
- MFA Session Expiry Warning and Silent Extension— Multi-Factor Authentication
- The web frontend reads the `mfa.session_duration` capability and displays an in-app countdown warning before MFA session expiry, with a one-click option to extend the session without full re-authentication.
- OIDC-Claim-Driven User Type Sync— Automated Provisioning
- On OIDC login, the proxy middleware compares the user-type claim to the stored account type and triggers an automatic upgrade or downgrade between Full and Light account types if they diverge, without admin intervention.
- Configurable OIDC Claim Inspection— Claim-Based Authorization
- The proxy can be configured to evaluate arbitrary OIDC claim values as an access or feature gate, enabling fine-grained conditional access policies tied directly to IdP-issued attributes beyond standard role mapping.
- Step-Up Authentication Reference Deployment— Multi-Factor Authentication
- An example Keycloak deployment configuration demonstrates step-up authentication flows, showing how to require a second factor for sensitive operations (vault mode entry, high-privilege actions) within the standard OIDC/Keycloak integration.
- Keycloak Guest User Provisioning Backend— Guest Provisioning
- The invitations service integrates with Keycloak via `INVITATIONS_KEYCLOAK_BASE_PATH`, `INVITATIONS_KEYCLOAK_CLIENT_ID`, `INVITATIONS_KEYCLOAK_CLIENT_SECRET`, `INVITATIONS_KEYCLOAK_CLIENT_REALM`, and `INVITATIONS_KEYCLOAK_USER_REALM`. Automatically provisions invited guest users in Keycloak IAM rather than in the built-in IDM, supporting large-scale deployments where guest lifecycle must be managed centrally.
- Android App OAuth2/OIDC Token Request Hardening— Authentication
- The Android app correctly sets the `client_secret_post` authorization header only when the server requires it, preventing token request failures for servers that use bearer-token-only flows. The `scope` parameter is correctly included in all token endpoint requests.
- Education User Master ID Assignment— Education Identity
- Introduces a stable master-ID field for Education Keycloak users that persists across provisioning cycles, providing a cross-system identity anchor for reliable user correlation in multi-system education environments.
- OIDC Claim-Driven User Attribute Sync— User Provisioning
- When OIDC autoprovisioning is enabled, oCIS updates an already-provisioned user's display name and email address on every subsequent login if the corresponding OIDC claims have changed, keeping directory data current automatically.
- iOS Webfinger Server Discovery from Username— Authentication
- Users can sign in to the iOS app by entering only their email address or username; the app uses Webfinger to discover the server URL automatically, simplifying initial setup in organisations with a single ownCloud deployment.
- GraphAPI LDAP User and Group Lifecycle Management— Identity and Access
- The Graph API LDAP backend supports creating, modifying, and deleting users and groups directly against the LDAP directory. Administrators can provision and manage identities through the standard Microsoft Graph API surface without needing direct LDAP access.
- User Settings Service Capability— Identity and Access
- oCIS advertises user-settings capabilities via the OCS endpoint. Clients read these capabilities to determine which user-preferences features are available before presenting settings UI to end users.
- Machine Auth Provider for Internal Services— Identity and Access
- A machine authentication provider enables internal oCIS services (such as the notifications and audit services) to authenticate to the storage layer without user credentials. This enables secure service-to-service communication.
- User Profile Picture Capability Advertisement— Identity and Access
- oCIS advertises profile picture support in OCS capabilities. Clients use this capability flag to show or hide avatar upload UI, ensuring consistent behavior across different server configurations.
- User Deprovisioning via OCS API— Identity and Access
- Administrators can fully deprovision a user account through the OCS API, removing the account and its associated data. This enables automated lifecycle management workflows triggered by HR or IdM systems.
- Proxy Claims-Based Policy Selector— Identity and Access
- The oCIS proxy evaluates OIDC token claims to select which upstream policy to apply to a request. Administrators can route requests to different backends or apply different rules based on user attributes present in the identity token.
- Group-Based Space Drive Permissions— Identity and Access
- Project space permissions can be assigned to entire LDAP groups rather than individual users. Space managers add a group as a member with a specific role, and all group members inherit that role automatically.
- Username Change via Admin API— Identity and Access
- Administrators can update a user's username (the `onPremisesSamAccountName` attribute) through the Graph API. This enables username migration and name correction without recreating the account.
- Group Management Read-Only Group Badge— Group Management
- Groups marked with groupTypes ReadOnly display a clearly visible badge in the group list and detail panel, and all mutate actions (rename, delete, add and remove members) are automatically disabled for those groups.
- Group Management Bulk Member Add with Per-User Reporting— Group Management
- When adding multiple users to a group in one operation, the extension sends one API call per user and settles them independently, reporting individual success or failure for each user in a single modal confirmation.
- Group Management Server-Side Name Search— Group Management
- The group list uses a debounced server-side search query as you type rather than filtering a pre-loaded list client-side, making it accurate and fast even in organizations with thousands of groups.
- Group Management Two-Pane Detail Layout— Group Management
- The group management view uses a two-pane layout: the left panel lists and searches groups, while the right panel shows the selected group members and action controls, keeping context visible without page navigation.
- Proxy Auto-Provisioning via LibreGraph API— User Provisioning
- Administrators can enable automatic user account creation via the PROXY_AUTOPROVISION_ACCOUNTS setting; when a user authenticates but has no existing cs3 account, oCIS automatically provisions one through the LibreGraph API.
- Self-Service Password Change via Graph API— User Management
- Users can change their own password through the Graph API /me/changePassword endpoint when oCIS is backed by an LDAP directory, with a change event emitted for audit trail purposes.
- Configurable Password Reset Link on Login Page— Authentication UI
- Administrators can configure a custom password reset URL via IDP_PASSWORD_RESET_URI that is displayed as a link on the oCIS login page, allowing users to self-serve password resets without contacting a helpdesk.
- Role-Based Access Control for Graph API User Management— Authorization Controls
- Only users holding the account management role can create, update, delete, or enumerate all users and groups via the Graph API, enforcing least-privilege access to identity management operations.
- Graph LDAP Backend TLS Skip Flag— LDAP Backend Configuration
- Administrators can configure the Graph API's LDAP backend to skip TLS certificate verification, enabling connectivity to LDAP servers that present self-signed certificates in development or controlled environments.
- Graph API LDAP User Create and Delete— User Lifecycle Management
- Administrators can create and delete users via the Microsoft Graph-compatible REST API (POST /graph/v1.0/users) when oCIS uses an LDAP backend, enabling automated user provisioning and deprovisioning workflows.
- Graph API Read-Only LDAP Backend— LDAP Backend Configuration
- Administrators can configure the Graph API's /users and /groups endpoints to query an existing LDAP directory in read-only mode, exposing directory users and groups through a Microsoft Graph-compatible interface without requiring user migration.
- Independent LDAP Schemas for Users and Groups— LDAP Directory Integration
- Administrators can define separate LDAP schemas for user and group objects, allowing organizations with heterogeneous directory structures to map each object class independently rather than sharing a single schema.
- Switchable Proxy Account Backend Type— Identity Backend Configuration
- Administrators can configure the oCIS proxy to resolve user accounts against either the built-in accounts service or an external CS3-compatible user API, enabling integration with existing enterprise LDAP directories without replacing the internal accounts service.
- User-Agent-Specific Authentication Challenges— Authentication Configuration
- Administrators can configure oCIS to issue different HTTP 401 authentication challenge types (basic or bearer) for specific client User-Agent strings, enabling correct authentication behavior for legacy desktop sync clients alongside modern browser-based and OAuth clients simultaneously.
- Configurable GLAuth TLS Certificate Paths— LDAP Service Configuration
- Administrators can configure custom file paths for the embedded GLAuth LDAP server's TLS certificate and key, and the service now only generates new certificates when they do not already exist, preventing accidental overwrites.
- Permission-Gated Role Assignment— Role-Based Access Control
- Administrators can ensure that only users holding the role management permission are able to assign or remove roles from other users, preventing unauthorized privilege escalation through the role management UI or API.
- Configurable Proxy UserInfo Claims Cache— OIDC Authentication
- Administrators can configure the oCIS proxy to cache OIDC userinfo claims with a TTL derived from the access token expiry, reducing repeated round-trips to the identity provider and improving throughput under concurrent user load.
- Dynamic OIDC Client Registration— OIDC Identity Provider
- OIDC-compliant client applications can register themselves dynamically with the oCIS identity provider without requiring manual pre-registration by administrators, enabling self-service onboarding of new integrations and applications.
- Basic Authentication Credential Cache— Authentication Performance
- The oCIS proxy caches validated basic authentication credentials to avoid repeated backend lookups on every request, improving response times and reducing load on the identity provider for clients using HTTP basic authentication.
- IDM Admin Password Reset CLI Subcommand— Admin CLI
- Administrators can reset the oCIS admin user's password offline using the `ocis idm resetpassword` subcommand when the service is not running, providing a recovery path for deployments using the built-in LDAP server.
- OIDC Well-Known Endpoint Rewrite for External IdPs— External Identity Provider
- Administrators can enable the `PROXY_OIDC_REWRITE_WELLKNOWN` option so that oCIS transparently proxies the OIDC discovery endpoint of a configured external identity provider, allowing native desktop and mobile clients to auto-discover the IdP without an additional reverse proxy.
- LDAP Password Modify Extended Operation for Password Changes— LDAP Integration
- Administrators benefit from improved LDAP server compatibility as oCIS now uses the LDAP Password Modify Extended Operation for user password changes by default, allowing the directory server to apply its own hashing policy; the legacy behavior can be restored via `GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP=false`.
- ownCloudSQL User Provider Backend— User Provider Integration
- Administrators can configure oCIS to use an existing ownCloud SQL database as the user provider backend, enabling migration and parallel-deployment scenarios where user accounts remain managed in a legacy ownCloud installation.
- Claims and Regex Proxy Routing Selectors— Proxy Policy Routing
- Administrators can configure the oCIS proxy to route requests based on an IdP-issued ocis.routing.policy claim or by matching username, email, or user ID against regular expressions, enabling fine-grained per-user backend routing without code changes.
- Basic Auth to OIDC Token Forwarding— Authentication Protocol
- Legacy clients using HTTP Basic Authentication can authenticate against oCIS by having their credentials automatically forwarded to the OpenID Connect token endpoint, improving compatibility with applications that do not support native OAuth 2.0 flows.
- Configurable OIDC Dynamic Client Registration— OpenID Connect Configuration
- Administrators can control whether OpenID Connect dynamic client registration is enabled in the IDP service, with a secure-off-by-default setting that prevents unauthorized client registrations while allowing opt-in enablement for trusted environments.
- Automatic Default Role Assignment— Role Management
- Users who authenticate via the IdP without any pre-assigned role automatically receive the default user role, allowing them to access oCIS immediately without requiring manual administrator intervention for every new account.
- Keycloak Unrestricted Dynamic Client Registration— Keycloak Integration
- Administrators deploying oCIS with Keycloak can disable the Trusted Host restriction to allow OpenID Connect dynamic client registration from any host, enabling mobile clients (iOS and Android apps) to register without requiring each origin to be pre-approved.
- Autoincrement-Based UID and GID Assignment— User Identity Management
- oCIS now automatically generates unique numeric user IDs and group IDs using an autoincrement index, ensuring POSIX-compatible identity assignment for new accounts without manual configuration.
- ownCloud-Branded Konnectd Authentication UI— Login UI Branding
- The Konnectd OIDC login and consent pages are rendered with an ownCloud brand theme including custom logo and favicon, giving users a consistent branded authentication experience during sign-in.
- GLAuth Configurable Fallback Directory Backend— LDAP Backend Configuration
- Administrators can configure a secondary fallback datastore in GLAuth so that authentication requests are retried against a second directory (such as ownCloud 10) when the primary backend returns no results, supporting bridge deployments where users exist in multiple directories.
- Proxy Auto-Provisioning of External OIDC Users— Account Provisioning
- Administrators can enable automatic oCIS account creation via the `PROXY_AUTOPROVISION_ACCOUNTS` environment variable, allowing users from an external identity provider to have accounts provisioned on first login without manual pre-provisioning.
- Configurable HTTP Basic Auth at Proxy— Authentication Protocols
- Administrators can enable HTTP Basic Authentication in the oCIS proxy via the `PROXY_ENABLE_BASIC_AUTH` environment variable, allowing legacy clients that do not support OIDC to authenticate against the accounts service.
- GLAuth Multi-Datastore Backend Selection— LDAP Backend Configuration
- Administrators can select which datastore GLAuth uses for directory lookups by configuring the `backend-datastore` option, choosing between the native oCIS accounts service, ownCloud 10 via GraphAPI, or an external LDAP server.
- External Identity Provider Configuration Support— External Identity Provider
- Administrators can configure oCIS to delegate authentication to an external identity provider, enabling seamless integration with existing enterprise SSO solutions and IdP infrastructure.
- Role and Permission Management Endpoints in Settings— Role-Based Access Control
- Administrators can assign and manage roles and permissions through dedicated API endpoints in the oCIS settings service, enabling granular, UUID-based access control assignments across the platform.
- Built-in Konnectd OIDC Provider Integration— OIDC Provider Integration
- oCIS bundles the Konnectd OIDC provider as an integrated service, enabling out-of-the-box OpenID Connect authentication without requiring operators to deploy and configure a separate identity provider.
- GLAuth as Default Built-in LDAP Directory— LDAP Directory Service
- oCIS now uses GLAuth as its default embedded LDAP directory service, replacing the previous development-only devldap backend with a more capable and configurable implementation suitable for production deployments.
- Education School Termination Date— Education Management
- Administrators can set a termination date on education schools via the Graph API, with a configurable minimum grace period (GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS), preventing deletion until after the termination date has passed.
- Service Accounts for Automated Services— Service Identity
- Administrators can create and manage dedicated service accounts for automated processes and integrations, allowing background services to authenticate with oCIS without using regular user credentials.
- Selective LDAP Updates When Write Disabled— LDAP Configuration
- When LDAP write is globally disabled, administrators can still manage user enable/disable state via group membership and create local groups in a dedicated base DN, providing fine-grained control without granting full LDAP write access.
- Binary LDAP UUID User Identity Support— LDAP Integration
- Administrators deploying oCIS against Active Directory can enable binary UUID attribute support for user and group identity, allowing AD objectGUID attributes in binary syntax to be used as unique identifiers.
- Keycloak Backchannel Logout Support— SSO Integration
- The Keycloak OIDC deployment example now enables backchannel logout for the web client, ensuring server-side sessions are properly invalidated when a user logs out from any connected application, preventing session reuse after logout.
- LDAP-Backed Education Classes CRUD API— Education Management
- Administrators can create, delete, list, and manage class memberships via the Graph education/classes API with an LDAP backend, integrating oCIS with existing school directory services for class lifecycle management.
- Graph givenName LDAP Attribute Sync— Graph User Attributes
- Administrators managing users via the Graph API can set the givenName attribute and have it automatically synchronized to the corresponding LDAP givenname attribute in the directory backend.
