Documentation

• Welcome
• FileRun homepage
• Changelog
• Get notified about updates
• Contact us

Install

• Requirements
• Install guides
• PHP configuration
• PHP compatibility/upgrade
• Troubleshooting
• Reverse proxies
• Securing FileRun
• Server optimization

Configure

• Setting the time zone
• Enabling thumbnails and preview
• Troubleshooting thumbnails
• E-mail notification system
• File preview options
• File indexing
• Authentication integration
• 2FA - 2-step verification
• Google editor integration
• Advanced configuration

Customize

• File plugins
• Translating FileRun
• Custom CSS
• Custom event scripts

Feature Information

• Screenshot sharing
• File searching
• Desktop sync
• Metadata
• Mobile apps
• File-based activity logs
• WebDAV

The API

• Introduction
• API Methods

Maintenance

• Resetting the superuser password
• Updating FileRun
• Backing up the installation
• Changing MySQL connection information
• Deleting old user files
• Migrating to another server
• Command line tools

• FileRun 2026.1.0
  • Overview
  • Sharing with links
  • Sharing with registered users
    • Permissions to role mapping
  • Sharing with Guests
  • Security fixes and improvements
    • File permission handling
      • File permissions on shared files
      • Previewing without download permissions
      • Commenting system
      • Other
    • Vulnerabilities fixed
    • Authentication security
    • Other
  • Logging
    • File/folder activity logs
    • User activity logging
  • E-mail notifications
  • Related to third-party apps
  • Performance
  • Error handling
  • Files plugins
  • Uploading
    • New streaming file upload
      • Remarks
  • File Management
  • Control Panel
  • Other admin-related
  • Zipping
  • The user interface
    • The Details panel
      • The Activity tab
  • Other
  • The Media section
  • ⚠️ Breaking changes
  • The API
    • Other changes and remarks
  • Updating
    • 1. Things you need to do before updating
      • For users of the official FileRun Docker image:
      • If you are running NGINX
    • 2. Things you need to do after updating

FileRun 2026.1.0🔗

⚠️ This is a beta update.
Join the discussion here.
If you cannot risk having to restore a full backup, please do not install.

⚠️ This update includes breaking changes.
They are marked with a warning symbol.
Read this page carefully before proceeding.
Do not skip the updating section.

Overview🔗

FileRun 2026.1.0 is a major upgrade that makes sharing feel like a modern collaboration platform, speeds up large uploads, and significantly raises the security and reliability bar through a rebuilt backend.

• Shared links open in the full FileRun interface: People opening shared links get the complete browsing and collaboration interface (multi-select downloads, plugins, comments, metadata/tags), not a limited “public link” view.
• Simpler, safer sharing controls: One unified sharing panel (users + links) with role-based permissions makes it easier to grant the right access quickly and consistently.
• Faster, more reliable large uploads: New streaming, resumable uploads can continue from the last byte and avoid extra buffering, improving speed and resilience for big transfers.
• Collaboration-ready documents: Support for collaborative editing via Collabora Online and Microsoft 365.
• Security and governance upgrades: Tightened file permission handling, improved authentication security, expanded logging/audit capabilities, and multiple vulnerability fixes.
• Consistent operation handling: All file operations now run through the same backend business-logic path across the web interface, WebDAV, desktop sync, mobile, and API—so processing is uniform and outcomes don’t vary by access method.
• Support for PHP 8.4.

Sharing with links🔗

The same beautiful and fully-featured interface that registered users are enjoying is now available to all visitors.

Depending on given permissions, visitors can:

• select and download multiple files/folders in one action.
• open files with the various plugins enabled in the system.
• read and write comments.
• read and write metadata and tags.
• etc...

All this just like it was until now possible only when files were shared with registered users.

Sharing with links is now done from the unified sharing panel:

Roles make it easy to set permissions using one click:

• All unauthenticated activity done via shared links is logged under the system user account Visitor. If the user is signed in, the activity is done under their own accounts.
• Access to shared links can now be suspended system-wide by deactivating the Visitor user account.
• Access permissions can be fine-tuned through the Visitor account's permissions.
• ⚠️ Web links with upload permission are limited to that action. Existing links shared with upload permissions and other permissions will only keep the upload permission after this update.
• ⚠️ Creating a web link without enabling any permission (browse-only) is no longer possible. Existing links shared like this will be automatically removed.
• ⚠️ When sharing files/folders with a link, the option of sharing the metadata is no longer separate but included in the Commenter sharing role.
• ⚠️ Files/folders shared with links, with the permission Share the file comments with the visitors. but without the option Share the metadata with the visitors. will lose this permission after the update. That is because the two permissions are now combined into a single one, and you might not want to automatically give access to your shared files metadata. After the update, if you still wish to give these permissions, you can update the created links to use the Commenter role instead of the Viewer one.
• ⚠️ Files/folders shared with links without either download or upload permission will be removed by this update. The links that qualify for this case are the ones without any of the following two options checked: Allow visitors to download files from the folder., Allow visitors to upload files in this folder..
• ⚠️ The option Allow visitors to edit the files inside this folder. is no longer available. Editing permissions can be applied only to files shared individually, by assigning the Editor role.
• The Download limit option:
  • When the download limit is reached for a file, the download is no longer possible, but the web link is no longer removed. This allows the owner of the file to see that the file was shared with a link, check the share settings, and eventually renew or remove the limit to allow the link to work.
  • Setting a download limit of 0 will prevent any further downloading. To remove the limit, leave the field blank (remove also the number 0).
  • Loading a file's thumbnail or other type of previews will count towards the download limit.
• The option Receive e-mail notifications is no longer available as it was entirely redundant. You will be notified based on any other available notification rules (folder-based or account-based).
• Access to web-linked folders is no longer logged to the user activity log.
• Expired web links, while they continue to be inaccessible, they are no longer automatically removed from files/folders/collections, so that the user can see them and the old settings, and renew if needed.
• Collections shared with web links are now also listed under Shared by me > Shared with link.
• Added prompt letting the user know that a file/folder/collection does not have a link on and gives the option to create one. Before the link would get automatically created, without being clear that the link was created right then.
• When trying to make a change to a web link setting, existing settings are being revalidated as well.
• Fixed logging information about the collection a web link was created on.
• Making changes to a web link now logs details about the changed settings.
• Failed attempts at creating, updating, or deleting web links are now logged.
• There is no longer any option of using a URL shortener from within FileRun. Existing short links will still be accessible though, for now.
• The option Hide "Download all" option under the Interface control panel section is no longer available. To achieve similar, remove the permission User can download folders and collections from the Visitor user account.
• Collections can now be shared via links with file editing permission.

