Can't add or delete groups or delete users

ℹ️ Support
1
Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 18.0.2): 18.0.8 and 19.0.2
Operating system and version (eg, Ubuntu 20.04): Debian 9
Apache or nginx version (eg, Apache 2.4.25): Nginx (latest)
PHP version (eg, 7.1): 7.3

The issue you are facing:
JavaScript errors prevent from adding or deleteing a group and from deleteing a user

Is this the first time you’ve seen this error? (Y/N):
I have not tried this for years

Steps to replicate it:

  1. Try to add a group, or
  2. Try to delete a group, or
  3. Try to delete a user

The output of your Nextcloud log in Admin > Logging:
Log is emtpy - this is a javascript error so nothing is sent to server

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
Irrelevant

The output of your Apache/nginx/system log in /var/log/____:
Irrelevant

What I see in the browser console (I tried it in Firefox and Chromium, both latest):

main.js?v=eb9ca341-1:1 TypeError: Cannot read property ‘replace’ of undefined
at Object._build (main.js?v=eb9ca341-1:1)
at Object.init (main.js?v=eb9ca341-1:1)
at e.fn.init.o.a.fn.octemplate (main.js?v=eb9ca341-1:1)
at Object. (main.js?v=eb9ca341-1:1)
at Object. (main.js?v=eb9ca341-1:1)
at c (main.js?v=eb9ca341-1:1)
at Object.fireWith [as resolveWith] (main.js?v=eb9ca341-1:1)
at Object.Deferred.m.each.r. [as resolve] (main.js?v=eb9ca341-1:1)
at Object.success (main.js?v=eb9ca341-1:1)
at c (main.js?v=eb9ca341-1:1) “data:” undefined

2

Hi @timreeves !

Have you managed to hunt down the issue?
I think I have the same problem:
For me, it seems nothing works that would require OC.dialogs, like delete account in Mail app.
I am on 21.0…

3

I’m on 20.0.9 now - on Debian 9 the MariaDB version is too low to upgrade to NC 21.
I’ve tried it again with these results:

  • Add a new group: OK
  • Add a new user: OK
  • Delete the user: Nope
  • Delete the group: Nope

Deleting user:
TypeError: t is undefined
_build https://example.com/core/js/dist/main.js?v=7e50771c-1:1
init https://example.com/core/js/dist/main.js?v=7e50771c-1:1
octemplate https://example.com/core/js/dist/main.js?v=7e50771c-1:1
message https://example.com/core/js/dist/main.js?v=7e50771c-1:1
then https://example.com/core/js/dist/main.js?v=7e50771c-1:1
l https://example.com/core/js/dist/main.js?v=7e50771c-1:1
add https://example.com/core/js/dist/main.js?v=7e50771c-1:1
then https://example.com/core/js/dist/main.js?v=7e50771c-1:1
each https://example.com/core/js/dist/main.js?v=7e50771c-1:1
then https://example.com/core/js/dist/main.js?v=7e50771c-1:1
Deferred https://example.com/core/js/dist/main.js?v=7e50771c-1:1
then https://example.com/core/js/dist/main.js?v=7e50771c-1:1
message https://example.com/core/js/dist/main.js?v=7e50771c-1:1
confirmDestructive https://example.com/core/js/dist/main.js?v=7e50771c-1:1
deleteUser https://example.com/apps/settings/js/vue-settings-users-f21df1de93ddcf45e13b.js?v=ab4545fa96a43d874f85:1
click https://example.com/apps/settings/js/vue-vendors-settings-apps-settings-users-feb6e6add9aee6bcda40.js?v=9020fab043b7e9b5c47a:1
zt https://example.com/apps/settings/js/vue-settings-apps-users-management.js?v=7e50771c-1:1
n https://example.com/apps/settings/js/vue-settings-apps-users-management.js?v=7e50771c-1:1
_wrapper https://example.com/apps/settings/js/vue-settings-apps-users-management.js?v=7e50771c-1:1
data: undefined main.js:1:1399287

