File access control - blocking a file blocks the whole folder

I shared a folder with group A, but would like to prevent access to some files inside, making them accessible only to users belonging both to group A and group B.

What I did is:

  • share the folder with group A

  • then create a collaborative tag “only_for_group_b_eyes”

  • assign that tag only to those files I want to be accessible only to group b

  • finally create a file access rule:

    file collaborative tag is "only_for_group_b_eyes"
    user group membership is not member of “group B”

But, by doing this, the user “john”, who belongs only to group A and attempts to open the shared folder, is pushed back to home and cannot see any content of the folder, while I think he should see some files (those not tagged).

Furthermore, all files are still visible in the search results, but none can be opened.

Is there something I’m doing wrong here?

Hi,

I had a similar problem and it might be the same root cause. There is still a bug in NC 12 with File Access Control. You could try what helped me:

The problem is known and will be fixed in 12.0.1:

Thanks for your support!
Unfortunately I’m running into a similar issue, now that I upgraded to 12.0.2.
The conditions are pretty much the same: I shared a folder with a group “A” and then, on SOME items inside, I want to further restrict access to members of a “more privileged” group “B”.

When a user belonging only to group “A” enters the folder, two issues arise:

  • he can see the file in the list
  • when he tries to open the file he gets an “internal error” alert

In the logs we see this Error: core

Error while running background job (OCP\Files\ForbiddenException): Access denied

OCA\Files_Versions\Command\Expire {
	fileName: "/my_shared_folder/my_restricted_file.txt",
    user: "admin"
}

/var/www/html/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php - line 47: OCA\FilesAccessControl\Operation->checkFileAccess(Object(OCA\FilesAccessControl\StorageWrapper), 'files_versions/...')
/var/www/html/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php - line 269: OCA\FilesAccessControl\StorageWrapper->checkFileAccess('files_versions/...')
/var/www/html/nextcloud/lib/private/Files/View.php - line 1136: OCA\FilesAccessControl\StorageWrapper->unlink('files_versions/...')
/var/www/html/nextcloud/lib/private/Files/View.php - line 701: OC\Files\View->basicOperation('unlink', '/my_shared_folder...', Array)
/var/www/html/nextcloud/apps/files_versions/lib/Storage.php - line 220: OC\Files\View->unlink('/my_shared_folder...')
/var/www/html/nextcloud/apps/files_versions/lib/Storage.php - line 779: OCA\Files_Versions\Storage deleteVersion(Object(OC\Files\View), '/my_shared_folder...')
/var/www/html/nextcloud/apps/files_versions/lib/Command/Expire.php - line 61: OCA\Files_Versions\Storage expire('/my_shared_folder...', 'admin')
/var/www/html/nextcloud/lib/private/Command/CommandJob.php - line 35: OCA\Files_Versions\Command\Expire->handle()
/var/www/html/nextcloud/lib/private/BackgroundJob/Job.php - line 59: OC\Command\CommandJob->run('O 33 "OCA\\Files...')
/var/www/html/nextcloud/lib/private/BackgroundJob/QueuedJob.php - line 43: OC\BackgroundJob\Job->execute(Object(OC\BackgroundJob\JobList), Object(OC\Log))
/var/www/html/nextcloud/cron.php - line 147: OC\BackgroundJob\QueuedJob->execute(Object(OC\BackgroundJob\JobList), Object(OC\Log))
{main}