403 for PUT requests /ocs/v2.php/cloud/users/

đź’» Development
1

Nextcloud version 25.0.1.1)
Operating system and version _, Ubuntu 20.04)
Apache 2.4.55
PHP version : 8.0.27

I got the 403 response code when calling PUT /ocs/v2.php/cloud/users/{username} with params:
{
“key” : “quota”,
“value” : “12 GB”
}

Steps to replicate it:
It is hard to replicate. That is external request that comes via internet but not from the browser but .NET application. When the call ir repeated with the same arguments seconds later everything is fine. There is no error nor any type of log when that call takes place. I can see the 403 response only in apache access file. The problems occurred when I updated nextcloud 23 to 25

The output of Apache access.log file:

52.59... - User1 [09/Feb/2023:10:49:29 +0000] "PUT /ocs/v2.php/cloud/users/User2 HTTP/1.1" 403 9282 "-" "-"
PASTE HERE

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'version' => '25.0.1.1',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'installed' => true,
  'enable_previews' => false,
  'debug' => false,
  'integrity.check.disabled' => true,
  'htaccess.RewriteBase' => '/',
  'theme' => 'Siemens',
  'social_login_auto_redirect' => true,
  'overwriteprotocol' => 'https',
  'skeletondirectory' => '/opt/skeleton',
  'loglevel' => 0,
  'logtimezone' => 'Europe/Berlin',
  'log_rotate_size' => 518715200,
  'updater.release.channel' => 'stable',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'allowedOrigins' =>
  array (
...
  ),
  'trusted_domains' =>
  array (
...
  ),
  'mail_template_class' => '\\OCA\\MyEmailTemplate\\EmailTemplate',
  'dbtableprefix' => 'oc_',
  'dbtype' => 'pgsql',
);

Headers I cought for both requests

Host: 'my host name'
Authorization: Basic ... 
OCS-APIRequest: true 
ccept: application/json 
Request-Id: |f4b72b8f-44ed25bdcff15c3e.3.9a13a6fd_1. 
Cookie: ...; 
oc_sessionPassphrase=...;
 __Host-nc_sameSiteCookielax=true; 
__Host-nc_sameSiteCookiestrict=true 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 27 
GEOIP_ADDR: ... 
GEOIP_CONTINENT_CODE: EU 
GEOIP_COUNTRY_CODE: DE 
GEOIP_COUNTRY_NAME: Germany

Except Request-Id and Content-Length all of headers are the same for both calls (the successful one and the forbidden one)

There is no error in nextcloud.log.
I could not recreate it via Postman nor curl scripts.
Please let me know if I should provide you more details.

2

Okay, sorry ich I am dumb, but what do you expect from the community to do here?

In what sense does this affect you negatively? Is there a lag or are users completely forbidden to access (reloading works well)?