With Corteza 2021.9, we continue to improve accessibility by introducing internationalization for the user interface as well as user-defined configurations. In addition, we’ve improved the overall design and user experience, improved the authentication and access control facilities, expanded on the existing feature set, and introduced a few new additions.


With internationalization, we add support for the translation of user interfaces, as well as locale specific date-time and number formatting. Corteza allows you to modify the built-in translations entirely as well as define translations for additional languages you might need or any custom web application modifications you might have performed. You can also translate most of the user-provided configurations (such as namespaces and module fields), allowing you to configure your Low Code applications to be accessible.

To enable translations for custom configuration, you will need to set the LOCALE_RESOURCE_TRANSLATIONS_ENABLED=true .env variable.


Building on the 2021.3 release, we continue to improve the user interface design as well as the overall experience when interacting with Corteza web applications. Most notably, we’ve reworked page navigation, improved consistency between different web applications, and added a more granular record list filter.

Access control

The access control facility received an upgrade, providing more fine-grained control over the access to your data, such as specific records or modules of particular namespaces. Contextual roles allow you to determine role membership and thus access to resources based on the state the system is in (such as what record we are editing).

With contextual roles, you can cover cases where a user is only allowed to access or manage data created or owned by them.

Authentication and security

The authentication flow is now more flexible by introducing support for SAML and split credential flow. Further improvements to the authentication token generator and handler help increase the stability and security of the system.

Integration gateway

Responding to the needs of defining custom API endpoints, we’ve expanded the sink route facility and introduced the Integration gateway. The improved facility simplifies the process of defining and managing custom API endpoints and defining processing for HTTP requests either via the built-in functions, workflows, or custom code.

The legacy sink route facility is still present and works as it did before, but we aim to replace the sink routes.


The reporter provides a dedicated facility to define and view reports based on the data your Corteza Low Code defines.

Table 1. Important upgrade notes:

Access control

Corteza 2021.9 reworks the internals of our RBAC facility. From the access evaluation flow, to how rules are encoded.

When upgrading to 2021.9:
  • Corteza will automatically scan all existing RBAC rules, remove any obsolete rules like messaging, sanitize existing (federation module renaming) and properly change change resource IDs.

  • Corteza will automatically upgrade, add, remove, and rename roles as needed based on the reworked system:

    • authenticated, anonymous, super admin roles are added,

    • everyone role is removed

    • all RBAC rules owned by the now deprecated everyone role are migrated to the role authenticated

    • static role IDs (1 for everyone and 2 for admin) are replaced by sequential IDs. All memberships and RBAC rules are transferred to the updated role IDs.

  • Corteza will automatically add the following system users:

    • Corteza Provisioner (provision@corteza.local, corteza-provisioner); member of super admin account, used for all provisioning actions.

    • Corteza Service Account (service@corteza.local, corteza-service); member of super admin account, used for all service activities, CLI interface.

    • Corteza Federation (federation@corteza.local, corteza-federation); member of super admin account, used for all federation activities.


Released on: 2021-11-26

Contributors: Katrin Yordanova (GH), Vivek Patel (GH), Jože Fortun (GH), Denis Arh (GH), Tomaž Jerman (GH).

  • Added .env options to control OAuth2 access and refresh token lifetime (14450dc4).

  • Added support for base password constraints (420b5ee1, 984a5e99).

  • Added translations for webapp-workflow (15d12b3, 77de17e).

  • Added custom processing button (6ec4157, 1b67f4b).

  • Added multi select to workflow options prompts (661781d).

  • Added warning when workflow triggers paths change (07705d21).

  • Added expandable expressions editor to workflows (680149e).

  • Fixed improper report filter type casting for ID-like values (597484914).

  • Fixed default record module field value validation setup (aced989ae).

  • Boolean value (record field) sanitization(edbbf2f0).

  • Uint64 JSON serialization in Corredor payloads (3241ff4e).

  • Fixed invalid data point labeling for radial charts (4cbeb210).

  • Fixed report table pagination (71dc2d2).

  • Fixed workflow help shortcut opening when inputting ? (8fd0f15).

  • Admin role membership management (2df2f48).

  • Update Bluemonday & net packages (73c0b312).


Released on: 2021-11-10

Contributors: Denis Arh (GH), Jože Fortun (GH), Tomaž Jerman (GH) Matija Rešek (GH

  • All user’s access tokens are now removed after password change (01577191).

  • Fixed improper page block ref validation for yaml encode (5afc715f).

  • Fixed unstable RBAC check that was caused by more complex setup of roles and RBAC rules (a385fe1c).

  • Fixed multi value required field errors (a5e4fb21).

  • Fixed display elements configurator sometimes not loading correct information when switching between elements (b8121e5).


  • If you wish to enable functions for workflow - action log interaction, the ACTIONLOG_ENABLE_WORKFLOW_FUNCTIONS .env variable must be set.

Released on: 2021-11-04

Contributors: Denis Arh (GH), Jože Fortun (GH), Tomaž Jerman (GH), Katrin Yordanova (GH)

  • Added a user interface to configure SMTP setting; such configuration does not require server restart (0b69d1a2, 20a85d8).