- Application Role Assignments Graph API— Graph API Extensions
- Administrators can manage application role assignments via the Graph appRoleAssignments endpoint, with oCIS represented as a configurable application resource discoverable through the /applications listing endpoint.
- LDAP-Backed Education User Provisioning— Education User Management
- Administrators can create, list, and delete education users via the Graph API using an LDAP directory backend, enabling automated user provisioning that integrates with existing school identity management systems.
- Standalone Graph Service API Token Auth— Graph Service Deployment
- Administrators can deploy the Graph service as a standalone provisioning endpoint secured by a static bearer token backed by an LDAP directory, enabling external systems to provision users and groups independently of the full oCIS stack.
- External Backend User Role Self-Assignment— Role Management
- Users authenticating through an external identity backend such as LDAP are automatically assigned the default user role on first login, eliminating the need for manual role assignment when provisioning new users.
- Multiple OIDC Claim Values Mapped to Roles— OIDC Role Mapping
- Administrators can configure the proxy so that multiple OIDC claim values map to valid oCIS roles; when several claim values match, the first configured mapping is selected, enabling fine-grained role control for complex enterprise identity setups.
- OIDC Back-Channel Logout Endpoint— Authentication
- oCIS implements the OpenID Connect Back-Channel Logout specification, providing a /backchannel_logout endpoint that identity providers can call to remotely and immediately invalidate user sessions across all services upon logout.
- Keycloak OIDC Claim-Based Role Assignment— Keycloak Integration
- The Keycloak deployment example is updated to use the proxy OIDC claim-based role assignment driver, enabling role management entirely within Keycloak without a dedicated oCIS admin bootstrap user or automatic default role assignments at startup.
- Disable Automatic Default User Role Assignment— Role Management
- Administrators can set GRAPH_ASSIGN_DEFAULT_USER_ROLE=false to prevent the automatic assignment of the default User role when new accounts are provisioned, enabling deployments that assign roles exclusively through OIDC claims or manual workflows.
- Member and Guest User Type via Graph API— User Provisioning
- Administrators can set the userType property to Member or Guest when creating users via the Graph API, enabling differentiated access policies and display between internal employees and external collaborators.
- Configurable OIDC Claim-to-Role Mapping in Proxy— OIDC Role Mapping
- Administrators can configure the proxy to read a named OIDC claim and map its values to oCIS role names using a configurable mapping table, enabling automatic role provisioning from any OIDC identity provider without code changes.
- oCIS Roles as Keycloak Realm Roles— Keycloak Integration
- The Keycloak deployment example includes ocisAdmin, ocisSpaceAdmin, ocisUser, and ocisGuest as realm-level roles, allowing oCIS role assignments to be managed and audited directly in the Keycloak admin console and assigned to users and groups there.
- Public Link Write Permission for Role-Based Control— Permission Management
- A new PublicLink.Write permission is introduced and assigned to the Admin role, allowing organizations to restrict the creation and modification of public links to specific roles through the oCIS role-based permission system.
- LDAP Group-Based User Account Disabling— User Management
- Administrators can configure a designated LDAP group that acts as a disable flag; adding a user to this group immediately disables their account, providing a group-management-friendly way to revoke access without modifying individual LDAP user attributes.
- LDAP Attribute-Based Login Filtering in Built-In IDP— User Management
- Administrators can configure the built-in identity provider to check a named LDAP attribute (defaulting to ownCloudUserEnabled) before allowing authentication, enforcing account disable status at the login layer without removing the user record from the directory.
- Account Enabled Property in LDAP Graph Backend— User Management
- Administrators can enable or disable user accounts via the Graph API when using the LDAP backend, with the accountEnabled boolean stored in LDAP and enforced for authentication across all oCIS services.
- MFA-Gated Admin Settings Access— Multi-Factor Authentication
- When MFA is enabled via server capability, users are required to complete a multi-factor authentication step before accessing the admin settings page, protecting administrative functions from unauthorized access.
- Custom Labels for API App Tokens— App Token Management
- Users can attach a descriptive custom label when creating application tokens via the API, making it easier to identify and manage multiple tokens across different integrations and devices.
- Configurable OIDC UserInfo Request Toggle— OIDC Configuration
- Administrators can disable the OIDC userinfo endpoint request via the `loadUserInfo` configuration option, ensuring compatibility with identity providers such as AD FS that reject or do not return standard userinfo responses.
- Hierarchical OIDC Role Claim Parsing— OIDC Configuration
- oCIS correctly parses user roles from hierarchically nested OIDC token claim structures, resolving authentication failures encountered when using Keycloak or other IdPs that embed role assignments in nested JSON paths.
- Granular Sharing and Favorites Permissions— Permission Management
- Administrators can restrict specific user groups from creating shares or managing favorites using new fine-grained permissions (`Favorites.List`, `Favorites.Write`, `Shares.Write`), supporting lightweight account configurations such as read-only or restricted collaboration roles.
- Configurable OIDC Post-Logout Redirect URI— OIDC Configuration
- Administrators can configure the URL to which users are redirected after logging out of oCIS, enabling integration with organizational SSO logout flows or directing users to a custom branded landing page instead of the default oCIS login screen.
- System Service Account Authentication— Service Authentication
- Internal oCIS services can perform authenticated background operations using dedicated service accounts with their own auth provider, removing the dependency on individual user credentials for automated tasks such as search indexing and data cleanup jobs.
- Keycloak Group Synchronization to oCIS— Identity Provider Integration
- Administrators using Keycloak as the identity provider can synchronize Keycloak groups and user group memberships directly into oCIS, eliminating the need to manually recreate group structures and assignments when Keycloak is the organizational source of truth.
- Persistent Auto-Generated IDP Signing Certificate— IDP Configuration
- The built-in IDP auto-generates and persists its signing certificate and secret to disk on first start, ensuring active user sessions remain valid across oCIS process restarts without requiring manual certificate management.
- Configurable Required OIDC Claim Mappings— OIDC Configuration
- Administrators can configure which OIDC token claims map to internal user attributes such as display name and username, enabling compatibility with a broader range of identity providers that use non-standard or organization-specific claim names.
- OIDC Claims and Regex Proxy Policy Selector— Proxy Routing
- Administrators can configure the oCIS proxy to route requests based on OIDC token claims or match users by username, email, or ID using regular expressions, enabling fine-grained routing policies for multi-tenant or hybrid IdP deployments.
- App Passwords for Legacy WebDAV Clients— App Token Management
- Users can generate application-specific passwords or tokens for legacy desktop sync and WebDAV clients that do not support OAuth or OIDC, enabling backward-compatible access to oCIS without exposing the main account password.
- OIDC UserInfo Endpoint Skip Option— OIDC Configuration
- Administrators can configure the oCIS proxy to skip calls to the external OIDC UserInfo endpoint and rely solely on token claims, reducing identity provider load and improving authentication latency in high-traffic deployments.
- LDAP Username Match Pattern Setting— LDAP Configuration
- Administrators can configure the LDAP username matching strategy for the Graph service, enabling flexible username normalization and validation for LDAP directories with non-standard naming conventions.
- Configurable OIDC Web Scopes— OIDC Configuration
- Administrators can specify custom OIDC scopes requested by the oCIS web frontend during the authentication flow, enabling integration with identity providers that require non-standard scope sets for claim delivery.
- OIDC Claim Mapping for Auto-Provisioned Users— User Provisioning
- Administrators can map specific OIDC token claims (username, email, display name, group membership) to oCIS user attributes during automatic account provisioning, enabling seamless identity federation without pre-seeding user records.
- LDAP Auto-Provisioning Account Creation— User Provisioning
- Administrators can enable automatic oCIS account creation for LDAP-authenticated users on their first login via a Helm value, eliminating the need for manual user pre-seeding in externally managed directory environments.
- LDAP Group Creation Base DN— LDAP Configuration
- Administrators can specify the LDAP base distinguished name under which the Graph service creates new groups through Helm configuration, enabling precise control over where group objects appear in the LDAP directory hierarchy.
- LDAP Referential Integrity Plugin Enable— LDAP Configuration
- Administrators using external LDAP user management can enable the LDAP referential integrity overlay through Helm configuration, ensuring that group memberships and directory references are automatically cleaned up when user or group objects are deleted.
- OIDC Token Claim Role Mapping— OIDC Configuration
- Administrators can configure the Helm chart to map OIDC token claims to oCIS user roles, enabling automatic role provisioning from an external identity provider without requiring manual role assignment within the oCIS administration interface.
- Custom Role Permission Definitions— Role Management
- Administrators can define custom oCIS roles with specific permission sets through Helm values, extending the built-in role system to match precise organizational access control requirements without modifying oCIS application code.
- External LDAP Directory Write Access— LDAP Configuration
- Administrators can configure the external LDAP directory connection as writable through Helm settings, allowing oCIS to create, update, and delete user and group entries in the external directory rather than treating it as a read-only source.
- External User Management Feature Toggle— Identity Provider Configuration
- Administrators can switch oCIS from its built-in identity management to an externally managed LDAP or OIDC user directory with a single Helm feature flag, enabling enterprise directory integration without rebuilding the deployment.
Notifications and Activity
- Custom Email Notification Templates— Email
- `NOTIFICATIONS_EMAIL_TEMPLATE_PATH` / `OCIS_EMAIL_TEMPLATE_PATH` points to a directory of custom HTML and plain-text notification templates that override the built-in defaults. Supports CID-embedded images. Custom templates take full precedence when present.
- SMTP Security Controls— Email
- `NOTIFICATIONS_SMTP_AUTHENTICATION` sets the SMTP auth mechanism (`login`, `plain`, `crammd5`, `none`, `auto`) and `NOTIFICATIONS_SMTP_ENCRYPTION` controls transport security (`starttls`, `ssltls`, `none`). Required for integration with corporate mail relays mandating specific auth and encryption methods.
- SSE Delivery Disable— Realtime Delivery
- `USERLOG_DISABLE_SSE` / `OCIS_DISABLE_SSE` completely disables server-sent event delivery from the userlog service. Useful in environments where SSE connections are blocked by proxies or firewalls, eliminating persistent connections that would otherwise fail silently.
- Per-User Notification Preferences— User Preferences
- Users configure per-event-type notification preferences in user settings, controlling which events generate in-app notifications and which trigger email delivery. Preferences are stored per-user and honored by all notification services. Introduced v7.1.0.
- Notification Grouping — Daily and Weekly Digest— Email Delivery
- Email notifications can be grouped and delivered on a daily or weekly schedule instead of per-event. Reduces notification volume for active users; schedule is admin-configurable via cron expression. Introduced v7.1.0.
- Share Removed Email Notification— Email Delivery
- The notification service sends an email to recipients when a share is removed from them, keeping users informed when access to shared resources is revoked. Introduced v7.1.0.
- Delete Individual Notification by ID— Notification Management
- Individual notifications can be deleted by ID via `DELETE /ocs/v2.php/apps/notifications/api/v1/notifications/:id`, enabling granular notification dismissal from client apps. Introduced v7.2.0.
- UserSignedIn Event on NATS— Event Bus
- A `UserSignedIn` event is published to NATS when a user successfully authenticates, enabling downstream services and audit systems to react to authentication events in real time.
- Server-Sent Events for Public Link Sessions— Real-Time Events
- Public link recipients receive server-sent events for real-time activity updates during their anonymous session, enabling live collaboration indicators without requiring the recipient to hold an authenticated account.
- ShareeIDs in File-Event Server-Sent Events— Server-Sent Events
- Enriches server-sent events for share-related file actions with the user IDs of all share recipients, enabling precise client-side notification routing per affected user without additional API lookups.
- SpaceID in All Server-Sent Events— Server-Sent Events
- Adds the originating Space ID to every server-sent event payload, enabling clients to efficiently filter and route real-time file system notifications by space without additional API requests.
- Granular Per-Event Notification Settings— Notification Preferences
- A dedicated notifications settings section in the account screen lets users configure per-event notification preferences for both in-app browser notifications and email, including configurable email digest intervals such as immediate, daily, or weekly.
- File Lock and Unlock Events— File Events and Audit
- oCIS emits structured events on the message bus whenever a file is locked or unlocked, enabling downstream services such as audit logs, notification services, and automation workflows to react to locking state changes.
- Space Membership Expiry Event— File Events and Audit
- When a space member's time-limited membership expires, oCIS emits a `SpaceMembershipExpired` event, enabling notification services to inform the former member and allowing audit systems to record the change.
- OCM Invite Generated Event— File Events and Audit
- Generating a federation invitation token now emits an event on the message bus, enabling other services to trigger follow-up actions such as sending a branded invitation email or recording the invitation in an audit log.
- Audit File Event Logging— Notifications and Activity
- The audit service captures and logs file-level events including uploads, downloads, moves, copies, and deletions. Administrators can track all file operations across spaces for compliance and forensic purposes.
- Audit Sharing Event Logging— Notifications and Activity
- The audit service records all sharing-related events including share creation, modification, deletion, and access. Administrators receive detailed logs of who shared what with whom and when.
- Initial Share Received Notification— Notifications and Activity
- The notifications service delivers an email notification to users when they receive a new share. This initial implementation establishes the email delivery pipeline and is the foundation for the full notifications feature set.
- Email Body and Subject Templating— Notifications and Activity
- Notification emails use configurable Go templates for both subject line and body content. Administrators can customize the wording, structure, and branding of all system-generated emails without recompiling the server.
- Event History Service— Notifications and Activity
- oCIS persists a time-limited history of all system events (uploads, shares, space changes) in the event history service. Integrations and audit tools can query past events without needing a real-time NATS subscription.
- Global Notification Service Toggle— Notifications and Activity
- Administrators can globally disable the notifications service via configuration. When disabled, no email or in-app notifications are sent, useful for maintenance or development environments where notification traffic is undesirable.
- Share and Link Expiration Email Notifications— Notifications and Activity
- The notifications service sends email alerts before shares and public links expire. Users receive advance notice so they can extend or renew access before collaborators lose it.
- Server-Sent Events (SSE) Endpoint— Notifications and Activity
- The userlog service exposes a Server-Sent Events endpoint that browsers can subscribe to for real-time push notifications. This eliminates the need for polling and enables instant delivery of share, space, and file notifications in the web UI.
- Audit Log Before-and-After Value Recording— Notifications and Activity
- The audit service records both the old value and the new value when a property changes (e.g., role assignment changes, quota changes). Compliance teams can verify exactly what changed and who authorized the change.
- Templated Email Notifications for Share Events— Email Notifications
- Users receive formatted email notifications when a space is shared with them or a new share is created, using customizable templates that can be tailored to organizational branding.
- SMTP Authentication and Encryption Configuration— Email Configuration
- Administrators can configure SMTP mail encryption (TLS or STARTTLS) and authentication credentials independently in the notifications service, including a distinct username for the sending account to support custom sender addresses.
- SMTP Insecure TLS Certificate Skip Option— Email Configuration
- Administrators can configure the notifications service to skip TLS certificate verification for SMTP servers using `NOTIFICATIONS_SMTP_INSECURE`, enabling email delivery in lab or internal environments using self-signed certificates.