Deleting group:
TypeError: t is undefined
_build https://example.com/core/js/dist/main.js?v=7e50771c-1:1
init https://example.com/core/js/dist/main.js?v=7e50771c-1:1
octemplate https://example.com/core/js/dist/main.js?v=7e50771c-1:1
message https://example.com/core/js/dist/main.js?v=7e50771c-1:1
then https://example.com/core/js/dist/main.js?v=7e50771c-1:1
l https://example.com/core/js/dist/main.js?v=7e50771c-1:1
fireWith https://example.com/core/js/dist/main.js?v=7e50771c-1:1
o[0] https://example.com/core/js/dist/main.js?v=7e50771c-1:1
_getMessageTemplate https://example.com/core/js/dist/main.js?v=7e50771c-1:1
l https://example.com/core/js/dist/main.js?v=7e50771c-1:1
fireWith https://example.com/core/js/dist/main.js?v=7e50771c-1:1
M https://example.com/core/js/dist/main.js?v=7e50771c-1:1
t https://example.com/core/js/dist/main.js?v=7e50771c-1:1
data: undefined

Hm that’s disappointing - at least I can add a new group now, but deleting… Now I’m stuck with test group and user )-:

Is there anything we can do to up the urgency on this one?

Tim

4

Kinda late, but I’ll just leave some relevant info here.

Turns out, the nginx reverse proxy/webserver config for nextcloud was the culprit.
If anyone happens to have a mostly working nextcloud installation, but has problems with various parts needing a dialog (this fails to show anything: OC.dialogs.confirmDestructive('Test message', 'Test Title') check your location blocks in your nextcloud config.
For me, possible the location block containing index was wrong, as it contained ocs-provider instead oc[ms]-provider .

5

Thanks for that hint, @Samonitari . I’ve tried it but it doesn’t work for me.

But I do have a sinking feeling that it may be to do with my nginx config - although it’s not my first nginc config, and I have checked it against several offers on the net. I can’t see a problem, nor do I see anyhting blocked, not in the browser debugger or the nginx access log. But maybe someone else can see a problem (I manage the server with Plesk, but use a custom nginx vhost template so that I handle .php and not Plesk):

set $domain HIDDEN;

# Normally we limit DoS possibility via file upload, but for NextCloud we need huge uploads
# Requires "nginxClientMaxBodySize =" in Plesk's panel.ini (and 16g settings in php.ini)
client_max_body_size 16g;

# After each modification: systemctl restart nginx.service / nxrestart
# Nginx Domain Error log: /var/www/vhosts/system/{domain}/logs/error_log
# FPM-Plesk 7.4 Log (Server + alle Domains): /var/log/plesk-php74-fpm/error.log
# Beide werden vom Plesk Log-Rotator gepflegt
# http://wiki.nginx.org/Pitfalls
# http://www.php.net/manual/de/regexp.introduction.php

# The following directives are included at the end of each Server-Block, i.e. in "server { ... }" context.

# Force SSL (if you use http, then comment out)
if ($server_port = 80) { rewrite ^ https://$server_name$request_uri? permanent; }

# Adds the specified charset to the “Content-Type” response header field.
# Context: 	http, server, location, if in location
charset utf-8;

# Add security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first
add_header Strict-Transport-Security "max-age=15768000; preload;";
add_header Referrer-Policy "same-origin";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options SAMEORIGIN;

# set max upload size
# Nginx says client_max_body_size already set - I only see it in plesk.conf.d/webmail.conf
fastcgi_buffers 64 4K;

# NOTE this must come BEFORE the ".php" location.
# NOTE it is needed, otherwise the basic URL request is understood as an attempt to list the directory => 403 forbidden
location = / {
  index index.php;
  # Rule to handle Microsoft DAV clients
  if ( $http_user_agent ~ ^DavClnt ) {
    return 302 /remote.php/webdav/$is_args$args;
  }
}

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location = /robots.txt { allow all; log_not_found off; }

# Then comes regex processing, *** which terminates on the first match ***, and the
# corresponding location configuration is used. If no match with a regular expression
# is found, then the configuration of the prefix location remembered earlier is used.
# SO the order in which regex locations appear is IMPORTANT!