Sharing with registered users🔗

Sharing with users or with a link is now done from the same panel.

Adding new users to a share is more intuitive than before, and you can send an e-mail notifications with custom messages directly from the sharing panel.

The sharing permissions are now assigned with a single click, using predefined roles.

• Users can choose between the following roles, from the most capable to the least:
  • Content manager
    • Typical use case: Team leads or admins managing content and access.
    • Can preview and download.
    • Can view and add comments.
    • Can view and edit tags, ratings and metadata.
    • Can edit existing files.
    • Can upload and create new files and folders.
    • Can rename, move and delete.
    • Can share items via links.
  • Contributor
    • Typical use case: Teams producing and adding new material.
    • Can preview and download.
    • Can view and add comments.
    • Can view and edit tags, ratings and metadata.
    • Can edit existing files.
    • Can upload and create new files and folders.
  • Editor
    • Typical use case: Collaborative document editing.
    • Can preview and download.
    • Can view and add comments.
    • Can view and edit tags, ratings and metadata.
    • Can edit existing files.
  • Commenter
    • Typical use case: Feedback workflows, reviews, approvals.
    • Can preview and download.
    • Can view and add comments.
    • Can view and edit tags, ratings and metadata.
  • Viewer
    • Typical use case: Sharing documents for review or reference.
    • Can preview and download.
  • Uploader
    • Typical use case: file requests.
    • Can upload new files and folders.
    • Cannot overwrite existing files.
    • Can list files, but cannot preview nor download.

Permissions to role mapping🔗

Here is how the existing shares will be automatically reconfigured by this update:

• Download + Upload + Make changes → Content manager

  • They gain the permission to share with links, if they didn't have it already.
  • They gain the permission to add and view comments, if they didn't have it already.
  • They gain the permission to add and view metadata.

• Download + Upload → Contributor

  • They lose the permission to share with links, if they had it.
  • They gain the permission to edit existing files.
  • They gain the permission to add and view comments, if they didn't have it already.
  • They gain the permission to add and view metadata.

• Download + Make changes → Commenter

  • They lose the permission to rename, move, delete.
  • They gain the permission to add and view comments, if they didn't have it already.
  • They gain the permission to add and view metadata.

• Download + Read comments → Commenter

  • They gain the permission to add comments, if they didn't have it already.
  • They gain the permission to add and view metadata.

• Download + Write comments → Commenter

  • They gain the permission to view comments, if they didn't have it already.
  • They gain the permission to add and view metadata.

• Download + Share links → Viewer

  • They lose the permission to share with links.

• Download → Viewer

  • No change.

• Upload + Make changes → Uploader

• Upload + (Read comments or Write comments) → Uploader

• Upload + Share links → Uploader

  • They loose all permissions except being able to upload files and folders.

• Upload → Uploader

  • They can no longer view metadata.

• Shares with any other combination of permissions will just be removed.

Sharing with Guests🔗

The guest users (users assigned the system role Guests):

• Can now sign-in also with username and password.
• Can use 2FA, change own passwords if allowed, recover forgotten passwords, etc.
• They can still use the special login link, for convenience and where the security requirements are less strict.

It is no longer possible for Guest users to:

• Access FileRun via mobile apps, desktop apps, WebDAV or API.
• Upload and download at the same time from a share. If the share role allows upload, the download permission will automatically be off.
• Make any changes to files/folders and associated data (such as tags, ratings, metadata, color or comments).
• Share with a link.
• Access the files' activity logs.
• Perform file management operations (delete, rename, move, etc.).

If these permissions are too strict for your current users, you will want to create a new role for them, and assign them to the new, more permissive role.

• Fixed sharing multiple files/folders at the same time while adding guest users.
• Fixed adding guest users while exceeding license limits.

Security fixes and improvements🔗

File permission handling🔗

• The following actions are no longer applicable to files/folders when downloading is not allowed:
  • viewing the thumbnails, previewing.
  • overwriting, renaming, deleting, moving, locking.
  • reading/writing tags
  • reading/changing the rating
  • reading/writing metadata
  • reading/writing comments
• Locking a file now also prevents any metadata change (including tags, rating, etc...).
• Files/folders can no longer be added to zip archives which are locked.
• File locks placed by file owners (the file is located inside user's own home folder) can no longer be lifted by other users, unless they have admin privileges. File locks placed by visitors with editing permissions (for example: when editing a file via a shared link) can be lifted by anybody.
• Overwriting files by archive extraction now saves the current versions if versioning is enabled.