- Deprovisioning Global Notification— Admin Notifications
- Administrators can broadcast a system-wide deprovisioning notification to all users via the notifications API with a configurable date and format, informing users in advance of planned system decommissioning.
- Customizable Email HTML Templates— Email Notifications
- Administrators can replace the built-in HTML email notification templates with custom templates, enabling branded notification emails that match organizational identity and communication standards.
- Share and Space Expiration Notifications— Share Notifications
- Users receive email notifications when their file shares or Space memberships are approaching their expiration date, giving them time to request renewal before losing access.
- Server-Sent Events Notification Hub— Real-Time Events
- Clients can subscribe to a server-sent events (SSE) endpoint for real-time file and Space activity updates, enabling live in-browser notifications without requiring polling.
- Space Group Membership Email Notifications— Space Notifications
- Users receive email notifications when they are added to or removed from a Space through group membership changes, keeping them informed of access rights changes without manual status checks.
- Per-Service Notification Web UI URL— Notification Configuration
- Administrators can configure the Web UI URL embedded in notification emails independently using NOTIFICATIONS_WEB_UI_URL, supporting split-domain deployments where the notifications service endpoint differs from the main oCIS URL.
- Notification Email Subject Templating— Notification Templates
- Administrators can customize notification email subject lines using configurable templates, allowing organizations to align automated email notifications with their corporate communication standards.
- File Activity Service with Scan Timeline— File Activity Feed
- Users can view a timeline of file processing events, including virus scan outcomes, through a dedicated activities service, providing visibility into asynchronous background operations that affect files and Spaces.
- Transifex Email Template Translation Infrastructure— Email Localization
- System notification emails are now fully translatable through Transifex, enabling community and enterprise contributors to provide localized share and invitation email content in multiple languages.
- User-Preferred Language Email Delivery— Email Localization
- oCIS determines each recipient's preferred language and sends system notification emails in that language, ensuring users receive share alerts and space invitations in their native tongue.
- Server-Sent Events Notification Stream— Real-Time Notifications
- Users can subscribe to a persistent Server-Sent Events stream to receive real-time notifications for shares and space invitations without polling, with language preference changes reflected in future events without requiring reconnection.
- Policy Service File Deletion Notifications— Policy Notifications
- Users receive an in-app notification when the Policies service automatically deletes a file due to a configured rule, providing transparency about why content was removed.
- Suppress Notifications for Self-Initiated Space Actions— Notification Filtering
- Users no longer receive redundant notifications for space deletions or disabling operations that they themselves performed, reducing notification noise for administrators carrying out space management tasks.
- Localized User Activity Notifications— Notification Localization
- Notifications delivered through the userlog service are translated into each user's preferred language, ensuring activity alerts for shares, space invitations, and other events are presented in the user's native language.
- Userlog Service with Rich Notification API— User Activity Log
- The userlog service delivers structured notifications with rich-text message parameters compatible with the ownCloud 10 notifications API, providing users with meaningful, formatted descriptions of share activity and space events.
- Event History Service for Activity Storage— Event Storage
- The eventhistory service persistently stores all system events with full payloads, allowing other services such as userlog to retrieve past events for building user notification feeds and audit trails even after temporary service interruptions.
- Maintenance Mode Banner on 503 Response— System Status
- When the server returns an HTTP 503 status code, users see a persistent maintenance banner across the top of the page; clicking it opens a modal with additional maintenance details, so users are never left in an infinite loading state.
- Server-Sent Events in Public Share Context— Real-Time Updates
- Users viewing files or folders via public links now receive real-time server-sent event notifications, keeping shared content in sync without requiring a manual page refresh.
- Per-Resource and Per-Category Notification Settings— Notification Preferences
- Users can configure which notifications they receive, including marking individual resources to control notification frequency, preventing unwanted notification noise.
- Automatic Space List Refresh on Invitation Notification— Space Membership
- When a user receives a space invitation notification, the spaces list automatically refreshes to include the new space without requiring a page reload or manual navigation.
- Request ID Displayed on All Error Messages— Error Reporting
- When any operation fails, ownCloud Web displays the backend request ID alongside the error message, allowing administrators and support teams to correlate the UI error with specific log entries in the distributed oCIS backend.
- Latest Notifications Shown First in Notification Panel— Notification Display
- The notifications panel displays the most recent events at the top of the list, matching the expected reverse-chronological reading order users are familiar with from other applications.
- Server-Sent Event for New Folder Creation— Real-Time Events
- Clients receive real-time Server-Sent Event (SSE) notifications when new folders are created in spaces they are observing, enabling immediate UI updates without polling the server for directory changes.
- Server-Sent Events for File Lock and Unlock— Real-Time Events
- Clients receive real-time SSE notifications when files are locked or unlocked by another process or user, allowing the UI to immediately reflect file access state and prevent confusing concurrent edit conflicts.
- Automatic SMTP Authentication Method Detection— Email Configuration
- Administrators no longer need to explicitly specify the SMTP authentication method in `NOTIFICATIONS_SMTP_AUTHENTICATION`; oCIS auto-detects supported authentication methods from the mail server, simplifying notification service setup on most production mail providers.
- Email Notification on Share Revocation— Share Notifications
- Users automatically receive an email notification when a file or folder that was shared with them is unshared, keeping them informed of access changes without needing to actively monitor their shares list.
- Distinct Notifications for Space Role Changes— Space Notifications
- Users receive specifically worded notifications when their Space role is changed (e.g., promoted to manager or demoted to editor), rather than a misleading generic "added to Space" message that appeared regardless of whether the action was an add or a role change.
- Descriptive Content in Share Email Notifications— Email Notifications
- Users receive share notification emails with clear, descriptive subject lines and body content identifying what was shared and by whom, replacing generic placeholder messages with actionable information that helps recipients understand the context of the share.
Productivity Experience
- WOPI Editor Registration— Office Integration
- The collaboration service registers WOPI-compatible editors per MIME type and exposes suite-specific capabilities like save, rename, export, and locks.
- WOPI Short Tokens and Extension Deny List— Office Integration
- `COLLABORATION_WOPI_SHORTTOKENS=true` switches WOPI URLs to short-token mode (requires a configured persistent store). `COLLABORATION_WOPI_DISABLED_EXTENSIONS` accepts a comma-separated list of file extensions refused by the collaboration service across all connected editors — the deny list is instance-wide, not per-editor. This extension-blacklist feature was broken before v8.0.0 due to a leading-dot-stripping bug; v8.0.0 is the effective production version. Per-editor restriction requires deploying separate collaboration instances.
- Favorites via WebDAV— File Metadata
- Favorites are persisted through WebDAV properties and remain user-scoped, so favoriting a received share does not alter the owner's state.
- File Versions Listing and Restore— File History
- Version history can be listed, downloaded, and restored when the current user and context have the required permissions.
- Read-Only Versions Panels— File History
- The web versions sidebar can switch into a read-only state in viewer/editor contexts or when the user lacks restore rights.
- Trash Restore for Personal and Project Drives— Lifecycle Recovery
- Trash views support listing and restoring deleted content for personal files and project spaces, with role-specific restrictions on space trash access.
- Activities and Notifications UI— Activity UX
- Web exposes dedicated activity and notification surfaces with unread handling, transport selection, and user notification preferences where the server provides them.
- Public Files Drop Uploads— Uploads
- Public share routes support upload-only and files-drop use cases through dedicated upload handling rather than only authenticated file views.
- Space-Aware Upload Routing— Uploads
- Upload logic chooses the correct DAV target for personal files, spaces, and public contexts and runs conflict, quota, and state checks before transfer.
- Unzip Archive Action— File Actions
- The unzip extension adds a context action for `.zip` files, extracts entries client-side into a new folder, and blocks password-protected or oversized archives.
- Photos Gallery and Lightbox— Media Experience
- The photo add-on provides a chronological photo timeline with selectable date grouping (day, week, month, or year), infinite scroll, and dedicated lightbox viewing for media-centric browsing.
- Photos Map View— Media Experience
- The photo add-on can plot geotagged photos on a map when indexed location metadata is available.
- App Provider WOPI Driver Registration— Office Integration
- app-provider exposes a WOPI driver registration with configurable app name, icon, internal app URL, external app URL, API key, and IOP secret (`APP_PROVIDER_WOPI_APP_WOPI_SERVER_IOP_SECRET`). Two additional flags influence editor presentation: `APP_PROVIDER_WOPI_APP_DESKTOP_ONLY` restricts the app to desktop clients, and `APP_PROVIDER_WOPI_APP_DISABLE_CHAT` suppresses the editor's chat panel.
- App Provider Folder Back-Link Templates— Office Integration
- app-provider can generate folder breadcrumb or return URLs for editors through a base URL plus path template configuration. This keeps editor navigation aligned with the originating file location instead of hardcoding a single return target.
- Clientlog File and Share Event Translation— Activity
- clientlog translates storage, sharing, space, and logout domain events into client-consumable event names such as upload ready, folder created, file moved, share updated, and link removed. The service is an adapter layer between internal event types and browser-facing change signals.
- Client Activity SSE Fanout— Activity
- clientlog publishes translated events as `SendSSE` messages so user-facing SSE consumers can receive updates without subscribing to the full internal event bus. This keeps browser notification payloads narrower than raw backend events.
- User-Scoped SSE Notification Streams— Realtime Delivery
- sse serves `/ocs/v2.php/apps/notifications/api/v1/notifications/sse`, keys streams per user ID, and forwards `SendSSE` events to the correct consumer instead of exposing the raw event bus. Streams are user-scoped and not auto-replayed by default.
- SSE Keepalive Comments— Realtime Delivery
- sse can emit configurable keepalive comments on a ticker so idle connections stay open through intermediaries. This is transport-level behavior, not a synthetic notification feature.
- Thumbnail Resolution Matching— Media Experience
- thumbnails maps requests to the closest configured resolution in `THUMBNAILS_RESOLUTIONS`. Upscaling is supported and enabled by default (up to 10x). The resolution allow-list is an abuse-prevention mechanism, not a strict no-upscale contract.
- Animated GIF Thumbnail Generation— Media Experience
- The GIF thumbnail generator processes all frames with correct disposal behavior, producing an animated output thumbnail. Because animated GIF blobs can exceed gRPC message size limits, the binary is delivered via an HTTP download endpoint rather than inline gRPC.
- Audio Artwork Thumbnails— Media Experience
- thumbnails can extract embedded artwork from audio files and use it as the thumbnail source when present. This extends thumbnail coverage beyond image and office formats.
- User Notifications API— Notifications
- userlog exposes OCS endpoints to list notifications, delete all, or delete individual notifications by ID for the current user. The API is the main read and dismissal surface for stored user notifications.
- Policy, Antivirus, and Share Event Notifications— Notifications
- userlog converts events from policies, antivirus, spaces, shares, and OCM into per-user notifications, stores event IDs per user, and emits SSE unless disabled. It is the notification assembly layer between backend events and user-facing inbox entries.
- Dynamic Web Config JSON— Web Delivery
- the web service serves `/config.json` with runtime configuration, including injected external apps and deployment-specific values, instead of baking all config into static assets. This allows operators to change behavior without rebuilding the frontend bundle.
- Theme and Branding Asset Service— Web Delivery
- the web service serves `/themes/{id}/theme.json`, supports logo upload and reset endpoints, and layers filesystem and embedded theme assets with cache control. Branding is therefore a service-managed asset surface, not only a compile-time theme.
- DICOM Browser Preview and Metadata Sidebar— Medical Imaging
- the DICOM viewer extension opens `.dcm` files directly in the browser, renders the medical image, and can show the file's metadata in a sidebar on demand.
- DICOM Viewer Manipulation Controls— Medical Imaging
- The DICOM viewer (built on cornerstone3D) supports zoom in/out, rotation, flipping, colour inversion, and reset controls. The UI is responsive across device sizes. Note: windowing (WW/WL) and pan are not documented features of this extension.
- Frontend Archive Downloads— Downloads
- the frontend `archiver` endpoint can bundle collections into streamed `.zip` or `.tar` downloads instead of forcing users to fetch files one by one.
- Frontend Data Gateway Routing— Uploads
- the frontend `datagateway` endpoint routes upload and download traffic to the correct CS3 data provider using the handoff token returned by storage services.
- Web Embed Mode— Web Delivery
- the web service can run in a stripped-down embed mode for resource picking and sharing flows, configured through `WEB_OPTION_MODE` and `WEB_OPTION_EMBED_TARGET`.
- WebDAV Thumbnail Fetch Endpoints— Media Experience
- the webdav service exposes authenticated and unauthenticated `GET` endpoints for file and space thumbnails instead of limiting thumbnail retrieval to the main UI.
- EPUB Reader— File Viewing
- the built-in `epub-reader` app opens ebook files directly in the web UI instead of requiring a download to an external reader.
- PDF Viewer— File Viewing
- the built-in `pdf-viewer` app renders PDF files inside the web interface using native browser PDF support.
- Preview App for Audio Video and Images— Media Experience
- the built-in `preview` app opens audio, video, and image files directly in the UI for inline consumption.
- Text Editor for Plain Text and Markdown— Editing
- the built-in `text-editor` app creates and edits plain-text formats such as `.md` and `.txt` within the web interface.
- Audio Metadata Sidebar— File Metadata
- the files app can show audio-specific sidebar metadata such as duration, author, and title for supported media files.
- EXIF Image Information Sidebar— File Metadata
- the files app can show EXIF and image information in the sidebar for photo and image resources.
- Photo Timeline Zoom and Date Grouping— Media Experience
- the photo addon groups photos by day, week, month, or year and lets users change grouping with pinch or scroll-based zoom.
- Burst Photo Stacking— Media Experience
- the photo addon can automatically stack burst photos taken within seconds so galleries stay denser and easier to browse.
- SSE Keepalive Interval Configuration— Realtime Delivery
- `SSE_KEEPALIVE_INTERVAL` configures the periodic SSE comment message interval to prevent intermediate proxy timeouts on idle connections. The browser imposes a limit of 6 concurrent SSE connections per domain; operators should account for this in multi-tab deployments.
- Server-Side Favorites— Files App
- `FRONTEND_ENABLE_FAVORITES=true` enables server-side favorites tracking so a user's starred files persist across sessions and devices, not just in browser local state.
- Web Flat File List View— File Management
- An alternate file list display mode in ownCloud Web shows all files across sub-folders in a flat (non-hierarchical) list without navigating into subdirectories. Introduced web v7.2.0.
- Per-File Activity History Sidebar— Activity Feed
- A sidebar panel shows the activity history (create, modify, share, delete, version restore) for any selected file or folder, powered by the activitylog service API. Introduced web v6.1.0 / activitylog service v6.1.0.
- File Lock Information in Details Sidebar— File Status
- File lock information — who locked the file and when — is shown in the file details sidebar panel when a file is locked by a WOPI editor or desktop client. Introduced web v7.0.0.
