v3.11.0

Added

• Support for controlling content overwrite behavior via @Capabilities.UpdateRestrictions.NonUpdateableProperties. By default, content is listed as non-updateable, preventing overwrites with a 409 error. Setting the annotation to an empty array ([]) on a specific attachment composition allows content to be overwritten.

Fixed

• When cds.env.fiori.bypass_draft was enabled attachments were wrongfully deleted

v3.10.0

Added

• Emit the following security events on the attachments service: - AttachmentDownloadRejected, AttachmentSizeExceeded AttachmentUploadRejected.
• If @cap-js/audit-logging is installed automatically trigger audit logs for the security events.
• Duplicate file names to a single attachment entity are automatically assigned a distinguishing suffix.
• Local testing using a Postgres database now possible.
• Native server-side copy() method on AttachmentsService for copying attachments between entities without transferring binary data through the application. Supports all storage backends (DB, AWS S3, Azure Blob Storage, GCP Cloud Storage) with backend-native copy operations.

Fixed

• Fixed bug where deeply nested attachments were not properly handled.
• Fixed bug to allow navigation of self-referencing entities.
• Fix that POST requests for attachments did not have a response when the plugin is used with an object store.

v3.9.0

Fixed

• Fixed security vulnerability where @Core.AcceptableMediaTypes validation could be bypassed during content upload by manipulating the Content-Type header. The mimeType is now validated against the value stored in the database (derived from filename extension) rather than the request header.
• Relaxed requirement for Content-Length header; stream length validation is now used as an additional check to leverage support for chunked uploads.
• Fixed bug where self-referencing entities caused overflow error due to infinite looping.
• Fixed bug in which discarded drafts would save files to database.
• Now allows for downloading files while in draft mode.

v3.8.0

Added

• Support for all generic MIME types (see mime.js).
• DB handler for programmatic attachment insertion via INSERT.into():

  const firstID = cds.utils.uuid()
  const secondID = cds.utils.uuid()
  await INSERT.into("sap.capire.incidents.NonDraftTest").entries(
    {
      ID: firstID,
      title: "Test Incident 1",
      description: "This is a test incident 1",
      urgency_code: "L",
      urgency_descr: "Low",
    },
    {
      ID: secondID,
      title: "Urgent Test Incident 2",
      description: "This is a test incident 2",
      urgency_code: "L",
      urgency_descr: "Low",
    },
  )

Fixed

• Resolved an issue in draft mode where discarding an active draft incorrectly deleted attachments from the object store. Removed dependency on req.diff().

v3.7.0

Added

• Implemented automatic re-scanning of files whose last malware scan occurred more than 3 days ago, in alignment with the BTP Malware Scanning FAQ.
• Enhanced error messages for file size violations to include the filename, e.g., The size of "myfile.jpeg" exceeds the maximum allowed limit of 5MB.

Fixed

• Addressed an issue where files were deleted twice from the underlying object store, which previously resulted in error messages and looping through the outbox.

v3.6.1

Fixed

• Resolved an issue where URLs for nested entities were not generated.
• Fixed an internal server error in CDS 8 caused by the absence of cds.infer?.target.

v3.6.0

Added

• Introduced support for @Validation.MaxItems and @Validation.MinItems annotations, enabling you to define the minimum and maximum number of attachments that can be uploaded.

  Example: Limit to a Maximum of 2 Attachments

  entity Incidents {
      @Validation.MaxItems: 2
      attachments: Composition of many Attachments;
  }

  Example: Require at Least 2 Attachments

  entity Incidents {
      @Validation.MinItems: 2
      attachments: Composition of many Attachments;
  }

• Enhanced the note field to support multi-line input, improving readability for longer text entries.

Fixed

• Prevented unauthorized users from accessing attachments.
• Improved deletion logic for non-draft entities to ensure all associated attachments are reliably removed, preventing orphaned files and maintaining data consistency.
• Handling the use of nested POST requests in non-draft mode.
• Prevent overriding attachments using /content handler.

v3.3.1

Fixed

• Support for multiple run profiles

v3.5.0

Fixed

• Enforced the use of the Content-Length header to prevent server errors.
• Designated the content property in the Attachments table as a NonSortableProperty to prevent database errors when sorting LargeBinary fields.

v3.4.0

Added

• Introduced support for the @Core.AcceptableMediaTypes annotation, allowing specification of permitted MIME types for attachment uploads:

  annotate my.Books.attachments with {
      content @Core.AcceptableMediaTypes: ['image/jpeg'];
  }

• Added support for the @Validation.Maximum annotation to define the maximum allowed file size for attachments:

  annotate my.Books.attachments with {
      content @Validation.Maximum: '2MB';
  }

Fixed

• Removed the previous hard limit of 400 MB for file uploads. Files exceeding this size may still fail during malware scanning and will be marked with a Failed status.
• Resolved issues with generic handler registration, enabling services to intercept the attachments plugin using middleware.