[Bug]: Members of circle cannot access shared folders. Removed user can still access/modify files

Open gonzalo opened this issue 1 year ago • 6 comments

⚠️ This issue respects the following points: ⚠️

  • [X] This is a bug, not a question or a configuration/webserver/proxy issue.
  • [X] This issue is not already reported on Github (I've searched it).
  • [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

Using Nextcloud 25.0.6.1, almost fresh installation. Create a Circle and add users to it as members, create a folder and share it with the circle members. Then access with a regular member of the circle… and the share is not shown in the user space.

Then promote the user to “Moderator” and check again; the share is now shown. Then the most worrying part comes: demote the user again to “Member” and the share is still shown! But things can get even worse!! I REMOVE the user from the circle and the share is still available: the user can read, add or remove files and folders.

I consider this an extremely severe security issue, as the user can alter contents.

This behaviour has been reported in the past to the GitHub repository but was never answered.

(FYI, I’ve found that although the “delete user from circle” request returns a 200 code and removes the user from the UI, the user is not truly removed. Refreshing the page shows the user again with the same level; no errors are shown in the Nextcloud log.)

Our only “strange” app that we use is SSO & SAML authentication.

Steps to reproduce

  1. Create User (UserA) to manage the circle
  2. Create circle CircleA (UserA)
  3. Add another user (UserB) as "member" to CircleA
  4. Create a folder ShareA and share it with CircleA
  5. Access Nextcloud as UserB; folder ShareA is not shown
  6. Promote UserB to Moderator; folder ShareA is now shown in UserB's filesystem
  7. Demote UserB to Member; folder ShareA is still shown in UserB's filesystem
  8. Remove UserB from CircleA: code 200 received, the user is removed from the UI circle list, but the files are still available. If you refresh the circle page the user is shown again. The user has not been removed from the circle (I tried with an admin and a circle owner, same result)

Expected behavior

  1. Member users of a circle should be able to access the shared resources without having to be moderators.
  2. Admins/Owners/Moderators should be able to remove a user from a circle
  3. If the UI confirms a user is removed, it should be effectively removed, not depending on a page refresh

Installation method

Community Web installer on a VPS or web space

Nextcloud Server version

25

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • [ ] Default user-backend (database)
  • [ ] LDAP/ Active Directory
  • [X] SSO - SAML
  • [ ] Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "default_language": "es",
        "default_locale": "es_ES",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "tempdirectory": "\/***REMOVED SENSITIVE VALUE***\/temp",
        "version": "25.0.6.1",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "dbtype": "mysql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "dbindex": 0
        },
        "default_phone_region": "ES",
        "maintenance": false,
        "theme": "",
        "loglevel": 3,
        "log_type": "file",
        "logfile": "\/***REMOVED SENSITIVE VALUE***\/nextcloud_logs\/nextcloud.log",
        "log_type_audit": "file",
        "logfile_audit": "\/***REMOVED SENSITIVE VALUE***\/nextcloud_logs\/audit.log",
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "updater.release.channel": "stable",
        "lost_password_link": "disabled",
        "defaultapp": "files",
        "allow_user_to_change_display_name": false,
        "hide_login_form": false,
        "skeletondirectory": "\/aplica\/nextcloud\/www\/assets\/skeleton",
        "templatedirectory": "\/aplica\/nextcloud\/www\/assets\/templates",
        "activity_expire_days": 90,
        "config_is_read_only": true
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.2.0
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_accesscontrol: 1.15.1
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - photos: 2.0.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.4
  - richdocuments: 7.1.3
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_saml: 5.1.2
  - user_status: 1.5.0
  - viewer: 1.9.0
  - workflowengine: 2.7.0
Disabled:
  - bruteforcesettings
  - encryption
  - files_external
  - firstrunwizard: 2.14.0
  - password_policy: 1.15.0
  - survey_client: 1.13.0
  - suspicious_login
  - twofactor_totp
  - user_ldap
  - weather_status: 1.5.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

(no significant information on logs as last errors refer to older times)

Error	activity	OCP\RichObjectStrings\InvalidObjectExeption: Parameter is undefined		2023-05-09T13:05:06+0200
Error	activity	OCP\RichObjectStrings\InvalidObjectExeption: Parameter is undefined		2023-05-09T13:04:55+0200
Error	activity	OCP\RichObjectStrings\InvalidObjectExeption: Parameter is undefined		2023-05-09T13:04:21+0200
Error	activity	OCP\RichObjectStrings\InvalidObjectExeption: Parameter is undefined		2023-05-09T13:04:10+0200
Error	activity	OCP\RichObjectStrings\InvalidObjectExeption: Parameter is undefined		2023-05-09T12:35:52+0200
Error	activity	OCP\RichObjectStrings\InvalidObjectExeption: Parameter is undefined		2023-05-09T11:56:38+0200

Additional info

--

gonzalo, May 09 '23 12:05
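An added audit check for step 8 of the report above (example code, not from the reporter or the Circles project): it pulls the audited user's "shared with me" list through Nextcloud's OCS share API and flags any circle share whose circle the user should no longer belong to, together with the permissions that share still grants. The server URL, credentials and circle ids are placeholders, and the sample OCS response is constructed.

```python
import base64
import json
import urllib.request

# Constants from OCP\Share\IShare (circle share type) and OCP\Constants (permission bits).
SHARE_TYPE_CIRCLE = 7
PERMISSION_BITS = {1: "read", 2: "update", 4: "create", 8: "delete", 16: "share"}
OCS_SHARED_WITH_ME = "/ocs/v2.php/apps/files_sharing/api/v1/shares?shared_with_me=true&format=json"


def fetch_shared_with_me(base_url, user, password, timeout=30):
    """Fetch 'shared with me' for the audited user via the OCS share API (network; not used in tests)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + OCS_SHARED_WITH_ME,
                                 headers={"OCS-APIRequest": "true", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def describe_permissions(mask):
    """Translate a share permission bitmask (31 = everything) into the granted operations."""
    return [name for bit, name in PERMISSION_BITS.items() if int(mask) & bit]


def circle_shares(ocs_json):
    """(path, circle id, permissions) for every circle-type share in an OCS response."""
    return [(s["path"], s["share_with"], describe_permissions(s["permissions"]))
            for s in ocs_json["ocs"]["data"] if int(s["share_type"]) == SHARE_TYPE_CIRCLE]


def stale_circle_shares(ocs_json, current_circles):
    """Circle shares whose circle the user no longer belongs to; expected to be empty."""
    return [entry for entry in circle_shares(ocs_json) if entry[1] not in current_circles]


# Constructed sample (not a captured response): UserB still sees ShareA via CircleA.
SAMPLE_OCS = {"ocs": {"meta": {"status": "ok", "statuscode": 200}, "data": [
    {"id": "12", "share_type": 7, "share_with": "circleA-id", "path": "/ShareA", "permissions": 31},
    {"id": "13", "share_type": 0, "share_with": "UserB", "path": "/Notes.md", "permissions": 1},
]}}

if __name__ == "__main__":
    # Live run: data = fetch_shared_with_me("https://cloud.example", "UserB", "<app-password>")
    # and current_circles = the circle ids UserB should still be a member of (empty after removal).
    for path, circle, perms in stale_circle_shares(SAMPLE_OCS, current_circles=set()):
        print(f"STALE: {path} via circle {circle} grants {', '.join(perms)}")
```

Run it as UserB right after the removal in step 8; any line printed is a share the removed member can still reach, and the permission list shows whether that access is read-only or includes create/update/delete.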