- Application Menu Extension Point— Navigation
- Third-party apps inject items into the top-left application switcher menu via `AppMenuItemExtension`, supporting internal routes, external URLs, or custom button handlers. Introduced web v10.0.0.
- In-App File Open from WOPI Editor— Cross-App Workflows
- Files opened in a WOPI editor can be re-opened in another registered app from within the editor session, enabling cross-application file workflows without leaving the browser tab. Introduced web v6.1.0.
- Dark Mode and Light Mode Theme Switcher— UI Customization
- Users manually toggle between light and dark mode from Account Settings, with the preference saved persistently; the initial theme follows the OS/browser system setting. Introduced web v5.0.0; moved to Account Settings in v9.0.0.
- Anonymous User Preferences on Public Link Pages— Public Link UX
- Unauthenticated visitors accessing a public link can open user preferences to change the display language and other preferences without requiring an account. Introduced web v9.0.0.
- Browser Close Warning During Active Upload— Upload Management
- A browser-level "Leave page?" warning appears when the user tries to close or navigate away during an active upload, preventing accidental data loss on large uploads. Introduced web v9.0.0.
- Trash Bin Resource Details Sidebar— Sidebar UX
- Selecting a resource in the trash bin reveals a details sidebar panel showing metadata about the deleted item, consistent with the standard file details panel in the main file list. Introduced web v9.0.0.
- Emoji Space Icons— Space Customization
- Space administrators set an emoji as the space icon using a built-in emoji picker, as an alternative to uploading a custom image. Introduced web v9.0.0.
- Spaces Overview List View Mode— Space Navigation
- The project spaces overview offers a switchable list view mode in addition to the default tile/card view, with the user's preference remembered across sessions. Introduced web v7.1.0.
- Single-File Public Link Dedicated Viewer— Public Link UX
- A file shared via a single-file public link opens in a dedicated viewer rather than the file table, with configurable auto-open in the registered default app. Introduced web v7.1.0.
- Batch File Actions on Search Results— Search UX
- Multi-select batch actions (move, copy, delete, download) are available directly on the search result list, not just in folder views. Introduced web v7.1.0.
- Upload Error Log Download— Upload Management
- A downloadable error log in the upload dialog captures failure details for all failed uploads in the current session, enabling users to share diagnostic information with administrators. Introduced web v7.1.0.
- Space Download as Zip Archive— Space Operations
- The download action is available at the space level, compressing the entire space content into a zip archive respecting configured archiver size limits. Introduced web v7.1.0.
- Imprint and Privacy Statement Links— Legal Links
- Administrators configure imprint and privacy statement URLs that appear in the user account menu, supporting GDPR and legal disclosure requirements without custom web development. Introduced web v7.1.0.
- Whitespace Right-Click Context Menu— File Operations
- Right-clicking on empty space in the file list opens a context menu with folder-level actions (upload, create folder, paste), matching desktop file manager conventions. Introduced web v7.1.0.
- Lock and Processing Status Indicators in Tiles View— File Status
- File locking and post-processing states (antivirus, thumbnailing) are shown as status indicators in both table view and tiles/grid view, giving users real-time visibility into file state. Introduced web v9.0.0.
- Runtime Theming via JSON Config— Theming
- Administrators supply a custom JSON theme file at runtime to override colors, logos, brand slogan, and favicon without recompiling the web frontend. Introduced web v3.0.0.
- Shared via Link — Dedicated Navigation Page— Sharing UX
- A dedicated "Shared via link" view in the left navigation lists all resources the authenticated user has shared via public link, providing a consolidated outbound link management page. Introduced web v3.0.0.
- Persistent Sort Preferences per View— Sorting
- The user's chosen sort column and direction is remembered per view (All Files, Shared with Others, etc.) in persistent storage and carried across tabs and browser restarts. Introduced web v5.0.0.
- Sliding Panels Sidebar Navigation— Sidebar UX
- The right details sidebar uses iOS-style sliding panel navigation instead of accordion sections, allowing sub-panels (share details, version history, etc.) to push and pop with directional animation. Introduced web v4.0.0.
- Upload on Paste— Upload UX
- Users paste a file from the clipboard anywhere in the file list area to upload it without opening a file picker dialog. Introduced web v7.1.0.
- Drag-and-Drop to Breadcrumb— File Operations
- Files and folders can be dropped onto breadcrumb navigation segments to move them into parent folders without navigating away from the current view. Introduced web v7.1.0.
- Markdown Editor with Live Preview (ToastUI)— File Editing
- A full-featured Markdown editor with toolbar, code syntax highlighting, and live preview panel, replacing the basic plaintext editor for `.md` files. Built on Toast UI Editor. Introduced web v9.0.0.
- Share Role Icon in Shared-with-Me List— Sharing UX
- The "Shared with me" list displays the assigned share role icon with a tooltip showing the role name, so recipients immediately see their access level without opening the share details panel. Introduced web v10.0.0.
- SSE Real-Time File System Push Notifications— Real-Time Collaboration
- The web UI receives live push notifications via Server-Sent Events for file creation, update, rename, delete, move, and lock/unlock events, updating all open browser tabs in real time without polling. Introduced web v9.0.0.
- Auto-Orient Photos in Thumbnails— Image Processing
- The thumbnails service automatically orients photos based on EXIF orientation data when generating thumbnails, ensuring correct display regardless of the camera's physical rotation. Introduced v2.0.0.
- TIFF and BMP Thumbnail Support— Image Processing
- The thumbnails service generates thumbnails for TIFF (`.tif`, `.tiff`) and BMP (`.bmp`) image formats in addition to the core JPEG/PNG/WebP set. Introduced v2.0.0.
- Google Workspace MIME Type Thumbnails— Image Processing
- The thumbnails service generates preview thumbnails for Google Docs, Sheets, and Slides (GGP/GZT MIME types), enabling visual previews for Google-format files stored in oCIS. Introduced v7.0.0.
- Built-In HTML Editor with Live Preview— Content Editing
- A native HTML editor web application provides a split-pane interface with raw HTML source in one pane and a rendered live preview in the other, enabling lightweight HTML content authoring without external tools. Introduced web v13.x.
- Text Editor Support for Log and Config Files— Content Editing
- The built-in text editor recognises `.log` and `.conf` file extensions, allowing administrators and users to view and edit server log excerpts and configuration files directly in the browser.
- Cross-Instance Account Switcher— Multi-Instance UX
- A persistent UI control allows users enrolled in multiple oCIS instances or tenants to switch between them in a single click, eliminating repeated login prompts for multi-instance workflows. Introduced web v13.x.
- Catalan Language Support— Internationalization
- The oCIS web interface is fully translated into Catalan, extending locale coverage for Catalan-speaking user populations and meeting regional language requirements.
- Built-In Share Link Password Generator— Sharing UX
- The public link creation dialog includes an integrated one-click password generator that produces a cryptographically strong random password, lowering the barrier to applying password protection on shared content.
- Tag Input Validation and Character Limits— Tagging
- Tag fields enforce a maximum character count and reject special characters, ensuring tags remain well-formed for search indexing and preventing malformed entries from degrading search quality.
- In-Place File and Folder Duplicate Action— File Operations
- A context-menu action creates an immediate copy of any file or folder within the same location, eliminating the need for a manual copy-paste flow and reducing friction for template-based workflows. Introduced web v7.2.0.
- Themed Sharing Role Icons— Theming
- Administrators override sharing role icons via the theme configuration, allowing branded or localized role visualizations in the sharing sidebar. Introduced web v9.0.0.
- File Size Warning in WOPI/Text Editors— Content Editing
- Editors display a warning banner when the opened file exceeds 2 MB, alerting users to potential performance degradation before editing large files. Introduced web v11.0.0.
- Share Link Deny Access— Sharing UX
- Share editors and space managers explicitly deny access to specific sub-resources within a share or space for individual recipients, enabling fine-grained access restriction below folder level. Introduced web v7.1.0.
- File Rename— File Operations
- Users can rename files and folders directly from the ownCloud Web file list via the right-click context menu or the three-dot action menu. The inline rename field shows the current name pre-filled for editing, and the new name is applied immediately on confirmation with no page reload.
- File Move and Copy— File Operations
- Users can move or copy files and folders between any location — Personal Space, Project Spaces, or sub-folders — using the context menu in ownCloud Web. A destination picker allows navigation to the target location, and copied items appear in the destination without removing them from the source.
- File Download— File Operations
- Users can download individual files from the file list, from within a file viewer, and from public link pages in ownCloud Web. A single click on the download action triggers a browser download of the file at its current version.
- Application Switcher— Navigation
- The application switcher (grid icon in the top navigation bar) lists all installed web apps and extensions, allowing users to jump directly from the Files view to any other app (Draw.io, Photo Gallery, External Sites, etc.) and return to Files.
- Multi-Select Batch File Operations— File Operations
- Users can select multiple files or folders in the ownCloud Web file list using checkboxes and apply a single action (move, copy, download, delete, add to favorites, tag) to all selected items at once. Batch actions are available both in the regular file list and in the Shared-With-Me view.
- File List Pagination Controls— Navigation
- The ownCloud Web file list supports pagination with a configurable items-per-page selector (e.g., 25, 50, 100 items) and page navigation controls for folders with large numbers of files. Users can also toggle visibility of hidden files from the pagination bar.
- Spaces List Pagination Controls— Navigation
- The ownCloud Web Spaces overview supports pagination with items-per-page and page navigation controls for deployments with many Project Spaces, and a toggle to show disabled Spaces alongside active ones.
- Breadcrumb Folder Navigation— Navigation
- ownCloud Web displays a breadcrumb trail at the top of the file list showing the full path from the drive root to the current folder. Users can click any ancestor segment to jump directly to that level, and can drag files onto a breadcrumb segment to move them there.
- Web URL Shortcut Files— File Operations
- Users can create `.url` shortcut files in ownCloud Web that reference an external URL. When a collaborator clicks the shortcut, the linked address opens in a new browser tab. Shortcut files are stored as regular WebDAV resources and can be shared like any other file.
- Per-User UI Language Preference— User Settings
- Each ownCloud Web user can select their preferred interface language from the account settings panel. The selection persists across sessions and immediately re-renders all UI text (menus, dialogs, file action labels) in the chosen language without requiring a page reload.
- Pausable and Resumable Upload Progress— File Operations
- Ongoing file uploads in ownCloud Web can be paused and resumed at any point using the upload progress panel in the bottom-right corner. Resumption continues from where the upload stopped (TUS protocol), so large uploads can be paused and resumed even after network interruptions.
- In-App Contextual Help— User Experience
- ownCloud Web displays small contextual help icons next to key interface elements. Clicking or hovering an icon opens an inline popover with a plain-language explanation of that feature, reducing the need to consult external documentation during first-time use or for infrequently used capabilities.
- Arabic Language Support— Internationalisation
- Adds Arabic locale support including right-to-left text entry and display for Arabic-speaking users across the oCIS web interface and Markdown editor.
- Markdown to PDF Export— File Editors
- Users can export any markdown file to PDF directly from the markdown editor action menu, specifying a destination folder and filename, with the conversion running server-side and a completion notification issued on download readiness.
- TipTap Unified Text Editor— File Editors
- A TipTap-based text editor supports plain text, markdown, HTML, and rich TipTap JSON with content-type-sensitive toolbars and optional slash commands, replacing the legacy markdown-only editor across the web interface.
- Save As Action in App Top Bar— File Actions
- A Save As button in the application top bar allows users to save the current file with a new name or to a different location directly from any open editor without closing or navigating away.
- WebDAV URL in File Details Sidebar— File Details
- The direct WebDAV URL for a file is shown in the file details sidebar panel, allowing advanced users and administrators to copy the path for use in third-party WebDAV-compatible tools and scripts.
- Duplicate Resource In-Place Action— File Actions
- A duplicate action in the context menu and sidebar allows users to copy one or more files or folders into the same space and folder in a single click, without opening the copy dialog or choosing a destination.
- Accessibility Options Quick Link in User Menu— Navigation
- A direct link to accessibility options is available in the user menu, enabling users to configure keyboard navigation and display preferences without searching through general settings.
- WCAG 4.5:1 Colour Contrast in Default Theme— Accessibility
- The default web UI theme has been updated so that all interactive and text elements meet the WCAG 4.5:1 minimum colour contrast ratio, ensuring the platform meets accessibility compliance requirements out of the box.
- iOS Clipboard Cut Copy and Paste for Files— File Actions
- The iOS app supports cut, copy, and paste operations for files and folders using the standard iOS clipboard, enabling users to move and duplicate content using familiar iOS conventions.
- iOS Presentation Mode for Images and Documents— File Viewing
- The iOS app offers a presentation mode that displays images and supported documents full-screen with navigation controls, suitable for presenting content to others from a device without switching apps.
- iOS Full-Screen PDF Viewer with Thumbnail Strip— File Viewing
- The iOS PDF viewer opens documents in full screen and displays a scrollable thumbnail strip for rapid page navigation, making it practical to review and navigate long documents on mobile.
- iOS Dark Mode and Black Theme Options— Personalisation
- The iOS app provides standard dark mode support that follows the system appearance setting, plus an optional true-black theme for OLED displays, giving users control over display comfort.
- iOS Sidebar and Breadcrumb Navigation— Navigation
- The iOS app provides a persistent sidebar for primary navigation and a breadcrumb trail within folder hierarchies, giving users multiple orientation and navigation paths at all times.
- Space Thumbnail Preview Support— Productivity Experience
- Thumbnail generation works for files stored inside project spaces, not just in personal drives. Users browsing space content see consistent image previews in the web UI and WebDAV clients.
- Text File Thumbnail Previews— Productivity Experience
- The thumbnails service generates preview images for plain text (`.txt`) files. Users see a rendered preview snippet in the file manager instead of a generic file icon.
- Photo Lightbox Keyboard and Swipe Navigation— Media Experience
- In the photo lightbox, users can navigate between photos using keyboard arrow keys or swipe gestures on touch devices, and close the viewer with the Escape key.
- Photo EXIF Camera Metadata Display— Media Experience
- The photo add-on shows detailed EXIF camera information alongside each photo, including camera make and model, aperture, ISO, exposure time, and GPS coordinates, without leaving the oCIS interface.
- Photo Timeline Infinite Scroll— Media Experience
- The photo timeline loads photos progressively as you scroll down rather than paginating, providing a continuous browsing experience across large photo libraries.
- Chat with File AI Edit Mode with Diff Preview— AI Assistance
- In edit mode, the Chat with File extension asks the AI to rewrite the entire file according to your instruction, then shows you a unified line-level diff of the proposed changes before you choose to apply or discard them.
- Chat with File ETag Concurrency Guard— AI Assistance
- When saving AI-edited file content, the extension attaches the file ETag to the write request so that if another user modified the file while you were reviewing the diff, the conflict is detected and reported rather than silently overwriting their changes.
- Chat with File Session Message History— AI Assistance
- The chat panel retains the full conversation history for each file within the browser session, so closing and reopening the panel resumes the same conversation without losing context.
