nextcloud
[Bug]: Update to Nextcloud 29 has changed ACL permissions
How to use GitHub
- Please use the ๐ reaction to show that you are affected by the same issue.
- Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
- Subscribe to receive notifications on status change and new comments.
Steps to reproduce
- Create groupfolders with subfolders, and set specific ACL permissions on each subfolder.
- Update from Nextcloud 28.0.6 to 29.0.5.
- Execute a
PROPFINDrequest with curl and check thenc:acl-permissions:
curl -sS -X PROPFIND -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
<d:prop>
<oc:fileid/>
<nc:inherited-acl-list/>
<nc:acl-list/>
</d:prop>
</d:propfind>'
Expected behaviour
- Post-update, there should be no changes to
nc:acl-permissions. - Users should retain the same permissions and be able to perform all file operations as before the update.
- The
nc:acl-maskvalues should remain unchanged unless intentionally modified.
Actual behaviour
After updating from Nextcloud 28.0.6 to 29.0.5, the permissions for certain subfolders in some groupfolders with Advanced Permissions setting enabled has changed unexpectedly. This change results in:
- The "+New" button being grayed out for affected users.
- Those users being unable to perform file operations (e.g., upload, create, edit, or delete files) within these folders.
Although there were no changes in the oc_group_folders_acl table in the database, when checking the nc:acl-permissions values through a PROPFIND request with curl, the values had changed to 0.
To resolve this issue, I ran occ groupfolders:scan, occ files:scan, and occ files:cleanup, but the issue persisted.
When I attempted to restore the permissions using a PROPPATCH request with curl, which allowed file uploads, but the PROPFIND results remained unchanged.
curl -sS -X PROPPATCH -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propertyupdate xmlns:d="DAV:" xmlns:nc="http://nextcloud.org/ns">
<d:set>
<d:prop>
<nc:acl-list>
<nc:acl>
<nc:acl-mapping-type>group</nc:acl-mapping-type>
<nc:acl-mapping-id>admin</nc:acl-mapping-id>
<nc:acl-mapping-display-name>admin</nc:acl-mapping-display-name>
<nc:acl-mask>0</nc:acl-mask>
<nc:acl-permissions>31</nc:acl-permissions>
</nc:acl>
</nc:acl-list>
</d:prop>
</d:set>
</d:propertyupdate>'
After running occ groupfolders:permissions, file uploads became possible. Regarding the PROPFIND results, nc:acl-permissions returned to expected values, however nc:acl-mask was unintentionally changed to 31 for all entries.
This issue didn't occur when updating to Nextcloud 28.0.11.
Server configuration
Operating system: Amazon Linux release 2 (Karoo)
Web server: Apache
Database: MariaDB
PHP version: PHP 8.2
Nextcloud version: (see Nextcloud admin page) 29.0.5
Group folders version: 17.0.5
Updated from an older Nextcloud/ownCloud or fresh install: Upgraded to a MAJOR version (ex. 28 to 29)
Where did you install Nextcloud from:
Are you using external storage, if yes which one:
Are you using encryption:
Are you using an external user-backend, if yes which one: LDAP
Configuration report:
Configuration report
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"***REMOVED SENSITIVE VALUE***"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"default_phone_region": "JP",
"overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
"overwriteprotocol": "https",
"overwritehost": "***REMOVED SENSITIVE VALUE***",
"overwritewebroot": "\/nextcloud",
"dbtype": "mysql",
"version": "29.0.5.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"maintenance": false,
"log_type": "file",
"logfile": "nextcloud.log",
"loglevel": 1,
"logtimezone": "Asia\/Tokyo",