File permissions on shared files🔗

• It is no longer possible to access files/folders shared by user accounts which have been deactivated.
• It is no longer possible to access files/folders shared by users who no longer have the permission to share files.
• It is no longer possible to rename or delete files/folders shared by other users when the files/folders are shared separately and not inside a folder. This prevents confusion and avoids potential phishing attacks and other social engineering actions.
• A user's Space quota limitation applies now also when other users upload files inside a folder shared by the user with the limitation.
• It is no longer possible to enable upload permissions on shared links when the target folders are shared by users who no longer have permission to upload files themselves.
• It is no longer possible to access metadata from files/folders which are shared by users which no longer have permission to access metadata themselves.
• ⚠️ The option to share files/folders with aliases has been removed. ⚠️The actual names of the files/folders will be shown to the users. ⚠️ This applies also to existing shares.
  • When sharing an entire home folder with another user, given that sharing aliases no longer exist, the name of the shared folder will be My Files (translated accordingly).
• ⚠️ The concept of an anonymous share no longer exists. Existing shares which were marked as anonymous will be shown under the name of the user sharing, after applying this update.
  • With anonymous shares no longer being a thing, any relative paths of the type /ROOT/123:456 (where 123 is the user id and 456 is the share id) are no longer valid and have to be adjusted by replacing the : (colon character) with a / (forward slash character). This is applicable to saved path that are being used via the API.
• Files/folders shared by link are now no longer accessible the moment the permissions of the original internal share (between FileRun users) no longer allows link sharing. The links are not destroyed, and can still be accessed if the original user reenables the sharing permission.
• Users without the User can download folders and collections permission can now share folders. Files can be downloaded from the shared folders but entire folders cannot.

Previewing without download permissions🔗

• The User can preview files permission has been removed. Previewing always requires download permission.
• Options such as Allow opening PDF files without download permission are no longer available.
• Fix: Permissions are now being checked also before creating a web link that allows uploading or editing, to prevent the link creation and prevent future confusion. This is mainly for when web links are being created via the API.
• Open in browser: The option Allow opening PDF files without download permission is no longer available.
• Audio Player: The option Allow playback without download permission is no longer available.
• Video Player: The option Allow playback without download permission is no longer available.
• The Zoho plugin no longer allows opening documents without the download permission.

Commenting system🔗

• If a user does not have permission to read comments on a file/folder, the user can no longer write one either. He also cannot read comments written in the past (before the file/folder was shared) on these files/folders.
• If a user has permission to read comments of a file/folder, they also have permission to write comments, unless disabled on the account.
• If user A does not have permission to write comments on a file/folder, user B can no longer write comments on the same file/folder when shared by user A.
• A user can no longer give permission to write comments without the permission to read comments.
• Author names and dates are now visible for comments on shared files/folders, and there is no longer any option for hiding this information.

Other🔗

• The size limit configured per user account can no longer be exceeded when creating or updating files using editors or functions other than uploading (such as converting, merging, zipping, etc.).
• The Text Editor plugin now checks quota usage and prevents it from being exceeded through writing large file contents.
• It is no longer possible to restore a file from trash if the user is not allowed to use that file type anymore.
• Giving upload or editing permissions on a web link is now blocked before the changes are saved, if the current folder conditions (permissions, locking) do not allow the actions.
• CloudConvert: conversion can no longer be started for files located inside a folder that doesn't allow uploading.
• CloudConvert: storage quotas are now being checked to prevent the download of the converted versions if there is no space available.
• The option of editing files can no longer be enabled when sharing a file/folder if the current filesystem permissions of the file/folder do not allow modifications.

Vulnerabilities fixed🔗

• Medium severity security fix: User id numbers are no longer exposed. Instead, unguessable public ids are used. This prevents account existence confirmation and user initials enumeration vulnerability via the avatar URL.
• Medium severity security fix: Fixed e-mail address enumeration via the password reset request.
• Medium severity security fix: username enumeration attack via the password reset process.
• Fixed XSS vulnerability. * the xss vulnerability is possible by placing HTML-encoded content in filenames (for example: »)
• Added CSRF protection to the login form and several other places (like the control panel option for logging in as another user).
• For security reasons, the possibility of using a custom external login or registration form is no longer available.
• For security reasons, the FileRun[redirectURLAfterLogin] cookie is no longer in use.

Authentication security🔗

• Changing a user's password invalidates other authentication sessions.
  • Done by the user, this does not include OAuth2 tokens. The user can remove those manually from under Account settings → Connected apps.
  • Done by an admin from the control panel, will invalidate also the user's OAuth2 tokens.
• Improved brute force password attacks protection. Accounts are no longer automatically deactivated on incorrect password tries. Instead, incremental throttling is applied, up to 25 seconds per request. After 10 failed attempts, the user can retry once every 30 minutes. Additionally, the CSRF token is reset after each failed attempt, requiring the login page to be reloaded for a new attempt.
• Accounts now get automatically deactivated after five failed 2FA authorization attempts. This applies also when trying to disable 2FA or to change the password from an already logged-in account.
• Changing the password while 2FA is enabled now requires 2FA verification.
• Disabling 2FA now requires 2FA verification.
• The passwords are now using Argon2id encryption.
• The users can now change their passwords also when the option User can change personal information is unchecked.
• The form for changing the password can no longer be bypassed. The users will not have access to the files unless they change their passwords when their accounts are configured with the Require user to change the password option.
• The superuser password is now also subject to the password policy rules.
• Removing an account from a Nextcloud app now automatically clears the app password from the FileRun user profile.
• Fixed ability of signing in with local account, when an SSO-only authentication plugin is enabled.
• All password recovery attempts are now being logged to the user activity log.
• The option Number of days users can use the same passwords has been removed.

Other🔗

• Guests cannot change their personal information.
• Added HTTP security headers.
• Limited avatar image uploading to 15MB.
• The default permissions for new user accounts have been tightened for data security:
  • The permissions to share with links is no longer enabled by default.
  • The permission to share with guests users is no longer enabled by default.
  • The permission to access a file's activity is no longer enabled by default.
• Prevented accidentally giving users access to the FileRun installation folder by assigning an invalid home folder path.
• Prevented giving users access to the root of the filesystem (/).
• Improved security of links created for the purpose of downloading and/or editing files with third-party services. Now the links are tied to the user session, so the links are no longer accessible once the user session ends.