- AI Version Changelog On-Demand Per-Version Diff— AI Assistance
- The AI version changelog panel fetches version content pairs on demand and diffs them before sending only the changed lines to the LLM, producing a concise prose description of what changed in each file version.
- AI Version Changelog Session Cache— AI Assistance
- Once generated, a changelog entry for a specific version pair is cached in the browser session, so navigating away and returning to the file does not trigger redundant LLM requests for already-described versions.
- AI Version Changelog Binary File Detection— AI Assistance
- The version changelog panel detects binary files (images, Office documents) by MIME type and shows a clear not-supported notice instead of attempting to diff and summarize them with the LLM.
- AI Image Alt-Text Persistent Save— AI Assistance
- After reviewing and editing the AI-generated alt text for an image, users can save it back to the file as a custom WebDAV property, making the approved description persistent across sessions and available to other oCIS components that read custom DAV properties.
- AI Image Alt-Text Clipboard Copy— AI Assistance
- The alt text sidebar includes a one-click copy-to-clipboard button so approved alt text can be immediately pasted into external content management systems, documents, or emails without manual text selection.
- AI CSV Insights User Consent Disclosure— AI Assistance
- Before sending any file content to the configured AI service, the CSV and TSV insights panel shows a one-time consent disclosure informing the user that data will be transmitted, which the user must acknowledge to proceed.
- AI CSV Insights Column Type and Range Detection— AI Assistance
- The insights panel identifies the data type (number, date, boolean, or string) for each column and reports minimum and maximum value ranges for numeric and date columns, giving a quick statistical overview of the dataset.
- AI Folder Brief Static Fallback— AI Assistance
- When no LLM endpoint is configured, the Folder Brief sidebar panel computes a client-side file-type breakdown from the folder listing alone with no AI call, so the feature degrades gracefully without requiring LLM setup.
- AI Document Summary Capability Probing— AI Assistance
- Before generating a summary, the extension probes the configured LLM endpoint for supported capabilities including structured JSON output, tool calling, streaming, and context window size, and silently adapts its request strategy based on what the model supports.
- AI Document Summary Key Points Output— AI Assistance
- The summary sidebar renders the LLM response as two distinct sections: a 2-3 sentence overview paragraph and a bullet list of 3-4 key takeaway points, making the summary easy to scan at a glance.
- Drive Listing Sort by Name and Modified Date— Graph API
- Users and applications can retrieve drives from the Graph API sorted by name or lastModifiedDateTime in ascending or descending order, enabling consistent and user-friendly drive list presentations in client applications.
- SPA History-Mode Clean URL Serving— Web Client Serving
- The oCIS web service now serves the frontend as a single-page application with clean history-mode URLs (without hash fragments), enabling proper deep-linking, bookmarking, and browser navigation within the web UI.
- Archiver Capacity Limits in Capabilities— File Archiving
- The OCS capabilities response now reports the archiver's maximum number of files and maximum archive size, enabling clients to inform users of and enforce limits when downloading multiple files as a zip or tar archive.
- EXIF-Aware Thumbnail Auto-Orientation— Thumbnail Generation
- Users see correctly oriented thumbnails for photos taken with mobile devices, as the thumbnails service now reads EXIF orientation metadata and rotates images automatically before generating previews.
- Modernized Login Screen Design— User Interface
- Users experience a redesigned login screen that matches the visual design language of the ownCloud Web interface, providing a consistent look and feel across authentication and file management views.
- Configurable Preview-Supported MIME Types— File Preview Configuration
- Administrators can configure which file MIME types the backend supports for preview thumbnails, allowing the Web UI to accurately display preview availability indicators based on the active storage backend capabilities.
- App Provider User Locale Passthrough— App Provider Integration
- Users who open documents through the app provider see the integrated application rendered in their preferred language, as oCIS now passes the user's locale setting to the external application at launch time.
- User Profile Picture Display— User Profile
- Users see profile pictures displayed throughout oCIS interfaces, making it easier to recognize collaborators in shared spaces and adding a personalized touch to the workspace experience.
- Text File Thumbnail Preview— Thumbnail Generation
- Users browsing their files see auto-generated thumbnail previews for plain text (.txt) files, making file contents more identifiable in the file manager without needing to open each file individually.
- ETag-Independent Thumbnail Generation— Thumbnail Generation
- The thumbnails service can generate file previews even when a storage backend does not supply ETag headers, reducing failed thumbnail requests and improving preview availability across diverse storage configurations.
- Accounts and Settings Interface Localization— Localization and Internationalization
- Users can interact with the oCIS accounts and settings interfaces in their preferred language, as both UI components now include full localization support for all user-facing text strings.
- GIF Format Thumbnail Support— Thumbnail Generation
- Users see thumbnail previews for GIF files in the file browser, as the thumbnails service now generates previews for both animated and static GIF images alongside other supported formats.
- Open Files with Default App Setting— Web Configuration
- Administrators can configure whether files open automatically with the associated default application via WEB_OPTION_OPEN_LINKS_WITH_DEFAULT_APP, controlling default file-opening behavior across the web client.
- Portrait Resolution Support in Thumbnail Config— Thumbnail Generation
- The thumbnail service now includes portrait-orientation resolutions in its default configuration, ensuring properly proportioned preview images for vertically oriented photos and documents without manual configuration.
- Markdown Export to PDF Action— File Conversion
- Users can export any markdown file as a PDF directly from the file context menu or the markdown editor, downloading the rendered document without leaving the browser.
- Accessibility Options Dropdown in Top Bar— Accessibility Options
- Users can open an accessibility options panel from a dedicated dropdown in the top bar and from the user menu, providing a central entry point for accessibility settings to meet compliance requirements.
- In-Progress Delete Queue with Spinner Indicator— File Operations Feedback
- When files or folders are being deleted, a delete queue disables the affected resources and replaces their selection checkboxes with a spinner, giving users clear visual feedback that the operation is in progress.
- Autosave Enabled by Default in Text Editor— Document Editing
- The autosave feature in the text editor is now on by default, automatically saving document changes at regular intervals to prevent data loss during network interruptions or accidental logout.
- Theme Switcher Moved to Account Settings Page— Personalization
- Users can switch between light, dark, and automatic themes from the account settings page, decluttering the top bar while adding an auto (system preference) option.
- Persistent Left and Right Sidebar State— User Preferences
- ownCloud Web remembers each user's sidebar open/closed preferences between sessions and page navigations, eliminating the need to re-open sidebars after every login or folder change.
- Video Playback in Built-In Media Viewer— Media Viewing
- Users can play video files directly in the ownCloud Web media viewer without downloading them, alongside existing image preview and audio playback capabilities.
- Autoplay When Opening Media Files— Media Playback
- Clicking on an audio or video file opens the media viewer and immediately begins playback, consistent with how other file types open their respective editors or viewers.
- Paginated File List with URL Page Parameter— File List Navigation
- Large file listings are split into pages, with the current page reflected in the URL so users can bookmark or share a specific page within a folder and navigate directly to it.
- User-Selectable Items per Page in File List— File List Customization
- Users can choose how many files and folders are displayed per page from the view options dropdown, with their preference persisted in local storage.
- User-Configurable Column Visibility in File List— File List Customization
- Users can select which columns (such as size, date modified, or type) are shown in the file list view, allowing personalization of the information density to match their workflow.
- Full Keyboard Navigation in Tiles View— Keyboard Accessibility
- Users can navigate, select, and act on files in the tiles (icon grid) view using the keyboard with the same completeness available in the list view, improving accessibility for keyboard-only users.
- Option to Sort Folders and Files Together by Name— File Sorting
- Users can sort files and folders together in a single alphabetical list rather than always showing folders first, matching the behavior of many OS file explorers when sorting by name.
- Context Menu on Breadcrumb Current Folder— Navigation
- Users can right-click or tap the last breadcrumb segment to access a context menu for the current folder, enabling actions like rename, share, or move without first selecting the folder in the list.
- Favorites List with Parent Folder Context— Quick Access
- Users can mark files and folders as favorites and access them from a dedicated favorites view; each item shows its parent folder path for context when the same name appears in multiple locations.
- Absolute Date Tooltips on Relative Timestamps— Date and Time Display
- Users can hover over any relative time display (such as "2 hours ago") to see the exact absolute date and time in a tooltip, providing precision without cluttering the interface.
- Hidden Files Visibility Toggle in View Options— File View Options
- Users can show or hide hidden files and folders (those starting with a dot) from the view options dropdown, with the preference persisted in local storage between sessions.
- Auto-Scroll to Newly Created File or Folder— File Creation UX
- After creating a new file or folder, the file list automatically scrolls to and highlights the new item, including when pagination means the item was added to a different page than the user was viewing.
- DICOM Medical Image Viewer Extension— Specialized File Viewing
- Users with medical imaging files can preview DICOM images and their metadata directly in the browser through the ownCloud Web DICOM viewer extension, built on the CornerstoneJS library.
- Universal Access Theme Configuration Keys— Accessibility Theming
- Administrators can configure ownCloud theme keys for universal accessibility features in the web interface, with values defaulting to empty (hidden) until an operator explicitly enables them.
- File and Folder Shortcut Creation— File Navigation
- Users can create shortcuts to frequently accessed files or folders in the web drive, reducing time spent navigating deep folder hierarchies to reach important resources.
- Configurable Thumbnail Image Processor Mode— Thumbnail Generation
- Administrators can configure thumbnail generation behavior by selecting from built-in processors (resize, fit, fill, thumbnail) to control how images are cropped or scaled within the preview frame, preventing content cut-off for images with unusual aspect ratios.
- Custom Login Page Background Image Upload— Branding and Theming
- Administrators can upload a custom background image for the oCIS login page, enabling organizations to apply their brand identity to the first user-visible touchpoint of the platform.
- User Language Preference via Graph API— User Preferences
- Users can read and update their preferred interface language through the standard Graph API, giving client applications a consistent, validated mechanism to manage language settings without custom boilerplate code.
- Animated GIF Thumbnail Processing Support— Thumbnail Generation
- The thumbnail service can process and render GIF images including animated GIFs in their entirety, ensuring preview images for GIF files display correctly rather than appearing broken or truncated in the web interface.
- Thumbnail Previews via Spaces WebDAV Endpoint— File Previews
- Users can retrieve thumbnail preview images for files stored in Project Spaces using standard WebDAV URLs with preview parameters, enabling consistent image preview rendering across all space types in the web interface.
- Remix Icons for Share Role Indicators— Sharing UI
- Share roles in the oCIS theme configuration now include Remix icon identifiers (eye for viewers, pencil for editors, user-star for space managers, shield for secure view), providing a consistent icon vocabulary clients can use to render sharing role UI elements.
Search and Discovery
- Search Metadata and Full-Text Querying— Search
- The search service supports metadata fields and extracted-content queries through KQL-style compilation rather than limiting search to names only.
- Search EXIF and Photo Metadata Filters— Search
- Indexed photo metadata such as camera details, dates, ISO, aperture, focal length, and coordinates are queryable when extractor data is available.
- Search Scope Filtering and Shared Remote IDs— Search
- Search can be scoped to a context such as the current folder, and shared-resource responses expose remote item identifiers so clients can resolve hits correctly.
- Search Full-Text UI Controls— Search UX
- Web checks backend capability and switches between title-only and full-text search controls instead of assuming content search is always available.
- Advanced Search Extension— Advanced Search
- The advanced-search add-on builds and parses KQL, exposes structured filters, and supports saved searches and tag-backed filter options.
- Graph Tag Assignment and Removal— Tags
- Graph tag endpoints derive the available tag catalog from search, enforce configured tag-length limits, and publish `TagsAdded` or `TagsRemoved` events when users assign or unassign tags on resources. Tag writes are permission-checked and removal includes rollback logic if event publication fails.
- Search Scope and Mountpoint Search Routing— Search
- search extracts scope from the query, resolves accessible spaces including grant-backed mountpoints, and restricts results to non-trashed content within those scopes. Shared-space routing is therefore computed server-side, not by clients stitching together drive queries.
- Search Worker Pool Across Accessible Spaces— Search
- search fans out work across a worker pool over the caller's accessible spaces and skips special directories like `.` and `.space`. The implementation is designed to search many spaces concurrently rather than serially.
- WebDAV Search REPORT Endpoints— Search API
- the webdav service exposes indexed search through DAV `REPORT` endpoints so DAV clients can query search results without switching to Graph-specific flows.
- Pluggable Search Engine Interfaces— Search Backend
- the search service ships with Bleve by default but exposes an engine interface so deployments or developers can extend it with other search backends.
- Metadata-Only and Tika-Based Extraction Modes— Search Backend
- search can run in embedded `basic` metadata mode or a `tika` mode that adds file-content and richer metadata extraction when Apache Tika is installed.
- Advanced Search Search Statistics Panel— Advanced Search
- the advanced-search extension can show index status, space information, and server details alongside search results.
- Advanced Search Multiple Result Views— Advanced Search
- the advanced-search extension supports list, grid, and table layouts instead of a single fixed search-results view.
- Bleve Index Horizontal Scaling Mode— Search Backend
- `SEARCH_ENGINE_BLEVE_SCALE=true` removes the exclusive write lock from the Bleve index so multiple search service replicas can access the same index directory simultaneously. Must be set identically on every instance. Default `false`. Introduced v7.2.0.
- Space ID in WebDAV REPORT Search Responses— Search API
- WebDAV `REPORT` (search) responses now include `spaceid` in result metadata (v8.0.2), matching PROPFIND output format. Clients and extensions can correlate search hits to their source space without a separate drive-lookup round-trip.
- Contextual Search Result Filters and Excerpts— Full-Text Search
- The search results page exposes a full-text content filter, tag filter, and location-scoped filter (space/folder), with highlighted content excerpts from the matching document. Goes beyond KQL syntax to provide a guided post-search refinement experience. Introduced web v7.1.0.
- Reindex All Spaces via CLI Flag— Index Management
- `ocis search index --all-spaces` reindexes all spaces in a single command without needing to specify individual space IDs. Simplifies bulk search index rebuilds after migrations or index corruption.
- Remote Item ID in WebDAV REPORT Search— WebDAV Search
- Adds a remoteItemId WebDAV property to REPORT search results for shared resources, enabling web clients to navigate directly from a search result into the correct share without an additional API round-trip.
- Full-Text Search Mode Toggle— Search UI
- A toggle pill in the search results header allows users to switch between Title Only and Full Text Search modes with a single click, replacing the previous filter-pill interaction and reducing search mode confusion.
- Android Server-Driven Search Minimum Character Threshold— Mobile Search
- The Android search field enforces a server-configured minimum character count before submitting a query, reducing unnecessary server load while providing in-field feedback to the user about the minimum required input.
- iOS Server-Side Full-Text Search— Mobile Search
- The iOS app submits search queries to the oCIS server-side search service, returning results from file content as well as filenames across all spaces the user has access to.
- iOS Account-Wide Local Search with Filters— Mobile Search
- The iOS app provides a local search mode that searches across all configured accounts and applies filters such as file type, date range, and modification date, in addition to server-side search.