  • Added support for workflow - action log interaction (search, create) (1014f53a).

  • Added support for server plugins (614d2b30).

  • Added workflow import note (9d98170).

  • Compose module fields no longer accept reserved system names — recordID, ownedBy, createdBy, createdAt, updatedBy, updatedAt, deletedBy, and deletedAt (20757e58, 20a85d8).

  • Resource translations no longer fallback to base language in case of a missing translations (4cd54a58).

  • Compose webapp now sends Content-Language and `Accept-Language HTTP headers (f8427346).

  • Server source is now built with -trimpath and without -mod=readonly flags (0b02535c).

  • Namespace export no longer preserves logo/icon references (dab413ece).

  • Initial documentation site redesign (14550adf).

  • Fixed boot-level workflow initialization logic which crashed the server if an enabled workflow defined an invalid trigger configuration (415982c8).

  • Fixed workflow saving when the configuration sidebar was opened (6d8796e).

  • Fixed improper Low Code Checkbox labels representation for false values (0330e31, aef1a14).

  • Fixed accent & HTML escaping in translated strings (556ffc5e).

  • Fixed resource translation issues for current language, accents, and escaped HTML (05178c2b).

  • Hide pages if the parent page is marked as not visible (957a9de2).

  • Fixed broken permission setting from Low Code admin panel on module for fields & records (8ae2a48d).

  • Fixed RenderOptions expr value assignment via selectors (445f0ed5).

  • Fixed RBAC rule migration crash on duplicate rules (e8bc6141).

  • Docker container healthcheck (9d7cf23c).

  • Fixed compose false value label (6da6989).

  • Fixed sidebar shadow (4a02d90).

  • Fixed reporter table column reordering (6b25473).

  • Fixed Low Code error when the automation scripts are not loaded (bb94645).

  • Disabled the load button in chart editor (6912fcd).

  • Fixed improper prefilter handling in the chart editor (aeceb35).

  • Fixed improper Low Code page exporting with un configured or partially configured page blocks (032566d9).


Released on: 2021-10-18

Contributors: Peter Grlica (GH), Denis Arh (GH), Katrin Yordanova (GH), Jože Fortun (GH), Vivek Patel (GH), Matija Rešek (GH), Mario Burazer (GH)

  • Added handle/slug error text in Compose (c7f543ec).

  • Extend record export with filter in Compose (1f5d2abf).

  • Added tooltip for Integration Gateway endpoint in Admin (d897ba3d).

  • Added server sorting fields to integration gateway to support UI (c388f8).

  • Added Bytes ([]byte) expression type (614237).

  • Improved colour scheme picker in Compose (211227ba).

  • Open Admin template previews in new tab (88f05df2).

  • Refactored message bus to conform to rbac, service and package layer architecture (54b716).

  • Improved Integration Gateway filter handling (c6e3d0e9).

  • Fixed Compose calendar buttons styles.

  • Fixed back-button on record viewer.

  • Fixed Admin compose settings not reflected in Compose (bf9e7064).

  • Fixed for unsupported MIME types error message not showing in Compose (8561dca6).

  • Fixed query handling when exporting records in Compose (78e6d296).

  • Fixed server workflow step duplicate issue (e2e751).

  • Fixed unique constraint matching on resources on server (59ffe7).

  • Fixed: Missing Corteza server image root ssl certificates that caused issues with outbound HTTP and SMTP requests (8b008545).

  • Fixed invalid z-index for record list filter components (6171af5b).


Released on: 2021-10-11

Contributors: Tomaž Jerman (GH), Peter Grlica (GH), Mia Arh (GH), Denis Arh (GH), sgg-adraynrion (GH), Katrin Yordanova (GH), Jože Fortun (GH), Vivek Patel (GH), Matija Rešek (GH), Mario Burazer (GH), Bill Ewanick (GH)

  • Added support for internationalization of Corteza web applications (#237, 31132570, e4eb28b8, c3ff0ae1), as well as for some user-provided resources (Low Code modules, namespaces, and pages) (46a7d94d). Locale specific number and date-time formatting are also included (da9a450f).

  • Added a system-managed facility for defining and handling custom API endpoints (#232, 652cc074. The facility allows you to trivially define new API endpoints for webhooks or custom integrations needed by your business processes. The facility defines a tight integration with Workflows for request processing (#245).

  • Added a specialized facility for creating, managing, and running reports(02b3e833). The reporting facility defines a dedicated user interface (corteza-webapp-reporter).

  • Extended Low Code feature set:

    • added role based filtering to user module fields (da181c30),

    • added advanced record list filtering using field-specific filters (5e7e8ce5),

    • added a comment page block (1032399f), and general UI/UX tweaks for easier navigation,

    • added configurable module field descriptions and hints,

    • Added an additional namespaceID parameter when searching over namespaces (21a3c5e6).

  • Added a fake data generator which can be used to create placeholder records and users (#216). The data generator is invoked through the CLI @todo CLI ref.

  • Added support for entire Low Code namespace duplication, import, and export directly from the Low Code interface (000664ef, 533b534f).