Logging🔗

File/folder activity logs🔗

• File/folder activity logs are no longer deleted when a file/folder is deleted.
  • File activity logs are now saved per absolute file/folder path instead of internal file/folder id.
  • Renaming or moving a file will not update the paths stored on the existing activity logs, preserving a better history for the file.
• Admin users can now see all activity on the particular file/folder, including past activity on the specific path.
• To improve performance for small users, file logging is now disabled by default in FileRun. (Applies only to new installations.)
• The Activity log (the one opened via the contextual menu via Information):
  • Has been moved under the File control panel.
  • For a folder now shows records recursively, for all files/folders inside that folder. Clearing the logs also works recursively, deleting logs for all files/folders inside that folder.
• Files/folders which are located inside moved folders no longer get an activity log entry when they are moved along with the parent folder.
• Extracting an archive, each file and folder created as the result of the action now gets log entries both in the user activity log and in the file/folder log.
• The FileRun superuser can now check (and also clear) the activity log for files via shared folders/files.
• Subfolders no longer get entries in their activity logs when they are moved along with a parent folder. The entry Folder moved with parent folder no longer exists.
• The file copy action now logs two activity records, one on the original file and one on the copy made. The file action File copied now refers to the source file, not the target. The file action which refers to the target file is now called File copy created.
• The Create photo proof sheet now logs a download action on each read image file.

User activity logging🔗

• You can now double-click or click View to display more details for any given user activity log entry. The details are many and provide full historical records (user information is hard written so it is preserved if the user accounts change details or get deleted). For example, when somebody downloads a file via a link shared on a file shared by another user, you can see usernames and full names of everybody involved: the downloader, the user which created the link, and the owner of the original share.
  • The file location information is saved with details included. It is no longer generated dynamically. If user A has downloaded a file from user B's shared folder, the logged location will be stored and shows as Shared by B/folder/file.pdf.
  • User activity log entries now store the user information (username and full name) for each record.
  • Deleting or modifying user accounts will no longer affect the log entries.
• Actions made via shared links are logged under the system user Visitor rather than the user which shared the files/folders via links. Information about the owner/creator of the link is available in the details of each activity log entry.
• Renamed the action File permanently deleted to File deleted from trash to clarify what it refers to.
• All actions that are being performed by one user inside another user's folder are now logged to the other user's account and can be used for e-mail notification rules.
  • The actions which are not logged are the ones that are not successful, or the ones that do not concern the other user (adding stars, adding files to collections, etc.).
  • These can be disabled individually via $config['app']['logging']['skip_receive_...'] or alltogheter via $config['app']['logging']['skip_receive_all'].
• All activity logs are now logging the IP address the action was performed from, and the HTTP user agent information.
• The user activity logs are now stored in JSON format. They take less disk space and the logging is faster.
• A new user activity/file log entry titled File updated is now created when overwriting a file, by any means (upload, edit, etc.).
• Archiving the user activity logs is now done by moving the records to a separate database table named df_logs_archive. You can browse the archived logs from the FileRun control panel and delete them permanently at any time.
• Added a separate action for when updating files. Before it was File uploaded (file_uploaded). Now it is File updated (file_updated).
• Added separate action for when creating files by other means than uploading. For example, by zipping or unzipping archives. The title of this action is File created (new_file).
• The copy actions are now logged twice, once for the read action (file_copied) and once for the write action (file_copy_created). This way one can have notifications when files are "placed" (file_copy_created) inside folders, or files are "downloaded" (file_copied) via copying.
  • This covers cases where some users should only know about the fact that a file/folder was copied, but not where, and the opposite, where the users should know about the fact that a file/folder was pasted, but not from where.
• Accessing a web-linked file is now logged with the action titled Web link file access.
• Accessing a web-linked collection is now logged with the action titled Web link collection access.
• Deleting user accounts via the third-party authentication sync process is now logged to the activity log.
• ⚠️ All existing activity log entries will be removed by this update. If you wish to keep it, export it before proceeding.
  • A consequence of this would be that no e-mail notification will be sent after the update regarding actions performed before the update.

E-mail notifications🔗

• The general e-mail notification template is no longer editable from the FileRun control panel.
  • To customize the e-mail message or translate it to another language you would need to make a copy of apps/Core/!includes/emails/english/notifications.tpl.php to customizables/emails/english/notifications.tpl.php and edit that file.
    • If your currently selected default FileRun language is not English, you would need to rename the path accordingly.
• The folder-based e-mail notification templates from under customizables/emails/folder_notifications are no longer in use.
  • The various action descriptions can now be customized for each language via the translation system. The descriptions are found under the Notifications translation section.
• Improved e-mail notification messages. The relative paths shown are now friendly and descriptive and in many places correctly referencing their location relative to the notified user rather than the user for which the action was logged.
• The folder notification setting New comments is now notifying also about new tags.
• Improved general aspect of e-mail messages FileRun sends.

Related to third-party apps🔗

• The desktop sync app:
  • Now shows the same filetype icons as the web interface.
  • Now shows when a user's permission to share a file is not enabled.
  • Now shows when files are shared with links.
  • Now shows a button for copying a private link to the file, under the Sharing tab of a file's properties panel.
• Large uploads done via the desktop sync app or mobile apps are now done entirely inside the target folder, without using an external temporary folder, to allow the transferred data to always count towards the user's disk usage quota.
• Large uploads done via the desktop sync app or mobile apps now log to the user activity log the starting and resuming (at 25%, 50%, and 75%).
• The Owncloud apps are no longer officially supported. They might continue to work, but we will no longer check for compatibility.
• Fixed saving multiple share settings at the same time via the Nextcloud apps.
• Added compatibility with Nextcloud apps' favorite feature. You can now see starred files/folders, and add/remove them from Starred/Favorites.

Performance🔗

• Downloading large folders as zip archives is now faster and uses less CPU and less memory.
• Made considerable performance optimizations to the WebDAV server.
• Moving large folders is much faster now as individual files are no longer moved one by one.
• Storing and restoring file versions now moves files instead of copying, making the process considerably faster, particularly for large files.