- iOS Saved Folder Searches— Mobile Search
- Users can save frequently used search queries with their filter configuration in the iOS app, making recurring searches accessible in one tap without re-entering criteria each time.
- Search Media Type Shorthand Filters— Search Filters
- Users can search with shorthand category terms such as `MimeType:documents`, `MimeType:images`, or `MimeType:spreadsheets` to instantly find files by broad type without knowing exact MIME strings.
- Audio and Location WebDAV Metadata Properties— Search Metadata
- PROPFIND responses include `oc:audio` (track, artist, album metadata) and `oc:location` (GPS coordinates) properties for media files, enabling metadata-rich file browsing and future map-view search experiences.
- Photo and Image WebDAV Metadata Properties— Search Metadata
- PROPFIND responses include `oc:photo` and `oc:image` properties carrying EXIF camera metadata (orientation, focal length, exposure) for image files, powering rich photo timelines and metadata sidebars.
- Drive Type and ID Filters on /me/drives— Search and Discovery
- The Graph API `/me/drives` endpoint supports OData `$filter` expressions using `driveType` and `id` predicates. Clients can request only personal drives, project spaces, or shares without fetching all drives.
- Search Total Match Count— Search and Discovery
- The search REPORT response includes the total number of matching items in addition to the paged result set. Clients display accurate "X results found" counts and can implement proper pagination controls.
- Hidden File State in Search Index— Search and Discovery
- The search index tracks whether a file or folder is hidden (dot-prefixed name). Search queries can include or exclude hidden items, and the index stays in sync with file-system-level hide/show changes.
- Resource Tag Indexing and Search— Search and Discovery
- Files and folders can be tagged with arbitrary labels that are indexed in the search service. Users filter search results by tag, and tags appear in file detail sidebars for quick navigation.
- Extended KQL Metadata Search— Search and Discovery
- The search service supports extended KQL (Keyword Query Language) predicates beyond filename matching, including tag filters, type filters, and date range queries. Users can compose complex queries across multiple metadata dimensions.
- Full-Text Search Content Preview with Term Highlighting— Search and Discovery
- Search results include a content snippet preview with the search term highlighted in context. Users see relevant excerpts from document content directly in the search result list, without opening each file.
- Search Scope Filter by Current Folder— Search and Discovery
- The search REPORT endpoint accepts a scope parameter to restrict results to a specific folder tree. Users can search within the current folder rather than across all spaces, improving precision for large repositories.
- Advanced Search KQL Direct Input with Parse-to-Filters— Advanced Search
- Users can type a raw KQL query string directly into the Advanced Search input and click Apply to Filters to have the query parsed and its clauses populated into the individual filter fields, bridging query and form-based search.
- Advanced Search Photo EXIF Filter Fields— Advanced Search
- The Advanced Search filter panel includes dedicated photo metadata filters — camera make, camera model, date taken, ISO, aperture (f-number), and focal length — for searching indexed photo libraries by technical shooting parameters.
- Advanced Search Saved Search Routes— Advanced Search
- Saved searches in Advanced Search are accessible via a dedicated URL route, so users can bookmark or share a specific saved search and return to it directly without recreating the query.
- Advanced Search Result Context Actions— Advanced Search
- Search results in the Advanced Search app support right-click context-menu actions (download, open in files, copy link, delete) directly from the results list, without navigating to the file location first.
- Full-Text File and Directory Search Extension— Search Service
- Users can search for files and directories from within the oCIS web interface using the new search extension, which indexes file and directory metadata to deliver fast and relevant results.
- Files Favorites Capability Advertisement— Favorites
- oCIS now advertises a files.favorites capability through the OCS API, enabling clients to detect whether favorites support is active on the server and conditionally display favorites-related UI to users.
- WebDAV REPORT Filter Files API— WebDAV Protocol
- Users can retrieve filtered file listings — such as their favorited files — using the standard WebDAV REPORT method with the filter-files filter, enabling efficient client-driven queries without full directory traversal.
- File Tagging Support and Tags Discovery API— Tagging System
- Users can tag files for custom organization and discover all available tags through the experimental tags service, which exposes a list-all-tags endpoint and announces tag support to clients via the capabilities response.
- Search Files and Folders by Tag— Tag-Based Search
- Users can find files and folders across all spaces by searching for their assigned tags, enabling quick retrieval of content grouped by custom organizational labels without knowing exact file names or locations.
- Apache Tika Full-Text Document Content Extraction— Full-Text Search
- Users can search within the text content of uploaded documents, as oCIS integrates with Apache Tika to extract and index file content; administrators configure the extractor type and Tika URL via dedicated environment variables.
- Combined Name, Tags, and Content Search— Multi-Field Search
- Users can find files in a single query that searches across file name, assigned tags, and extracted document content simultaneously, with support for the iOS client search query syntax.
- Search Result Total Match Count Header— Search Results
- Client applications receive the total number of matching results in the `Content-Range` response header for search queries, enabling accurate pagination controls and result count display without issuing additional requests.
- Search Service Available at Legacy WebDAV Endpoint— WebDAV Search Integration
- Legacy WebDAV clients that use the original `/remote.php/dav/` endpoint can now benefit from the oCIS search service through REPORT requests, providing full search capabilities to clients not yet migrated to the Spaces API.
- Search Index Updated on File Touch Events— Search Indexing
- Users see accurate search results after files are created or modified via touch operations, as the search service now subscribes to FileTouched events and updates its index in response.
- OData Query Support for Accounts Indexer— Search Query Protocol
- The oCIS accounts indexer now accepts OData-formatted search queries, allowing clients and services that speak OData to issue structured lookups against the user and group index.
- Search Scope Filter for Locations— Search Filtering
- Users can restrict WebDAV REPORT search results to a specific folder or space using a scope parameter, enabling focused searches within a directory hierarchy rather than across all available spaces.
- Search Result Content Preview Highlighting— Full-Text Search
- When full-text content extraction is configured, search results now include a highlighted content preview showing the surrounding context of matched search terms within the document body.
- Case-Insensitive Field-Based Search— Search Filtering
- Field-based search queries such as name:Document.pdf are now handled case-insensitively and correctly process special characters including colons, providing consistent search results regardless of how users type their query.
- Automatic Space Reindex on Rename— Space Management
- When a space is renamed, the search index is automatically updated to reflect the new name, ensuring search results immediately reference the correct space name without requiring manual reindexing.
- Search Excludes Disabled Spaces— Search Filtering
- Search results no longer include content from disabled spaces, and sub-searches across multiple spaces are now performed concurrently, improving both search accuracy and performance for users with access to many spaces.
- Graph API File Tag Management— File Tags
- Users can create and manage tags on files and folders through the Graph API, enabling flexible content organization and tag-based filtering across Spaces.
- Apache Tika Full-Text Content Extraction— Full-Text Search
- Administrators can configure oCIS to use Apache Tika for extracting text from documents during indexing, enabling users to search within file contents such as PDF and Office document text.
- Quoted String and Operator Search Syntax— Search Query Syntax
- Users can search using quoted strings for exact phrase matching and addition operators to combine terms, enabling more precise and expressive search queries across files and Spaces.
- Automatic Space Reindex on Item Events— Search Index Management
- The search service automatically reindexes a Space whenever events are received for items within it, ensuring that Space-level metadata such as modification time and tree size remain accurate in search results.
- Fulltext Analyzer for Bleve Search Engine— Full-Text Search
- The search service uses a dedicated fulltext analyzer for document indexing in Bleve, improving search relevance and enabling more natural language queries when searching across indexed file content.
- Parent Resource ID in Search Results— Search Results
- Search REPORT responses now include the parent folder ID of each matching resource, allowing clients to construct accurate navigation paths to containing folders directly from search results without additional API calls.
- Per-Space WebDAV REPORT Search— Space Search
- Users and clients can scope a search to a specific Space by sending a WebDAV REPORT request to /dav/spaces, enabling targeted content discovery within a single project Space rather than across all content.
- Hidden Files Filtered from Search— Search Results
- Dotfiles and other hidden files are excluded from search results by default, reducing noise in search queries and presenting users with a cleaner, more relevant set of results.
- Title-Only vs Full-Text Search Toggle— Search Scope
- Users can switch between searching only file titles and searching full file contents using a toggle in the search bar, replacing the previous less-intuitive filter pill.
- Global File Search with Scope Switching— Full-Text Search
- Users can search for files across all their spaces and personal folders using the global search bar, with the ability to narrow the scope to the current folder or expand it to all files.
- Multi-Term Search Query Linking— Advanced Search
- Users can search for multiple tags or values of the same filter type simultaneously, with search results returning files that match any of the linked terms, enabling more flexible discovery across large file sets.
- Configurable and Disableable Search Providers— Search Configuration
- Administrators can configure which search providers are active in ownCloud Web, allowing the default file search provider to be disabled when using alternative or specialized file backends that provide their own search capability.
- Visual Differentiation of Folders vs Spaces in Search Results— Search Result Context
- Search results clearly distinguish between folders and spaces even when they share the same name, preventing users from accidentally navigating to the wrong destination from the search results list.
- Single-Command Search Re-Index All Spaces— Search Administration
- Administrators can trigger a complete re-index of all oCIS spaces using a single `ocis search index` command, with the service account automatically discovering every accessible space without requiring per-space user credentials.
- Search Engine Type Capability Announcement— Search Configuration
- oCIS exposes the configured search engine type (e.g., `bleve`) via the `files.search_engine` capability, allowing clients to tailor their search query syntax and UI filter features to the active backend engine.
- Horizontally Scalable Search Service— Search Indexing
- Administrators can run multiple search service instances with a distributed backend to handle higher search volumes and achieve high availability, replacing the single-node Bleve index that cannot be scaled horizontally across replicas.
- Favorites Feature Capability Announcement— Favorites Management
- oCIS advertises favorites support to clients via the `files.favorites` capability, allowing client applications to conditionally display favorites UI and favorites-related features only when the server indicates the feature is active.
Security and Compliance
- Public Link Brute Force Protection— Link Protection
- Storage-publiclink configuration can rate-limit repeated password failures and block access temporarily once the threshold is crossed.
- Policy-Based Authorization— Policies
- The policies service evaluates OPA/Rego decisions over gRPC so authorization can include conditions beyond static ACL checks.
- Antivirus Post-Processing Scanning— Malware Protection
- Antivirus listens to postprocessing events and scans uploaded content through ClamAV or ICAP backends, including uploads from shares, chunks, public links, and project spaces.
- Audit Event Normalization— Audit
- audit converts raw domain events into normalized audit records for files, shares, public links, spaces, users, groups, and ScienceMesh invitations. The event family mapping is explicit in code so downstream sinks receive stable action names instead of heterogeneous bus payloads.
- Audit Console and File Sinks— Audit
- audit can emit records to stdout or to a file and supports both `json` and `minimal` output formats. Sink choice and format are deployment settings rather than compile-time behavior.
- Public Share Password Policy Enforcement— Link Protection
- sharing enforces password rules such as minimum digits, lower and upper case, special characters, banned-password lists, and whether writable or public shares must have passwords. The hardcoded bcrypt-relevant max length boundary is 72 characters.
- Proxy Middleware Policy Enforcement— Policies
- the policies service can be queried from proxy middleware so HTTP requests can be denied synchronously with a structured `deniedByPolicy` response before the operation proceeds.
- Postprocessing Policy Step— Policies
- policies can run as an asynchronous postprocessing step via `POSTPROCESSING_STEPS=policies`, enabling slower content-aware evaluations after upload.
- Content Security Policy Configuration— HTTP Security
- `PROXY_CSP_CONFIG_FILE_LOCATION` loads a YAML CSP configuration that restricts browser resource loading across the oCIS web interface, WOPI sessions, and external IdP frames. Required for deployments with strict browser hardening policies.
- Secure View Preview-Only App— Secure View
- `FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR` routes "secure view" opens through a dedicated collaboration-service app provider that presents file content without offering a download path. Designed for compliance contexts where files may be reviewed but not extracted.
- Antivirus File Size Cap— Antivirus
- `ANTIVIRUS_MAX_SCAN_SIZE` caps the maximum bytes forwarded to the antivirus scanner per file, preventing out-of-memory conditions on large uploads while ensuring partial scanning continues. Files exceeding the cap are handled according to the configured infected-file policy.
- Antivirus Concurrent Scanning Workers— Antivirus
- `ANTIVIRUS_WORKERS` configures the number of parallel scanning goroutines. Memory impact scales as `ANTIVIRUS_MAX_SCAN_SIZE × ANTIVIRUS_WORKERS`. Allows antivirus throughput to be tuned independently of other services in high-upload environments.
- Postprocessing-Phase Policy Query— Policies
- `POLICIES_POSTPROCESSING_QUERY` defines the OPA/Rego ruleset variable evaluated during async post-processing (separate from the synchronous proxy middleware query), enabling slower, content-aware policy checks after upload without blocking the upload response.
- Referrer-Policy no-referrer Header— HTTP Security
- The proxy service emits `Referrer-Policy: no-referrer` on all responses (changed from `strict-origin-when-cross-origin` in v8.0.0), completely suppressing the `Referer` header on outbound requests. Prevents browsing-context leakage to third-party WOPI editors, embedded iframes, or analytics endpoints.
- Skyhigh Security ICAP Antivirus Support— Antivirus
- The antivirus service supports Skyhigh Security ICAP as an ICAP server endpoint, expanding the range of supported ICAP-compliant antivirus backends beyond ClamAV and generic ICAP. Introduced v6.3.0.
- Cookie Security Hardening (SameSite, Secure, HttpOnly)— Cookie Security
- Session and authentication cookies are set with SameSite, Secure, and HttpOnly flags, protecting against CSRF, man-in-the-middle, and XSS attacks. Introduced v7.2.0.
- Cryptographically Signed Public Link Tokens— Public Link Security
- Public share tokens are signed with a server-side signing key, allowing the server to cryptographically verify their authenticity and detect tampered or forged tokens before granting access.
- Vault Mode Capabilities Advertisement— Data Isolation
- `FRONTEND_ENABLE_VAULT_MODE` activates Vault Mode; the OCS capabilities endpoint advertises `vault.enabled=true` and returns vault-specific capability overrides (public sharing and federation disabled) when queried with `?vault=true`. Enables context-aware client UI enforcement.
- Vault Resource Public-Link Lockdown— Data Isolation
- Files and folders in Vault spaces cannot be shared via public links. The capability is suppressed in API responses and enforced server-side, preventing accidental external exposure of vault-classified content.
- Vault-Scoped Search— Data Isolation
- When Vault Mode is active, search queries are automatically scoped to vault resources only, preventing cross-context result leakage and preserving the data isolation model for sensitive workspaces.
- Android SSL Certificate Verification Enhancement— Transport Security
- Android app SSL certificate verification flow includes enhanced host validation and trusted certificate handling, ensuring certificate pinning and trust decisions meet production security standards across all connection scenarios.
- Android Cookie Header Redaction in Logs— Logging
- Android app log output automatically redacts cookie header values to prevent session token leakage into diagnostic logs shared during support or audit workflows.