  • Extended authentication feature set; allowing authentication sessions to be manually revoked (#254, #210, 1cb2e64d), improved the users CLI commands with additional options (bed63c4f, e4cd1f5b), and added the client_credentials and user impersonation (b245726c, 25e4d11f). The authentication clients user interface now provides a series of cURL examples for interacting with authentication clients (16ae4c22).

  • Added support for SAML authentication providers (#188, aedb2aef, 670b1609).

  • Added *.search RBAC access control operations for all resources 92d2de86, f630a3d9, 0a388382.

  • Added support for automation which is triggered before or after a user is suspended (13fc9d26).

  • Extended Workflow feature set:

    • added the invoker and runner credentials in the initial scope (806dbfaa),

    • improved trigger validation based on the workflow configuration (f40f7982),

    • added functions to interact with the RBAC facility (89ae50db),

    • improved the user interface to display configuration and debug errors (the triggers now also show errors),

    • added an indicator for when the workflow try-run is running.

  • Expended the feature set of the expression engine:

  • Improved system setup and configuration flow as well as overall stability (5a67ecf7, a94e39b3, a229d0ec):

    • Added option to limit the number of users (1b3a811c),

    • Added support for .env file configuration from arbitrary location via the --env-file command parameter ({SERVER_COMMIT_BASE6496027a[6496027a]}).

  • Prepared the store infrastructure for cockroachDB support (109e23fc).

  • The user interface of the Corteza web applications was changed to increase consistency, accessibility 58aa46ee, 89ad4311, and better user experience. More notable changes:

    • the navigation was moved under the left sidebar,

    • the top bar defines shortcuts to the more common operations related to the viewed page,

    • the module field picker was completely reworked (8364da10).

  • Changed the file field preview to show the last uploaded attachment when the single image option is selected (2d593af0).

  • Reworked the RBAC access control facility allowing greater flexibility with resource-specific rules, contextual roles (2f2c055e), and improved logging (922f4c31). Corteza now defines a series of system users and roles which are used for system tasks, such as provisioning and federation.

  • Low Code module, module field, and record RBAC rule configuration buttons are now located under a single drop-down.

  • Added the reporter webapp to the default list of webapps (e6950812).

  • Changed workflow deferred triggers to ignore and skip empty constraint values (8d9a3d54).

  • Upgraded zap logger to v1.19 (e48ffb2e).

  • Tweaked system logging:

    • replaced errors with warnings for runtime OAuth issues (0cb91793),

    • tweaked log stacktrace and added support for depth level control using the LOG_STACKTRACE_LEVEL .env variable (28e1774c).

  • Moved PROVISION_SETTINGS_ settings into a YAML provision file (2d78ae42).

  • Switch the base image to deb/ubuntu due to library incompatibilities (00ba60e5).

  • Removed PROVISION_SETTINGS_ in favour of a YAML provision file (2d78ae42).

  • Removed the query parameter from the record list filter endpoint (10e8b77d).

  • Removed Google maps from the provisioned application list (d6f24605).

  • Removed obsolete settings for the namespace sidebar and Corteza One (b459bd35).

  • Removed tabs and panels on Corteza One.

  • Fix broken links in README (7974ca65).

  • Fix inconsistent grant-validGrant auth client JSON prop name (40ddb9db).

  • Fixed attachment upload errors when an empty attachment or an ico file were uploaded (f5532acf).

  • Removed unneeded content from the served webapp content evaluation check (3638ecac).

  • Fixed failing mount when webapps are disabled (63dbe702).

  • Exclude deleted reminders from the reminder list API endpoint (9f74d5c0).

  • Prevented duplicate values on multi-value selection fields.

  • Fixed the task duplication bug on calendars (2e322054).

  • Fixed namespace searching be case insensitive (5ce9572d).

  • Fixed improper actionlog type casting which resulted in broken log messages when the front-end technology stack was unable to parse the values (5ac8790b, d1ccbc3e).

  • Fix invalid error message if the user is not allowed to search over namespaces (7cf6c18d).

  • Fixed missing notifications across web applications.

  • Fixed typos in envoy error messages (0a241fab).

  • Fixed notifications disappearing when changing the current page.

  • Fix ClaimsToIdentify to return identity with all authenticated roles (67d7882b).

  • Added missing access control properties to resource responses (774354d6).

  • Addedd missing access control checks for reminders (03344782).

  • Fixed improper admin webapp permission display if the user does not have sufficient permissions..

  • Fixed improper automation session state representation for prompted sessions (234d3795).

  • Fixed expression function parameter and return value casting for string functions.

  • Added missing federation structure sync response wrappers (8ee91eb7).

  • General stability of the system has been improved.

  • CLI commands now use the system user when executing commands (dca5757f).

  • Moved import/provisioning access control from Envoy to the invoking service (a2b964c5).

  • Defined a proper facility for testing Integration gateway handling logic (6ceadf40).

  • Allow store function codegen logic to define imports specific to them (b95e878c).

  • Build and integration pipelines moved to Github Actions.

  • Removed misleading federation etc/ (d4505482).

  • Removed the long deprecated storybook (76270476).

  • Implemented the C3 feature and applied it to web applications (a318b380, 4c5e2c24).