# (?: ... )  non-capturing, siehe https://de.wikipedia.org/wiki/Regul%C3%A4rer_Ausdruck

# Nextcloud nutzt PATH-INFO to .js and .php, e.g. /index.php/core/js/oc.js,
# /index.php/core/ajax/share.php, /index.php/apps/files/ajax/list.php, /index.php/avatar/TimReeves/128

location ^~ /.well-known {
  location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
  location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; }

  location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
  location /.well-known/pki-validation { try_files $uri $uri/ =404; }

  # Let Nextcloud's API for `/.well-known` URIs handle all other requests by passing them to the front-end controller.
  return 301 /index.php$request_uri;
}

location /remote { return 301 /remote.php$request_uri; }

# These catch the worst flagrant attempts to call disallowed locations from the web. Log this!
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 403; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 403; }

# wp-login.php 404 for special nginx jail
location ~ /wp-login\.php { return 404; }

# xmlrpc is a favourite WordPress attack vector, not included in nginx-nextcloud-security.conf
location ~ xmlrpc\.php { error_log /dev/null crit; return 403; }

# Include own general security directives, modified to allow mirall
include "/var/www/vhosts/HIDDEN/nginx-nextcloud-security.conf";

# This is careful: It matches all the EXPECTED ".php" calls and passes them to PHP-FPM
# There is NO pendant in the Apache .htaccess

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|core/templates/40[34]|apc|info|ocp)\.php(?:$|/) {
  # See http://wiki.nginx.org/HttpFastcgiModule#fastcgi_split_path_info
  # Directive populates $fastcgi_script_name + $fastcgi_path_info
  # BUT there's a problem: http://trac.nginx.org/nginx/ticket/321
  fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
  set $path_info $fastcgi_path_info;
  # Requested PHP Scripts MUST exist exactly as named
  try_files $fastcgi_script_name =404;
  # try_files has emptied $fastcgi_path_info
  fastcgi_param PATH_INFO $path_info;
  # You can add any application-special headers to $_SERVER here
  fastcgi_param PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
  fastcgi_pass "unix:///var/www/vhosts/system/$domain/php-fpm.sock";
  # Following include sets SCRIPT_FILENAME to $document_root$fastcgi_script_name
  # Meaning that $fastcgi_script_name MUST be correct now!
  include /etc/nginx/fastcgi.conf;
  # Avoid sending the security headers twice
  fastcgi_param modHeadersAvailable true;
  # This and the above are both Nextcloud-specific
  fastcgi_param front_controller_active true;
  # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_intercept_errors
  fastcgi_intercept_errors on;
  # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_request_buffering
  fastcgi_request_buffering off;
  fastcgi_read_timeout 120;
}

# Beginning "updater" or "oc[ms]-provider" and ending with nothing more, or continuing with "/" (and potentially more behind it)
# In fact, clicking on "Open updater" requests "/updater/", which matches this location, which is why we need the "index" -
# the index addition goes into a new parsing round and then matches the location above, for ".php" files.
# The HTML source file returned actually contains:
# <link rel="stylesheet" href="/updater//pub/css/main.css?v=..." />
# <script src="/updater//pub/js/vendor/jquery.min.js?v=..."></script>
# <script src="/updater//pub/js/main.js?v=..."></script>
# which do NOT match the ".php" location above, thus are handled here
# ~ = regex case-sensitive

# For some unfathomable reason, this block MUST come after the .php location, otherwise the updater can't be called (returns a 405 Method not allowed)
location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
  index index.php;
  try_files $uri $uri/ =403;
}

# Adding the cache control header for js and css files (expires 2h)
# Make sure it is BELOW the PHP block
# ~* = regex case-insensitive
location ~* \.(?:css|js)$ {
  try_files $uri /index.php$uri$is_args$args;
  # Allow it to be fresh in browser cache for 2 x 60 x 60 = 2 hrs
  add_header Cache-Control "public, max-age=7200";
  # Add headers to serve security related headers (It is intended to duplicate the ones above). Nginx allows several add_header directives.
  # These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.
  add_header Strict-Transport-Security "max-age=15768000; preload;";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
}

