Advanced permission rules not inherited correctly

Hey guys,

I hope you can give me some advice as I’ve been trying for the last two days without any success…

I don’t know if it’s a bug or a wrong configuration, but I seem to be unable to set up a file-server-like folder structure with (correctly displayed) advanced permissions.

I’ve got several group folders, and one of those, named “Guidelines”, contains multiple subdirectories (“Development”, “QA”, “Accounting”). Each of those directories should be readable by all users that are (indirect) members of group “all”, but write permission is only given to the respective subgroup (e.g. “Developer”, “Accountant”, …) (*1)

What I did:

  • In the group folder settings:
    – Gave “write + share + delete” rights on “Guidelines” to the group “all”,
    – Added group “developer” to the group folder without permission to write, share or delete
  • Opened the details for the “Guidelines” folder in the “Files” app
    – Added an advanced permission rule for “all” denying everything but “read”
    – Added an advanced permission rule for “developer” with inheritance enabled for all rights which results in the inherited right to “read” but nothing else
  • Opened the details of the “Guidelines” subfolder named “Development”
    – Added an advanced permission rule for “developer” without any customization of the rights, i.e. inheriting every setting from the parent folder

After this last step NC now shows that the group “developer” has all rights (read, write, create, delete, share) on the “development” subfolder, but if a member of group “developer” actually enters this folder via the Nextcloud Web GUI they only see “You don’t have permission to upload or create files here”.
As soon as I explicitly give the rights to create or write to the “developer” group, the user is allowed to modify the folder contents.

To conclude this post:

1a. If I add an advanced permission rule on a subfolder I expect this folder to inherit the correct rights from the parent folder. What am I doing wrong that in the child folder it says the group “Developers” is entitled to do everything (read, write, create…) if this is explicitly not the case in the parent folder?

1b. If it says that the “Developers” group has all rights I expect NC to allow all actions. Actually the group has no rights besides “read”. Could this be a configuration issue?

(*1) I don’t know if it is of any relevance… The groups “all” and “Developers” are imported from LDAP. “Developers” is a member of “all”, and in the AD/LDAP configuration the “nested groups” checkbox is checked.

Thanks in advance!