[GROUP FOLDERS] When setting up an account, a user was able to retrieve part of the data to which they did not have access (bug ?)

Hi everyone,

I take the liberty of writing this forum post to know if other people have had the case? For my part, it’s the first time it happens on a hundred users and several years of use of Nextcloud.


Via a setting of Groups Folders, I have partitioned the user access. I have a total of three Groups Folders: COMMUN, ADMINISTRATIF, MANAGEMENT

My user A has access to the “COMMUN” folder.
My user B has access to the “COMMUN” folder

My user A changes computers and his current computer is picked up by user B, so I disconnected user A’s account to set up user B’s account.

The indexing and synchronization is done well, except that I realize that an hour later the “ADMINISTRATIF” folder was copied into the “COMMUN” folder (even though they are two root folders and strictly separated) with mostly some files inside, not all. Really, really weird.
I thought it was a bad manipulation by another user, except that my client told me that it was not and that he was sure that it was not a bad manipulation. So I went through the logs and :

  • From the web interface and the activity tab, it is indeed my USER B who created this “ADMINISTRATIF” folder and who put some data in it (but not all …)
  • From the logs of my nextcloud’s web server, I have the trace that my user B has created the folder in question : the source public IP, the user-agent of the PC, the fingerprint of the NExtcloud client => everything matches
IP PUBLIC - USER B [09/May/2022:11:17:10 +0200] "MKCOL /remote.php/dav/files/USERB/COMMUN/ADMINISTRATIF HTTP/1.1" 201 0 "-" "Mozilla/5.0 (Windows) mirall/3.4.1stable-Win64 (build 20211221) (Nextcloud, windows-10.0.22000 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
  • From the logs of the Nextcloud client of the PC, I also have the trace but with several lines in errors, which is very strange:
11:17:10||COMMUN/ADMINISTRATIF|8|1|1647936187||0|00238748ocd9lczxhoj9|4|unknown error|201|0|0|52438748-2001-4d23-9dc2-615de3901253|
11:17:10||COMMUN/ADMINISTRATIF/1-Agréments et certifications|8|1|1647936227||4096|00238749ocd9lczxhoj9|4|unknown error|201|0|0|aac1bd21-48d2-4d13-b2d4-885f2c2d5e16|
11:17:11||COMMUN/ADMINISTRATIF/1-Agréments et certifications/1-Bilans DIRECCTE|8|1|1647936229||0|00238750ocd9lczxhoj9|4|unknown error|201|0|0|7cdfb8dd-5064-481e-ba94-795461f4a8c3|
11:17:11||COMMUN/ADMINISTRATIF/1-Agréments et certifications/3-OPQF|8|1|1647936373||0|00238751ocd9lczxhoj9|4|unknown error|201|0|0|89f8fa2d-4232-4ebd-98f0-fd8336855db9|
11:17:11||COMMUN/ADMINISTRATIF/1-Agréments et certifications/2-CSE_CHSCT|8|1|1647936369||0|00238752ocd9lczxhoj9|4|unknown error|201|0|0|9911aee6-e3c7-4dd0-a2b6-6663942a440b|

This is very strange because my user B was able to create and copy some data from the ADMINISTRATIF folder to COMMUN knowing that he has no access to the ADMINISTRATIF folder (only two users have it) and I can’t explain this behavior.

Technical stack :

  • Nextcloud 22.2.3
  • PHP8.0
  • Nextcloud client on USER B computer : Nextcloud 3.4.1

I will of course update the sync client on the user’s machine. Does anyone have an explanation about this problem (race condition?). It’s the first time I’m facing this kind of problem :slight_smile:

Thanks !