# Some apps may provide files via index.php
location ~* \.(png|jpg|jpeg|gif|ico|bmp|img|webp|ttf|otf|eot|svg|svgz|woff|woff2)$ {
  try_files $uri /index.php$uri$is_args$args;
  expires 30d;
}

location ~ ^/core/doc/[^\/]+/$ {
  rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
}

location = /fpmstatus { fastcgi_pass "unix:///var/www/vhosts/system/$domain/php-fpm.sock"; include /etc/nginx/fastcgi.conf; }
location = /fpmping { fastcgi_pass "unix:///var/www/vhosts/system/$domain/php-fpm.sock"; include /etc/nginx/fastcgi.conf; }

# Nothing should arrive here EXCEPT the things needing redirecting to be handled by index.php
location ~ ^/.+ {
  rewrite ^ /index.php$uri;
}

# Finally, configure brotli compression
# Plesk turns it on and supplies a short mime types list, nothing more
# brotli_comp_level 6;  Is module default
brotli_types application/atom+xml application/javascript application/json application/rss+xml
             application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
             application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
             font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
             image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

Would be great if anyone could suggest where the problem may be here.

Cheers!

6

Oh and a question:

You mention the code: OC.dialogs.confirmDestructive('Test message', 'Test Title')

I’d like to try that but don’t know how…

7

Hi @timreeves !

Open nextcloud in your browser, and in the dev console (press F12 in most browsers and select the “Console” tab).
You can type that there (autocompletion should work, and the test strings obviously doesn’t matter)

8

Sorry, but I don’t really have the time to reason about the differences in some location blocks :slight_smile:
TBH, I did not reason about mine, when I “fixed it”. I just overwrote it from a working example (ecloud’s self-hosting setup), so…

Could you try to also overwrite your relevant blocks? The ones corresponding to the last two in mine seems suspicious

  # location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {                                                                                                                                                                                                                                                 
  location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy)\.php(?:$|/) {                                                                                                                                                                                                                     
    fastcgi_split_path_info ^(.+\.php)(/.*)$;                                                                                                                                                                                                                                                                                                                            
    try_files $fastcgi_script_name =404;                                                                                                                                                                                                                                                                                                                                 
    include fastcgi_params;                                                                                                                                                                                                                                                                                                                                              
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;                                                                                                                                                                                                                                                                                                    
    fastcgi_param PATH_INFO $fastcgi_path_info;                                                                                                                                                                                                                                                                                                                          
    # fastcgi_param HTTPS on;                                                                                                                                                                                                                                                                                                                                            
    #Avoid sending the security headers twice                                                                                                                                                                                                                                                                                                                            
    fastcgi_param modHeadersAvailable true;                                                                                                                                                                                                                                                                                                                              
    fastcgi_param front_controller_active true;                                                                                                                                                                                                                                                                                                                          
    fastcgi_pass php-handler;                                                                                                                                                                                                                                                                                                                                            
    fastcgi_intercept_errors on;                                                                                                                                                                                                                                                                                                                                         
    fastcgi_request_buffering off;                                                                                                                                                                                                                                                                                                                                       
  }                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                                                         
  location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {                                                                                                                                                                                                                                                                                                                      
      try_files $uri/ =404;                                                                                                                                                                                                                                                                                                                                              
      index index.php;                                                                                                                                                                                                                                                                                                                                                   
  }                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                                                         
  # location ~ (\.(?:css|js|woff2?|svg|gif|png|jpg|ico)$|^/core/img/background.png$) {                                                                                                                                                                                                                                                                                   
  location ~ \.(?:css|js|woff2?|svgz?|gif|map)$ {                                                                                                                                                                                                                                                                                                                        
    try_files $uri /index.php$request_uri;                                                                                                                                                                                                                                                                                                                               
    add_header Cache-Control "public, max-age=15778463";                                                                                                                                                                                                                                                                                                                 
    add_header Referrer-Policy "no-referer" always;                                                                                                                                                                                                                                                                                                                      
    add_header X-Content-Type-Options "nosniff" always;                                                                                                                                                                                                                                                                                                                  
    add_header X-Download-Options "nosniff" always;                                                                                                                                                                                                                                                                                                                      
    add_header X-Frame-Options "SAMEORIGIN" always;                                                                                                                                                                                                                                                                                                                      
    add_header X-Permitted-Cross-Domain-Policies "none" always;                                                                                                                                                                                                                                                                                                          
    add_header X-Robots-Tag "none" always;                                                                                                                                                                                                                                                                                                                               
    add_header X-XSS-Protection "1; mode=block" always;                                                                                                                                                                                                                                                                                                                  
    access_log off;                                                                                                                                                                                                                                                                                                                                                      
  }                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                                                         
  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {                                                                                                                                                                                                                                                                                                           
      try_files $uri /index.php$request_uri;                                                                                                                                                                                                                                                                                                                             
      # Optional: Don't log access to other assets                                                                                                                                                                                                                                                                                                                       
      access_log off;                                                                                                                                                                                                                                                                                                                                                    
  }                                                                                                                                                                                                                                                                                                                                                                      
}
9

