10 files changed, 250 insertions, 157 deletions
diff --git a/lib/private/AppFramework/Bootstrap/RegistrationContext.php b/lib/private/AppFramework/Bootstrap/RegistrationContext.php
index c3b829825c2..95ad129c466 100644
--- a/lib/private/AppFramework/Bootstrap/RegistrationContext.php
+++ b/lib/private/AppFramework/Bootstrap/RegistrationContext.php
@@ -157,7 +157,7 @@ class RegistrationContext {
 
 	/** @var ServiceRegistration<\OCP\Files\Conversion\IConversionProvider>[] */
 	private array $fileConversionProviders = [];
-	
+
 	/** @var ServiceRegistration<IMailProvider>[] */
 	private $mailProviders = [];
 
diff --git a/lib/private/Files/Mount/ObjectHomeMountProvider.php b/lib/private/Files/Mount/ObjectHomeMountProvider.php
index 99c52108fa8..4b088f2c808 100644
--- a/lib/private/Files/Mount/ObjectHomeMountProvider.php
+++ b/lib/private/Files/Mount/ObjectHomeMountProvider.php
@@ -7,117 +7,39 @@
  */
 namespace OC\Files\Mount;
 
+use OC\Files\ObjectStore\HomeObjectStoreStorage;
+use OC\Files\ObjectStore\PrimaryObjectStoreConfig;
 use OCP\Files\Config\IHomeMountProvider;
+use OCP\Files\Mount\IMountPoint;
 use OCP\Files\Storage\IStorageFactory;
-use OCP\IConfig;
 use OCP\IUser;
-use Psr\Log\LoggerInterface;
 
 /**
  * Mount provider for object store home storages
  */
 class ObjectHomeMountProvider implements IHomeMountProvider {
-	/**
-	 * @var IConfig
-	 */
-	private $config;
-
-	/**
-	 * ObjectStoreHomeMountProvider constructor.
-	 *
-	 * @param IConfig $config
-	 */
-	public function __construct(IConfig $config) {
-		$this->config = $config;
+	public function __construct(
+		private PrimaryObjectStoreConfig $objectStoreConfig,
+	) {
 	}
 
 	/**
-	 * Get the cache mount for a user
+	 * Get the home mount for a user
 	 *
 	 * @param IUser $user
 	 * @param IStorageFactory $loader
-	 * @return \OCP\Files\Mount\IMountPoint
+	 * @return ?IMountPoint
 	 */
-	public function getHomeMountForUser(IUser $user, IStorageFactory $loader) {
-		$config = $this->getMultiBucketObjectStoreConfig($user);
-		if ($config === null) {
-			$config = $this->getSingleBucketObjectStoreConfig($user);
-		}
-
-		if ($config === null) {
+	public function getHomeMountForUser(IUser $user, IStorageFactory $loader): ?IMountPoint {
+		$objectStoreConfig = $this->objectStoreConfig->getObjectStoreConfigForUser($user);
+		if ($objectStoreConfig === null) {
 			return null;
 		}
+		$arguments = array_merge($objectStoreConfig['arguments'], [
+			'objectstore' => $this->objectStoreConfig->buildObjectStore($objectStoreConfig),
+			'user' => $user,
+		]);
 
