FileRun 2026.1.0
[This page is a work in progress.]
File sharing is easier and more intuitive.
Accessing files and folders shared with links is now done in the fully-featured interface.
Uploading large files is now faster and even more reliable.
Office documents can be edited collaboratively with Collabora Online or Office 365.
The new FileRun version includes a complete refactoring of the backend, with focus on security, reliability and performance.
The architecture was improved so that all operations use the same business logic code. Regardless of how one is accessing a file, be it via the web interface, WebDAV, desktop sync, mobile or API, the processing is now always handled exactly the same and there can be no differences in the outcome.
The error handling, logging, and reporting have been overhauled. A complete audit trail is now being kept.
File access security has been tightened considerably, with many edge cases now being handled properly.
The authentication security has been improved and several vulnerabilities were fixed.
This update comes with breaking changes. Pay attention to the items marked with the warning sign icon ⚠️.
Read this page carefully before proceeding, at least the updating and maintenance information section.
Sharing with links
The same beautiful and fully-featured interface that registered users are enjoying is now available to all visitors.

Depending on given permissions, visitors can:
- select and download multiple files and folders in one action.
- open files with the various plugins enabled in the system.
- read and write comments.
- read and write metadata and tags.
- etc...
Until now, all of this was possible only when files were shared with registered users.
Sharing with links is now done from the unified sharing panel:

Roles make it easy to set permissions using one click:

- All unauthenticated activity done via shared links is logged under the system user account Visitor. If the user is signed in, the activity is done under their own account.
- Access to shared links can now be suspended system-wide by deactivating the Visitor user account.
- Access permissions can be fine-tuned through the Visitor account's permissions.
- ⚠️ Web links with upload permission are limited to that action. Existing links shared with upload permission and other permissions will keep only the upload permission after this update.
- ⚠️ Creating a web link without enabling any permission (browse-only) is no longer possible. Existing links shared like this will be automatically removed.
- ⚠️ When sharing files/folders with a link, the option of sharing the metadata is no longer separate but included in the Commenter sharing role.
- ⚠️ Files/folders shared with links with the permission "Share the file comments with the visitors." but without the option "Share the metadata with the visitors." will lose this permission after the update. That is because the two permissions are now combined into a single one, and you might not want to automatically give access to your shared files' metadata. After the update, if you still wish to give these permissions, you can update the created links to use the Commenter role instead of the Viewer one.
- ⚠️ Files/folders shared with links without either download or upload permission will be removed by this update. The links that qualify for this case are the ones without any of the following two options checked: "Allow visitors to download files from the folder.", "Allow visitors to upload files in this folder.".
- ⚠️ The option "Allow visitors to edit the files inside this folder." is no longer available. Editing permissions can be applied only to files shared individually, by assigning the Editor role.
- The Download limit option:
  - When the download limit is reached for a file, the download is no longer possible, but the web link is no longer removed. This allows the owner of the file to see that the file was shared with a link, check the share settings, and eventually renew or remove the limit to allow the link to work.
  - Setting a download limit of 0 will prevent any further downloading. To remove the limit, leave the field blank (remove also the number 0).
  - Loading a file's thumbnail or other type of preview will count towards the download limit.
- The option "Receive e-mail notifications" is no longer available as it was entirely redundant. You will be notified based on any other available notification rules (folder-based or account-based).
- Access to web-linked folders is no longer logged to the user activity log.
- Expired web links, while they continue to be inaccessible, are no longer automatically removed from files/folders/collections, so that the user can see them and the old settings, and renew if needed.
- Collections shared with web links are now also listed under Shared by me > Shared with link.
- Added a prompt letting the user know that a file/folder/collection does not have a link and giving the option to create one. Previously, the link would get created automatically, without it being clear that the link was created right then.
- When trying to make a change to a web link setting, existing settings are being revalidated as well.
- Fixed logging information about the collection a web link was created on.
- Making changes to a web link now logs details about the changed settings.
- Failed attempts at creating, updating, or deleting web links are now logged.
- There is no longer any option of using a URL shortener from within FileRun. Existing short links will still be accessible though, for now.
- The option Hide "Download all" option under the Interface control panel section is no longer available. To achieve a similar result, remove the permission "User can download folders and collections" from the Visitor user account.
Sharing with registered users
Sharing with users or with a link is now done from the same panel.

Adding new users to a share is more intuitive than before, and you can send e-mail notifications with custom messages directly from the sharing panel.

The sharing permissions are now assigned with a single click, using predefined roles.

- Users can choose between the following roles, from the most capable to the least:
Content manager
- Typical use case: Team leads or admins managing content and access.
- Can download files and folders.
- Can add and view comments.
- Can add and view tags, ratings and metadata.
- Can edit existing files.
- Can upload files and folders.
- Can implicitly create new folders.
- Can rename, move and delete files and folders.
- Can share files and folders via links.
Contributor
- Typical use case: Teams producing and adding new material.
- Can download files and folders.
- Can add and view comments.
- Can add and view tags, ratings and metadata.
- Can edit existing files.
- Can upload files and folders.
- Can implicitly create new folders.
Editor
- Typical use case: Collaborative document editing.
- Can download files and folders.
- Can add and view comments.
- Can add and view tags, ratings and metadata.
- Can edit existing files.
Commenter
- Typical use case: Feedback workflows, reviews, approvals.
- Can download files and folders.
- Can add and view comments.
- Can add and view tags, ratings and metadata.
Viewer
- Typical use case: Sharing documents for review or reference.
- Can only download files and folders.
Uploader
- Typical use case: file requests.
- Can only upload files or folders.
- Can implicitly create new folders.
- Can see the list of existing files and folders.
- Cannot preview, download or do anything else.
Permissions to role mapping
Here is how the existing shares will be automatically reconfigured by this update:
- Download + Upload + Make changes → Content manager
  - They gain the permission to share with links, if they didn't have it already.
  - They gain the permission to add and view comments, if they didn't have it already.
  - They gain the permission to add and view metadata.
- Download + Upload → Contributor
  - They lose the permission to share with links, if they had it.
  - They gain the permission to edit existing files.
  - They gain the permission to add and view comments, if they didn't have it already.
  - They gain the permission to add and view metadata.
- Download + Make changes → Commenter
  - They lose the permission to rename, move, delete.
  - They gain the permission to add and view comments, if they didn't have it already.
  - They gain the permission to add and view metadata.
- Download + Read comments → Commenter
  - They gain the permission to add comments, if they didn't have it already.
  - They gain the permission to add and view metadata.
- Download + Write comments → Commenter
  - They gain the permission to view comments, if they didn't have it already.
  - They gain the permission to add and view metadata.
- Download + Share links → Viewer
  - They lose the permission to share with links.
- Download → Viewer
- Upload + Make changes → Uploader
- Upload + (Read comments or Write comments) → Uploader
- Upload + Share links → Uploader
  - They lose all permissions except being able to upload files and folders.
- Upload → Uploader
  - They can no longer view metadata.
- Shares with any other combination of permissions will just be removed.
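
The mapping above can be rehearsed against a list of existing shares before updating, to see which shares gain access and which disappear. The following Python is an added example, not FileRun code: the permission identifiers, the Outcome tuple and the sample shares are hypothetical, and the list is read literally, so a combination it does not spell out is assumed to be removed.

```python
from typing import NamedTuple, Optional

# Legacy permission names (hypothetical identifiers for the labels in the list above).
D, U, M = "download", "upload", "make_changes"
RC, WC, SL = "read_comments", "write_comments", "share_links"

# (required permissions, extras the rule tolerates, new role), in the page's order.
RULES = [
    ({D, U, M}, {RC, WC, SL}, "Content manager"),
    ({D, U}, {RC, WC, SL}, "Contributor"),
    ({D, M}, {RC, WC}, "Commenter"),
    ({D, RC}, {WC}, "Commenter"),
    ({D, WC}, {RC}, "Commenter"),
    ({D, SL}, set(), "Viewer"),
    ({D}, set(), "Viewer"),
    ({U, M}, set(), "Uploader"),
    ({U, RC}, {WC}, "Uploader"),
    ({U, WC}, {RC}, "Uploader"),
    ({U, SL}, set(), "Uploader"),
    ({U}, set(), "Uploader"),
]

# What each new role confers, expressed in the legacy vocabulary.
ROLE_GRANTS = {
    "Content manager": {D, U, M, RC, WC, SL},
    "Contributor": {D, U, RC, WC},
    "Commenter": {D, RC, WC},
    "Viewer": {D},
    "Uploader": {U},
}

# Gains named in the mapping list that have no legacy equivalent in this model.
EXTRA_GAINS = {
    "Content manager": ("metadata",),
    "Contributor": ("metadata", "edit existing files"),
    "Commenter": ("metadata",),
}


class Outcome(NamedTuple):
    role: Optional[str]   # None means the share is removed by the update
    gained: frozenset     # legacy permissions the share did not have before
    lost: frozenset       # legacy permissions the share no longer has
    extra_gains: tuple    # metadata / editing access added by the new role


def map_share(perms):
    """Apply the first rule whose required set is present and nothing else is."""
    perms = set(perms)
    for required, extras, role in RULES:
        if required <= perms <= required | extras:
            grants = ROLE_GRANTS[role]
            return Outcome(role, frozenset(grants - perms),
                           frozenset(perms - grants), EXTRA_GAINS.get(role, ()))
    # Assumption: a combination not spelled out in the list counts as "any other".
    return Outcome(None, frozenset(), frozenset(perms), ())


def review(shares):
    """Return rows for shares that are removed or end up with more access."""
    rows = []
    for share_id, perms in shares:
        out = map_share(perms)
        if out.role is None or out.gained or out.extra_gains:
            rows.append((share_id, out.role or "REMOVED",
                         sorted(out.gained) + list(out.extra_gains),
                         sorted(out.lost)))
    return rows


# Constructed sample data, not taken from a real installation.
SAMPLE_SHARES = [
    ("share-1", {D, U, M}),    # gains comments and link sharing
    ("share-2", {D, U, SL}),   # loses link sharing, gains comments and editing
    ("share-3", {D, SL}),      # loses link sharing only, not reported
    ("share-4", {RC, WC}),     # no download or upload: removed
    ("share-5", {U, SL}),      # reduced to upload only, not reported
]

if __name__ == "__main__":
    for row in review(SAMPLE_SHARES):
        print(row)
```
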
Security fixes and improvements
File permission handling
- The following actions are no longer applicable to files/folders when downloading is not allowed: viewing the thumbnails, previewing, overwriting, renaming, deleting, moving, reading/writing tags, reading/changing the rating, reading/writing metadata, locking.
- The previewing permission now includes viewing file thumbnails.
- Locking a file now also prevents any metadata change (including tags, rating, etc...).
- Files/folders can no longer be added to zip archives which are locked.
- File locks placed by file owners (the file is located inside the user's own home folder) can no longer be lifted by other users, unless they have admin privileges. File locks placed by visitors with editing permissions (for example: when editing a file via a shared link) can be lifted by anybody.
- Overwriting files by archive extraction now saves the current versions if versioning is enabled.
- A user who can read file/folder metadata (metadata file type, metadata, tags, ratings) can now always also make changes to it.
File permissions on shared files
- It is no longer possible to access files and folders shared by users who no longer have the permission to share files.
- It is no longer possible to rename or delete files/folders shared by other users when the files/folders are shared separately and not inside a folder. This prevents confusion and avoids potential phishing attacks and other social engineering actions.
- The "Upload max file size" limitation applies also when other users without this limitation upload files inside a folder shared by a user with the limitation.
- It is no longer possible to enable upload permissions on shared links when the target folders are shared by users who no longer have permission to upload files themselves.
- It is no longer possible to access metadata from files/folders which are shared by users who no longer have permission to access metadata themselves.
- ⚠️ The option to share files/folders with aliases has been removed. ⚠️ The actual names of the files/folders will be shown to the users. ⚠️ This applies also to existing shares.
- When sharing an entire home folder with another user, given that sharing aliases no longer exist, the name of the shared folder will be the name of the user sharing.
- ⚠️ The concept of an anonymous share no longer exists. Existing shares which were marked as anonymous will be shown under the name of the user sharing, after applying this update.
- With anonymous shares no longer being a thing, any relative paths of the type /ROOT/123:456 (where 123 is the user id and 456 is the share id) are no longer valid and have to be adjusted by replacing the : (colon character) with a / (forward slash character). This is applicable to saved paths that are being used via the API.
- Files and folders shared by link are now no longer accessible the moment the permissions of the original internal share (between FileRun users) no longer allow link sharing. The links are not destroyed, and can still be accessed if the original user reenables the sharing permission.
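
For API integrations that keep saved paths, the /ROOT/123:456 adjustment described above can be scripted. This Python is an added example, not part of FileRun: it assumes both ids are decimal numbers as in the page's example, the function names are hypothetical and the sample paths are constructed. Only the colon between the two ids is replaced, so colons inside file names are left alone, and anything that looks like the old form but does not fit the numeric pattern is flagged for manual review instead of being guessed at.

```python
import re

# Old anonymous-share form: /ROOT/<user id>:<share id>[/rest of path].
# Assumption: both ids are decimal numbers, as in the page's example.
OLD_FORM = re.compile(r"^/ROOT/(\d+):(\d+)(?=/|$)")
# A colon in the first segment that does not fit the numeric pattern.
ODD_FORM = re.compile(r"^/ROOT/[^/]*:")


def migrate_path(path):
    """Return (path, status); status is 'rewritten', 'unchanged' or 'review'."""
    new_path, hits = OLD_FORM.subn(r"/ROOT/\1/\2", path)
    if hits:
        return new_path, "rewritten"
    if ODD_FORM.match(path):
        # Looks like the old form but the ids are not plain numbers.
        return path, "review"
    return path, "unchanged"


def migrate_all(paths):
    """Map every saved path to its new form and collect the ones needing review."""
    mapping, needs_review = {}, []
    for p in paths:
        new_path, status = migrate_path(p)
        mapping[p] = new_path
        if status == "review":
            needs_review.append(p)
    return mapping, needs_review


# Constructed sample of saved paths, not taken from a real installation.
SAVED_PATHS = [
    "/ROOT/123:456",
    "/ROOT/123:456/Reports/Q1: draft.pdf",   # colon in the file name must survive
    "/ROOT/123/456/Reports/final.pdf",       # already in the new form
    "/ROOT/12a:456/file.txt",                # not numeric: flagged, not rewritten
]

if __name__ == "__main__":
    mapping, needs_review = migrate_all(SAVED_PATHS)
    for old, new in mapping.items():
        print(f"{old} -> {new}")
    print("manual review:", needs_review)
```
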
Previewing without download permissions
- Options such as "Allow opening PDF files without download permission" are no longer available.
- Fix: Permissions are now being checked also before creating a web link that allows uploading or editing, to prevent the link creation and prevent future confusion. This is mainly for when web links are being created via the API.
Open in browser: The option Allow opening PDF files without download permission is no longer available.
Audio Player: The option Allow playback without download permission is no longer available.
Video Player: The option Allow playback without download permission is no longer available.
- The Zoho plugin no longer allows opening documents without the download permission.
Commenting system
- If a user does not have permission to read comments on a file/folder, the user can no longer write one either. They also cannot read comments written in the past (before the file/folder was shared) on these files/folders.
- If a user has permission to read comments of a file/folder, they also have permission to write comments, unless disabled on the account.
- If user A does not have permission to write comments on a file/folder, user B can no longer write comments on the same file/folder when shared by user A.
- A user can no longer give permission to write comments without the permission to read comments.
- Author names and dates are now visible for comments on shared files/folders, and there is no longer any option for hiding this information.
- The size limit configured per user account can no longer be exceeded when creating or updating files using editors or functions other than uploading (such as converting, merging, zipping, etc.).
- The Text Editor plugin now checks quota usage and prevents it from being exceeded by writing large file contents.
- It is no longer possible to restore a file from trash if the user is not allowed to use that file type anymore.
- Giving upload or editing permissions on a web link is now blocked before the changes are saved, if the current folder conditions (permissions, locking) do not allow the actions.
CloudConvert: conversion can no longer be started for files located inside a folder that doesn't allow uploading.
CloudConvert: storage quotas are now being checked to prevent the download of the converted versions if there is no space available.
- The option of editing files can no longer be enabled when sharing a file/folder if the current filesystem permissions of the file/folder do not allow modifications.
Vulnerabilities fixed
- Medium severity security fix: User id numbers are no longer exposed. Instead, unguessable public ids are used. This prevents account existence confirmation and user initials enumeration vulnerability via the avatar URL.
- Medium severity security fix: Fixed e-mail address enumeration via the password reset request.
- Fixed XSS vulnerability. The XSS vulnerability was possible by placing HTML-encoded content in filenames (for example: »).
- Added CSRF protection to the login form and several other places (like the control panel option for logging in as another user).
- For security reasons, the possibility of using a custom external login or registration form is no longer available.
- For security reasons, the FileRun[redirectURLAfterLogin] cookie is no longer in use.
Authentication security
- Improved protection against brute-force password attacks. Accounts are no longer automatically deactivated on incorrect password tries. Instead, incremental throttling is applied, up to 25 seconds per request. After 10 failed attempts, the user can retry once every 30 minutes. Additionally, the CSRF token is reset after each failed attempt, requiring the login page to be reloaded for a new attempt.
- Accounts now get automatically deactivated after five failed 2FA authorization attempts. This applies also when trying to disable 2FA or to change the password from an already logged-in account.
- Changing the password while 2FA is enabled now requires 2FA verification.
- Disabling 2FA now requires 2FA verification.
- The passwords are now hashed using Argon2id.
- The users can now change their passwords also when the option "User can change personal information" is unchecked.
- The form for changing the password can no longer be bypassed. The users will not have access to the files unless they change their passwords when their accounts are configured with the "Require user to change the password" option.
- The superuser password is now also subject to the password policy rules.
- Added HTTP security headers.
- Limited avatar image uploading to 15MB.
File/folder activity logs
- File/folder activity logs are no longer deleted when a file/folder is being deleted.
- File activity logs are now saved per absolute file/folder path instead of internal file/folder id.
- Renaming or moving a file will not update the paths stored on the existing activity logs, preserving a better history for the file.
- Simple users can see only the activity log related to the specific file, while admin users will see all activity on the particular file/folder path.
- To improve performance for small users, file logging is now disabled by default in FileRun. (Applies only to new installations.)
- The Activity log (the one opened via the contextual menu via Information):
  - Has been moved under the File control panel.
  - For a folder now shows records recursively, for all files and folders inside that folder. Clearing the logs also works recursively, deleting logs for all files and folders inside that folder.
- Files and folders which are located inside moved folders no longer get an activity log entry when they are moved along with the parent folder.
- When extracting an archive, each file and folder created as the result of the action now gets log entries both in the user activity log and in the file/folder log.
- The FileRun superuser can now check (and also clear) the activity log for files via shared folders/files.
- Subfolders no longer get entries in their activity logs when they are moved along with a parent folder. The entry "Folder moved with parent folder" no longer exists.
- The file copy action now logs two activity records, one on the original file and one on the copy made. The file action "File copied" now refers to the source file, not the target. The file action which refers to the target file is now called "File copy created".
- The "Create photo proof sheet" plugin now logs a download action on each read image file.
User activity logging
- You can now double-click or click View to display more details for any given user activity log entry. The details are many and provide full historical records (user information is hard written so it is preserved if the user accounts change details or get deleted). For example, when somebody downloads a file via a link shared on a file shared by another user, you can see usernames and full names of everybody involved: the downloader, the user who created the link, and the owner of the original share.
- The file location information is saved with details included. It is no longer generated dynamically. If user A has downloaded a file from user B's shared folder, the logged location will be stored and shown as Shared by B/folder/file.pdf.
- User activity log entries now store the user information (username and full name) for each record.
- Deleting or modifying user accounts will no longer affect the log entries.
- Actions made via shared links are logged under the system user Visitor rather than the user who shared the files/folders via links. Information about the owner/creator of the link is available in the details of each activity log entry.
- Renamed the action "File permanently deleted" to "File deleted from trash" to clarify what it refers to.
- All actions that are being performed by one user inside another user's folder are now logged to the other user's account and can be used for e-mail notification rules.
- The actions which are not logged are the ones that are not successful, or the ones that do not concern the other user (adding stars, adding files to collections, etc.).
- These can be disabled individually via $config['app']['logging']['skip_receive_...'] or altogether via $config['app']['logging']['skip_receive_all'].
- All activity logs are now logging the IP address the action was performed from, and the HTTP user agent information.
- The user activity logs are now stored in JSON format. They take less disk space and the logging is faster.
- A new user activity/file log entry titled "File updated" is now created when overwriting a file, by any means (upload, edit, etc.).
- Archiving the user activity logs is now done by moving the records to a separate database table named df_logs_archive. You can browse the archived logs from the FileRun control panel and delete them permanently at any time.
- Added a separate action for when updating files. Before it was File uploaded (file_uploaded). Now it is File updated (file_updated).
- Added a separate action for when creating files by means other than uploading. For example, by zipping or unzipping archives. The title of this action is File created (new_file).
- The copy actions are now logged twice, once for the read action (file_copied) and once for the write action (file_copy_created). This way one can have notifications when files are "placed" (file_copy_created) inside folders, or files are "downloaded" (file_copied) via copying.
- This covers cases where some users should only know about the fact that a file/folder was copied, but not where, and the opposite, where the users should know about the fact that a file/folder was pasted, but not from where.
- Accessing a web-linked file is now logged with the action titled "Web link file access".
- Accessing a web-linked collection is now logged with the action titled "Web link collection access".
- Deleting user accounts via the third-party authentication sync process is now logged to the activity log.
- ⚠️ All existing activity log entries will be removed by this update. If you wish to keep them, export them before proceeding. (The file-based logs will be left untouched.)
- A consequence of this would be that no e-mail notification will be sent after the update regarding actions performed before the update.
E-mail notifications
- The general e-mail notification template is no longer editable from the FileRun control panel.
- To customize the e-mail message or translate it to another language you would need to make a copy of apps/Core/!includes/emails/english/notifications.tpl.php to customizables/emails/english/notifications.tpl.php and edit that file.
- If your currently selected default FileRun language is not English, you would need to rename the path accordingly.
- The folder-based e-mail notification templates from under customizables/emails/folder_notifications are no longer in use.
- The various action descriptions can now be customized for each language via the translation system. The descriptions are found under the Notifications translation section.
- Improved e-mail notification messages. The relative paths shown are now friendly and descriptive and in many places correctly referencing their location relative to the notified user rather than the user for which the action was logged.
- The folder notification setting "New comments" is now notifying also about new tags.
Related to third-party apps
- The desktop app now shows when a user's permission to share a file is not enabled.
- The desktop app now shows when files are shared with links.
- The desktop app now shows a button for copying a private link to the file, under the Sharing tab of a file's properties panel.
- Large uploads done via the desktop sync app or mobile apps are now done entirely inside the target folder, without using an external temporary folder, to allow the transferred data to always count towards the user's disk usage quota.
- Large uploads done via the desktop sync app or mobile apps now log to the user activity log the starting and resuming (at 25%, 50%, and 75%).
- The Owncloud apps are no longer officially supported. They might continue to work, but we will no longer check for compatibility.
Performance
- Downloading large folders as zip archives is now faster and uses less CPU and less memory.
- Made considerable performance optimizations to the WebDAV server.
- Moving large folders is much faster now as individual files are no longer moved one by one.
- Storing and restoring file versions now moves files instead of copying, making the process considerably faster, particularly for large files.
Error handling
- The messages shown after performing various file management operations are clearer, providing more details on what change was made, and if no change was made, it provides more information regarding the encountered problem.
- When moving multiple files and folders at the same time and one or more of the operations fail, the action now still applies the visual changes for the operations which were successful.
- Fix for error related to sending e-mail notifications when folder notifications are enabled and the actions performed are renaming a file or a folder.
- Better error handling on API authentication.
- Nicer error handling for any request made in the web UI while the authentication is no longer valid.
- Much better error logging. Most failed file actions are now being logged to the user activity logs and the file logs, with very detailed error messages and trace. You will immediately know the reason for the failure.
- Better error handling when having a user-defined plugin class named exactly as an existing system plugin.
- All e-mail messages that fail to send, for whatever reason, are now being logged under the E-mail → Logs control panel section. They are also logged to the PHP error log.
Files plugins
- Added support for viewing and editing documents with:
- Fixed Autodesk plugin compatibility with the latest API.
- Added the option to edit PDF documents with Zoho Editor. (It currently requires browsers to allow third-party cookies.)
Text Viewer can now be used with source code files as well.
- A new user activity log entry entitled "File created" is now used when creating files with FileRun rather than uploading from the user's device.
- The Zamzar plugin now works also if opened in a separate window.
- Improved the experience of editing documents with Google Docs Editor. Authentication is saved and needs to be done only once per session.
- The plugin "Office" is now called "Local Office app".
- Small change: the "Create photo proof sheet" plugin now saves the output in the same folder as the first selected image file.
- Fixed dark mode support for the Media Info and Archive Explorer plugins.
Uploading
- The upload process now double-checks with the server the size of the uploaded file. This is to make sure there can be no error causing you to believe that a file uploaded successfully while for whatever reason it did not complete in reality.
- An upload item can now be retried if it was skipped for server reasons. This is useful if you wish to reupload a file after being told that the file already exists, but you have removed the file from the server.
- Fix: Uploading an empty file now shows the size in the upload panel as 0B instead of 1B.
- Fix: Uploading files via the UI (not by drag&drop) also stops the blocked file types before trying to make any requests to the server.
- The upload now stops when it encounters an authentication problem. This avoids flooding the server with unnecessary requests when uploading a large folder with many small files.
- Resuming a folder's upload now moves the progress bar according to the amount of data that is already on the server and does not need reuploading, to show accurate information on how much of the entire task is already completed.
- Added the File upload started (upload_started) user activity log entry type, which gets logged when a user starts a resumable file upload (typically for a larger file).
- A log entry is now added to the temporary upload file (.upload), to show which user started the upload, when the upload started, and how large the file will be.
- Limited the number of items shown in the upload details panel to prevent the browser from freezing in case of a large number of failed items (as it happens when syncing a folder).
- Changed the default max simultaneous file uploads from 7 to 6.
- Fixed icons of the minimize / maximize button in the upload dialog.
New streaming file upload
- Interrupted transfers are now resumed from the last transferred byte, regardless of the cause of the interruption. It no longer has to restart from the last successfully transferred chunk.
- The file upload no longer writes data in the temporary folder (upload_tmp_dir), but straight to the final location of the file. It is no longer being buffered in various places, minimizing server disk I/O and making the transfers quicker.
- The upload is now resumable for files of any size, regardless of how small.
- The temporary files now get a new log entry "File upload started" when the upload has started but for whatever reason did not complete yet. The entries show information about the total size of the file that will be uploaded and about how much of it was uploaded so far. The log entry remains saved to the final file, for record keeping.
- The temporary files now get new log entries "File upload resumed" whenever the upload has progressed past 25%, 50%, and 75% of the total file transfer.
- The PHP configuration directives post_max_size and upload_max_filesize can no longer limit the upload.
Remarks
- It works automatically when using an HTTP server which streams the request body directly to PHP without buffering. An example of such a configuration would be running an Nginx server, configured with fastcgi_request_buffering Off; and PHP-FPM. Make sure client_max_body_size 10000M; is lower than the configured chunk size.
- For servers which do not support streaming the HTTP request body (such as Apache+FastCGI, or Nginx with fastcgi_request_buffering Off, or servers behind proxies which buffer the data), the chunk size can be lowered from the FileRun control panel section Files. The default is 100 MB. You might want to lower it to have smaller resumable chunks. For servers that support streaming, increasing this value will provide better upload speeds for large files. Increase it as much as you can, up until large uploads fail (due to HTTP server or proxy limitations). Setting a large value will not allow you to recover an interrupted large chunk. Setting a small value will add overhead and make the overall transfer slower.
Control Panel
- Fixed the issue with the username/password fields not being visible when editing a user account and a role other than the Guest role is selected. This applies only to some older installations that might have roles created since before the Guest feature was added.
- Fixed editing users when the role assigned was created before the Guests role was added as a feature to FileRun.
- Fixed user/role permission "User can preview files" not showing when the option "User can download files" is disabled when editing the user/role (without checking again and unchecking the other option).
- The OAuth2 clients for the desktop sync apps and generic WebDAV apps can now be fully edited from the FileRun control panel. You can customize the icon, name, and other details which are shown when trying to authenticate an app. Particularly useful for matching the branding of the specific desktop apps you are using.
- You can now disable specific types of access (API, WebDAV, Desktop, etc.) while keeping others enabled.
- Option to get the tail of the PHP error log from the FileRun control panel section PHP Info.
- Fixed the display of the "PHP configuration" date.timezone value, not displaying the currently active value correctly.
- Added confirmation prompt when deleting a metadata field from a fieldset.
- When activating a user account, the last login date is being reset so that the account does not get deactivated again automatically if it reaches the configured time limit.
- Added the option to reset the theme customizations to default values.
- Listing web links via the control panel Users → Web Links no longer deletes records if the files are not found, to prevent inadvertent loss of web links in case there is a temporary file/folder movement happening.
- Added safety prompt when removing web links from under Shared links.
- Minor cosmetic fixes in the control panel.
- Fixed the "Multiple values" metadata field type to keep values into separate records so that one can search for individual values. It does not alter existing data, it applies only when saving metadata after this update.
- The Date/time metadata field type is now renamed to Date.
- FileRun now logs all emails sent, regardless of type, and displays them, as before, under the Email → Logs control panel section.
- Updating translations now clears the users' browser cache right away for the file handlers and metadata.
- Fixed updating display color on color picker field, when loading a color preset, when customizing the color themes (from the control panel section Interface → Branding → Theme).
- Multiple custom themes can be created via apps (code which is outside FileRun's own application code). Themes can have separate custom values saved in the database.
- Zipping files no longer uses any compression. It is purely a file copy action into a Zip package. This was done to avoid high server CPU loads, as Zip archives are used in FileRun primarily as a way of transferring folder structures, rather than archiving data.
- Empty folders now keep their modification date when added to Zip archives.
- Much better error handling and error logging when zipping files. When zipping a folder fails because of a particular file, the file is being pointed out with the relevant details, both for the user and in the activity logs.
- Better feedback message when adding files to an existing zip archive.
- File-based and user-based activity log records are now added for all successful operations made while zipping files, even if the overall process fails to complete in its entirety.
- Added two new actions, File added to archive and Folder added to archive, which are logged both to the user activity log and the file-based logs.
The user interface
- Added colorful icons for common file types to make it easier to locate files by their type.
- Fixed browser history navigation issues.
- Fixed the ability of dragging files/folders from the grid to the folder tree for users without upload permissions.
- The "Shared by me" section now lists all shared files, folders or collections, shared either with internal users or with links. For listing only the items shared with links, the section "Shared links" can still be used, but is now found under the section "Shared by me".
- The permissions of shared files and folders are better reflected in the web user interface, showing/hiding more accurately the functions which can or cannot be applied to files/folders which are shared (either via web links or internal shares).
- Fixed the ability of moving files/folders by using the Organize → Move contextual menu options for users who have the permission to make changes but don't have the permission to upload.
- Better feedback from actions. Complete information on what changes were made is now provided to the user. If an action was requested affecting several files/folders, and it failed for some items but succeeded for others, this information will be provided to the user.
- Better error handling when the UI makes server requests.
- Users who do not have permission to make changes (checkbox User can make changes to files and folders is not ticked) can no longer see the trash folder.
- The option to get a folder size is now no longer taking into account old FileRun trash, cached thumbnails, old file versions, etc. But instead it returns the total size of data that the user would actually get when downloading the folder.
- Allowed the browser default right-click menu to show on text selection and inside text form fields, to be able to copy text from the UI using the mouse.
- Allowed right-clicking on links in the UI.
- Made it obvious that full-screen windows are on top of the UI, so that returning users don't close the whole browser window/tab.
- The group avatar color now follows the theme.
- The file extension label is no longer hidden from the right-side of the filename when the files do not have a thumbnail. It was creating confusion regarding the file's name.
- Made it clearer in the list layout when filenames have extensions.
- Fixed menus not hiding when clicking on a file/folder in the list.
- Fixed various elements and text selection when dragging tags on Safari.
- Fixed menus not hiding when clicking on a file/folder.
- Fix: The file/folder context menu option Change color now shows the currently set color.
- Better handling when previewing an archive with empty folders and no files.
- Files/folders shared with links are now indicated through the same icon as when they are shared with internal users.
- When using the panel for moving or copying files/folders, one can browse to folders through existing collections.
- Fixed the z-index of masks, being too high and covering dropdown menus. (Example: grid settings dropdown when the grid failed to load for whatever reason)
- Removed the focus outline visible when previewing a file by direct access.
- Added ability of searching users by first and last name when using the user/group selector prompt.
- The Lock/Unlock options have been moved from under the Information menu to Organize.
- Added shimmer animation to loading thumbnails.
- The control panel option to configure the display ratio for thumbnails has been removed. Thumbnails are now always square.
- The config option $config['app']['ui']['grid_short_date'] has been removed. The grid always shows the short and friendly dates. You can hover the short dates to see full dates in the tooltip, formatted automatically using the user's browser locale. Users can also choose to show the new grid columns Modified (ISO 8601) and Created (ISO 8601).
- Removed the Date Format: Files translation string. The long dates are automatically formatted using the user's browser locale.
- Made the CSS sizes use rem units, so that font-sizing can be easily adjusted across the entire application by changing a single value.
The Details panel
- General cosmetic improvements to the Details panel.
- The list of tags displayed for items on the Details panel is now sorted alphanumerically.
- The Details panel now shows the option to add files/folders to a collection also for those that are not already in a collection.
- ⚠️ Potentially breaking change: the Details panel no longer shows options for rating, metadata, and tags for the My files folder.
README files are no longer displayed on the Details panel. It slowed the loading, caused unnecessary file downloads, while providing little value.
The Activity tab
The format is now different, similar to Google Drive:

- It is now always available for accessible files, including for all shared files and folders.
- Log entries are shown only from users in the user's Can interact with permission list.
- For shared files/folders the activity log is limited to actions logged after the file/folder was shared.
- The number of new activities shown in a balloon on the tab is now counted since the user's last web interface load. (Previously it was counted since either the last login or the last time the user browsed their home folder.)
- The file log entry File deleted now shows the original location.
Other/Unorganized
- The file version number is now inserted in the file's name when downloading an older version.
- Moving folders can no longer result in a partial move due to interruptions. It either moves the whole folder or nothing.
- Filenames are now allowed to use the " (double quote) character when the server is not Windows.
- Removing an account from a Nextcloud app now automatically clears the app password from the FileRun user profile.
- Fixed an error showing when trying to e-mail a file/folder as a web link with an expiration date.
- Better network error handling when loading the list of users or search result, when using the user/group selector prompt.
- Fix: File versioning: Restoring an old version resends the file for contents and metadata indexing.
- Fix: File versioning: Restoring an old version now keeps the old version in place. In other words, instead of moving the old version to replace the current, a copy is being made.
- When modifying user account credentials via the API, you can POST the variable notify (with any value) to have FileRun e-mail the new credentials to the user. It works the same as the Send a notification now checkbox available when modifying the user account from the FileRun control panel. //todo: document API changes
- Restoring a file/folder from trash no longer recreates folders. If the original folder no longer exists, the deleted item will be restored to the user's home folder.
- Restoring a deleted file/folder logs information about where the file/folder was originally deleted from.
- When the FileRun installation URL changes (the protocol, the port number, or the path), it is now automatically detected and refreshed.
- Whenever e-mail messages are to be sent in realtime, the SMTP connection timeout is now shortened from 5 minutes to 10 seconds. If your SMTP server fails to connect in under 10 seconds, the operation will fail. This is to force you to provide a somewhat decent user experience by fixing your SMTP server connection.
- Improved general aspect of e-mail messages FileRun sends.
- Made the Recent section work when MySQL has "ONLY_FULL_GROUP_BY" in the sql mode.
- ".ts" files are now recognized as video files. If FFMpeg is enabled, thumbnails will be shown.
- The option $config['app']['weblinks']['logging']['downloads']['disable'] is no longer available.
The Media section
- The items Photos, Videos and Music have now been grouped under the new section Media.
- There is a new section named Documents which shows files of the metadata type Documents.
- The Music section has been renamed to Audio.
- Videos are no longer included under Photos.
- Each section now includes the option to browse those types of files by tags and see the latest uploads.
Other admin
- reset_superuser_pass.php now takes the optional argument for specifying the new password (single-quoted here so that a POSIX shell does not expand $$):
php reset_superuser_pass.php --password 'pa$$word'
- Added control panel section FileRun → PHP info for quicker access to the PHP configuration information page.
- Fixed adding guest users while exceeding license limits.
- Fixed sharing multiple files/folders at the same time while adding guest users.
- User names (first and last) can no longer contain any filesystem-relevant characters (/*?<>|:).
- MySQL/MariaDB connections are now opened as persistent. This will improve performance in most common setups.
- The option to include HTML into FileRun's web UI via customizables/include.html has been removed. Use the control panel Third party services > Tracker codes option instead.
⚠️ Breaking changes
This also includes a list of features and options that are no longer available.
- The option of sending files via e-mail is no longer available. You can send notifications with custom messages when sharing files and folders with users. For any other purposes users can send e-mail messages from their own e-mail providers.
- The File Encryption, Bing Maps, Google Maps, File Picker for TinyMCE and OpenDocument Viewer plugins are no longer available.
PDF Viewer, which was used only for mobile devices, is no longer included. PDF files now open with your mobile device default PDF viewer instead.
- Removed the options for shortening URLs. Users can still retrieve the existing short URLs from under the share's "Advanced settings".
- The signup process no longer accepts requests from external forms. The config option $config['app']['signup']['redirect_url_failure'] no longer does anything.
- Making copies of folders is no longer an option. Only files can now be copied. In the rare eventuality one needs to make a duplicate of a folder, one can download and reupload the folder.
- Removed the options to share a web link via Gmail or X/Twitter.
- The config option FR::$cfg['zip']['max_folder_size'] has been removed.
- Web linked folders can no longer be opened as RSS or audio playlists.
- Web links that offer both the permission to upload and download at the same time are no longer possible. If both permissions were enabled before the update, the link will only allow uploading after this update.
- User activity logging related:
- The old records will be destroyed by the update. Please make a backup of the database if you wish to still have them in some form.
- The activity logging config option $config['app']['logging']['skip_provide_download'] is now $config['app']['logging']['skip_receive_download'].
- The user activity File download (via Web link) is no longer available and has been replaced by File downloaded by another user.
- The user activity File received (via Web link) is no longer available and has been replaced by File received (via upload).
The API is unfortunately no longer compatible. It was not possible to keep it compatible because of the large changes related to user id referencing, file/folder paths and how the file sharing works now.
A migration guide will be made available.
- Changing a user's groups via the API is no longer done via the admin-users/edit endpoint, but via admin-users/edit_groups instead.
- The API endpoint /account/info no longer returns the user id id. Instead, it returns the public id as puid (string).
/account/avatar requires POST variable puid with the user's public id (puid) instead of the record id (id).
- It no longer returns an image for an invalid puid but instead responds with the HTTP 500 code.
- The API endpoint /files/unshare no longer takes uid (int) but instead it takes puid (string).
- The API endpoint /files/share no longer takes a set of individual permissions, but instead it takes a role (string) which can have one of the values viewer, commenter, uploader or contributor. See this page for details on the permission levels.
- It no longer takes uid (int) but instead it takes puid (string).
- The endpoints starting with /admin-users/ are now /admin/users. /admin-users/ will still work until the next update.
- Whatever you can access via the web user interface, you can now access via the API, which follows the folder structure identically. You can access things like collections, the media folders with albums, etc.
- The error response property has been replaced with the property named "msg" which is expected to be an array of messages. This property also returns messages on successful actions now.
- The following paths are obsolete, and it is recommended that they be updated accordingly:
- The /files/browse endpoint:
- '/SHARED' => '/ROOT/SharedWithMe'
- '/SHARES' => '/ROOT/Shares/WithUsers'
- '/LINKS' => '/ROOT/Shares/WithLinks'
- '/MUSIC' => '/ROOT/Media/Audio'
- '/Photos' => '/ROOT/Media/Photos/Latest'
- The meta[perms] data is no longer included in the response.
- The items' permissions (perms) are no longer included in the response.
- Folder contents can no longer be listed recursively. The request parameter recursive is now ignored.
- The color, tags, rating and filetype (metadata filetype) can be retrieved for files/folders via the browsing endpoint /files/browse/.
Updating and maintenance information
Things you need to do before updating:
- ⚠️ If you are running NGINX, make sure that your configuration location ~ \.php$ is updated to the regex version location ~ ^(.+\.php)(.*)$ which allows URLs like /index.php/sub/path. This regex captures both the PHP file and the PATH_INFO portion.
- ⚠️ Make sure you run MySQL/MariaDB version 8.0 or higher.
- ⚠️ Make a full backup of your installation. This will allow you to restore the installation to the previously working state in case something goes wrong. Ignore this at your own risk.
- ⚠️ Backup the database, or archive the user activity logs to keep a copy of the old entries. This update will completely remove them.
- Install this update while outside working hours: File uploads that have been started before installing this update will not be able to resume after the update, and they will restart from the beginning.
- Run the queued e-mail notifications. E-mail notifications will not be sent for user activity performed before installing this update, so make sure you run the notifications before installing the update, if any are queued. You can do so by clicking the button Manually run notifications now under the E-mail control panel section, or by running the command line script for sending notifications (see this documentation page).
- Write down the FileRun license key. You can get it from your FileRun client account.
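A pre-update check for the NGINX item above, added here as an example (it is not FileRun's own tooling): it scans an nginx config for regex locations that handle /index.php and reports whether each one also matches /index.php/sub/path. The sample config, its paths and socket, and the name audit_php_locations are constructed for illustration, and Python's re is assumed to behave like nginx's PCRE for these patterns.

```python
import re

# URL form quoted in the release note, plus the bare script URL as control.
PATH_INFO_URI = "/index.php/sub/path"
PLAIN_URI = "/index.php"

# `location ~ <regex> {` or `location ~* <regex> {`; the regex may be quoted.
LOCATION_RE = re.compile(r'^\s*location\s+(~\*?)\s+("[^"]+"|\S+)\s*\{')

# Constructed sample config (root path and socket are placeholders).
OLD_CONF = r"""server {
    root /var/www/filerun;
    location ~ /\.ht { deny all; }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""
# Same config with the regex version from the release note.
NEW_CONF = OLD_CONF.replace(r"\.php$", r"^(.+\.php)(.*)$")


def audit_php_locations(conf_text):
    """Report each regex location that handles PLAIN_URI.

    status is "ok" if the location also matches PATH_INFO_URI,
    "needs-update" if it only matches the bare script URL, and
    "unparsed" if Python cannot compile the pattern.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = LOCATION_RE.match(line)
        if not m:
            continue  # not a regex location (or commented out)
        pattern = m.group(2).strip('"')
        flags = re.IGNORECASE if m.group(1) == "~*" else 0
        entry = {"line": lineno, "pattern": pattern,
                 "script": None, "path_info": None}
        try:
            rx = re.compile(pattern, flags)
        except re.error:
            entry["status"] = "unparsed"
            findings.append(entry)
            continue
        if not rx.search(PLAIN_URI):
            continue  # this location does not route PHP requests
        hit = rx.search(PATH_INFO_URI)
        entry["status"] = "ok" if hit else "needs-update"
        if hit and rx.groups >= 2:
            # Group 1 is the PHP file, group 2 the PATH_INFO portion.
            entry["script"], entry["path_info"] = hit.group(1), hit.group(2)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        for finding in audit_php_locations(conf):
            print(name, finding)
```

To check a real server, pass the text of the active configuration (for example the output of nginx -T) to audit_php_locations instead of the sample.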
Things you need to do after updating:
- ⚠️ Configure a cronjob task to run email_notifications.php, for sending e-mail notifications. The control panel configuration option Instant email notifications no longer exists. This has been done to provide a better user experience and avoid possible problems caused by failures in the notification system. More details here.
- Configure a daily cronjob to run cron/daily.php. This is required for keeping FileRun's database healthy and for any time-based functions.
- Review your theme customizations. Changes have been made to the theme, so unless you have made extensive customizations, it is recommended to press the Reset all to default button under the Interface → Branding → Themes control panel section, and then reapply the color theme of your choice.
- If you have any custom event script, know that the new FileRun version will run these only for events defined by $config['system']['custom_event_scripts'] = []; inside customizables/config.php.
- If you are using the ONLYOFFICE plugin: You will need to enable WOPI in your ONLYOFFICE (DocumentServer): see https://api.onlyoffice.com/docs/docs-api/more-information/faq/using-wopi/ and https://api.onlyoffice.com/docs/docs-api/using-wopi/overview/#enabling-wopi
- If you use the plugin Google Editor: The Authorized redirect URI for Google OAuth 2.0 Client IDs changed and needs to be updated. See this page.
Other changes and remarks
- 32-bit servers or clients are no longer supported. The zip archives which FileRun creates are now always in Zip64 format.
- ⚠️ Support for PHP 8.1 is now deprecated. While you can continue to use PHP 8.1, the next FileRun version will require PHP 8.2 or higher.
- ⚠️ The PHP extension "opcache" is no longer just a recommendation, but a requirement. FileRun will continue to work without it, but we won't support those cases.
- Dropped the automatic handling of MySQL connection timeouts (resulting in server has gone away errors). You might need to configure your MySQL server not to timeout prematurely. When configuring the database server, take into account tasks that can take a long time, such as uploads and downloads. This has been done for general speed gains.
- ⚠️ Existing e-mail notification logs will be removed by this update.
- The command line scripts no longer require the server hostname as an argument.
- Added support for connecting to the database server via a Unix socket or a Windows named pipe.
- ⚠️ FileRun no longer officially supports cases where the MySQL/MariaDB database is not running on the same machine. While it will always work, it significantly affects performance, and we will not optimize for it. The database is not a microservice but an integral part of FileRun.