how to configure permissions for a group with read only status

The Basics

  • Nextcloud Server version : 30.0.4.1
  • Operating system and version : Debian 12.8
  • Web server and version : nginx/1.27.3
  • Reverse proxy and version : no
  • PHP version : PHP 8.3.14
  • Is this the first time you’ve seen this error? (Yes / No):
    Never tried before
  • When did this problem seem to first start?
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

[a configured group with read only/no download permission does not show the content of files]

Steps to replicate it (hint: details matter!):

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

Web Browser

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

Configuration

Nextcloud

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            " IP",
            "FQDN"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.4.1",
        "overwrite.cli.url": "https:\/\/amcddx.amecko.info",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "overwritehost": "amcddx.amecko.info",
        "activity_expire_days": 14,
        "allow_local_remote_servers": true,
        "auth.bruteforce.protection.enabled": true,
        "forbidden_filenames": [
            ".htaccess",
            "Thumbs.db",
            "thumbs.db"
        ],
        "cron_log": true,
        "default_phone_region": "DE",
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MKV",
            "OC\\Preview\\MP4",
            "OC\\Preview\\AVI"
        ],
        "filesystem_check_changes": 0,
        "filelocking.enabled": "true",
        "htaccess.RewriteBase": "\/",
        "integrity.check.disabled": false,
        "knowledgebaseenabled": false,
        "log_rotate_size": "104857600",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "logtimezone": "Europe\/Berlin",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "overwriteprotocol": "https",
        "preview_max_x": 1024,
        "preview_max_y": 768,
        "preview_max_scale_factor": 1,
        "profile.enabled": false,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 0.5,
            "dbindex": 1
        },
        "quota_include_external_storage": false,
        "share_folder": "\/Freigaben",
        "skeletondirectory": "",
        "trashbin_retention_obligation": "auto, 7",
        "maintenance_window_start": 1,
        "maintenance": false,
        "forbidden_filename_basenames": [
            "con",
            "prn",
            "aux",
            "nul",
            "com0",
            "com1",
            "com2",
            "com3",
            "com4",
            "com5",
            "com6",
            "com7",
            "com8",
            "com9",
            "com\u00b9",
            "com\u00b2",
            "com\u00b3",
            "lpt0",
            "lpt1",
            "lpt2",
            "lpt3",
            "lpt4",
            "lpt5",
            "lpt6",
            "lpt7",
            "lpt8",
            "lpt9",
            "lpt\u00b9",
            "lpt\u00b2",
            "lpt\u00b3"
        ],
        "forbidden_filename_characters": [
            "<",
            ">",
            ":",
            "\"",
            "|",
            "?",
            "*",
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            " ",
            ".",
            ".filepart",
            ".part"
        ]
    }
}

Apps

The output of occ app:list (if possible).

Enabled:
  - activity: 3.0.0
  - app_api: 4.0.3
  - bruteforcesettings: 3.0.0
  - calendar: 5.0.8
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0
  - comments: 1.20.1
  - contacts: 6.1.2
  - contactsinteraction: 1.11.0
  - dashboard: 7.10.0
  - dav: 1.31.1
  - federatedfilesharing: 1.20.0
  - federation: 1.20.0
  - files: 2.2.0
  - files_antivirus: 5.6.1
  - files_downloadlimit: 3.0.0
  - files_external: 1.22.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - files_versions: 1.23.0
  - groupfolders: 18.0.8
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - nextcloud_announcements: 2.0.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - password_policy: 2.0.0
  - photos: 3.0.2
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - recommendations: 3.0.0
  - related_resources: 1.5.0
  - richdocuments: 8.5.3
  - richdocumentscode: 24.4.1002
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - support: 2.0.0
  - systemtags: 1.20.0
  - text: 4.1.0
  - theming: 2.5.0
  - twofactor_backupcodes: 1.19.0
  - updatenotification: 1.20.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - weather_status: 1.10.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0
Disabled:
  - admin_audit: 1.20.0
  - encryption: 2.18.0
  - firstrunwizard: 3.0.0 (installed 3.0.0)
  - survey_client: 2.0.0 (installed 2.0.0)
  - suspicious_login: 8.0.0
  - twofactor_nextcloud_notification: 4.0.0
  - twofactor_totp: 12.0.0-dev
  - user_ldap: 1.21.0

Hi all,

We would like to configure a true read only access (without downloads) for certain resources. Therefore I created a group and set the permissions accordingly while sharing the folder:

But when a user of the read-only group tries to read a file, it is not displayed. The following message pops up:

By the way, if you click in this screen on the active '…' menu, you can download the file anyway, although the permission to download has been removed for this group - this seems to be a bug.
In essence, read only does work if download is enabled, but this is not the desired configuration.

Can somebody pls. clarify this case, or provide an appropriate solution.

Thx in advance

Hi @inxamc,

First of all, welcome to the forum!

You filled out the template, which is good, but I have to admit that I don’t fully understand the actual issue:

Can you perhaps explain a little more in detail what exactly you want to achieve, what you did and with what means, what your expectations were and where exactly your expectations differ from the result?


What I noticed, however, but is not related to your issue, are these entries in your config.php:

… you have

            "OC\\Preview\\Movie",

twice in the array and you have entered these three preview providers:

            "OC\\Preview\\MKV",
            "OC\\Preview\\MP4",
            "OC\\Preview\\AVI"

which actually don’t exist.
Where did you get these fantasy preview providers from? I’d be interested to know because I’ve seen them before. Perhaps the source of this nonsense can be eliminated.


Much and good luck,
ernolf
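As an added illustration of the two config.php issues pointed out above (this is example code, not code from the thread or from Nextcloud): a small Python lint over the JSON that `occ config:list system` prints, flagging duplicated and unknown `enabledPreviewProviders` entries. The set of shipped provider names is this example's own assumption, collected from the server's lib/private/Preview/ directory; check it against your version.

```python
import json

# Preview providers shipped in Nextcloud server's lib/private/Preview/,
# as far as the author of this example knows them; treat the set as an
# assumption to be verified against your own server version.
KNOWN_PROVIDERS = {f"OC\\Preview\\{name}" for name in (
    "PNG", "JPEG", "GIF", "BMP", "XBitmap", "TIFF", "SVG", "HEIC", "WebP",
    "MP3", "TXT", "MarkDown", "PDF", "Movie", "OpenDocument", "Krita",
    "MSOffice2003", "MSOffice2007", "MSOfficeDoc", "Photoshop", "Postscript",
    "StarOffice", "Illustrator", "Font", "EMF", "Imaginary", "ImaginaryPDF",
)}


def lint_preview_providers(config_json: str) -> dict:
    """Check enabledPreviewProviders in `occ config:list system` output.

    Returns duplicated entries, entries that name no shipped provider
    (they simply take no effect, which is why no error shows up), and
    the de-duplicated list that actually applies.
    """
    system = json.loads(config_json).get("system", {})
    providers = system.get("enabledPreviewProviders", [])
    seen, duplicates, unknown = set(), [], []
    for provider in providers:
        if provider in seen and provider not in duplicates:
            duplicates.append(provider)
        seen.add(provider)
        if provider not in KNOWN_PROVIDERS and provider not in unknown:
            unknown.append(provider)
    return {
        "duplicates": duplicates,
        "unknown": unknown,
        # dict.fromkeys keeps first-seen order while dropping repeats
        "effective": [p for p in dict.fromkeys(providers) if p in KNOWN_PROVIDERS],
    }


# Constructed sample: the enabledPreviewProviders array quoted in the thread.
SAMPLE_CONFIG = r'''{"system": {"enabledPreviewProviders": [
  "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\BMP",
  "OC\\Preview\\XBitmap", "OC\\Preview\\Movie", "OC\\Preview\\PDF", "OC\\Preview\\MP3",
  "OC\\Preview\\TXT", "OC\\Preview\\MarkDown", "OC\\Preview\\HEIC", "OC\\Preview\\Movie",
  "OC\\Preview\\MKV", "OC\\Preview\\MP4", "OC\\Preview\\AVI"]}}'''

if __name__ == "__main__":
    for key, value in lint_preview_providers(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the real output of `occ config:list system` to get the same report for your own instance.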

Hi ernolf,

You are right! - I didn’t enter the body before I clicked submit in the first run - now the text is included - pls. recheck…
Ref. config.php: as I mentioned I used the following guide for installation:

I just copied and pasted the proposed conf - so you might check the installation guide and ask the author Carsten Rieger.
If you do so, pls. let me know the outcome - I would like to clean up the config.php just in case it is useful.
Rgs

Carsten Rieger is under the id @riegercloud also a member of this forum. Perhaps he wants to comment on this himself. He hasn’t been here for quite a while (more than a year), though.

Unfortunately, (not only) this guide is as wrong as it is bloated. Many of the steps in the instructions are unnecessary. It can serve as an example at best, but you shouldn’t just copy it 1:1 if you don’t know exactly what the individual steps do.

That’s what the official manual is for. You should stick to it.

As you can see from this example, a lot of nonsense and fantasy is being spread, often just to pretend that the author knows more than others.

But I can’t change it, I have got my knowledge from the code itself. Anyone who reads the code will find that the preview providers I mentioned above don’t exist.

Although no error message will be issued for this reason, it diminishes my trust in the competence of the author who creates this guide and earns his money from it.

→ Here is more information about preview providers ←


Much and good luck,
ernolf


The way you understand “read only” is different to the reality but it is not a bug.
Some files need to be downloaded in order to be displayed, like text or PDF files.
If you want to share those files, they MUST be downloadable. Read only is only the “share” itself but not its content.
If you want to share a text file in a read only way like you understand it, you should create a jpg or png image or screenshot from it. The created previews will stay visible.
Everything other than previews (images/thumbs) is not visible when download is deactivated.

I hope this helps you to understand the functionality.


Much and good luck,
ernolf

Here are a couple of more thoughts:

If only the previews are visible, then these previews can of course be downloaded. Otherwise they wouldn’t be visible in the browser.
So “View Only” actually means that the file cannot be changed but NOT that it cannot be downloaded. On the other hand, there is the option of setting it with “Allow editing”. The custom permissions are very academic but not really of practical importance. They are about setting the bit mask exactly but they cannot make files visible that are not allowed to be downloaded.
Conversely: If the download of the file is blocked, then of course it cannot be seen either.
What you can see, however, is that a share exists and what the share is called and what preview images it has, but you are not allowed to download the content and therefore not allowed to view it either.


ernolf
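The permission model described in the two replies above, written out as an added Python example (not part of the thread and not Nextcloud's own code): the permission bits are the constants from `OCP\Constants`, while the no-download restriction is modelled as a separate boolean because it is a share attribute rather than a permission bit; the MIME-type-to-provider table is a constructed assumption for the example.

```python
# Share permission bits as defined in OCP\Constants of Nextcloud server.
PERMISSION_READ, PERMISSION_UPDATE, PERMISSION_CREATE = 1, 2, 4
PERMISSION_DELETE, PERMISSION_SHARE = 8, 16
PERMISSION_ALL = 31

# Constructed mapping from MIME type to the preview provider that renders
# its thumbnail (an assumption for this example, not a complete table).
PROVIDER_FOR_MIME = {
    "image/png": "OC\\Preview\\PNG",
    "image/jpeg": "OC\\Preview\\JPEG",
    "application/pdf": "OC\\Preview\\PDF",
    "text/plain": "OC\\Preview\\TXT",
}


def decode_permissions(mask: int) -> list[str]:
    """Name the bits set in a share permission mask, e.g. 1 -> ['read']."""
    names = [("read", PERMISSION_READ), ("update", PERMISSION_UPDATE),
             ("create", PERMISSION_CREATE), ("delete", PERMISSION_DELETE),
             ("share", PERMISSION_SHARE)]
    return [name for name, bit in names if mask & bit]


def recipient_view(mask: int, download_allowed: bool, mimetype: str,
                   enabled_providers: set[str]) -> dict:
    """Model what a share recipient gets, following the explanation above:

    - the share is listed (name visible) whenever the read bit is set;
    - a thumbnail is shown if a preview provider is enabled for the type;
    - the content can only be opened if the file may be downloaded,
      because the viewer has to fetch it; editing needs that as well.
    download_allowed is a share attribute, not a bit of the mask.
    """
    listed = bool(mask & PERMISSION_READ)
    provider = PROVIDER_FOR_MIME.get(mimetype)
    return {
        "listed": listed,
        "thumbnail": listed and provider in enabled_providers,
        "open_content": listed and download_allowed,
        "edit": listed and download_allowed and bool(mask & PERMISSION_UPDATE),
    }


if __name__ == "__main__":
    enabled = {"OC\\Preview\\PNG", "OC\\Preview\\PDF", "OC\\Preview\\TXT"}
    # "View only" share with the download attribute switched off, as in the thread
    print(decode_permissions(PERMISSION_READ),
          recipient_view(PERMISSION_READ, False, "application/pdf", enabled))
```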

Hi ernolf,
Thanks a lot for your answer! Very valuable information about preview providers - I’ll work it out asap and maybe come back on it later.
I chose the installation guide from CR, because it fully supports a Debian/NGINX setup, while the official guide seems to prefer an Ubuntu/Apache setup (no installation example for Debian) - but following your advice, I’ll double-check my setup against the official guide (Latest release today! :slightly_smiling_face:).
Reading the code is somehow unreal for various reasons, although I wish I could do it…
Great support, thanks again with a metaphorical :yum:


Hi ernolf,
Again thanks for your profound answer! I was afraid you would tell me that it is, like it is. Don’t want to be annoying, but why is it possible to configure it as read only at all if the two permissions are tightly coupled?
The consequence of what I know now is that I’ll have to hide lots of content by not sharing it, and just not allow confidential material to be uploaded.
If you don’t mind, I still have some questions:
What is the relation between the underlying POSIX filesystem permissions (ext4 in my case) and the permission management in nextcloud?
Do they interact?
Is it feasible to use external storage to enforce a true read only scenario?
If so, do you know any best practice or have a pointer?
Thanks in advance!