Error handling🔗

• The messages shown after performing various file management operations are clearer, providing more details on what change was made, and if no change was made, it provides more information regarding the encountered problem.
• Moving multiple files/folders at the same time while there are errors and one or more of the operations fails, the action now still applies the visual changes for the operations which were successful.
• Fix for error related to sending e-mail notifications when folder notifications are enabled and the actions performed are renaming a file or a folder.
• Better error handling on API authentication.
• Nicer error handling for any request made in the web UI while the authentication is no longer valid.
• Much better error logging. Most failed file actions are now being logged to the user activity logs and the file logs, with very detailed error messages and trace. You will immediately know the reason for the failure.
• Better error handling when having a user-defined plugin class named exactly as an existing system plugin.
• All e-mail messages that fail to send, for whatever reason, are now being logged under E-mail → Logs control panel section. They are also logged to the PHP error log.
• Better network error handling when loading the list of users or search result, when using the user/group selector prompt.
• Files which no longer exist are now automatically removed from a collection when browsing the collection.

Files plugins🔗

• Added support for viewing and editing documents with:
  • Collabora Online (https://www.collaboraonline.com/code/).
  • LibreOffice Online (https://www.libreoffice.org/download/libreoffice-online/).
  • Microsoft 365.
• Fixed Autodesk plugin compatibility with the latest API.
• Added the option to edit PDF documents with Zoho Editor. (It currently requires browsers to allow third-party cookies.)
• Text Viewer can now be used with source code files as well.
• A new user activity log entry entitled File created is now used when creating files with FileRun rather than uploading for the user's device.
• The Zamzar plugin now works also if opened in a separate window.
• Improved the experience of editing documents with Google Docs Editor. Authentication is saved and needs to be done only once per session.
• The plugin Office is now called Local Office app.
• Small change: the Create photo proof sheet plugin now saves the output in the same folder as the first selected image file.
• Fixed dark mode support for the Media Info and Archive Explorer plugins.
• The Image Editor is now limited to the file types jpg, png, webp. These are the only formats supported for saving the changes to.
• The Cloud Convert file plugin require PHP version 8.3 or higher.

Uploading🔗

• Folders can now be uploaded from mobile phones.
• The upload process now double-checks with the server the size of the uploaded file. This is to make sure there can be no error causing you to believe that a file uploaded successfully while for whatever reason it is did not complete in reality.
• An upload item can now be retried if it was skipped for server reasons. This is useful if you wish to reupload a file after being told that the file already exists, but you have removed the file from the server.
• Fix: Uploading an empty file now shows the size in the upload panel as 0B instead of 1B.
• Fix: Uploading files via the UI (not by drag&drop) also stops the blocked file types before trying to make any requests to the server.
• The upload now stops when it encounters an authentication problem. This avoids flooding the server with unnecessary requests when uploading a large folder with many small files.
• Resuming a folder's upload now moves the progress bar according to the amount of data is already on the server and does not need reuploading to show accurate information on how much of the entire task is already completed.
• Added the File upload started (upload_started) user activity log entry type, which gets logged when a user starts a resumable file upload (typically for a larger file).
• A log entry is now added to the temporary upload file (.upload), to show which user started the upload, when the upload started, and how large the file will be.
• Limited the number of items shown in the upload details panel to prevent the browser from freezing in case of a large number of failed items (as it happens when synching a folder).
• Changed the default max simultaneous file uploads from 7 to 6.
• Fixed icons of the minimize / maximize button in the upload dialog.

New streaming file upload🔗

• Interrupted transfers are now resumed from the last transferred byte, regardless of the cause of the interruption. It no longer has to restart from the last successfully transferred chunk.
• The file upload no longer writes data in the temporary folder (upload_tmp_dir), but directly inside the destination folder. It is no longer being buffered in various places, minimizing server disk I/O and making the transfers quicker.
• The upload is now resumable for files of any size, regardless of how small.
• The temporary files now get a new log entry File upload started when the upload has started but for whatever reason did not complete yet. The entries show information about the total size of the file that will be uploaded and about how much of it was uploaded so far. The log entry remains saved to the final file, for record keeping.
• The temporary files now get new log entries File upload resumed, whenever the upload has progressed passed 25%, 50%, and 75% of the total file transfer.
• The PHP configuration directives post_max_size and upload_max_filesize can no longer limit the upload.

Remarks🔗

• It works automatically when using an HTTP server which streams the request body directly to PHP without buffering. An example of such a configuration would be running a Nginx server, configured with fastcgi_request_buffering Off; and PHP-FPM. Make sure that the configured chunk size is not higher than client_max_body_size (or set this to 10000M).
• For servers which do not support streaming the HTTP request body (such as Apache+FastCGI, or Nginx with fastcgi_request_buffering On, or servers behind proxies which buffer the data), the chunk size can be lowered from the FileRun control panel section Files. The default is 100 MB. You might want to lower it to have smaller resumable chunks. For servers that support streaming, increasing this value will provide better upload speeds for large files. Increase it as much as you can, up until large uploads fail (due to HTTP servers or proxies limitations). Setting a large value will not allow you to recover an interrupted large chunk. Setting a small value will add overhead and make the overall transfer slower.

File Management🔗

• Moving folders can no longer result in a partial move due to interruptions. It either moves the whole folder or nothing.
• Filenames are now allowed to use the " (double quote) character when the server is not running Windows as the operating system.
• Restoring a file/folder from trash no longer recreates folders. If the original folder no longer exists, the deleted item will be restored to the user's home folder.
• Restoring a deleted file/folder logs information about where the file/folder was originally deleted from.
• .ts files are now recognized as video files. If FFMpeg is enabled, thumbnails will be shown.
• You can now add files from multiple different locations to zip. The zip archive will be created inside the parent folder of the first selected file.
• You can add files to a zip archive even when the file is being accessed via a location such as Starred, Collections or a search result. The zip archive will be created inside the parent folder of the selected file.
• File versioning:
  • Restoring an old version resends the file for contents and metadata indexing.
  • Restoring an old version now keeps the old version in place. In other words, instead of moving the old version to replace the current, a copy is being made.
  • The file version number is now inserted in the file's name when downloading an older version.