BAck again, and still does not work. I’m now on Debian 10 and NC 22.2.3, problem remains unchanged.

I’ve looked again carefully at network traffic and nginx config and don’t see any requests failing or being blocked.

I tried to delete a group in Firefox:

TypeError: t is undefined
    _build https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:1272
    init https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:1272
    octemplate https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:1272
    message https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:71
    u https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    c https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    setTimeout handler*Deferred/then/a/< https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    l https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fireWith https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fire https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    l https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fireWith https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    u https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    c https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    setTimeout handler*Deferred/then/a/< https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    l https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fireWith https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fire https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    l https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fireWith https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    n[0] https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    l https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fireWith https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    n[0] https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    _getMessageTemplate https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:71
    l https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    fireWith https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    k https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    t https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    send https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    ajax https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    ajax https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:986
    t https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:25
    _getMessageTemplate https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:71
    message https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:71
    confirm https://owncloud.reeves.one/core/js/dist/main.js?v=90c0ec9d-1:71
    removeGroup https://owncloud.reeves.one/apps/settings/js/vue-settings-users.js?v=7665dea3ee6bc079b7fb:24
    click https://owncloud.reeves.one/apps/settings/js/vue-settings-users.js?v=7665dea3ee6bc079b7fb:24
    Gt https://owncloud.reeves.one/apps/settings/js/vue-settings-apps-users-management.js?v=90c0ec9d-1:7
    n https://owncloud.reeves.one/apps/settings/js/vue-settings-apps-users-management.js?v=90c0ec9d-1:7
    execFirstAction https://owncloud.reeves.one/apps/settings/js/vue-vendors-settings-apps-settings-users.js?v=a09a9b1e3184b95c73de:404
    Gt https://owncloud.reeves.one/apps/settings/js/vue-settings-apps-users-management.js?v=90c0ec9d-1:7
 data: undefined

And then tried the same action on a virgin MS Edge (which I never use or even configure, it runs in VirtualBox for testing only):

main.js?v=90c0ec9d-1:1272 
        
       TypeError: Cannot read properties of undefined (reading 'replace')
    at Object._build (main.js?v=90c0ec9d-1:1272)
    at Object.init (main.js?v=90c0ec9d-1:1272)
    at e.fn.init.o.a.fn.octemplate (main.js?v=90c0ec9d-1:1272)
    at main.js?v=90c0ec9d-1:71
    at u (main.js?v=90c0ec9d-1:25)
    at c (main.js?v=90c0ec9d-1:25) 'data:' undefined
_build @ main.js?v=90c0ec9d-1:1272

Does anyone have an idea? This is driving me crazy!

10

I can confirm having the same bug with my NC 22.2.0 & 23.0.0

The difference is I can create a group.
But I can’t delete a group or an user.

System behind is
Debian 11.2
Nginx 1.18.0-6.1

I tried with php 7.4 and php 8.0

As it’s a Javascript error, I don’t see the errorcoming from Nginx or Php.

As mentionned earlier in the post, I have the same error when executing OC.dialogs.confirmDestructive(‘Test message’, ‘Test Title’)

In Vivaldi browser the console error is:

TypeError: Cannot read properties of undefined (reading 'replace')
    at Object._build (main.js?v=8635b236:1245)
    at Object.init (main.js?v=8635b236:1245)
    at e.fn.init.o.a.fn.octemplate (main.js?v=8635b236:1245)
    at main.js?v=8635b236:71
    at u (main.js?v=8635b236:25)
    at c (main.js?v=8635b236:25) 'data:' undefined

