files_accesscontrol
OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions - Incompatible with "Terms of service"?
Steps to reproduce
- install terms of service
- create public share
- access the share as a "guest"
Expected behaviour
The function of the app is not affected, but generates an error
Actual behaviour
Do not generate error
Server configuration detail
Operating system: Linux 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
Webserver: nginx/1.18.0 (fpm-fcgi)
Database: MariaDB/mysql 10.5.8
PHP version:
7.4.13 Modules loaded: Core, date, libxml, openssl, pcre, zlib, bz2, calendar, ctype, hash, filter, ftp, gettext, gmp, SPL, iconv, Reflection, session, standard, SimpleXML, sockets, mbstring, tokenizer, xml, cgi-fcgi, mysqlnd, bcmath, curl, dba, dom, enchant, fileinfo, gd, imagick, imap, intl, json, ldap, exif, mysqli, odbc, PDO, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, redis, soap, sodium, sqlite3, sysvmsg, sysvsem, sysvshm, tidy, xmlreader, xmlrpc, xmlwriter, xsl, zip, ionCube Loader, Zend OPcache
Nextcloud version: 20.0.4 - 20.0.4.0
Updated from an older Nextcloud/ownCloud or fresh install: Update from 20.0.3
Where did you install Nextcloud from: download.nextcloud.com
Signing status
Array ( )
List of activated apps
Enabled:
- accessibility: 1.6.0
- activity: 2.13.4
- admin_audit: 1.10.0
- bruteforcesettings: 2.0.1
- calendar: 2.1.2
- cloud_federation_api: 1.3.0
- comments: 1.10.0
- contacts: 3.4.2
- contactsinteraction: 1.1.0
- cookbook: 0.7.7
- dashboard: 7.0.0
- dav: 1.16.2
- federatedfilesharing: 1.10.2
- federation: 1.10.1
- files: 1.15.0
- files_pdfviewer: 2.0.1
- files_readmemd: 1.2.0
- files_rightclick: 0.17.0
- files_sharing: 1.12.1
- files_trashbin: 1.10.1
- files_versions: 1.13.0
- files_videoplayer: 1.9.0
- groupfolders: 8.2.0
- integration_github: 0.0.14
- issuetemplate: 0.7.0
- logreader: 2.5.0
- lookup_server_connector: 1.8.0
- mail: 1.7.2
- nextcloud_announcements: 1.9.0
- notifications: 2.8.0
- oauth2: 1.8.0
- ocdownloader: 1.7.9
- password_policy: 1.10.1
- photos: 1.2.1
- privacy: 1.4.0
- provisioning_api: 1.10.0
- recommendations: 0.8.0
- serverinfo: 1.10.0
- settings: 1.2.0
- sharebymail: 1.10.0
- side_menu: 1.21.0
- support: 1.3.0
- survey_client: 1.8.0
- systemtags: 1.10.0
- terms_of_service: 1.6.1
- text: 3.1.0
- theming: 1.11.0
- theming_customcss: 1.7.0
- twofactor_backupcodes: 1.9.0
- twofactor_totp: 5.0.0
- twofactor_u2f: 6.0.0
- updatenotification: 1.10.0
- user_status: 1.0.1
- viewer: 1.4.0
- weather_status: 1.0.0
- workflowengine: 2.2.0
Disabled:
- encryption
- files_external
- firstrunwizard
- occweb
- user_ldap
Configuration (config/config.php)
{
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"cloud.domain.tld"
],
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.local": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"log_type": "file",
"logtimezone": "Europe\/Berlin",
"logfile": "\/var\/www\/vhosts\/domain.tld\/logs\/cloud.domain.tld\/nextcloud.log",
"loglevel": 2,
"syslog_tag": "Nextcloud",
"simpleSignUpLink.shown": false,
"maintenance": false,
"share_folder": "\/Mit mir geteilt",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "20.0.4.0",
"overwrite.cli.url": "https:\/\/cloud.domain.tld",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"mail_smtpmode": "smtp",
"mail_smtpsecure": "ssl",
"mail_sendmailmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"app_install_overwrite": [
"files_readmemd",
"occweb",
"ocdownloader",
"cookbook"
],
"twofactor_enforced": "true",
"twofactor_enforced_groups": [
"admin"
],
"twofactor_enforced_excluded_groups": [],
"theme": "",
"updater.release.channel": "stable"
}
Are you using external storage, if yes which one: no
Are you using encryption:
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Operating system: Windows 10, IpadOS 14, iOS 14
Logs
Web server error log
No errors listed
Nextcloud log
{"reqId":"JTx5zfGlole328dmzp2E","level":4,"time":"2020-12-21T11:23:23+01:00","remoteAddr":"91.221.58.28","user":"--","app":"webdav","method":"PROPFIND","url":"/public.php/webdav/","message":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\Forbidden","Message":"No read permissions","Code":0,"Trace":[{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Tree.php","line":204,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Server.php","line":905,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Server.php","line":987,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Server.php","line":1678,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":363,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Server.php","line":474,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Server.php","line":251,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/3rdparty/sabre/dav/lib/DAV/Server.php","line":
319,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/apps/dav/appinfo/v1/publicwebdav.php","line":113,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/vhosts/domain.tld/cloud.domain.tld/public.php","line":81,"args":["/var/www/vhosts/domain.tld/cloud.domain.tld/apps/dav/appinfo/v1/publicwebdav.php"],"function":"require_once"}],"File":"/var/www/vhosts/domain.tld/cloud.domain.tld/apps/dav/lib/Connector/Sabre/Directory.php","Line":262,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36","version":"20.0.4.0","id":"5fe0783163102"}
Browser log
The bug still exists in NC 21 (21.0.1).
Same behaviour here. Nextcloud 20.0.8 instance. With the app terms of services activated and external storage of type local, it throws an exception when you try to open the folder and simply can't use or access it.
I'm using an admin account so I guess it has nothing to do with guest or not. Nobody can open the folder.
[webdav] Fatal: OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions at <<closure>>
0. /data/nextcloud/apps/dav/lib/Connector/Sabre/TagsPlugin.php line 226
OCA\DAV\Connector\Sabre\Directory->getChildren()
1. /data/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
OCA\DAV\Connector\Sabre\TagsPlugin->handleGetProperties(Sabre\DAV\PropFind {}, OCA\DAV\Connector\Sabre\Directory {})
2. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1063
Sabre\DAV\Server->emit("propFind", [Sabre\DAV\PropF ... }])
3. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 989
Sabre\DAV\Server->getPropertiesByNode(Sabre\DAV\PropFind {}, OCA\DAV\Connector\Sabre\Directory {})
4. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1678
Sabre\DAV\Server->getPropertiesIteratorForPath("files/user/Synology", ["{DAV:}getlastm ... "], 1)
5. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1661
Sabre\DAV\Server->writeMultiStatus(Sabre\Xml\Writer ... ]}, Generator {}, false)
6. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 363
Sabre\DAV\Server->generateMultiStatus(Generator {}, false)
7. /data/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
Sabre\DAV\CorePlugin->httpPropFind(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
8. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 474
Sabre\DAV\Server->emit("method:PROPFIND", [Sabre\HTTP\Requ ... }])
9. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 251
Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
10. /data/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 319
Sabre\DAV\Server->start()
11. /data/nextcloud/apps/dav/lib/Server.php line 332
Sabre\DAV\Server->exec()
12. /data/nextcloud/apps/dav/appinfo/v2/remote.php line 35
OCA\DAV\Server->exec()
13. /data/nextcloud/remote.php line 167
require_once("/data/nextcloud ... p")
PROPFIND /remote.php/dav/files/user/Synology
from <IP> by user at 2021-04-19T01:11:17+02:00
I have similar troubles without using the "Terms of service" app.
The context is
- a Nextcloud (21.0.1) instance installed through docker
- users and groups taken from LDAP
- a groupfolder named MY-GROUP for a group called MY-GROUP
- 3 groups: MY-GROUP, FOLDER-1, FOLDER-2
- two folders inside the groupfolder called MY-GROUP:
  - one called FOLDER-1 with collaborative tag folder-1
  - another called FOLDER-2 with collaborative tag folder-2
- two file access control workflow rules which look like
  - if file has collaborative tag folder-1 and user is not member of group FOLDER-1, deny access to the file
  - if file has collaborative tag folder-2 and user is not member of group FOLDER-2, deny access to the file
- a calendar created by the admin user shared (read and write) with the group MY-GROUP
The idea is to block access to some folders to people not in some groups.
Here is an example of a log I get very often for each user with access denied to the two folders protected via access control:
Fatal webdav OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions at apps/dav/lib/Connector/Sabre/Directory.php line 263 2021-04-26T15:43:59+00:00
0. 3rdparty/sabre/dav/lib/DAV/Tree.php line 200
OCA\DAV\Connector\Sabre\Directory->getChildren(
)
1. 3rdparty/sabre/dav/lib/DAV/Server.php line 900
Sabre\DAV\Tree->getChildren("files\/USERNAME-HERE\/MY-GROUP\/FOLDER-1")
2. 3rdparty/sabre/dav/lib/DAV/Server.php line 982
Sabre\DAV\Server->generatePathNodes(Sabre\DAV\PropFind {}, [Sabre\DAV\PropFind {},OCA\DAV\Connector\Sabre\Directory {}])
3. 3rdparty/sabre/dav/lib/DAV/Server.php line 1661
Sabre\DAV\Server->getPropertiesIteratorForPath(
"files\/USERNAME-HERE\/MY-GROUP\/FOLDER-1",
["{DAV:}resourcetype","{DAV:}getlastmodified","{DAV:}getcontentlength","{DAV ... "],
1
)
4. 3rdparty/sabre/dav/lib/DAV/Server.php line 1646
Sabre\DAV\Server->writeMultiStatus(
Sabre\Xml\Writer {elementMap:[],contextUri:"\/remote.php\/dav\/",namespaceMap:{DAV::"d", ... ]},
Generator {},
false
)
5. 3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 346
Sabre\DAV\Server->generateMultiStatus(Generator {}, false)
6. 3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
Sabre\DAV\CorePlugin->httpPropFind(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
7. 3rdparty/sabre/dav/lib/DAV/Server.php line 472
Sabre\DAV\Server->emit("method:PROPFIND", [Sabre\HTTP\Request {},Sabre\HTTP\Response {}])
8. 3rdparty/sabre/dav/lib/DAV/Server.php line 253
Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
9. 3rdparty/sabre/dav/lib/DAV/Server.php line 321
Sabre\DAV\Server->start(
)
10. apps/dav/lib/Server.php line 332
Sabre\DAV\Server->exec(
)
11. apps/dav/appinfo/v2/remote.php line 35
OCA\DAV\Server->exec(
)
12. remote.php line 167
require_once("\/var\/www\/html\/apps\/dav\/appinfo\/v2\/remote.php")
Fatal webdav OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions at apps/dav/lib/Connector/Sabre/Directory.php line 263 2021-04-26T15:44:00+00:00
0. 3rdparty/sabre/dav/lib/DAV/Tree.php line 200
OCA\DAV\Connector\Sabre\Directory->getChildren(
)
1. 3rdparty/sabre/dav/lib/DAV/Server.php line 900
Sabre\DAV\Tree->getChildren("files\/USERNAME-HERE\/MY-GROUP\/FOLDER-2")
2. 3rdparty/sabre/dav/lib/DAV/Server.php line 982
Sabre\DAV\Server->generatePathNodes(Sabre\DAV\PropFind {}, [Sabre\DAV\PropFind {},OCA\DAV\Connector\Sabre\Directory {}])
3. 3rdparty/sabre/dav/lib/DAV/Server.php line 1661
Sabre\DAV\Server->getPropertiesIteratorForPath(
"files\/USERNAME-HERE\/MY-GROUP\/FOLDER-2",
["{DAV:}resourcetype","{DAV:}getlastmodified","{DAV:}getcontentlength","{DAV ... "],
1
)
4. 3rdparty/sabre/dav/lib/DAV/Server.php line 1646
Sabre\DAV\Server->writeMultiStatus(
Sabre\Xml\Writer {elementMap:[],contextUri:"\/remote.php\/dav\/",namespaceMap:{DAV::"d", ... ]},
Generator {},
false
)
5. 3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 346
Sabre\DAV\Server->generateMultiStatus(Generator {}, false)
6. 3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
Sabre\DAV\CorePlugin->httpPropFind(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
7. 3rdparty/sabre/dav/lib/DAV/Server.php line 472
Sabre\DAV\Server->emit("method:PROPFIND", [Sabre\HTTP\Request {},Sabre\HTTP\Response {}])
8. 3rdparty/sabre/dav/lib/DAV/Server.php line 253
Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
9. 3rdparty/sabre/dav/lib/DAV/Server.php line 321
Sabre\DAV\Server->start(
)
10. apps/dav/lib/Server.php line 332
Sabre\DAV\Server->exec(
)
11. apps/dav/appinfo/v2/remote.php line 35
OCA\DAV\Server->exec(
)
12. remote.php line 167
require_once("\/var\/www\/html\/apps\/dav\/appinfo\/v2\/remote.php")
I may understand it badly but I thought Sabre is used only for Cal/CardDAV, so I do not understand the link between my configuration (workflows) and the log (as soon as I removed the workflow rules the log seems to disappear).
I have NC 21.0.2 now with PHP 7.4 and yes, also file_accesscontrol is in use.
But with the last 20.0.9 I had in use before upgrading to 21.0.1 a few weeks ago, this error had disappeared. Now it's back.
Somewhere else I have read that the error message doesn't have an impact on the general function of the cloud, but what is a little bit scary is that the error is declared as "Fatal -> webdav" ...
So how to react to those messages in the log?
This is occurring on my installation also. v23.0.2.1
This also occurs on TrueNAS with NextCloud version 23.0.3
Same here NC 24.0.2 with php 8.0. Did anyone manage to find something??
Me too. My NC (23.0.6 via Docker, data dir mapped to external SSD mount) suddenly stopped syncing after creating a new folder on my Macbook in the root nextcloud folder. Log gives these errors.
Rebooting the docker containers did not help.
I can access all the files via web interface, can also access the files on the mounted SSD.
Opening sync settings on the client shows all the root folders, but opening them reveals 'Error while loading the list of folders from the server'
UPDATE: updated to 24.0.3; no changes
UPDATE: I created a group for users root, www-data and my user and made that the group owner for the data dir and set permissions to also have group read and write. Did not change anything. Web still works, sync is broken
SOLVED: weird.. after a couple of hours and leaving it without changing anything, the sync now works without problems
We've been having the same issue with our OpenProject Integration for Nextcloud.
Our integration creates a system user which handles various things and needs the right permissions to do so. But with the TOS (Terms of Service) app installed, this user is denied any permissions, because it hasn't accepted the TOS! So the 'fix' here is to log in as that 'system' user and accept the TOS.
I could imagine that it's a similar issue for the files access control app. For instance the guest user hasn't accepted the TOS so they are denied any access at all even on a public share.
> I could imagine that it's a similar issue for the files access control app. For instance the guest user hasn't accepted the TOS so they are denied any access at all even on a public share.
Guests are excluded from TOS by default: https://github.com/nextcloud/terms_of_service#-display-on-public-shares
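Added example (not part of the thread and not Nextcloud project code): a small triage script for the `Forbidden: No read permissions` entries quoted above, grouping them by anonymous public-share versus authenticated file access, user and path so they can be compared against the access-control or Terms of service rules in place. It assumes the JSON-lines layout of the first log excerpt, where `message` is an object with an `Exception` key; the sample entries, user names and helper names are constructed.

```python
import json
from collections import Counter

FORBIDDEN = "OCA\\DAV\\Connector\\Sabre\\Exception\\Forbidden"

def _entry(user, url, exc=FORBIDDEN):
    """Build one constructed nextcloud.log line with the fields used below."""
    return json.dumps({
        "level": 4, "user": user, "app": "webdav", "method": "PROPFIND", "url": url,
        "message": {"Exception": exc, "Message": "No read permissions",
                    "File": "apps/dav/lib/Connector/Sabre/Directory.php", "Line": 263},
    })

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    _entry("--", "/public.php/webdav/"),
    _entry("alice", "/remote.php/dav/files/alice/MY-GROUP/FOLDER-1"),
    _entry("alice", "/remote.php/dav/files/alice/MY-GROUP/FOLDER-1"),
    _entry("alice", "/remote.php/dav/files/alice/x", exc="Sabre\\DAV\\Exception\\NotFound"),
    json.dumps({"level": 1, "user": "alice", "url": "/index.php", "message": "plain text"}),
    '{"level":4,"user":"bob","message":{"Exception":',  # truncated line
]

def scope(url):
    """Tell anonymous public-share requests apart from authenticated file access."""
    if url.startswith("/public.php/webdav"):
        return "public-share"
    if url.startswith("/remote.php/dav/files/"):
        return "user-files"
    return "other"

def forbidden_events(lines):
    """Yield one dict per Forbidden exception; skip anything that is not one."""
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # wrapped or truncated line
        msg = entry.get("message") if isinstance(entry, dict) else None
        if not isinstance(msg, dict) or msg.get("Exception") != FORBIDDEN:
            continue
        url = entry.get("url") or ""
        yield {"scope": scope(url), "user": entry.get("user"), "url": url,
               "raised_at": f"{msg.get('File')}:{msg.get('Line')}"}

def summarize(lines):
    """Count Forbidden events per (scope, user, url), most frequent first."""
    counts = Counter((e["scope"], e["user"], e["url"]) for e in forbidden_events(lines))
    return counts.most_common()

if __name__ == "__main__":
    for (where, user, url), n in summarize(SAMPLE_LOG):
        print(f"{n:3d}  {where:12s}  {user:8s}  {url}")
```

Repeated `user-files` hits on a path covered by a deny rule are the rule being enforced; `public-share` hits with user `--` are the anonymous case from the original report.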