-		return new HomeMountPoint($user, '\OC\Files\ObjectStore\HomeObjectStoreStorage', '/' . $user->getUID(), $config['arguments'], $loader, null, null, self::class);
-	}
-
-	/**
-	 * @param IUser $user
-	 * @return array|null
-	 */
-	private function getSingleBucketObjectStoreConfig(IUser $user) {
-		$config = $this->config->getSystemValue('objectstore');
-		if (!is_array($config)) {
-			return null;
-		}
-
-		// sanity checks
-		if (empty($config['class'])) {
-			\OC::$server->get(LoggerInterface::class)->error('No class given for objectstore', ['app' => 'files']);
-		}
-		if (!isset($config['arguments'])) {
-			$config['arguments'] = [];
-		}
-		// instantiate object store implementation
-		$config['arguments']['objectstore'] = new $config['class']($config['arguments']);
-
-		$config['arguments']['user'] = $user;
-
-		return $config;
-	}
-
-	/**
-	 * @param IUser $user
-	 * @return array|null
-	 */
-	private function getMultiBucketObjectStoreConfig(IUser $user) {
-		$config = $this->config->getSystemValue('objectstore_multibucket');
-		if (!is_array($config)) {
-			return null;
-		}
-
-		// sanity checks
-		if (empty($config['class'])) {
-			\OC::$server->get(LoggerInterface::class)->error('No class given for objectstore', ['app' => 'files']);
-		}
-		if (!isset($config['arguments'])) {
-			$config['arguments'] = [];
-		}
-
-		$bucket = $this->config->getUserValue($user->getUID(), 'homeobjectstore', 'bucket', null);
-
-		if ($bucket === null) {
-			/*
-			 * Use any provided bucket argument as prefix
-			 * and add the mapping from username => bucket
-			 */
-			if (!isset($config['arguments']['bucket'])) {
-				$config['arguments']['bucket'] = '';
-			}
-			$mapper = new \OC\Files\ObjectStore\Mapper($user, $this->config);
-			$numBuckets = $config['arguments']['num_buckets'] ?? 64;
-			$config['arguments']['bucket'] .= $mapper->getBucket($numBuckets);
-
-			$this->config->setUserValue($user->getUID(), 'homeobjectstore', 'bucket', $config['arguments']['bucket']);
-		} else {
-			$config['arguments']['bucket'] = $bucket;
-		}
-
-		// instantiate object store implementation
-		$config['arguments']['objectstore'] = new $config['class']($config['arguments']);
-
-		$config['arguments']['user'] = $user;
-
-		return $config;
+		return new HomeMountPoint($user, HomeObjectStoreStorage::class, '/' . $user->getUID(), $arguments, $loader, null, null, self::class);
 	}
 }
diff --git a/lib/private/Files/Mount/RootMountProvider.php b/lib/private/Files/Mount/RootMountProvider.php
index 86f8188978f..5e0c924ad38 100644
--- a/lib/private/Files/Mount/RootMountProvider.php
+++ b/lib/private/Files/Mount/RootMountProvider.php
@@ -10,79 +10,41 @@ namespace OC\Files\Mount;
 
 use OC;
 use OC\Files\ObjectStore\ObjectStoreStorage;
+use OC\Files\ObjectStore\PrimaryObjectStoreConfig;
 use OC\Files\Storage\LocalRootStorage;
-use OC_App;
 use OCP\Files\Config\IRootMountProvider;
 use OCP\Files\Storage\IStorageFactory;
 use OCP\IConfig;
-use Psr\Log\LoggerInterface;
 
 class RootMountProvider implements IRootMountProvider {
+	private PrimaryObjectStoreConfig $objectStoreConfig;
 	private IConfig $config;
-	private LoggerInterface $logger;
 
-	public function __construct(IConfig $config, LoggerInterface $logger) {
+	public function __construct(PrimaryObjectStoreConfig $objectStoreConfig, IConfig $config) {
+		$this->objectStoreConfig = $objectStoreConfig;
 		$this->config = $config;
-		$this->logger = $logger;
 	}
 
 	public function getRootMounts(IStorageFactory $loader): array {
-		$objectStore = $this->config->getSystemValue('objectstore', null);
-		$objectStoreMultiBucket = $this->config->getSystemValue('objectstore_multibucket', null);
+		$objectStoreConfig = $this->objectStoreConfig->getObjectStoreConfigForRoot();
 
-		if ($objectStoreMultiBucket) {
-			return [$this->getMultiBucketStoreRootMount($loader, $objectStoreMultiBucket)];
-		} elseif ($objectStore) {
-			return [$this->getObjectStoreRootMount($loader, $objectStore)];
+		if ($objectStoreConfig) {
+			return [$this->getObjectStoreRootMount($loader, $objectStoreConfig)];
 		} else {
 			return [$this->getLocalRootMount($loader)];
 		}
 	}
 
-	private function validateObjectStoreConfig(array &$config) {
-		if (empty($config['class'])) {
-			$this->logger->error('No class given for objectstore', ['app' => 'files']);
-		}
-		if (!isset($config['arguments'])) {
-			$config['arguments'] = [];
-		}
-
-		// instantiate object store implementation
-		$name = $config['class'];
-		if (str_starts_with($name, 'OCA\\') && substr_count($name, '\\') >= 2) {
-			$segments = explode('\\', $name);
-			OC_App::loadApp(strtolower($segments[1]));
-		}
-	}
-
 	private function getLocalRootMount(IStorageFactory $loader): MountPoint {
 		$configDataDirectory = $this->config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data');
 		return new MountPoint(LocalRootStorage::class, '/', ['datadir' => $configDataDirectory], $loader, null, null, self::class);
 	}
 