Control Panel🔗

• Fixed the issue with the username/password fields not being visible when editing a user account and a role other than the Guest role is selected. This applies only to some older installations that might have roles created since before the Guest feature was added.
• Fixed editing users when the role assigned was created before the Guests role was added as a feature to FileRun.
• The OAuth2 clients for the desktop sync apps and generic WebDAV apps can now be fully edited from the FileRun control panel. You can customize the icon, name, and other details which are shown when trying to authenticate an app. Particularly useful for matching the branding of the specific desktop apps you are using.
• You can now disable specific types of access (API, WebDAV, Desktop, etc.) while keeping others enabled.
• Option to get the tail of the PHP error log from the FileRun control panel section PHP Info.
• Fixed the display of the "PHP configuration" date.timezone value, not displaying the currently active value correctly.
• Added confirmation prompt when deleting a metadata field from a fieldset.
• When activating a user account, the last login date is reset so that the account does not get deactivated again automatically if it reaches the configured time limit.
• Added the option to reset the theme customizations to default values.
• Listing web links via the control panel Users → Web Links no longer deletes records if the files are not found, to prevent inadvertent loss of web links in case there is a temporary file/folder movement happening.
• Added safety prompt when removing web links from under Shared links.
• Minor cosmetic fixes in the control panel.
• Fixed the Multiple values metadata field type to keep values into separate records so that one can search for individual values. It does not alter existing data, it applies only when saving metadata after this update.
• The Date/time metadata field type is now renamed to Date.
• Added Date and time metadata field type.
• FileRun now logs all emails sent, regardless of type, and displays them, as before under the Email → Logs control panel section.
• Updating translations now clears the users' browser cache right away for the file handlers and metadata.
• Fixed updating display color on color picker field, when loading a color preset, when customizing the color themes (from the control panel section Interface → Branding → Theme).
• Multiple custom themes can be created via apps (code which is outside FileRun own application code). Themes can have separate custom values saved in the database.
• The action of an admin removing a user's shared link from the FileRun control panel is now logged to the user activity log.
• Fixed respecting independent admin limit on creating new user accounts, when inviting guest users.
• FileRun now always automatically creates user home folders if they don't exist.
• Prevented assignment of relative paths for the user home folders.
• Fixed possibility for an independent admin user with limited space quota to assign more space than the total through assigning a role with a quota which multiplied by the number of users accounts for a total higher than the admin's limit.
• Fixed ability of non-independent admin users to filter activity logs by user.

Other admin-related🔗

• reset_superuser_pass.php now takes the optional argument for specifying the new password php reset_superuser_pass.php --password "pa$$word"
• Added control panel section FileRun → PHP info for quicker access to the PHP configuration information page.
• Users names (first and last) can no longer contain any filesystem-relevant characters (/*?<>|:).
• MySQL/MariaDB connections are now opened as persistent. This will improve performance in most common setups.
• The option to include HTML into FileRun's web UI via customizables/include.html has been removed. Use the control panel Third party services > Tracker codes option instead.
• The control panel section Reinstall can now be used to check the database structure and fix inconsistencies.
• When the FileRun installation URL changes (the protocol, the port number, or the path), it is now automatically detected and refreshed.
• The config option $config['app']['weblinks']['logging']['downloads']['disable'] is no longer available.
• Whenever e-mail messages are to be sent in realtime, the SMTP connection timeout is now shortened from 5 minutes to 10 seconds. If your SMTP server fails to connect in under 10 seconds, the operation will fail. This is to force you to provide a somewhat decent user experience by fixing your SMTP server connection.

Zipping🔗

• Zipping files no longer uses any compression. It is purely a file copy action into a Zip package. This was done to avoid high server CPU loads, as Zip archives are used in FileRun primarily as a way of transferring folder structures, rather than archiving data.
• Empty folders now keep their modification date when added to Zip archives.
• Much better error handling and error logging when zipping files. When zipping a folder fails because of a particular file, the file is pointed out with the relevant details, both for the user and in the activity logs.
• Better feedback message when adding files to an existing zip archive.
• File-based and user-based activity log records are now added for all successful operations made while zipping files, even if the overall process fails to complete in its entirety.
• Added two new actions, File added to archive and Folder added to archive which are logged both to the user activity log and the file-based logs.