- Android Biometric Authentication Security Hardening— Security
- Android biometric authentication uses the highest available security class, rejecting weaker biometric modalities and requiring Class 3 (strong) biometrics, preventing downgrade attacks via less-secure biometric sensors.
- MFA Re-Authentication on Vault Mode Switch— Vault Mode
- Automatically triggers a multi-factor authentication challenge when a user switches into Vault Mode, ensuring that access to vault-protected resources requires step-up verification each time the mode is activated.
- File Transfer Between Vault and Standard Mode— Vault Mode
- Allows users to copy or move files between Vault Mode and the standard workspace, enabling controlled data transfer between high-security and regular storage contexts within the same oCIS instance.
- Vault Permission Runtime Enforcement— Vault Mode
- Adds a runtime permission check that verifies whether the authenticated user holds vault access rights before exposing vault-mode UI elements and operations, preventing access even when URLs are guessed.
- Vault Mode Safe Space Navigation— Vault Mode
- Surfaces safe-personal and safe-space (vault-protected space types) as distinct navigable categories in the oCIS sidebar when vault mode is active, giving users clear access to their vault-scoped storage areas.
- Vault Mode Context-Aware Theme— Vault Mode
- Provides a separate visual theme that activates when a user enters Vault Mode, visually distinguishing the high-security context from the standard workspace to reduce user confusion.
- Secure View WOPI Watermark Text— Secure View
- Injects a configurable plain-text watermark string into documents opened in Collabora under Secure View mode, displaying the viewer's identity on-screen to deter unauthorised redistribution of previewed content.
- Thumbnail Service Input File Size Cap— Thumbnail Service
- Introduces a configurable maximum file size for images submitted to the thumbnail service, causing the service to reject oversized inputs before processing and preventing memory exhaustion.
- Thumbnail Service Input Image Dimension Cap— Thumbnail Service
- Introduces a configurable maximum pixel dimension for images processed by the thumbnail service, protecting against memory-bomb attacks from extremely high-resolution images regardless of compressed file size.
- Vault Context Search Scoping— Vault Mode
- In vault mode, a vault:true token is automatically added to search payloads so results are scoped to vault-accessible resources only, preventing data leakage across security boundaries during search.
- Vault Drive Breadcrumb Navigation— Vault Mode
- The vault drive and personal safe-space appear as navigable segments in the web breadcrumb trail when vault mode is active, keeping users oriented within the protected environment at all times.
- Vault Spaces Visibility in Sidebar— Vault Mode
- Safe-personal and safe-spaces are surfaced in the web sidebar only when vault mode is active, keeping confidential space listings hidden in normal browsing mode.
- Public Link Sharing Disabled in Vault Mode— Vault Mode
- Public link creation is disabled for all resources located inside vault spaces, preventing confidential files from being shared externally via link regardless of the user's link-sharing permissions.
- Password-Protected Folder Metadata File Icon— File Icons
- Files with the .psec extension used internally by password-protected folders display a dedicated lock icon in the file list, making protected folders visually distinguishable at a glance.
- File Version History Permission Gate— Access Controls
- The file version history sidebar panel is hidden from users who do not have sufficient permissions to view or restore versions, preventing unintended exposure of version metadata to read-only collaborators.
- Android Screenshot and Screen Recording Prevention— Mobile Security
- A security lock setting in the Android app prevents screenshots and screen recordings of the app's content at the OS level, protecting sensitive file contents on shared or managed devices.
- Android Mid-Authentication Account Deletion Guard— Mobile Security
- If an account is deleted while an authentication flow is in progress, the Android app safely cancels the flow and returns to the account list rather than entering an undefined state.
- iOS MDM Passcode Lock Enforcement— Mobile Security
- Mobile device management payloads can enforce passcode lock and biometric authentication requirements in the iOS app, ensuring the app complies with organisational device security policies on managed devices.
- iOS TLS Certificate Change Visual Diff— Certificate Management
- When the server's TLS certificate changes, the iOS app presents a side-by-side visual comparison of the old and new certificate details, helping users and administrators verify the change is legitimate before accepting it.
- iOS Biometric Authentication Manual Fallback Button— Mobile Security
- The iOS app's biometric lock screen includes a visible fallback button to switch to passcode entry, ensuring users are not locked out if biometric authentication fails or is unavailable.
- iOS Six-Digit Passcode Lock Support— Authentication
- The iOS app supports six-digit numeric passcodes in addition to four-digit codes and alphanumeric passwords for the in-app lock screen, aligning with common organisational passcode policies.
- Antivirus Scan Data in Upload Sessions— Antivirus and Content Inspection
- The result of an antivirus scan is stored as structured data within the upload session record, enabling administrators to query, audit, and filter uploads by infection status from the server side.
- Antivirus-Infected Upload Session Filter— Antivirus and Content Inspection
- Administrators can filter the list of active upload sessions to show only those flagged as infected by the antivirus post-processor, making targeted cleanup and incident response faster.
- Sharee Email Address Masking in Search— Email Masking and Privacy
- User email addresses are masked in sharee search results and API responses, preventing email address enumeration through the share invite dialog while still allowing users to identify the correct recipient.
- Desktop Password Input Vulnerability Fix— Desktop Client
- A medium-severity security vulnerability in the password input handling of the desktop client was resolved, protecting user credentials from exposure in specific edge-case UI interactions (CVE advisory pending).
- Desktop macOS High-Severity Security Fix— Desktop Client
- A high-severity vulnerability in the macOS desktop client was patched (CVE-2025-64441), hardening the client against a class of local attack vectors on Apple Silicon and Intel Mac platforms.
- Desktop Windows Installer Privilege Escalation Fix— Desktop Client
- A high-severity vulnerability in the Windows installer was remediated (CVE-2025-24926), preventing potential privilege escalation during client installation or update on Windows endpoints.
- Signature Authentication for Public Link WebDAV— Security and Compliance
- Public share WebDAV requests can be authenticated using a URL signature, eliminating the need to send credentials in headers. Clients can construct signed download URLs that expire automatically.
- Proxy Request Access Log— Security and Compliance
- The oCIS proxy service writes a structured access log for every incoming HTTP request. Log entries include the method, path, status code, latency, and user identity, enabling audit trails and traffic analysis.
- Automatic TLS Secret Generation— Security and Compliance
- The `ocis init` command generates cryptographically secure signing keys and encryption secrets automatically on first run. Administrators no longer need to manually generate or manage these secrets for a standard deployment.
- AI Sensitive Data Scanner Batch Action— AI Data Governance
- Users can select multiple files and run a single Scan for sensitive data batch action that processes all supported files sequentially, reporting findings per file in a results modal without needing to open each file individually.
- AI Sensitive Data Scanner Finding Categories— AI Data Governance
- Scan findings are categorized as PII (names, email, phone, government IDs), credentials (passwords, API keys, tokens), or confidential content (unreleased financials, legal communications), with redacted excerpts shown for each finding.
- AI Sensitive Data Scanner Per-File Scan Status— AI Data Governance
- The scan results modal shows a distinct status for each file in the selection: waiting, scanning, findings with categories, no sensitive data found, skipped (unsupported type), or error, enabling quick triage across a batch.
- Graph Service LDAP TLS Certificate Verification— Service Configuration
- Administrators can configure a custom TLS certificate in the graph service to verify the LDAP server's identity, ensuring encrypted and trusted communication between oCIS and the directory backend.
- Unified Insecure TLS Environment Controls— TLS Configuration
- All per-service TLS verification skip flags are now individually configurable via environment variables and default to false, with a single OCIS_INSECURE=true global override for development, hardening the security posture of default deployments.
- Settings Service HTTP Write Permission Checks— API Access Control
- The settings service now enforces authorization on all HTTP write endpoints, ensuring that only users with appropriate permissions can create or modify settings values and preventing unauthorized configuration changes.
- HTTP Access Log for All Requests— Audit Logging
- Administrators can enable a structured HTTP access log that records all inbound requests to oCIS, providing the data needed for audit trails, intrusion detection, and compliance reporting.
- Acting User Identity in Audit Log Events— Audit Logging
- Compliance administrators can identify which user performed each audited action, as the identity of the acting user is now recorded in all audit service log events, supporting accountability and forensic investigation.
- Bcrypt Password Hashing for Account Storage— Password Security
- oCIS now stores user passwords hashed with bcrypt instead of SHA-512, providing stronger resistance to offline brute-force attacks and aligning credential storage with current security best practices.
- Audit Log Storage ID for Spaces— Audit Logging
- The audit log now includes the storage ID for space-related events, giving administrators more complete contextual information for compliance reviews and forensic investigations.
- Audit Log Before and After Change Values— Audit Logging
- The audit log now records both old and new values for property change events and includes previously missing role change events, providing a complete before-and-after record for compliance audits and forensic review.
- Audit Service Complete Event Timestamps— Audit Logging
- The audit service now includes accurate timestamps on all events, ensuring audit records meet time-based requirements for forensic analysis and regulatory compliance reporting.
- Policy Block Structured Error Response— Policy Engine
- When a security policy blocks a file operation, the API now returns a structured JSON error body including the policy filename, HTTP method, path, and request ID, enabling clients and developers to provide meaningful feedback to users.
- Antivirus Debug Scan Result Override— Antivirus Configuration
- Administrators can force the antivirus service to return a specific fixed scan result for debugging purposes, enabling thorough testing of antivirus-related upload workflows without requiring actual infected test files.
- Mimetype to File Extension Rego Function— Policy Engine
- Policy authors can use a new built-in Rego function to resolve a file extension from its MIME type, enabling more precise access control rules based on actual file content rather than relying solely on the filename extension.
- HTTP TLS for Internal go-micro Services— Transport Security
- Administrators can enable TLS for all internal HTTP go-micro services using OCIS_HTTP_TLS_ENABLED, OCIS_HTTP_TLS_CERTIFICATE, and OCIS_HTTP_TLS_KEY environment variables, securing inter-service communication within the oCIS cluster.
- Configurable Deny Access Permission— Access Control
- Administrators can enable an experimental deny-access feature (WebDAV permission Z) that allows explicitly blocking specific users or groups from accessing a resource, providing a deny-list override on top of existing ACLs.
- gRPC Service and Client TLS Settings— Transport Security
- Administrators can configure TLS encryption for all internal gRPC service-to-service communication using OCIS_GRPC_TLS_ENABLED, OCIS_GRPC_TLS_CERTIFICATE, OCIS_GRPC_TLS_KEY, OCIS_GRPC_CLIENT_TLS_MODE, and OCIS_GRPC_CLIENT_TLS_CACERT environment variables.
- Per-Service NATS Event Bus TLS Toggle— Event Bus Security
- Administrators can enable TLS encryption for NATS event bus connections using OCIS_EVENTS_ENABLE_TLS or per-service equivalents (e.g., AUDIT_EVENTS_ENABLE_TLS), securing the internal messaging layer independently for each oCIS service.
- NATS Server TLS Self-Signed Cert Fallback— Event Bus Security
- Administrators can enable TLS on the built-in NATS messaging server; when no certificate file is provided oCIS automatically generates a self-signed certificate, reducing friction for secure deployments in internal environments.
- Admin Account Self-Removal Prevention— Admin Access Control
- oCIS prevents administrator accounts from deleting themselves or modifying their own role assignments, ensuring that at least one administrative user always remains available to manage the system.
- Keycloak Session Data in GDPR Export— GDPR Data Export
- The personal data export now includes Keycloak user session records, giving compliance officers and data subjects a complete view of authentication activity for data subject access requests.
- Personal Data GDPR Export API— GDPR Data Export
- Users can request a machine-readable export of all their personal data stored in oCIS through a dedicated API endpoint, satisfying GDPR Article 20 data portability requirements.
- Integrated Antivirus Post-Upload File Scanning— Antivirus Scanning
- Administrators can enable the antivirus service to automatically scan all uploaded files during post-processing, blocking infected content from becoming accessible to users and sending notifications when a threat is detected.
- Password Enforcement for Upload-Capable Public Links— Public Link Security
- Administrators can configure oCIS to require passwords on public links carrying Uploader, Editor, or Contributor permissions, enforcing a minimum security baseline for write-capable externally shared links.
- Open Policy Agent-Based Policies Service— Policy Engine
- Administrators can deploy the Policies service to define and enforce fine-grained access rules using Open Policy Agent, with policies evaluated at the proxy layer for real-time request decisions and during post-processing for async file-based authorization.
- Password-Protected Folder Creation— Password-Protected Folders
- Users can create password-protected folders directly from the "New" menu, set a folder name and password, configure permissions via a dropdown, and share the folder as a password-gated public link that opens in a sandboxed iframe modal.
- Cryptographically Secure Password Generator for Links— Link Security
- When creating password-protected links, users can generate a compliant random password via the built-in generator, which uses the Web Crypto API for cryptographic randomness instead of a weak math-based approach.
- Capability-Driven Public Link Password Enforcement— Link Policy Enforcement
- When the server capability for mandatory public link passwords is enabled, ownCloud Web enforces password entry before creating or saving a public link, preventing policy-violating unprotected links.
- Pre-Signed URL File Downloads— File Download Security
- File downloads use pre-signed URLs generated via the SDK rather than fetching file contents through the application layer, improving download performance and reducing the server load for large files.
- No-Referrer HTTP Referrer Policy— HTTP Security Headers
- Administrators can configure oCIS to strip the Referrer header from all outgoing HTTP requests, preventing the server from leaking origin URL information to third-party services on cross-origin requests.
- Secure View App Flag in App Listings— Secure View
- Clients receive a secure view indicator flag in the app listing HTTP response, allowing them to identify which registered applications support secure view mode and render appropriate UI affordances for protected document workflows.
- Secure CORS Defaults Using OCIS_URL— HTTP Security Headers
- oCIS now defaults to using `OCIS_URL` as the permitted CORS origin and sets `Access-Control-Allow-Credentials` to false, providing a restrictive and secure cross-origin policy out of the box without additional administrator configuration.
- Configurable Content Security Policy Headers— HTTP Security Headers
- Administrators can configure Content Security Policy (CSP) response headers in oCIS, enabling fine-grained control over which external resources the browser is permitted to load and supporting secure embedded web client deployments.
- Mandatory Password for Read-Only Public Links— Public Link Policy
- Administrators can enforce a policy requiring passwords on all read-only public links via a configuration setting and capability announcement, ensuring externally shared files cannot be accessed without a password even when shared with view-only permissions.
- Deliberate Password Opt-Out for Public Links— Public Link Policy
- Administrators can configure oCIS so that public links require a password by default, making the removal of that password an explicit and deliberate user decision rather than the default behavior, improving the security posture of all shared links.
- Cryptographic Signing of oCIS Binary Releases— Software Supply Chain
- Administrators and support teams can verify that downloaded oCIS binaries are authentic official releases by checking their cryptographic signatures, confirming software integrity before deployment in production environments.