-	private function getObjectStoreRootMount(IStorageFactory $loader, array $config): MountPoint {
-		$this->validateObjectStoreConfig($config);
-
-		$config['arguments']['objectstore'] = new $config['class']($config['arguments']);
-		// mount with plain / root object store implementation
-		$config['class'] = ObjectStoreStorage::class;
-
-		return new MountPoint($config['class'], '/', $config['arguments'], $loader, null, null, self::class);
-	}
-
-	private function getMultiBucketStoreRootMount(IStorageFactory $loader, array $config): MountPoint {
-		$this->validateObjectStoreConfig($config);
-
-		if (!isset($config['arguments']['bucket'])) {
-			$config['arguments']['bucket'] = '';
-		}
-		// put the root FS always in first bucket for multibucket configuration
-		$config['arguments']['bucket'] .= '0';
-
-		$config['arguments']['objectstore'] = new $config['class']($config['arguments']);
-		// mount with plain / root object store implementation
-		$config['class'] = ObjectStoreStorage::class;
+	private function getObjectStoreRootMount(IStorageFactory $loader, array $objectStoreConfig): MountPoint {
+		$arguments = array_merge($objectStoreConfig['arguments'], [
+			'objectstore' => $this->objectStoreConfig->buildObjectStore($objectStoreConfig),
+		]);
 
-		return new MountPoint($config['class'], '/', $config['arguments'], $loader, null, null, self::class);
+		return new MountPoint(ObjectStoreStorage::class, '/', $arguments, $loader, null, null, self::class);
 	}
 }
diff --git a/lib/private/Files/ObjectStore/ObjectStoreStorage.php b/lib/private/Files/ObjectStore/ObjectStoreStorage.php
index ebe87399ab4..36b1a7a1c95 100644
--- a/lib/private/Files/ObjectStore/ObjectStoreStorage.php
+++ b/lib/private/Files/ObjectStore/ObjectStoreStorage.php
@@ -67,7 +67,7 @@ class ObjectStoreStorage extends \OC\Files\Storage\Common implements IChunkedFil
 		$this->logger = \OCP\Server::get(LoggerInterface::class);
 	}
 
-	public function mkdir(string $path, bool $force = false): bool {
+	public function mkdir(string $path, bool $force = false, array $metadata = []): bool {
 		$path = $this->normalizePath($path);
 		if (!$force && $this->file_exists($path)) {
 			$this->logger->warning("Tried to create an object store folder that already exists: $path");
@@ -77,7 +77,7 @@ class ObjectStoreStorage extends \OC\Files\Storage\Common implements IChunkedFil
 		$mTime = time();
 		$data = [
 			'mimetype' => 'httpd/unix-directory',
-			'size' => 0,
+			'size' => $metadata['size'] ?? 0,
 			'mtime' => $mTime,
 			'storage_mtime' => $mTime,
 			'permissions' => \OCP\Constants::PERMISSION_ALL,
@@ -709,7 +709,7 @@ class ObjectStoreStorage extends \OC\Files\Storage\Common implements IChunkedFil
 			if ($cache->inCache($to)) {
 				$cache->remove($to);
 			}
-			$this->mkdir($to);
+			$this->mkdir($to, false, ['size' => $sourceEntry->getSize()]);
 