"logdateformat": "F d, Y H:i:s",
"memcache.local": "\\OC\\Memcache\\APCu",
"theme": "",
"auth.bruteforce.protection.enabled": false,
"integrity.check.disabled": true,
"mail_smtpauthtype": "",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"updater.release.channel": "stable",
"app_install_overwrite": [
"groupfolders"
],
"trashbin_retention_obligation": "auto, 14",
"mail_smtpport": "4"
}
}
List of activated Apps:
List of activated Apps
Enabled:
- activity: 2.21.1
- admin_audit: 1.19.0
- cloud_federation_api: 1.12.0
- comments: 1.19.0
- contactsinteraction: 1.10.0
- dav: 1.30.1
- federatedfilesharing: 1.19.0
- files: 2.1.1
- files_external: 1.21.0
- files_pdfviewer: 2.10.0
- files_reminders: 1.2.0
- files_sharing: 1.21.0
- files_trashbin: 1.19.0
- files_versions: 1.22.0
- firstrunwizard: 2.18.0
- groupfolders: 17.0.5
- logreader: 2.14.0
- lookup_server_connector: 1.17.0
- nextcloud_announcements: 1.18.0
- notifications: 2.17.0
- oauth2: 1.17.0
- photos: 2.5.0
- privacy: 1.13.0
- provisioning_api: 1.19.0
- related_resources: 1.4.0
- serverinfo: 1.19.0
- settings: 1.12.0
- systemtags: 1.19.0
- text: 3.10.1
- theming: 2.4.0
- twofactor_backupcodes: 1.18.0
- updatenotification: 1.19.1
- user_ldap: 1.20.0
- viewer: 2.3.0
- workflowengine: 2.11.0
Disabled:
- bruteforcesettings: 2.9.0 (installed 1.0.3)
- circles: 29.0.0-dev (installed 24.0.1)
- dashboard: 7.9.0 (installed 7.1.0)
- encryption: 2.17.0
- federation: 1.19.0 (installed 1.14.0)
- files_downloadlimit: 2.0.0 (installed 2.0.0)
- password_policy: 1.19.0 (installed 1.2.2)
- recommendations: 2.1.0 (installed 1.3.0)
- sharebymail: 1.19.0 (installed 1.2.0)
- support: 1.12.0 (installed 1.4.0)
- survey_client: 1.17.0 (installed 1.1.0)
- suspicious_login: 7.0.0
- twofactor_totp: 11.0.0-dev
- user_status: 1.9.0 (installed 1.1.1)
- weather_status: 1.9.0 (installed 1.1.0)
I encountered the same change of behavior. It seems to come from this commit: https://github.com/nextcloud/groupfolders/commit/afeef5c99e746ebce9aaf7176e9c60feee4dda6c
Based on the steps to reproduce described by the issue author, I now understand the specific conditions.
In Nextcloud version 29.0.9, specifying "Inherit permission" in advanced permission rules causes permissions not to be applied. The issue can be reproduced with the following steps:
- Enable advanced permissions setting to a groupfolder.
- In the group folder or its subfolder, configure an Advanced Permission rule by assigning it to a user or group.
- Specify "Inherit permission" for each permission. The issue did not occur when 'Allow' or 'Deny' was specified.
Can you confirm this is not fixed in v18.0.6 or v17.0.6? https://github.com/nextcloud/groupfolders/pull/3404
@solracsf
Can you confirm this is not fixed in v18.0.6 or v17.0.6? https://github.com/nextcloud/groupfolders/pull/3404
We updated the Group Folders to version 17.0.8, but the issue was not fixed.
@solracsf Hi! Are there any updates on this issue? We cannot update our Nextcloud because of this.
I encountered the same change of behavior. It seems to come from this commit: afeef5c
This solve our problem, removing "& mask" from the line.
- $this->permissions = $permissions;
+ $this->permissions = $permissions & $mask;
Will there be a solution or we have to reapply all permisions on all folders?
I encountered the same change of behavior. It seems to come from this commit: afeef5c
This solve our problem, removing "& mask" from the line.
- $this->permissions = $permissions; + $this->permissions = $permissions & $mask;Will there be a solution or we have to reapply all permisions on all folders?
Any progress on this issue?