And in Firefox (v91.4.0esr (64 bits)), the console error is

TypeError: t is undefined
    _build https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:1245
    init https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:1245
    octemplate https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:1245
    message https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:71
    u https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:25
    c https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:25
    setTimeout handler*a/< https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:25
    l https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:25
    add https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:25
    then https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:25
    Deferred https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:959
    then https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:25
    message https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:71
    confirmDestructive https://cloud.mydomain.tld/core/js/dist/main.js?v=8635b236:71
    deleteUser https://cloud.mydomain.tld/apps/settings/js/vue-settings-users.js?v=3b720f31d4574f0fc950:24
    click https://cloud.mydomain.tld/apps/settings/js/vue-vendors-settings-users.js?v=a125cb892b7443c82bbd:2759
    Gt https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    n https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    _wrapper https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    _r https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    se https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    Or https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    g https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    l https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    h https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    l https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    uo https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    _update https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    r https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    get https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    dn https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    mount https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    $mount https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    init https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    l https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    l https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    h https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    l https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    uo https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    _update https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    r https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    get https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    dn https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    mount https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    $mount https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    init https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    l https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    l https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
    h https://cloud.mydomain.tld/apps/settings/js/vue-settings-apps-users-management.js?v=8635b236:7
 data: undefined

Not much more to offer, sorry

11

I think I found the culprit.
Indeed, it came from the Nginx vhost configuration.

My vhost came from the official doc:
https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx

After some tests, I found that this block was the problem:

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }

With that block, I can use Nc, but can’t delete group or user.

If I change it to

    location / {
        try_files $uri /index.php$uri;
    }

Now, I can delete groups and users, but all the app pages (/apps/files, /apps/photos, /apps/…) are now receiving an Error 403.

If I add this block to my vhost:

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php index.html;
    }

I can now delete groups and users, all the apps pages are working, but I can’t logout from Nc:

Unauthorized access 
CSRF check failed

Tbh, I just played with the oc[ms]-provider block as it was referenced earlier in this post, but I have no clue why adding this block fixes one problem and bring a new one.

Anyone got an idea on this?

My Vhost:

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    index index.php index.html index.php$request_uri;

    access_log /var/log/nginx/access.log ndd_inclus;
    error_log /var/log/nginx/error.log;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 $scheme://$host/remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }
    location ^~ /.well-known {
        fastcgi_param SERVER_PORT 443;

        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location = /.well-known/webfinger   { return 301 $scheme://$host/index.php/.well-known/webfinger; }
        location = /.well-known/nodeinfo    { return 301 $scheme://$host/index.php/.well-known/nodeinfo; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

        # The following rule is only needed for the Social app.
        # Uncomment it if you're planning to use this app.
        rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    location = /data/htaccesstest.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }

    location ~ \.php(?:$|/) {
        # Added here a second time if not NC was complaining to not have it.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        # Next line needed to be commented out if not NC didn't receive headers.
        # fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-fpm7.4;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php index.html;
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri /index.php$uri;
    }
12

I found the error.

In my tests, I changed the $request_uri by $uri in the last block.

The right block is:

    location / {
        try_files $uri /index.php$request_uri;
    }

Now Nc is working, I can also add / delete groups and users, and I can logout.

13

Thanks for that! Now my installation finally works too. This is the latter part of the code block which works within a Plesk environment:

# Nextcloud uses PATH-INFO to .js and .php, e.g. /index.php/core/js/oc.js,
# /index.php/core/ajax/share.php, /index.php/apps/files/ajax/list.php, /index.php/avatar/TimReeves/128

location ^~ /.well-known {
  location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
  location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; }

  location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
  location /.well-known/pki-validation { try_files $uri $uri/ =404; }

  # Let Nextcloud's API for `/.well-known` URIs handle all other requests by passing them to the front-end controller.
  return 301 /index.php$request_uri;
}

# Rule borrowed from `.htaccess`
location /remote { return 301 /remote.php$request_uri; }

# These catch the worst flagrant attempts to call disallowed locations from the web. Log this!
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 403; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 403; }

# wp-login.php 404 for special nginx jail
location ~ /wp-login\.php { return 404; }

# xmlrpc is a favourite WordPress attack vector, not included in nginx-nextcloud-security.conf
location ~ xmlrpc\.php { error_log /dev/null crit; return 403; }

