[Bug]: Update to Nextcloud 29 has changed ACL permissions #3403

Open
ohashi-haruka opened this issue Nov 8, 2024 · 2 comments
Labels
0. Needs triage Issues that need to be triaged bug

@ohashi-haruka

Steps to reproduce

  1. Create groupfolders with subfolders, and set specific ACL permissions on each subfolder.
  2. Update from Nextcloud 28.0.6 to 29.0.5.
  3. Execute a PROPFIND request with curl and check the nc:acl-permissions:
curl -sS -X PROPFIND -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
  <d:prop>
    <oc:fileid/>
    <nc:inherited-acl-list/>
    <nc:acl-list/>
  </d:prop>
</d:propfind>'

Expected behaviour

  • Post-update, there should be no changes to nc:acl-permissions.
  • Users should retain the same permissions and be able to perform all file operations as before the update.
  • The nc:acl-mask values should remain unchanged unless intentionally modified.

Actual behaviour

After updating from Nextcloud 28.0.6 to 29.0.5, the permissions for certain subfolders in some groupfolders with the Advanced Permissions setting enabled have changed unexpectedly.
This change results in:

  • The "+New" button being grayed out for affected users.
  • Those users being unable to perform file operations (e.g., upload, create, edit, or delete files) within these folders.

Although there were no changes in the oc_group_folders_acl table in the database, when checking the nc:acl-permissions values through a PROPFIND request with curl, the values had changed to 0.

To resolve this issue, I ran occ groupfolders:scan, occ files:scan, and occ files:cleanup, but the issue persisted.

I attempted to restore the permissions using a PROPPATCH request with curl, which allowed file uploads, but the PROPFIND results remained unchanged.

curl -sS -X PROPPATCH  -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propertyupdate xmlns:d="DAV:" xmlns:nc="http://nextcloud.org/ns">
  <d:set>
    <d:prop>
      <nc:acl-list>
          <nc:acl>
            <nc:acl-mapping-type>group</nc:acl-mapping-type>
            <nc:acl-mapping-id>admin</nc:acl-mapping-id>
            <nc:acl-mapping-display-name>admin</nc:acl-mapping-display-name>
            <nc:acl-mask>0</nc:acl-mask>
            <nc:acl-permissions>31</nc:acl-permissions>
          </nc:acl>
      </nc:acl-list>
    </d:prop>
  </d:set>
</d:propertyupdate>'

After running occ groupfolders:permissions, file uploads became possible. Regarding the PROPFIND results, nc:acl-permissions returned to the expected values; however, nc:acl-mask was unintentionally changed to 31 for all entries.

This issue didn't occur when updating to Nextcloud 28.0.11.

Server configuration

Operating system: Amazon Linux release 2 (Karoo)

Web server: Apache

Database: MariaDB

PHP version: PHP 8.2

Nextcloud version: (see Nextcloud admin page) 29.0.5

Group folders version: 17.0.5

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded to a MAJOR version (ex. 28 to 29)

Where did you install Nextcloud from:

Are you using external storage, if yes which one:

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP

Configuration report:
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "JP",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwritewebroot": "\/nextcloud",
        "dbtype": "mysql",
        "version": "29.0.5.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "log_type": "file",
        "logfile": "nextcloud.log",
        "loglevel": 1,
        "logtimezone": "Asia\/Tokyo",
        "logdateformat": "F d, Y H:i:s",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "theme": "",
        "auth.bruteforce.protection.enabled": false,
        "integrity.check.disabled": true,
        "mail_smtpauthtype": "",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "groupfolders"
        ],
        "trashbin_retention_obligation": "auto, 14",
        "mail_smtpport": "4"
    }
}

List of activated Apps:
Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - files: 2.1.1
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - groupfolders: 17.0.5
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_ldap: 1.20.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - bruteforcesettings: 2.9.0 (installed 1.0.3)
  - circles: 29.0.0-dev (installed 24.0.1)
  - dashboard: 7.9.0 (installed 7.1.0)
  - encryption: 2.17.0
  - federation: 1.19.0 (installed 1.14.0)
  - files_downloadlimit: 2.0.0 (installed 2.0.0)
  - password_policy: 1.19.0 (installed 1.2.2)
  - recommendations: 2.1.0 (installed 1.3.0)
  - sharebymail: 1.19.0 (installed 1.2.0)
  - support: 1.12.0 (installed 1.4.0)
  - survey_client: 1.17.0 (installed 1.1.0)
  - suspicious_login: 7.0.0
  - twofactor_totp: 11.0.0-dev
  - user_status: 1.9.0 (installed 1.1.1)
  - weather_status: 1.9.0 (installed 1.1.0)

Client configuration

Browser:

Operating system:

ohashi-haruka added the 0. Needs triage and bug labels on Nov 8, 2024
@sparunakian

I encountered the same change of behavior. It seems to come from this commit: afeef5c

@knuff22

knuff22 commented Nov 27, 2024

Based on the steps to reproduce described by the issue author, I now understand the specific conditions.

In Nextcloud version 29.0.9, specifying "Inherit permission" in advanced permission rules causes permissions not to be applied.
The issue can be reproduced with the following steps:

  1. Enable the advanced permissions setting on a groupfolder.
  2. In the group folder or its subfolder, configure an Advanced Permission rule by assigning it to a user or group.
  3. Specify "Inherit permission" for each permission. The issue did not occur when 'Allow' or 'Deny' was specified.
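
An added example, not part of the original report or of the groupfolders code: a snapshot comparison for the PROPFIND check used in this issue. It parses nc:acl-list from saved responses taken before and after an upgrade and lists every rule whose nc:acl-mask or nc:acl-permissions changed. The response nesting is assumed to mirror the PROPPATCH body in the report, and the sample values (mask 0 / permissions 31, then 0 / 0, then 31 / 31) are constructed to match the states the report describes.

```python
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "nc": "http://nextcloud.org/ns"}

def _num(acl, tag):
    text = (acl.findtext(tag, "", NS) or "").strip()
    return int(text) if text else 0  # missing or empty element counts as 0

def parse_acls(multistatus_xml):
    """Return {(href, mapping_type, mapping_id): (mask, permissions)} from nc:acl-list only."""
    rules = {}
    for resp in ET.fromstring(multistatus_xml).findall("d:response", NS):
        href = resp.findtext("d:href", "", NS)
        for acl in resp.findall(".//nc:acl-list/nc:acl", NS):
            key = (href, acl.findtext("nc:acl-mapping-type", "", NS),
                   acl.findtext("nc:acl-mapping-id", "", NS))
            rules[key] = (_num(acl, "nc:acl-mask"), _num(acl, "nc:acl-permissions"))
    return rules

def diff_acls(before, after):
    """List (key, reason, old, new) for every rule that differs between snapshots."""
    findings = []
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        if old is None or new is None:
            reason = "rule added" if old is None else "rule removed"
        elif old[1] != 0 and new[1] == 0:
            reason = "permissions reset to 0"
        elif old[0] != new[0]:
            reason = "mask changed"
        else:
            reason = "permissions changed"
        findings.append((key, reason, old, new))
    return findings

def sample(mask, permissions):
    # Constructed PROPFIND response: one folder, one rule for group "admin".
    return f"""<d:multistatus xmlns:d="DAV:" xmlns:nc="http://nextcloud.org/ns"><d:response>
 <d:href>/remote.php/dav/files/username/path/to/folder/</d:href><d:propstat><d:prop><nc:acl-list><nc:acl>
  <nc:acl-mapping-type>group</nc:acl-mapping-type><nc:acl-mapping-id>admin</nc:acl-mapping-id>
  <nc:acl-mask>{mask}</nc:acl-mask><nc:acl-permissions>{permissions}</nc:acl-permissions>
 </nc:acl></nc:acl-list></d:prop></d:propstat></d:response></d:multistatus>"""

if __name__ == "__main__":
    pre = parse_acls(sample(0, 31))  # constructed pre-upgrade snapshot
    for later in (sample(0, 0), sample(31, 31)):  # the two states the report describes
        print(diff_acls(pre, parse_acls(later)))
```

Saving the PROPFIND output for each ACL-enabled folder before an upgrade gives `diff_acls` a baseline, so a rule that silently changes shows up even when the oc_group_folders_acl table itself is unchanged.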
