Version 4.4.3

Released: February 11, 2023

Status: Stable



The transformation views’ URLs were updated to always specify which content object’s transformations are being manipulated. This ensures the permission system work correctly on all situations such as when deep ACLs are used to grant access to transformation from a document type.

The transformation and decoration links were updated to take advantage of the new link dynamic attributes features.


Support for Python 3.7 and Python 3.8 was dropped for the version 4.4 release. Python 3.9 is now the minimum version supported. This change happened in version 4.4 but was not documented.


The transformation and decoration links were updated to take advantage of the new link dynamic attributes features. Redaction access control now works properly on complex access control scenarios.


The tag labels are now sanitized when generating the Select2 user interface widget template. This closes the XSS weakness reported in CVE-2022-47419: Mayan EDMS Tag XSS.

This is a limited scope weakness of the tagging system markup that can be used to display an arbitrary text when selecting a tag for attachment to or removal from a document.

It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.

Attempting to exploit this weakness requires a privileged account and is not possible to enable from a guest or an anonymous account. Visitors to a Mayan EDMS installation cannot exploit this weakness.

Any usage of this weakness remains logged in the event system making it easy to track down any bad actors.

Due to all these factors, the surface of attack of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.


  • Move transformation and redactions links to either their own module. In the case of the documents app, the module is named

  • Improve transformation and redaction link testing.


Management commands

  • Remove deprecated management commands:

    • checkdependencies replaced by dependencies_check.

    • checkversion replaced by dependencies_check_version.

    • createautoadmin replaced by autoadmin_create.

    • generaterequirements replaced by dependencies_generate_requirements.

    • initialsetup replaced by common_initial_setup.

    • installdependencies replaced by dependencies_install.

    • mountindex replaced by mirroring_mount_index.

    • performupgrade replaced by common_perform_upgrade.

    • platformtemplate replaced by platform_template.

    • preparestatic replaced by appearance_prepare_static.

    • purgelocks replaced by lock_manager_purge_locks.

    • purgepermissions replaced by permissions_purge.

    • purgeperiodictasks replaced by task_manager_purge_periodic_tasks.

    • purgestatistics replaced by statistics_purge.

    • revertsettings replaced by settings_revert.

    • savesettings replaced by settings_save.

    • showsettings replaced by settings_show.

    • showversion replaced by dependencies_show_version.

Backward incompatible changes


The cabinet create permission is now required to create parent as well as child cabinets. This change replaces requiring the edit permission to create child cabinets via the HTTP views.


A new permission was added to change the type of a document. When support for changing the type of a document was added, it was considered a property and controlled via the document property edit permission.

Since changing the type of a documents now causes a cascade of other changes, it was isolated as an individual class of event along with its own permission.

The new document change type permission is required for the document being changed and for the document type to which the document will be changed into.


Download files are now associated to a specific users and not to a parent object. Delete, download, and view permissions were added to allow users to share a download file.


The OCR backend code is now executed under a new method called _execute to avoid subclasses not calling the super class.

The base backend class now prepares the image to be processed for OCR and passes the file object to the subclass.


The default secret key value is now only used if the secret key file is not found not just if the secret key file is present but unreadable.


The home_view setting was removed from the default Template context. Template instances need to include their own context using the new context argument.


  • The Cabinet API serializer field named parent, will be removed in version 5.0. Use the parent_id instead which is functionally identical.

  • The IndexTemplateNodeSerializer serializer fields parent and index will be removed in version 5.0. Use fields parent_id and index_id which are functionally identical.

  • The WorkflowInstanceSerializer field named workflow_template_url will be removed in version 5.0. Use the url attribute of the workflow_template instead.

Issues closed