 			foreach ($sourceCache->getFolderContentsById($sourceEntry->getId()) as $child) {
 				$this->copyInner($sourceCache, $child, $to . '/' . $child->getName());
diff --git a/lib/private/Files/ObjectStore/PrimaryObjectStoreConfig.php b/lib/private/Files/ObjectStore/PrimaryObjectStoreConfig.php
new file mode 100644
index 00000000000..fdfe989addc
--- /dev/null
+++ b/lib/private/Files/ObjectStore/PrimaryObjectStoreConfig.php
@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+namespace OC\Files\ObjectStore;
+
+use OCP\App\IAppManager;
+use OCP\Files\ObjectStore\IObjectStore;
+use OCP\IConfig;
+use OCP\IUser;
+
+/**
+ * @psalm-type ObjectStoreConfig array{class: class-string<IObjectStore>, arguments: array{multibucket: bool, ...}}
+ */
+class PrimaryObjectStoreConfig {
+	public function __construct(
+		private readonly IConfig $config,
+		private readonly IAppManager $appManager,
+	) {
+	}
+
+	/**
+	 * @param ObjectStoreConfig $config
+	 */
+	public function buildObjectStore(array $config): IObjectStore {
+		return new $config['class']($config['arguments']);
+	}
+
+	/**
+	 * @return ?ObjectStoreConfig
+	 */
+	public function getObjectStoreConfigForRoot(): ?array {
+		$config = $this->getObjectStoreConfig();
+
+		if ($config && $config['arguments']['multibucket']) {
+			if (!isset($config['arguments']['bucket'])) {
+				$config['arguments']['bucket'] = '';
+			}
+
+			// put the root FS always in first bucket for multibucket configuration
+			$config['arguments']['bucket'] .= '0';
+		}
+		return $config;
+	}
+
+	/**
+	 * @return ?ObjectStoreConfig
+	 */
+	public function getObjectStoreConfigForUser(IUser $user): ?array {
+		$config = $this->getObjectStoreConfig();
+
+		if ($config && $config['arguments']['multibucket']) {
+			$config['arguments']['bucket'] = $this->getBucketForUser($user, $config);
+		}
+		return $config;
+	}
+
+	/**
+	 * @return ?ObjectStoreConfig
+	 */
+	private function getObjectStoreConfig(): ?array {
+		$objectStore = $this->config->getSystemValue('objectstore', null);
+		$objectStoreMultiBucket = $this->config->getSystemValue('objectstore_multibucket', null);
+
+		// new-style multibucket config uses the same 'objectstore' key but sets `'multibucket' => true`, transparently upgrade older style config
+		if ($objectStoreMultiBucket) {
+			$objectStoreMultiBucket['arguments']['multibucket'] = true;
+			return $this->validateObjectStoreConfig($objectStoreMultiBucket);
+		} elseif ($objectStore) {
+			return $this->validateObjectStoreConfig($objectStore);
+		} else {
+			return null;
+		}
+	}
+
+	/**
+	 * @return ObjectStoreConfig
+	 */
+	private function validateObjectStoreConfig(array $config) {
+		if (!isset($config['class'])) {
+			throw new \Exception('No class configured for object store');
+		}
+		if (!isset($config['arguments'])) {
+			$config['arguments'] = [];
+		}
+		$class = $config['class'];
+		$arguments = $config['arguments'];
+		if (!is_array($arguments)) {
+			throw new \Exception('Configured object store arguments are not an array');
+		}
+		if (!isset($arguments['multibucket'])) {
+			$arguments['multibucket'] = false;
+		}
+		if (!is_bool($arguments['multibucket'])) {
+			throw new \Exception('arguments.multibucket must be a boolean in object store configuration');
+		}
+
+		if (!is_string($class)) {
+			throw new \Exception('Configured class for object store is not a string');
+		}
+
+		if (str_starts_with($class, 'OCA\\') && substr_count($class, '\\') >= 2) {
+			[$appId] = explode('\\', $class);
+			$this->appManager->loadApp(strtolower($appId));
+		}
+
+		if (!is_a($class, IObjectStore::class, true)) {
+			throw new \Exception('Configured class for object store is not an object store');
+		}
+		return [
+			'class' => $class,
+			'arguments' => $arguments,
+		];
+	}
+
+	private function getBucketForUser(IUser $user, array $config): string {
+		$bucket = $this->config->getUserValue($user->getUID(), 'homeobjectstore', 'bucket', null);
+
+		if ($bucket === null) {
+			/*
+			 * Use any provided bucket argument as prefix
+			 * and add the mapping from username => bucket
+			 */
+			if (!isset($config['arguments']['bucket'])) {
+				$config['arguments']['bucket'] = '';
+			}
+			$mapper = new Mapper($user, $this->config);
+			$numBuckets = isset($config['arguments']['num_buckets']) ? $config['arguments']['num_buckets'] : 64;
+			$bucket = $config['arguments']['bucket'] . $mapper->getBucket($numBuckets);
+
+			$this->config->setUserValue($user->getUID(), 'homeobjectstore', 'bucket', $bucket);
+		}
+
+		return $bucket;
+	}
+}
diff --git a/lib/private/Files/View.php b/lib/private/Files/View.php
index 6832b4e1551..63eecf5e1d6 100644
--- a/lib/private/Files/View.php
+++ b/lib/private/Files/View.php
@@ -938,7 +938,7 @@ class View {
 
 			try {
 				$exists = $this->file_exists($target);
-				if ($this->shouldEmitHooks()) {
+				if ($this->shouldEmitHooks($target)) {
 					\OC_Hook::emit(
 						Filesystem::CLASSNAME,
 						Filesystem::signal_copy,
@@ -978,7 +978,7 @@ class View {
 					$this->changeLock($target, ILockingProvider::LOCK_SHARED);
 					$lockTypePath2 = ILockingProvider::LOCK_SHARED;
 