The user interface🔗

• Added colorful icons for common file types to make it easier to locate files by their type.
• The Large view mode is now called Previews and instead of showing large thumbnails, it loads full previews of the files.
• Added option for quickly searching the current folder by a specific metadata document type. The files closer to the search start folder are shown first.
• Improved pagination for folders that contain many files. The sorting by file name, modified date or size is now done on the whole folder rather than for the currently listed page.
• Fixed browser history navigation issues.
• Fixed the ability of dragging files/folders from the grid to the folder tree for users without upload permissions.
• The "Shared by me" section now lists all shared files, folders or collections, shared either with internal users or with links. For listing only the items shared with links, the section "Shared links" can still be used, but is now found under the section "Shared by me".
• The permissions of shared files/folders are better reflected in the web user interface, showing/hiding more accurately function which can or cannot be applied on files/folder which are shared (either via web links, internal shares).
• Fixed the ability of moving files/ folders by using the Organize → Move contextual menu options for users which have the permission to make changes but don't have the permission to upload.
• Better feedback from actions. Complete information on what changes were made is now provided to the user. If an action was requested affecting several files/folders, and it failed for some items but succeeded for others, this information will be provided to the user.
• Better error handling when the UI makes server requests.
• Users who do not have permission to make changes (Checkbox User can make changes to files and folders is not ticked) can no longer see the trash folder.
• The option to get a folder size is now no longer taking into account old FileRun trash, cached thumbnails, old file versions, etc. But instead it returns the total size of data that the user would actually get when downloading the folder.
• Allowed the browser default right-click menu to show on text selection and inside text form fields, to be able to copy text from the UI using the mouse.
• Allowed right-clicking on links in the UI.
• Made full-screen windows obvious that they are on top of the UI, so that returning users don't close the whole browser window/tab.
• The group avatar color now follows the theme.
• The file extension label is no longer hidden from the right-side of the filename when the files do not have a thumbnail. It was creating confusion regarding the file's name.
• Made it clearer in the list layout when filenames have extensions.
• Fixed menus not hiding when clicking on a file/folder in the list.
• Fixed various elements and text selection when dragging tags on Safari.
• Fixed menus not hiding when clicking on a file/folder.
• Fix: The file/folder context menu option Change color now shows the currently set color.
• Better handling when previewing an archive with empty folders and no files.
• Files/folders shared with links are now indicated through the same icon as when they are shared with internal users.
• When using the panel for moving or copying files/folders, one can browse to folders through existing collections.
• Fixed the z-index of masks, being too high and covering dropdown menus. (Example: grid settings dropdown when the grid failed to load for whatever reason)
• Removed the focus outline visible when previewing a file by direct access.
• Added ability of searching users by first and last name when using the user/group selector prompt.
• The Lock/Unlock options have been moved from under the Information menu to Organize.
• Added shimmer animation to loading thumbnails.
• The control panel option to configure the display ratio for thumbnails has been removed. Thumbnails are now always square.
• The config option $config['app']['ui']['grid_short_date'] has been removed. The grid always shows the short and friendly dates. You can hover the short dates to see full dates in the tooltip, formatted automatically using the user's browser locale. Users can also choose to show the new grid columns Modified (ISO 8601) and Created (ISO 8601).
• Removed the Date Format: Files translation string. The long dates are automatically formatted using the user's browser locale.
• Made the CSS sizes use rem units, so that font-sizing can be easily adjusted across the entire application by changing a single value.
• Favicon images location has changed from images/favicons to apps/Core/!public/images/favicons. If you have made customizations to the favicons, you would need to make them again.
• The Details panel now shows the date a file/folder was deleted, when it is selected under Trash.
• Editing text files or images no longer requires a refresh for the changes to be reflected in the thumbnails in the file list.
• The file/folder move dialog no longer closes if the move action fails.
• Files/folders can be deleted by dragging to the Trash.

The Details panel🔗

• General cosmetic improvements to the Details panel.
• The list of tags displayed for items on the Details panel is now sorted alphanumerically.
• The Details panel now shows the option to add files/folders to a collection also for those that are not already in a collection.
• ⚠️Potentially breaking change: the Details panel no longer shows options for rating, metadata, and tags for the My files folder.
• README files are no longer displayed on the Details panel. It slowed the loading, caused unnecessary file downloads, while providing little value.

The Activity tab🔗

The format is now different, similar to Google Drive:

• It is now always available for accessible files, including for all shared files/folders.
• Log entries are shown only from users in the user's Can interact with permission list.
• For shared files/folders the activity log is limited to actions logged after the file/folder was shared.
• The number of new activities shown in a balloon on the tab is now counted since the user's last web interface load. (Before it's been counted since either the last login or the last time the user browsed its home folder.)
• The file log entry File deleted now shows the original location.

Other🔗

• The metadata panel now lists all values for multivalue options, which includes also values that are not in the list of predefined ones, but they are set anyway.
• Fixed the date metadata field (for example the Date taken for images) not showing the value and/or not showing the time part.
• Made the Recent section work when MySQL has ONLY_FULL_GROUP_BY in the sql mode.

The Media section🔗

• The items Photos, Videos and Music have been now grouped under the new section Media.
• There is a new section named Documents which shows files of the metadata type Documents.
• The Music section has been renamed to Audio.
• Videos are no longer included under the Photos.
• Each section now includes the option to browse those types of files by tags and see the latest uploads.

⚠️ Breaking changes🔗

This also includes a list of features and options that are no longer available.

• The Facebook authentication is no longer available.
• The option of sending files via e-mail is no longer available. You can send notifications with custom messages when sharing files/folders with users. For any other purposes users can send e-mail messages from their own e-mail providers.
• The File Encryption, Bing Maps, Google Maps, File Picker for TinyMCE and OpenDocument Viewer plugins are no longer available.
• PDF Viewer, which was used only for mobile devices, is no longer included. PDF files now open with your mobile device default PDF viewer instead.
• Removed the options for shortening URLs. Users can still retrieve the existing short URLs from under the share's Advanced settings.
• The signup process no longer accepts requests from external forms. The config option $config['app']['signup']['redirect_url_failure'] no longer does anything.
• Making copies of folders is no longer an option. Only files can now be made copies of. In the rare eventuality one needs to make a duplicate of a folder, one can download and reupload the folder.
• Removed the options to share a web link via Gmail or X/Twitter.
• The config option FR::$cfg['zip']['max_folder_size'] has been removed.
• Web linked folders can no longer be opened as RSS or audio playlists.
• Web links that offer both the permission to upload and download at the same time are no longer possible. If both permissions were enabled before the update, the link will only allow uploading after this update.
• User activity logging related:
  • The old records will be destroyed by the update. Please make a backup of the database if you wish to still have them in some form.
  • The activity logging config option $config['app']['logging']['skip_provide_download'] is now $config['app']['logging']['skip_receive_download'].
  • The user activity File download (via Web link) is no longer available and has been replaced by File downloaded by another user.
  • The user activity File received (via Web link) is no longer available and has been replaced by File received (via upload).

The API🔗

The API is unfortunately no longer compatible because of the many fundamental changes such as user id referencing, changed file/folder paths, changed the way file sharing permissions are set, changed the way the file uploads are being done.

For more information, please see the API migration guide.

