Allowing users to rename files without delete permission

Hi everyone!
Our office recently moved away from Egnyte to self-hosted Nextcloud. We were able to set up everything pretty easily and everyone is loving it.

One major difference that we noticed is that Egnyte had the ability to distinguish “rename” and “delete” permissions. I can’t seem to find anything similar for Nextcloud.
Is it possible to allow users to rename files and folders while not being able to delete them?

I also noticed a problem with the Windows WebDAV connection that I think is related to the “rename - delete” issue I’ve mentioned above. When creating a folder from Windows Explorer within a WebDAV mapped drive and I name it anything other than “new folder”, I get an error “Can’t read from source file or disk”. My theory is that Windows creates a folder called “new folder” and then asks for its name after the fact. Since the logged-in user doesn’t have permission to rename, they get an error “Can’t read from source file or disk”. I don’t have much experience with NC, but this seemed most logical. I tested the same procedure with the account that had delete permissions and had no issue.

I’m open to suggestions.
Wish all of you health and happiness!
David.

EDIT: Updated the category.
EDIT2: More details:
Server details

  • We’re using NC 20.0.4 on Ubuntu 20.04 Virtual Machine.
  • PHP version - 7.4.3 with Zend Engine 3.4.0
  • Database - MySQL 10.3.25-MariaDB-0ubuntu0.20.04.1

Usage

  • NC is on our local server but we’ve opened access from the internet. It’s accessible through cloud.xxxx.xx.
  • We’re an architectural company. The main usage is just the storage of files & documents, but we’re also planning to take advantage of OPENOFFICE live collaboration for office documents. This is why we opened access from internet, so the clients can be added as guests and be included in design and production process more intimately.
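One way to test the create-then-rename theory directly is to replay Explorer's sequence as raw WebDAV requests (MKCOL "New folder", then MOVE), so the failing step shows up as an HTTP status instead of Explorer's generic error. This is an added example, not code from the thread or from Nextcloud; the endpoint URL, account name and app password are placeholders you set in the environment.

```shell
#!/bin/sh
# Added example (not from the thread): replay Windows Explorer's folder-creation flow,
# MKCOL "New folder" followed by a MOVE (rename), as raw WebDAV requests so the failing
# step is visible as an HTTP status instead of Explorer's "Can't read from source file".
# Assumptions: BASE is the user's files endpoint (placeholder host), NC_USER/NC_PASS hold
# the login and an app password; nothing is sent unless NC_USER is set.
BASE="${BASE:-https://cloud.example.invalid/remote.php/dav/files/alice}"

# Percent-encode one ASCII path segment for use in a URL or Destination header.
urlencode_segment() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Absolute URL the MOVE Destination header must carry for a rename to $1 inside BASE.
move_destination() { printf '%s/%s' "$BASE" "$(urlencode_segment "$1")"; }

# Map the status of each step to what it tells us about where the rename is blocked.
explain_status() {
  case $1 in
    201) echo "created" ;;
    403) echo "forbidden: Nextcloud denied the operation for this account" ;;
    423) echo "locked: another client or a stale file lock holds the node" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Issue one WebDAV request and return only the HTTP status code.
dav_status() {
  method=$1; segment=$2; shift 2
  curl -s -o /dev/null -w '%{http_code}' -u "$NC_USER:$NC_PASS" -X "$method" "$@" \
    "$BASE/$(urlencode_segment "$segment")"
}

# Same two requests Explorer sends: create the placeholder folder, then rename it.
reproduce() {
  s=$(dav_status MKCOL "New folder")
  echo "MKCOL 'New folder': $(explain_status "$s")"
  s=$(dav_status MOVE "New folder" -H "Destination: $(move_destination "$1")" -H "Overwrite: F")
  echo "MOVE to '$1': $(explain_status "$s")"
}

if [ -n "$NC_USER" ]; then reproduce "Site Plans"; fi
```

A 201 on MKCOL followed by a 403 on MOVE points at the server-side permission model; a failure on MKCOL itself points elsewhere (mapping, locks, or the account lacking Create).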

Hi @HighLouie,

Full disclosure - I use Linux. So I hope someone who is fully familiar with Windows can help you out.
However, to get you started on the road to getting the best responses, you might find it very helpful to include as much information about your setup, especially OS and NC versions etc.
Also provide as much info about your use case as is possible too.

But reading your post I’m a little confused: you have a self-hosted NC instance.
Is this internally hosted on your LAN or externally hosted, either on a publicly visible NC instance or via a VPN?
Is the WebDAV mapped drive mapped to a NC endpoint? Is it mapped to a user’s account?
To me it sounds more like a WebDAV permissions issue under Windows than a NC permissions issue per se.

Thank you so much for the reply. Yes, I apologize for the lack of details. I’ll edit the main post so everyone can see.


Hi @HighLouie,

You may also find the following Nextcloud app useful when looking for support:

https://apps.nextcloud.com/apps/issuetemplate

PLEASE REMEMBER to ensure you remove any sensitive data (usernames / passwords etc) before posting to public forums.

Hope your issue gets resolved!


Steps to reproduce

• Map Nextcloud in Windows Explorer using an account that doesn’t have “delete” permission.
• Create new folder and give it a custom name

Expected behaviour

• The folder is created using a custom name
• The user shouldn’t be able to delete the folder

Actual behaviour

• The user gets an error saying: Can’t read from the source file or disk.
• The user gets the same error while trying to rename existing folder.

Server configuration detail

Operating system: Linux 5.4.0-60-generic #67-Ubuntu SMP Tue Jan 5 18:31:36 UTC 2021 x86_64

Webserver: Apache/2.4.41 (Ubuntu) (apache2handler)

Database: mysql 10.3.25

PHP version:

7.4.3
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, apache2handler, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 20.0.4 - 20.0.4.0

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Where did you install Nextcloud from: Server package archive

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.6.0
 - admin_audit: 1.10.0
 - breezedark: 20.0.2
 - bruteforcesettings: 2.0.1
 - calendar: 2.1.3
 - cloud_federation_api: 1.3.0
 - comments: 1.10.0
 - contacts: 3.4.3
 - contactsinteraction: 1.1.0
 - customproperties: 1.0.1
 - dav: 1.16.2
 - documentserver_community: 0.1.8
 - external: 3.7.1
 - federatedfilesharing: 1.10.2
 - federation: 1.10.1
 - files: 1.15.0
 - files_pdfviewer: 2.0.1
 - files_rightclick: 0.17.0
 - files_sharing: 1.12.1
 - files_trashbin: 1.10.1
 - files_versions: 1.13.0
 - files_videoplayer: 1.9.0
 - firstrunwizard: 2.9.0
 - groupfolders: 8.2.0
 - issuetemplate: 0.7.0
 - logreader: 2.5.0
 - lookup_server_connector: 1.8.0
 - nextcloud_announcements: 1.9.0
 - notifications: 2.8.0
 - oauth2: 1.8.0
 - onlyoffice: 6.2.0
 - password_policy: 1.10.1
 - photos: 1.2.1
 - privacy: 1.4.0
 - provisioning_api: 1.10.0
 - recommendations: 0.8.0
 - serverinfo: 1.10.0
 - settings: 1.2.0
 - sharebymail: 1.10.0
 - support: 1.3.0
 - survey_client: 1.8.0
 - systemtags: 1.10.0
 - text: 3.1.0
 - theming: 1.11.0
 - twofactor_backupcodes: 1.9.0
 - twofactor_totp: 5.0.0
 - updatenotification: 1.10.0
 - user_status: 1.0.1
 - viewer: 1.4.0
 - weather_status: 1.0.0
 - workflowengine: 2.2.0
Disabled:
 - activity
 - dashboard
 - deck
 - encryption
 - files_external
 - registration
 - richdocuments
 - richdocumentscode
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***",
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "20.0.4.0",
    "overwrite.cli.url": "https:\/\/cloud.teamtwo.ge",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "allow_local_remote_servers": true,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379
    }
}

Are you using external storage, if yes which one: local/smb/sftp/…

Are you using encryption:

Are you using an external user-backend, if yes which one: Webdav

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0

Operating system:

Logs

I can provide logs separately.

@HighLouie

Thinking of the ‘user’ in question what windows user / group permissions do they currently have on their smb hosted directory?

Thinking of the ‘user’ in question what windows user / group permissions do they currently have on their smb hosted directory?

Just to make it clear, this problem is not specific to a single user. The users have administrator accounts on their Windows PCs with full permissions. However, the account they use to connect to the cloud has the following permissions (I’ll list all permissions that we have on the cloud):

  1. NC default share permissions: ✔ Create ✔ Change ✘ Delete ✔ Reshare.
  2. The user is part of the group called “Users”.
  3. This group has access to several folders, using Groupfolders, with the following permissions: ✔ Write ✔ Share ✘ Delete. (It’s worth noting that this alone didn’t work and users were still able to delete files & folders. See below (#4) for what I did to solve this.)
  4. Additionally, these folders also have advanced permission rules that specifically deny this user group the delete permission on these folders.
  5. The folder that they have mapped in windows is the home folder of this user.

What do you think about my theory? “Rename” permission being associated with “Delete”? Is there a way to separate these two permissions?

Thank you!

@HighLouie

So correct me if I misunderstand something.
NC is running on a VM with Ubuntu as the OS.
All file storage is also on the VM.
You are using the group folders app to create and manage shared folders.

Under Linux a ‘rename’ is basically done using the mv command:
mv originalname newname

which is like a cp originalname newname (copy) with the source being removed after confirmation of the copy to the destination… BUT… I don’t know how NC Groupfolders handles this; I’m pretty sure it isn’t using standard Linux permissions.

However, the GitHub issue below for Groupfolders seems to strongly resemble yours:

And there is this regarding permissions and delete / rename which supports my above comments:

So it might be best to add yourself to issue (1181), as the wheel that squeaks the loudest gets the oil!

We don’t use the Groupfolders app, but if I have time I’ll spin up a fresh NC instance, install Groupfolders and see what I get, but that won’t happen until after the weekend I expect.

Do you see any errors in the NC logs? (Ensure you enable debugging to get verbose output.) That might shed some light.
settings->administration->logging->level

If a standard user creates a folder, and is then given delete permissions to that folder via the groupfolders app, can they then rename it?

If a standard user creates a folder, can they ‘move’ a folder?

Hi @HighLouie

I’ve spun up an NC 20 snap on Ubuntu 18.04 on AWS and added and configured the ‘Group Folders’ app.

Permissions I set for user groups were:
Admin - Write, Share and Delete
User - Write, Share

I gave Admin group advanced permissions too.

I then mounted users via WebDAV.

Admin can create, rename and delete folders as expected.
User can create and rename.
User cannot delete as expected.

I also set permissions under the advanced permissions rule and all permissions were honoured as expected.

Can your users login and create / rename files via the web portal in a shared folder?

Thanks again for all your efforts. Very much appreciated!

I didn’t expect this, but no. I’ve created “new folder”, gave the user delete permission from groupfolder settings and I still couldn’t delete, rename or move the folder. I can copy though…

No

Yes, all of them related to users trying to rename and failing. I have one question on this: when the user is denied a permission, not by an error but as intended, does NC count it as a “Fatal” error?

There are a ton of “Fatal” issues related to users trying to rename the file and failing:

There are two critical PHP errors that are repeating:

No

I can also send the log file.

@HighLouie,

The PHP errors relate to the issuetemplate app; you can disable that app now (it’s the one that does all the work of collecting your system config for reporting issues).

NC doesn’t seem to have a problem following the flow to rename a folder, but it fails, so I’m thinking server permissions configuration or storage permissions configuration…?

1.) So, thinking about your data folder in Nextcloud: is this local (internal disk/disk array) or external (NFS / disk array) to your NC setup?
2.) If applicable, how is your data directory mounted to the file system?
3.) What permissions do you have on your data directory and the shared folder?
4.) What process did you use to install Nextcloud (tutorial / NC docs / NC script / snap etc.)?

I’ve disabled Issue Template app. Here’s the info that you requested:

Okay, so we have two hard disks on this VM:

  1. One is for boot & system.
  2. Another is for the “var” directory.
    2.1 On the second disk we have two partitions.
    2.2 Both of these partitions contribute to the same virtual group. (Initially we had a single partition, but then decided to add another to test if we could expand it by adding another partition and adding it to the same virtual group.)
    2.3 This virtual group is mounted in /var/ using “fstab”.
    Here’s the picture for more clarity:
    [image: disk layout]

[image: directory listing]
[data folder] WinSCP shows as 0770 in octal

[__groupfolders] WinSCP shows as 0755 in octal
Covered names are user folders.

We followed this tutorial:

@HighLouie

Nothing leaps out at me as being wildly incorrect.
LinuxBabe normally has some pretty solid tutorials.

I’d recommend you spin up an AWS Lightsail instance and follow the tutorial again, and install the groupfolders app (keep it all simple to start, just follow the base tutorial). Then see if the issue is replicated. You then have an environment in which to troubleshoot without impacting your users.

I’d do it, but I’ve got a project of my own on this weekend.

The info you’ve supplied thus far is pretty comprehensive, so gives you a much better chance of getting a positive outcome from the forum, well done.