-					if ($this->shouldEmitHooks() && $result !== false) {
+					if ($this->shouldEmitHooks($target) && $result !== false) {
 						\OC_Hook::emit(
 							Filesystem::CLASSNAME,
 							Filesystem::signal_post_copy,
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index f32b0e5919a..60896ec429d 100644
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
@@ -341,6 +341,9 @@ class Installer {
 					// otherwise we just copy the outer directory
 					$this->copyRecursive($extractDir, $baseDir);
 					Files::rmdirr($extractDir);
+					if (function_exists('opcache_reset')) {
+						opcache_reset();
+					}
 					return;
 				}
 				// Signature does not match
diff --git a/lib/private/Server.php b/lib/private/Server.php
index ea8c1ce3797..bf07ee355ea 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -55,6 +55,7 @@ use OC\Files\Mount\RootMountProvider;
 use OC\Files\Node\HookConnector;
 use OC\Files\Node\LazyRoot;
 use OC\Files\Node\Root;
+use OC\Files\ObjectStore\PrimaryObjectStoreConfig;
 use OC\Files\SetupManager;
 use OC\Files\Storage\StorageFactory;
 use OC\Files\Template\TemplateManager;
@@ -819,10 +820,11 @@ class Server extends ServerContainer implements IServerContainer {
 
 			$config = $c->get(\OCP\IConfig::class);
 			$logger = $c->get(LoggerInterface::class);
+			$objectStoreConfig = $c->get(PrimaryObjectStoreConfig::class);
 			$manager->registerProvider(new CacheMountProvider($config));
 			$manager->registerHomeProvider(new LocalHomeMountProvider());
-			$manager->registerHomeProvider(new ObjectHomeMountProvider($config));
-			$manager->registerRootProvider(new RootMountProvider($config, $c->get(LoggerInterface::class)));
+			$manager->registerHomeProvider(new ObjectHomeMountProvider($objectStoreConfig));
+			$manager->registerRootProvider(new RootMountProvider($objectStoreConfig, $config));
 			$manager->registerRootProvider(new ObjectStorePreviewCacheMountProvider($logger, $config));
 
 			return $manager;
diff --git a/lib/private/Settings/DeclarativeManager.php b/lib/private/Settings/DeclarativeManager.php
index dea0c678f20..534b4b19984 100644
--- a/lib/private/Settings/DeclarativeManager.php
+++ b/lib/private/Settings/DeclarativeManager.php
@@ -15,6 +15,7 @@ use OCP\IAppConfig;
 use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IUser;
+use OCP\Security\ICrypto;
 use OCP\Server;
 use OCP\Settings\DeclarativeSettingsTypes;
 use OCP\Settings\Events\DeclarativeSettingsGetValueEvent;
@@ -49,6 +50,7 @@ class DeclarativeManager implements IDeclarativeManager {
 		private IConfig $config,
 		private IAppConfig $appConfig,
 		private LoggerInterface $logger,
+		private ICrypto $crypto,
 	) {
 	}
 
@@ -266,7 +268,7 @@ class DeclarativeManager implements IDeclarativeManager {
 				$this->eventDispatcher->dispatchTyped(new DeclarativeSettingsSetValueEvent($user, $app, $formId, $fieldId, $value));
 				break;
 			case DeclarativeSettingsTypes::STORAGE_TYPE_INTERNAL:
-				$this->saveInternalValue($user, $app, $fieldId, $value);
+				$this->saveInternalValue($user, $app, $formId, $fieldId, $value);
 				break;
 			default:
 				throw new Exception('Unknown storage type "' . $storageType . '"');
@@ -290,18 +292,52 @@ class DeclarativeManager implements IDeclarativeManager {
 	private function getInternalValue(IUser $user, string $app, string $formId, string $fieldId): mixed {
 		$sectionType = $this->getSectionType($app, $fieldId);
 		$defaultValue = $this->getDefaultValue($app, $formId, $fieldId);
+
+		$field = $this->getSchemaField($app, $formId, $fieldId);
+		$isSensitive = $field !== null && isset($field['sensitive']) && $field['sensitive'] === true;
+
 		switch ($sectionType) {
 			case DeclarativeSettingsTypes::SECTION_TYPE_ADMIN:
-				return $this->config->getAppValue($app, $fieldId, $defaultValue);
+				$value = $this->config->getAppValue($app, $fieldId, $defaultValue);
+				break;
 			case DeclarativeSettingsTypes::SECTION_TYPE_PERSONAL:
-				return $this->config->getUserValue($user->getUID(), $app, $fieldId, $defaultValue);
+				$value = $this->config->getUserValue($user->getUID(), $app, $fieldId, $defaultValue);
+				break;
 			default:
 				throw new Exception('Unknown section type "' . $sectionType . '"');
 		}
+		if ($isSensitive && $value !== '') {
+			try {
+				$value = $this->crypto->decrypt($value);
+			} catch (Exception $e) {
+				$this->logger->warning('Failed to decrypt sensitive value for field {field} in app {app}: {message}', [
+					'field' => $fieldId,
+					'app' => $app,
+					'message' => $e->getMessage(),
+				]);
+				$value = $defaultValue;
+			}
+		}
+		return $value;
 	}
 