Other changes and remarks🔗

• 32-bit servers or clients are no longer supported. The zip archives which FileRun creates are now always in Zip64 format.
• ⚠️ The PHP extension opcache is no longer just a recommendation, but a requirement. FileRun will continue to work without it, but we won't support those cases.
• MySQL connection timeouts (server has gone away errors) are no longer automatically handled. If you are getting such errors, you will need to configure your MySQL server better, not to timeout prematurely. Take into account tasks that can take a long time, such as uploads and downloads.
• ⚠️ FileRun no longer officially supports cases where the database server is not running on the same machine. While it will always work, it significantly affects performance, and we will not optimize for it. The database is not a microservice but an integral part of FileRun.
• Existing e-mail notification logs will be removed by this update.
• The command line scripts no longer require the server hostname as an argument.
• Added support for connecting to the database server via a Unix socket or a Windows named pipe.
• ⚠️ If you have customized the source code of any file plugin, your customization will be lost.
• This is the last FileRun version that supports PHP 8.1.

Updating🔗

Please note that there are tasks that need to be done both before and after applying this update.

1. Things you need to do before updating🔗

• Make a full backup of your installation. This will allow you to restore the installation to the previously working state in case something goes wrong. Ignore this at your own risk.
• Make sure you are using MySQL 8.4 or higher, or MariaDB 10.11 or higher. FileRun will no longer work with versions older than that. See below for a tip on how to update the database server.
• Archive the user activity logs if you wish to keep a copy of the old entries. This update will completely remove them.
• Install this update outside working hours: File uploads that have been started before installing this update will not be able to resume after the update, and they will restart from the beginning.
• Run the queued e-mail notifications. E-mail notifications will not be sent for user activity performed before installing this update, so make sure you run the notifications before installing the update, if any are queued. You can do so by clicking the button Manually run notifications now under the E-mail control panel section, or by running the command line script for sending notifications (see this documentation page).
• Write down the FileRun license key. You can find it under the FileRun control panel section or get it from your FileRun client account.
• If you encounter database errors during the update, try to restart/reboot your MySQL/MariaDB server/container and then try the update again. The reason why this works is that this update converts the database engine used in some of FileRun tables.

For users of the official FileRun Docker image:🔗

1. Update the database server:

Update MariaDB

• Replace the server with version 10.11 or higher. We recommend you to use the latest version.
• When using Docker, you can start the container with MARIADB_AUTO_UPGRADE=1
• Or upgrade the databases by running mysql_upgrade.

Update MySQL

• Replace the server with version 8.4 or higher. We recommend you to use the latest version.
• Then upgrade the databases by running mysql_upgrade.

2. Install the FileRun update from the FileRun control panel.
3. Replace the Docker image with filerun/filerun:8.4
4. Restart the container.

If you are running NGINX🔗

Make sure that your configuration location ~ \.php$ is updated to the regex version location ~ ^(.+\.php)(.*)$ which allows URLs like /index.php/sub/path. This regex captures both the PHP file and the PATH_INFO portion.

• Make sure your location block contains the following two lines:

   1fastcgi_split_path_info ^(.+\.php)(.*)$;
   2fastcgi_param PATH_INFO $fastcgi_path_info;
  

Without this, the new FileRun version will not function at all.

2. Things you need to do after updating🔗

• Make sure PHP is version 8.2, 8.3 or 8.4 (recommended).
• Make sure the PHP extension ionCube loader is version 14.4 or higher (15.0 recommended). Guide here.
• If you are using a third-party OAuth2-based authentication, you will need to update the SSO redirect URL to https://FILERUN/index.php/app/Core/auth/!public/sso. You will find your precise URL under the Authentication control panel section.
• Configure your HTTP server to block access to .php files inside the /apps folder. FileRun applies a .htaccess file for Apache and a web.config file for ISS. For NGINX, see the file /apps/security.nginx on suggested configuration that you will need to set in your NGINX configuration.
  • Test to make sure .php files are not accessible via the web server.
• Configure your HTTP server to block access to the folder /system. FileRun applies a .htaccess file for Apache and a web.config file for ISS. For NGINX, see the file /apps/security.nginx on suggested configuration that you will need to set in your NGINX configuration.
  • Test to make sure the folder is not accessible via the web server.
• If you are using the official FileRun Docker image, you will need to update the Path to LibreOffice binary to soffice. The setting can be found under the Thumbnails and preview control panel section. The manual change is required because the new docker image comes with a newer LibreOffice version.
• If you are not using the official FileRun Docker image, you need to manually configure these cron jobs:
  • cron/email_notifications.php (as often as you need), for sending e-mail notifications. (For avoiding slowing down or breaking the user experience, notifications can no longer be sent in real-time.) More details here.
  • cron/every5minutes.php every 5 minutes. It clears inactive sessions.
  • cron/everyMinute.php every minute. It imports metadata from new files and sets files types (for filtering and searching).
  • cron/daily.php (once a day). It deactivates expired and inactive user accounts, and also guest accounts that have no shares anymore. It archives old log entries. It keeps the FileRun's database clean.
• Review your theme customizations. Changes have been made to the theme, so unless you have made extensive customizations, it is recommended to press the Reset all to default button under Interface → Branding → Themes control panel section, and then reapply the color theme of your choice.
• If you are using the ONLYOFFICE plugin: You will need to enable WOPI in your ONLYOFFICE DocumentServer: see https://api.onlyoffice.com/docs/docs-api/more-information/faq/using-wopi/ and https://api.onlyoffice.com/docs/docs-api/using-wopi/overview/#enabling-wopi
• If you use the plugin Google Editor: The Authorized redirect URI for Google OAuth 2.0 Client IDs changed and needs to be updated. See this page.
• If you have any custom event script, know that the new FileRun version will run these only for events defined by $config['system']['custom_event_scripts'] = []; inside customizables/config.php.
• If the logo URL was set with a relative URL, you will need to adjust it to use an absolute URL. For the FileRun logo, just type FileRun (case-sensitive) in the URL fields.