- Secure TLS Defaults for LDAP Connections— LDAP Configuration
- oCIS LDAP connections default to verified TLS with explicit `insecure` and `cacert` options available for customization, replacing the previous hardcoded insecure default that left directory traffic unverified out of the box.
- Secure View App Address Configuration— Document Security
- Administrators can configure the secure view application backend address in the Helm chart, enabling the secure-view mode that permits authenticated document preview while blocking file download for controlled content access.
- Content Security Policy Header Configuration— Browser Security Configuration
- Administrators can configure Content Security Policy (CSP) headers for the oCIS web interface via Helm values, hardening browser-side security against cross-site scripting and content injection attacks.
- Userlog Global Notifications Secret— Secret Management
- Administrators can supply a Kubernetes secret containing the USERLOG_GLOBAL_NOTIFICATIONS_SECRET credential, enabling the userlog service to authenticate when delivering system-wide notifications across the oCIS deployment.
- Web Token Local Storage Toggle— Token Storage
- Administrators can control whether the oCIS web client stores authentication tokens in the browser's local storage by setting WEB_OPTION_TOKEN_STORAGE_LOCAL, enabling stricter session isolation policies by disabling persistent browser-side token retention.
- Helm-Managed Service Secret Auto-Generation— Secret Management
- The Helm chart automatically generates Kubernetes secrets for oCIS service credentials not explicitly provided by the operator, ensuring each installation has unique cryptographic secrets without requiring manual secret pre-creation before chart installation.
- CORS Allowed Origins Configuration— Network Security
- Administrators can specify an explicit list of allowed origins for Cross-Origin Resource Sharing in the oCIS proxy through Helm values, enabling controlled cross-domain API access from trusted web frontends while blocking unauthorized origins.
- S3 Backend Credentials Kubernetes Secret— Secret Management
- Administrators can supply S3 object storage credentials through a Kubernetes secret reference in Helm values rather than embedding them as plaintext, preventing sensitive access keys from appearing in Helm release history or version-controlled values files.
- Keycloak GDPR Data Export Hooks— Data Privacy
- Administrators can enable integration between oCIS and Keycloak for GDPR-compliant personal data export through Helm configuration, allowing the Graph service to surface oCIS user data when Keycloak generates a GDPR data export request for a user.
- Antivirus Service Kubernetes Deployment— Malware Protection
- The oCIS antivirus service is deployable as a dedicated Kubernetes workload through the Helm chart, integrating virus scanning into the file upload pipeline so content is inspected before becoming accessible to users.
- Audit Service Stdout Log Output— Audit Logging
- The oCIS audit service writes audit events to standard output, allowing Kubernetes to capture, rotate, and route audit logs to any compatible log aggregation backend such as Loki, Elasticsearch, or Splunk for long-term retention and search.
Storage and Architecture
- Gateway Authentication Registry Dispatch— Service Routing
- gateway registers multiple auth handlers such as app auth, basic, machine, public-share, service-account, and OCM-share auth and dispatches requests by configured rules. This centralizes auth selection instead of duplicating it in each consuming service.
- Gateway Storage Registry and Namespace Mount Rules— Service Routing
- gateway maps namespaces like `/users`, `/projects`, `/users/{current}/Shares`, `/public`, and `/ocm` to storage providers through inline or JSON registry rules. This is the routing layer that turns logical paths into the correct backend storage service.
- oCDAV Namespace Jail Mapping— WebDAV Routing
- ocdav maps separate WebDAV, files, shares, and OCM namespaces into a jailed DAV surface and uses a public URL target for redirect behavior. This keeps legacy DAV endpoints aligned with the gateway-backed storage layout.
- oCDAV Depth-Infinity PROPFIND Control— WebDAV Routing
- ocdav exposes an `allow_propfind_depth_infinity` setting so operators can permit or block expensive depth-infinity PROPFIND requests. The control is service-level because it materially affects DAV query cost and compatibility.
- Postprocessing Step Orchestration— Upload Processing
- postprocessing tracks upload lifecycle events such as bytes received, upload ready, step start, and step finished and keeps per-upload processing state across asynchronous steps. This is the orchestration layer between uploads and follow-up services such as antivirus or metadata extraction.
- Postprocessing Retry Backoff— Upload Processing
- When a postprocessing step returns retry, the service reschedules with exponential backoff: `POSTPROCESSING_RETRY_BACKOFF_DURATION × 2^(failures−1)`. Configurable via `POSTPROCESSING_RETRY_BACKOFF_DURATION` and `POSTPROCESSING_MAX_RETRIES`. Steps exceeding the retry limit automatically move to `abort` state.
- Resume and Cleanup of Upload Processing State— Upload Processing
- Successful uploads are removed from the postprocessing state store after `UploadReady`. Failed ones remain resumable. Operators use `ocis storage-users uploads sessions --clean` (v8; replaces the deprecated `ocis storage-users uploads clean`) to purge stale sessions, and `--restart` / `--resume` flags for explicit recovery.
- Public Share Storage Provider and Publicshares Auth— Public Share Storage
- storage-publiclink wires the public storage provider together with the `publicshares` auth provider and a brute-force tracking store. It is the backend service that lets anonymous public-link traffic resolve to storage without a normal user session.
- Virtual Share Jail Storage Provider— Virtual Storage
- storage-shares exposes a `sharesstorageprovider` backed by the user share provider service and a mount ID, presenting received shares through a dedicated storage namespace. It also supports a read-only interceptor mode for stricter deployments.
- System Metadata Storage with Service User— System Storage
- storage-system provides a local metadata storage stack with an in-memory service user, local gateway, metadata driver, and static storage registry rooted at `/`. It is the internal system storage layer rather than an end-user home or share volume.
- System Storage Machine Auth and Static Registries— System Storage
- storage-system uses machine auth with a system API key and static auth or storage registries, with versioning disabled and datagateway omitted. The service is intentionally simplified for internal metadata use instead of general-purpose file storage.
- User Storage Data Provider and TUS Uploads— User Storage
- storage-users combines the user storage provider and data provider with event publishing, upload expiration handling, TUS CORS controls, and optional read-only mode. It is the primary backend for personal and project-space content I/O.
- WebDAV PROPFIND Request and Multistatus XML Handling— WebDAV
- the standalone webdav service parses PROPFIND bodies, treats an empty body as `allprop`, validates `allprop`, `propname`, `prop`, and `include` combinations, and reads multistatus XML property requests. It is the service-level request parser behind DAV interoperability.
- File Versioning Disable— File Versions
- `OCIS_DISABLE_VERSIONING=true` disables file version creation globally so uploads overwrite the current file without creating version history. Useful in compliance or cost-sensitive contexts where version storage overhead must be eliminated.
- S3ng Multipart Upload Tuning— S3 Backend
- Fine-grained control over S3 multipart behavior: `STORAGE_USERS_S3NG_PUT_OBJECT_PART_SIZE` (part size), `STORAGE_USERS_S3NG_PUT_OBJECT_NUM_THREADS` (parallelism), `STORAGE_USERS_S3NG_PUT_OBJECT_DISABLE_MULTIPART` (force single-part), `STORAGE_USERS_S3NG_PUT_OBJECT_SEND_CONTENT_MD5`. Allows tuning for S3-compatible providers with non-standard multipart support.
- Posix Filesystem Watcher— Posix Backend
- `STORAGE_USERS_POSIX_WATCH_TYPE` enables out-of-band filesystem change detection via inotifywait, GPFS Watch Folder, or GPFS File Audit Logging (Kafka). Allows oCIS to reflect changes made directly on the filesystem (e.g., via NFS, SFTP, or HPC workflows) without requiring writes to go through oCIS.
- Posix Space Groups— Posix Backend
- `STORAGE_USERS_POSIX_USE_SPACE_GROUPS=true` uses OS-level POSIX group permissions to enforce space access control in the posix storage driver, aligning oCIS authorization with native filesystem ACLs for HPC and NAS environments.
- Virtual Share Folder Name Configuration— Routing
- The name of the virtual "Shares" folder in each user's home space is configurable via `GATEWAY_SHARE_FOLDER_NAME` (default `Shares`). Allows organizations to rebrand or localize the shared items mount point without code changes.
- Read-Only Shares Storage Mount— Storage Mutability
- `STORAGE_SHARES_READ_ONLY=true` (default false) prevents any write operations through share mounts. Suitable for compliance-restricted or audit environments where received shares must be immutable.
- Storage-System Dedicated Internal System User— Service Identity
- The storage-system service operates under a dedicated internal system user identity (`OCIS_SYSTEM_USER_ID`, `OCIS_SYSTEM_USER_API_KEY`) separate from admin and end-user identities. Provides a least-privilege service account model for internal metadata operations.
- Gateway CS3 Provider Lookup Cache— Routing Performance
- The gateway caches CS3 storage provider lookups using a configurable cache backend (memory, nats-js-kv, redis) with tunable TTL and optional persistence (`GATEWAY_PROVIDER_CACHE_STORE`, `GATEWAY_PROVIDER_CACHE_TTL`). Reduces gRPC round-trips in high-concurrency deployments.
- Private Links (Deep Links by Resource ID)— Resource Addressability
- Private links provide stable bookmarkable URLs to files and folders by internal resource ID, independent of path. Links remain valid after moves and renames. Introduced v2.0.0.
- Group Membership Token Stripping— Token Optimization
- `GATEWAY_SKIP_USER_GROUPS_IN_TOKEN` (and equivalent per-service vars across gateway, groups, users, storage providers) suppresses group membership claims from internal reva access tokens. Reduces token size and limits group data exposure in inter-service communication.
- PosixFS Trash Bin— Storage Drivers
- The PosixFS storage driver now supports a full per-user trash bin, allowing deleted files to be recovered by users and administrators just as they can be on the default decomposedFS driver.
- Configurable S3 Upload Tuning Options— Blobstore Configuration
- Administrators can fine-tune S3 blobstore upload behavior per deployment — setting multipart boundaries, MD5 verification, concurrent stream parts, thread counts, and part sizes — to optimize throughput and compatibility with S3-compatible object stores.
- Archive Download TAR Format Support— Storage Drivers
- Users can choose TAR as the output format when downloading multiple files or a folder as an archive, in addition to the existing ZIP option, by passing `output-format=tar` as a query parameter.
- S3 Blobstore Remaining Space Reporting— Quota and Space Management
- Remaining quota displayed to users and sync clients now correctly reflects logical usage (total minus used) when an S3 blobstore is in use, rather than incorrectly reporting local disk space, ensuring quota indicators are accurate.
- Drive ETag Exposure in List Response— Storage and Architecture
- The Graph API drives listing now includes ETag values for each drive root. Clients can use ETags to detect changes without fetching full content, reducing unnecessary sync overhead for spaces.
- Space Description at Creation— Storage and Architecture
- Administrators and space managers can include a short description when creating a new project space via the Graph API. The description is stored as metadata and visible to all space members.
- Spaces Capability Advertisement— Storage and Architecture
- oCIS advertises the Spaces feature via the OCS capabilities endpoint. Clients check this capability to enable space-aware UI and API paths, ensuring graceful compatibility across deployment versions.
- Single Space Retrieval Endpoint— Storage and Architecture
- A dedicated Graph API endpoint `/drives/{driveID}` returns the full metadata for a single space by its ID. Clients can resolve space information without fetching the complete drives list.
- Space Creation via Graph API— Storage and Architecture
- Users and administrators with the appropriate permission can create new project spaces directly through the Graph API. The API returns the full space metadata immediately after creation.
- S3-Compatible Storage Driver (s3ng)— Storage and Architecture
- oCIS supports an S3-compatible object storage backend (s3ng) for storing file blobs. Deployments can point oCIS at any S3-compatible storage service such as MinIO, Ceph, or AWS S3 for scalable, cloud-native blob storage.
- Storage Home Read-Only Mode— Storage and Architecture
- The storage home and storage-users services can be placed in read-only mode via configuration. No new files can be written while read-only mode is active, useful for maintenance windows and data migration scenarios.
- Parent Resource ID in WebDAV REPORT— Storage and Architecture
- WebDAV REPORT search responses include the parent resource ID for each result item. Clients can navigate directly to a result's parent folder without issuing additional PROPFIND requests.
- Asynchronous Upload Post-Processing— Storage and Architecture
- File uploads trigger asynchronous post-processing pipelines (virus scanning, thumbnail generation, metadata extraction) without blocking the upload response. Users see the file immediately while processing completes in the background.
- Configurable Default Client Upload Protocol— Upload Protocol Configuration
- Administrators can configure which upload protocol (such as TUS) is advertised as the default to connecting clients, giving operators precise control over upload behavior across heterogeneous client environments.
- User Attribute-Based Home Storage Routing— Storage Provider Routing
- Administrators can configure routing rules that direct individual users' home directories to different storage providers based on user attributes, enabling multi-tier, departmental, or geo-distributed storage architectures.
- S3NG Storage Driver Async and Events Configuration— S3 Storage Configuration
- Administrators using the S3-native (S3NG) storage driver can now configure async upload, events integration, and token settings, bringing S3NG to full feature parity with other supported storage backends.
- Graph API Storage Space Creation— Space Management API
- Authorized users can create Storage Spaces programmatically via the Graph API endpoint POST /drive/{drive-name}, specifying quota in bytes and a maximum file count to provision new storage locations without manual administrator steps.
- Configurable WebDAV Namespace— WebDAV Protocol
- Administrators can customize the WebDAV namespace path used across oCIS services, allowing WebDAV URL structures to be adjusted to match specific client expectations or organizational URL conventions without patching code.
- ownCloudSQL Storage Driver Integration— Storage Driver Integration
- Administrators can configure oCIS to use an existing ownCloud SQL database as a storage backend, enabling users to access files from a legacy ownCloud installation without requiring immediate data migration.
- S3 Next-Gen Storage Driver Integration— Object Storage Backend
- Administrators can configure oCIS to use the S3 next-generation (s3ng) storage driver, enabling scalable object-storage deployments that separate file metadata from blob storage for improved performance and operational flexibility.
- Tree Modification Time Tracking in oCIS Driver— Storage Metadata
- The oCIS storage driver now records modification timestamps for folder tree hierarchies, providing accurate last-modified metadata that improves synchronization client behavior and overall metadata consistency.
- MessagePack Binary Metadata Storage Backend— Metadata Backend
- Administrators can configure the MessagePack backend for file metadata storage, which uses compact binary encoding for file attributes and provides an alternative to the default extended attributes backend for environments where xattrs are unavailable or undesirable.
- INI Metadata Backend with Redis Sentinel Cache— Metadata Backend
- The INI file metadata backend now supports a configurable Redis Sentinel cache layer for high-availability setups, significantly improving performance when oCIS is deployed on distributed or network file systems, with per-storage backend selection also supported.
- Post-Processing State in File Versions Sidebar— File Versioning
- Users can see when a specific file version is still being processed in the versions sidebar panel, preventing confusion when a version is temporarily unavailable due to ongoing server-side post-processing.
- File Version History in Sidebar Tab— File Versioning
- Users can view the full version history of a file in the sidebar, see each version's modification date, and restore or download any prior version without leaving the current folder view.