# This is careful: It matches all the EXPECTED ".php" calls and passes them to PHP-FPM
# There is NO pendant in the Apache .htaccess

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|core/templates/40[34]|apc|info|ocp)\.php(?:$|/) {
  # See http://wiki.nginx.org/HttpFastcgiModule#fastcgi_split_path_info
  # Directive populates $fastcgi_script_name + $fastcgi_path_info
  # BUT there's a problem: http://trac.nginx.org/nginx/ticket/321
  fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
  set $path_info $fastcgi_path_info;
  # Requested PHP Scripts MUST exist exactly as named
  try_files $fastcgi_script_name =404;
  # try_files has emptied $fastcgi_path_info
  fastcgi_param PATH_INFO $path_info;
  # You can add any application-special headers to $_SERVER here
  fastcgi_param PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
  fastcgi_pass "unix:///var/www/vhosts/system/$domain/php-fpm.sock";
  # Following include sets SCRIPT_FILENAME to $document_root$fastcgi_script_name
  # Meaning that $fastcgi_script_name MUST be correct now!
  include /etc/nginx/fastcgi.conf;
  # Avoid sending the security headers twice
  fastcgi_param modHeadersAvailable true;
  # This and the above are both Nextcloud-specific
  fastcgi_param front_controller_active true;
  # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_intercept_errors
  fastcgi_intercept_errors on;
  # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_request_buffering
  fastcgi_request_buffering off;
  fastcgi_read_timeout 120;
}

# Beginning "updater" or "oc[ms]-provider" and ending with nothing more, or continuing with "/" (and potentially more behind it)
# In fact, clicking on "Open updater" requests "/updater/", which matches this location, which is why we need the "index" -
# the index addition goes into a new parsing round and then matches the location above, for ".php" files.
# The HTML source file returned actually contains:
# <link rel="stylesheet" href="/updater//pub/css/main.css?v=..." />
# <script src="/updater//pub/js/vendor/jquery.min.js?v=..."></script>
# <script src="/updater//pub/js/main.js?v=..."></script>
# which do NOT match the ".php" location above, thus are handled here
# ~ = regex case-sensitive

# For some unfathomable reason, this block MUST come after the .php location, otherwise the updater can't be called (returns a 405 Method not allowed)
location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
  index index.php;
  try_files $uri $uri/ =403;
}

# Adding the cache control header for js and css files (expires 2h)
# Make sure it is BELOW the PHP block
# ~* = regex case-insensitive
location ~* \.(?:css|js)$ {
  try_files $uri /index.php$request_uri;
  # Allow it to be fresh in browser cache for 2 hrs
  expires 2h;
  add_header Cache-Control "public, max-age=7200";
  # Add headers to serve security related headers (It is intended to duplicate the ones above). Nginx allows several add_header directives.
  # These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.
  add_header Strict-Transport-Security "max-age=15768000; preload;";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
}

# Some apps may provide files via index.php
location ~* \.(png|jpg|jpeg|gif|ico|bmp|img|webp|wasm|tflite)$ {
  expires 30d;
  try_files $uri /index.php$request_uri;
}

location ~* \.(ttf|otf|eot|svg|svgz|woff|woff2)$ {
  expires 7d;
  try_files $uri /index.php$request_uri;
}

location ~ ^/core/doc/[^\/]+/$ {
  expires 30d;
  rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
}

location = /fpmstatus { fastcgi_pass "unix:///var/www/vhosts/system/$domain/php-fpm.sock"; include /etc/nginx/fastcgi.conf; }
location = /fpmping { fastcgi_pass "unix:///var/www/vhosts/system/$domain/php-fpm.sock"; include /etc/nginx/fastcgi.conf; }

# Nothing should arrive here EXCEPT the things needing redirecting to be handled by index.php
location / {
  try_files $uri $uri/ /index.php$request_uri;
}

# Finally, configure brotli compression
# Plesk turns it on and supplies a short mime types list, nothing more
# brotli_comp_level 6;  Is module default
brotli_types application/atom+xml application/javascript application/json application/rss+xml
             application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
             application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
             font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
             image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

So it seems we can close this now, praise be!