-	private function saveInternalValue(IUser $user, string $app, string $fieldId, mixed $value): void {
+	private function saveInternalValue(IUser $user, string $app, string $formId, string $fieldId, mixed $value): void {
 		$sectionType = $this->getSectionType($app, $fieldId);
+
+		$field = $this->getSchemaField($app, $formId, $fieldId);
+		if ($field !== null && isset($field['sensitive']) && $field['sensitive'] === true && $value !== '' && $value !== 'dummySecret') {
+			try {
+				$value = $this->crypto->encrypt($value);
+			} catch (Exception $e) {
+				$this->logger->warning('Failed to decrypt sensitive value for field {field} in app {app}: {message}', [
+					'field' => $fieldId,
+					'app' => $app,
+					'message' => $e->getMessage()]
+				);
+				throw new Exception('Failed to encrypt sensitive value');
+			}
+		}
+
 		switch ($sectionType) {
 			case DeclarativeSettingsTypes::SECTION_TYPE_ADMIN:
 				$this->appConfig->setValueString($app, $fieldId, $value);
@@ -314,6 +350,27 @@ class DeclarativeManager implements IDeclarativeManager {
 		}
 	}
 
+	private function getSchemaField(string $app, string $formId, string $fieldId): ?array {
+		$form = $this->getForm($app, $formId);
+		if ($form !== null) {
+			foreach ($form->getSchema()['fields'] as $field) {
+				if ($field['id'] === $fieldId) {
+					return $field;
+				}
+			}
+		}
+		foreach ($this->appSchemas[$app] ?? [] as $schema) {
+			if ($schema['id'] === $formId) {
+				foreach ($schema['fields'] as $field) {
+					if ($field['id'] === $fieldId) {
+						return $field;
+					}
+				}
+			}
+		}
+		return null;
+	}
+
 	private function getDefaultValue(string $app, string $formId, string $fieldId): mixed {
 		foreach ($this->appSchemas[$app] as $schema) {
 			if ($schema['id'] === $formId) {
@@ -391,6 +448,12 @@ class DeclarativeManager implements IDeclarativeManager {
 				]);
 				return false;
 			}
+			if (isset($field['sensitive']) && $field['sensitive'] === true && !in_array($field['type'], [DeclarativeSettingsTypes::TEXT, DeclarativeSettingsTypes::PASSWORD])) {
+				$this->logger->warning('Declarative settings: sensitive field type is supported only for TEXT and PASSWORD types ({app}, {form_id}, {field_id})', [
+					'app' => $appId, 'form_id' => $formId, 'field_id' => $fieldId,
+				]);
+				return false;
+			}
 			if (!$this->validateField($appId, $formId, $field)) {
 				return false;
 			}
diff --git a/lib/private/User/Manager.php b/lib/private/User/Manager.php
index ca5d90f8c00..229f3138e6d 100644
--- a/lib/private/User/Manager.php
+++ b/lib/private/User/Manager.php
@@ -724,7 +724,8 @@ class Manager extends PublicEmitter implements IUserManager {
 
 		// User ID is too long
 		if (strlen($uid) > IUser::MAX_USERID_LENGTH) {
-			throw new \InvalidArgumentException($l->t('Login is too long'));
+			// TRANSLATORS User ID is too long
+			throw new \InvalidArgumentException($l->t('Username is too long'));
 		}
 
 		if (!$this->verifyUid($uid, $checkDataDirectory)) {