Nextcloud app can write to folders without permission

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    30.0.2
  • Operating system and version (e.g., Ubuntu 24.04):
    Ubuntu Server 20.04.6
  • Web server and version (e.g, Apache 2.4.25):
    latest docker
  • Reverse proxy and version (e.g. nginx 1.27.2):
    nginx 1.18.0
  • PHP version (e.g, 8.3):
    latest docker
  • Is this the first time you’ve seen this error? (Yes / No):
    Yes
  • When did this problem seem to first start?
    –
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    docker
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    no

Summary of the issue you are facing:

Guest users are able to write via the Nextcloud iPhone app in folders they do not have permission for, and consequently also cannot delete the files they uploaded.

Steps to replicate it (hint: details matter!):

  1. Share a folder by email → invite them as guest user.
  2. Guest user activates account and logs in. He sees the shared folder in his document root. In the root directory he is not able to create files via the web GUI, only in the folder shared with him, where edit permissions were given. So far as expected.
  3. Now he uses his credentials for the Nextcloud iPhone app, scans a document and tries to upload it to the root folder. He will get an error message (403 You do not have permission to complete the operation) and it is suggested that he try again with a different file name. Confirming that, “Files upload in progress…” is shown, but it never finishes. Ending the app in iOS and restarting it then shows the file after refreshing.
  4. The user cannot delete the files, as he doesn’t have permission for it.
    (Similar behaviour when uploading files directly.)

This is a problem, as guest users can upload files uncontrolled to a “private” non-shared folder. There is a workaround by setting the quota to 0, but still, the situation where upload is possible but deletion is not looks inconsistent, as I couldn’t find a setting for whether a guest user’s root should be write-only or similar.

Configuration

Nextcloud

Active guest settings are:

  • Hide other accounts from guests
  • Limit guest access to an app’s allowlist

The allowlist is the standard setting plus deck, activity, viewer, files_sharing, files_versions.

Installed Apps:

Enabled:

  • activity: 3.0.0
  • admin_audit: 1.20.0
  • app_api: 4.0.0
  • bruteforcesettings: 3.0.0
  • calendar: 5.0.1
  • circles: 30.0.0
  • cloud_federation_api: 1.13.0
  • comments: 1.20.1
  • contacts: 6.1.1
  • contactsinteraction: 1.11.0
  • dav: 1.31.1
  • deck: 1.14.2
  • external: 5.5.2
  • federatedfilesharing: 1.20.0
  • federation: 1.20.0
  • files: 2.2.0
  • files_downloadactivity: 1.17.0
  • files_downloadlimit: 3.0.0
  • files_external: 1.22.0
  • files_pdfviewer: 3.0.0
  • files_reminders: 1.3.0
  • files_sharing: 1.22.0
  • files_trashbin: 1.20.1
  • files_versions: 1.23.0
  • guests: 4.0.1
  • impersonate: 1.17.0
  • logreader: 3.0.0
  • lookup_server_connector: 1.18.0
  • mail: 4.0.2
  • nextcloud_announcements: 2.0.0
  • notifications: 3.0.0
  • oauth2: 1.18.1
  • onlyoffice: 9.5.0
  • password_policy: 2.0.0
  • photos: 3.0.2
  • privacy: 2.0.0
  • provisioning_api: 1.20.0
  • recommendations: 3.0.0
  • related_resources: 1.5.0
  • serverinfo: 2.0.0
  • settings: 1.13.0
  • sharebymail: 1.20.0
  • spreed: 20.0.2
  • support: 2.0.0
  • survey_client: 2.0.0
  • suspicious_login: 8.0.0
  • systemtags: 1.20.0
  • text: 4.1.0
  • theming: 2.5.0
  • theming_customcss: 1.17.0
  • twofactor_backupcodes: 1.19.0
  • twofactor_nextcloud_notification: 4.0.0
  • twofactor_totp: 12.0.0-dev
  • updatenotification: 1.20.0
  • user_status: 1.10.0
  • viewer: 3.0.0
  • weather_status: 1.10.0
  • webhook_listeners: 1.1.0-dev
  • workflowengine: 2.12.0

Disabled:

  • appointments: 2.1.10 (installed 1.14.6)
  • dashboard: 7.10.0 (installed 7.10.0)
  • encryption: 2.18.0 (installed 2.18.0)
  • files_rightclick: 0.15.1 (installed 1.6.0)
  • firstrunwizard: 3.0.0 (installed 3.0.0)
  • unsplash: 3.0.1 (installed 2.1.1)
  • user_ldap: 1.21.0

There is a workaround by setting the quota to 0,

This is already the default for guest users.

What was the quota set to prior to the change?

Is the file uploaded correctly (I mean is it complete; and prior to your adjusting of the quota)?

What appears in your Nextcloud log during the upload and/or deletion attempt?