Release v6.29.1 (2026-02-11)

Published 2026-02-11 12:52:37Z

Server

New

  • TLS support: The new fylr.services.webapp.tls.letsEncrypt.CA setting allows an alternative ACME issuer to Let's Encrypt to be set. [e0197de61]

Improved

  • /api/xmlmapping: The mapper was changed to keep information of nested tables together. Before we would render mat1, mat2, remark1, remark2, now we render mat1, remark1; mat2, remark2. The grouping is hard-coded to use ; on the top level and [ ... ] for deeper levels. This also checks the field names. Before any string was accepted, now this is matched against supported mapping fields. Also, this fixes mapping field names for nested tables inside linked objects. Before this was wrongly rendered without the _nested: prefix for the nested table main. With these patches the API requires fixed text fields text_fixed and deep_link_url to come before or after the data fields. Also, render deep_link_url with link to frontend as fallback. If the deep link URL is not set, render a link to the frontend detail page for the rendered object. The deep link is set to the actual file if the mapping is used to fill a metadata filemapping. Also, add replacement for obj %_uuid% in text_fixed. [709dec348] [0a8b3deb9] [bed769db4] [560f396d7]

  • fylr backup/restore: Migrate login & password base config from easydb 5. Also keep pool ids the same between source and target. Correctly migrate groups assigned by SSO from easydb 5 to fylr. In fylr the type of this connection is called saml. [72e2d5795] [ec16c2986] [c4bf31f22]

  • /inspect/files: Improved filter for local / remote versions. [bd42b1438]

  • Reverse Proxy: The reverse proxy configurable in fylr.yml now supports host-less targets. [33f2b7814]

  • /eas: To avoid erroneous copies from the alleged /eas endpoint, fylr now responds with 400 Bad Request to the easydb 5 file endpoint. [e447b17a2]

  • /inspect/objects: Add a specific filter prefix sid: to filter by system object id only. This is used to show all versions of an object. In /inspect/objects/OT/ID a link to show All Versions of the object was added. [d822bf717]

  • /api/objects: If an object has no best mask configured, return a permission error (403 Forbidden) instead of 400 Bad Request. With the 403 the frontend will not show the error in the object share dialog, but assume that no access has been configured, which is arguably the case. [741a1dabf]

  • Hotfolder: Create directory without errors. The hotfolder creates directories and it could happen (via shared directories) that it tried to create a directory which was created by another process already. [f3698fa72]

  • /api/export: Merge existing *:secret in transport options. If an updated export contains transports with secrets (key ends in :secret) in its options, merge these secrets from existing transports if they are not sent in the update. [41b6a7284]

  • POST /api/db: For plugins, skip linked objects READ permission check. When reading back data from plugins, the read back is using the _all_fields mask, regardless if the user running the request is allowed to do so or not. Before this patch, the permissions for the linked objects inside the payload (READ) were checked, which made the _all_fields feature unusable in some configurations. This patch relaxes the permission check when reading back from plugins. Plugins are now allowed to link to objects without permission checks. [34f1c1f8f]

  • /api/export[CSV/XLSX]: Fixed export of pool columns. This patch uses the user's frontend language to export the pool column and all configured frontend languages if all_languages is given in the export. Also _pool_id column is sorted properly as system column before all user columns. Also, filter language selection for textual information in daterange fields. [413fe3e62] [3ce25120e]

  • IIIF Presentation: No longer use sequences to display pages of PDF and other office files. Also, skip empty required statements. [5d4d08195]

Fixed

  • DELETE /api/collection: Fixed for collection users with pin code. If collection users are deleted alongside with a collection and they had used their pin before, deleting would fail with a db error. This patch removes the pin codes of users before they are archived or deleted. Un-archived users will be forced to re-enter their pin codes. [afc81fcb1]

  • /inspect/files/FILE-ID: Fixed a bug which prevented the page from rendering if the file was only linked in historic versions and not in the current version. [d822bf717]

  • POST /api/db[groupmode]: Fix for plugin callbacks where the plugin returns unchanged data. If a plugin returns all data from group mode modified plugins without actually changing any data, fylr would discard that data but not set the _all_fields mask back to the received mask, causing the permission check to save objects to fail for non-root users. [66ed1f51c]

  • /api/search: Don't assume READ permissions for collection owners. The previous code would assume that all collection owners have READ permission to all objects in the collection. That is not the case. READ permissions can be shared via ACL by a collection but simply owning a collection does not generate READ permissions. This was correctly covered by other places in fylr where permissions are checked, but the search had it wrong. This brings a partial re-index of all collections. Collection owners which can no longer access objects which they previously could, can now no longer find (and access) these objects using the search. Higher permissions than READ were not affected by this bug. [d318ef456]

  • Frontend Languages: Fixed support for tvl-TV frontend language. [4ae9866e0] [fff08ce7c]

  • DELETE /api/pool: Fixed deleting pools owned by non-root users. [d59c545b1] [0fe12fb72]

  • Indexer: Fixed for new object saves during running re-index. The indexer would not index the correct objects if a re-index filled the queue with lots of jobs and while that queue was still being worked on, an object got re-saved. Now the indexer would index the newer version of the object followed by the older version (queued by the re-index). [6cf8ede87]

  • /api/export: Fixed single file exports for certain batch sizes. If the number of exported objects exceeded the batch size and "one file per object" was selected, duplicate filenames would be generated. This would lead to a database FK violation and an erroneous export. [df8524746]

  • /api/collection: Ignore unsupported collection.create_object.update_policy. If for nested fields an unsupported update_policy is sent, accept it and rewrite it to the only supported one, create_version. This helps with migrations from ez5 where the policy create_version_preferred is found in some collections. [054aee56a]

Frontend

Improved

  • Cross Server: The label that displays the target server in cross server mode now allows copying the full cross server URL when clicking on it.

  • Languages: Support for tvl-tv has been added to the frontend.

  • Admin Message: The processing of admin messages has been improved to prevent code injection in messages.

  • Metadata Mapping Manager: The logic for moving field tags within the form has been improved. It is now possible to move and remove them from the XML form simply by dragging them. Additionally, validation has been added for the new limitations introduced in the backend. The validation now indicates which field has the error and highlights it in red for easier identification.

  • Export Transports: Support has been added for properties marked as :secret. This allows adding properties where the server will not send the information back, which is useful for passwords and API keys that should not be displayed again to the user.

  • Tooltips: The way tooltips are displayed in some menus has been improved to prevent them from covering menu options.

  • Pane Header: A small improvement has been added to allow collapsing the quick access menu by clicking on the panel title.
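
The :secret handling described under /api/export and Export Transports above, as an added Go example that is not fylr's own code. Options, RedactSecrets and MergeSecrets are hypothetical names, the sample values are constructed, and dropping omitted non-secret keys is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Options is a hypothetical stand-in for one transport's options object.
type Options map[string]any

func isSecret(key string) bool { return strings.HasSuffix(key, ":secret") }

// RedactSecrets returns a copy without ":secret" keys, modelling a
// response that never sends secret values back to the client.
func RedactSecrets(o Options) Options {
	out := Options{}
	for k, v := range o {
		if !isSecret(k) {
			out[k] = v
		}
	}
	return out
}

// MergeSecrets builds the options to save: every key the update sends wins,
// and stored ":secret" keys the update omits are carried over. Assumption:
// stored non-secret keys that the update omits are dropped.
func MergeSecrets(stored, update Options) Options {
	out := Options{}
	for k, v := range update {
		out[k] = v
	}
	for k, v := range stored {
		if _, sent := update[k]; !sent && isSecret(k) {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample data, not a real fylr transport.
	stored := Options{"host": "sftp.example.org", "password:secret": "s3cr3t"}
	// The client only ever sees the redacted form and edits that.
	seen := RedactSecrets(stored)
	seen["host"] = "sftp2.example.org"
	saved := MergeSecrets(stored, seen)
	fmt.Println(saved["host"], saved["password:secret"] == "s3cr3t")
}
```

Without the merge step, saving the redacted form the client received would silently erase the stored password or API key.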

Fixed

  • Search Lists: Fixed a bug that caused all hierarchy levels to appear expanded when the user had a partial pool selection in the pool selector.

  • Linked Objects: Fixed the logic that checks whether a reference to a linked object is no longer valid. This issue caused errors when opening the detail/editor in certain scenarios.

  • Save And New: Fixed the editor reload after using the new "Save and New" button on a record that had previously been copied from another one.

  • CSV Importer: Fixed the mapping of localized strings inside nested fields. The bug caused multiple localized string values to be merged into a single field at the first nested level.

  • MaskMemoryManager: Fixed the initialization of the mask memory system. In certain situations, the manager was not initialized, causing errors when loading the detail view or the editor sidebar.

Plugins

custom-mask-splitter-detail-linked

This plugin was renamed internally due to technical reasons. If the plugin was installed in fylr under the name custom-mask-splitter-detail-linked, disable and delete this plugin in the plugin manager. Make sure to install and enable the new version with the name easydb-custom-mask-splitter-detail-linked-plugin using the same release url.

Mapbox Token Configuration Changes

The following plugins:

  • gn250

  • geonames

  • dante

  • gnd

  • georef

As of version 6.29.1, the Mapbox token is now configured per plugin in the base configuration.

  • For backward compatibility, specifying the Mapbox token in the data model / form is still supported for now.

  • Going forward, the token should (and eventually must) be set in the base configuration.

  • A future release will remove the fallback to the data model / form.

  • An updated data model will then be deployed to the object store to ensure all maps are displayed correctly.
