NC 29.0.2 webdav: error: forbidden: Download denied because permission is disabled

Hi there,

I recently upgraded our NextCloud to Version 29.0.2 (coming from NC 27).
Now I am facing thousends of error messages in the log-file.
It seems there is a webdav issue with a lot of files regarding disabled download permission:

Access to this shared resource has been denied because its download permission is disabled.","userAgent":"Mozilla/5.0 (Windows) mirall/3.13.0stable-Win64 (build 20240423) (Nextcloud, windows-10.0.19045 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"29.0.2.2","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\Forbidden","Message":"Access to this shared resource has been denied because its download permission is disabled.","Code":0,"Trace":[{"file":"/www/htdocs/.../.../web/cloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"checkViewOnly","class":"OCA\\DAV\\DAV\\ViewOnlyPlugin","type":"->","args":[["Sabre\\HTTP\\Request"],["Sabre\\HTTP\\Response"]]},{"file":"/www/htdocs/.../.../web/cloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->","args":["method:GET",[["Sabre\\HTTP\\Request"],["Sabre\\HTTP\\Response"]]]},{"file":"/www/htdocs/.../.../web/cloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":[["Sabre\\HTTP\\Request"],["Sabre\\HTTP\\Response"]]},{"file":"/www/htdocs/.../.../web/cloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"/www/htdocs/.../.../web/cloud/apps/dav/lib/Server.php","line":374,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"/www/htdocs/.../.../web/cloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->","args":[]},{"file":"/www/htdocs/.../.../web/cloud/remote.php","line":172,"args":["/www/htdocs/.../.../web/cloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/www/htdocs/.../.../web/cloud/apps/dav/lib/DAV/ViewOnlyPlugin.php","Line":112,"message":"Access to this shared resource has been denied because its download permission is disabled.","exception":[],"CustomMessage":"Access to this shared resource has been denied because its download permission is disabled."

I already did a file-scan and repair using occ.
We are running PHP 8.2.20

Is there a way to get rid of this error messages?
Tanks in advance - this is my first posting here, I hope I didn`t miss anything.

Peter

It’s the “Allow Download” permission (or lack thereof, rather) that is generating that log entry.

However it’s from back in v25. Not sure why you’d be seeing anything new in v29 versus v27 for this.

Okay, thanks. I will try to set the permission. There are about 3700 relating log entries in less than 24 hours. Our Server is hosted in a shared environment. So there is a strict PHP-FPM limit. Since the update to NC29 we are facing issues accessing the NC because webdav/sabre PHP Scripts are running to long and get discared. I hope maybe there could be a correlation and getting rid of the error logs will fasten up these long running PHP scripts…

These are the long runners according to our hoster:

script_filename = /www/htdocs/.../.../web/nextcloud/remote.php
[0x00007be770c155e0] stream_copy_to_stream() /www/htdocs/.../.../web/nextcloud/3rdparty/sabre/http/lib/Sapi.php:110
[0x00007be770c15460] sendResponse() /www/htdocs/.../.../web/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php:490
[0x00007be770c153a0] invokeMethod() /www/htdocs/.../.../web/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php:253
[0x00007be770c152a0] start() /www/htdocs/.../.../web/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php:321
[0x00007be770c15250] exec() /www/htdocs/.../.../web/nextcloud/apps/dav/lib/Server.php:374
[0x00007be770c151d0] exec() /www/htdocs/.../.../web/nextcloud/apps/dav/appinfo/v2/remote.php:35

We noticed that we are not able to set this permission. The option is visible but we can not check the checkbox.

I suspect that maybe permissions in the filesystem of the debian server are missing.
During the Update to Version 29.0.2 the auto-updater failed and I hat to do the upgrade manually. I uploaded the Version 29.0.2 and copied our data directory.

So maybe some permissions got left behind .

Do you maybe have some advice how to set the permissions in the linux filesystem correctly for the nextcloud to work properly?

I suspect that maybe permissions in the filesystem of the debian server are missing.

This error isn’t at the OS level permissions. It’s specifically at the Nextcloud layer of things.

We noticed that we are not able to set this permission. The option is visible but we can not check the checkbox.

Is “we” the file owner or a downstream sharee attempting to reshare? The issue could be upstream permissions from the owner to the sharee.

Thanks jtr so far.

What I found out is that if I create a new share I can enable the download permission. Only for all the existing shares it is not possible to add this permission.

By “we” I meant me and my colleague who trying to add the enable download permission to his shared folders and who was unable to do so. We tried it with his NextCloud user account because it was the one which created the shares to which he can not set the enable download permission.

For enabling the enable download permission to our shares it seems we have to remove it and set it new. Because then the enable download permission is automatically set.

Can you share the output of occ info:file xxxx for one of these files or folders?

The xxxx can either be:

  • the numeric file id (taken from the browser URL when you have the share details open in the UI for one of these files).
  • the path relative to the datadirectory (e.g. username/files/SomeSharedFolder)

You can change any names/etc when posting the output if you wish for privacy purposes.

Also, if it’s an option, ideally you could bump this server up to the latest maintenance release (v29.0.3) just to rule out any already fixed bugs. The closest even remotely relevant bug fixes I can think of in v29.0.3 is: [stable27] 44032 fix show new shares without refresh by Fenn-CS · Pull Request #44464 · nextcloud/server · GitHub (ignore the reference to stable27 - it was ported to 29 as well).

This is the Output of one affected PDF file:
(Currently, person-1 is not able to add the enable download permission
for group-1 or the other persons although he is the owner.)

fileid: 156629
mimetype: application/pdf
modified: June 20, 2024, 5:19:13 PM UTC
not encrypted
size: 27 KB
etag: 111cd834a73e5ebb4ab806bfeb3f93d7

The following users have access to the file

person-1:
/person-1/files/store/file.pdf: full permissions
home storage
person-2:
/peson-2/files/store/file.pdf: full permissions
shared by person-1 (via group group-1) owned by person-1
person-3:
/person-3/files/store/file.pdf: full permissions
shared by person-1 (via group group-1) owned by person-1
person-4:
/person-4/files/store/file.pdf: full permissions
shared by person-1 (via group group-1) owned by person-1
person-5:
/person-5/files/store/file.pdf: full permissions
shared by person-1 owned by person-1
person-6:
/person-6/files/store/file.pdf: full permissions
shared by person-1 (via group group-1), person-1 owned by person-1
person-7:
/person-7/files/store/file.pdf: full permissions
shared by person-1 (via group group-1) owned by person-1
person-8:
/person-8/files/store/file.pdf: full permissions
shared by person-1 (via group group-1) owned by person-1