Nextcloud Team Folder Permissions Not Working for One User

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.2 (latest docker release)
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 24.04
  • Web server and version (e.g, Apache 2.4.25):
    • Apache/2.4.62
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • nginx/1.27.4
  • PHP version (e.g, 8.3):
    • 8.3.20
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • 15.04.2025
  • Installation method (e.g., AIO, NCP, Bare Metal/Archive, etc.)
    • Docker Compose
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

One of the users on my Nextcloud instance has read-only access to a Team Folder, even though they belong to the correct group with full permissions.

I’m using the Team Folders app to manage shared access. The folder in question has two group-based permission rules:

  • Group “User”: No access to the folder
  • Group “Images”: Full access to the folder

The reason behind this setup is that every user is part of the “User” group by default, but I don’t want all users to access the “Images” folder. To control access, I assign the “Images” group only to users who should have full access.

When I initially tested this setup with my own account, it worked as expected:

  • Without the “Images” group: I couldn’t see the folder.
  • With the “Images” group: I had full read/write access.

However, one user recently reported that they can see the folder but can only read, not write. I removed the “Images” group from their account, and they could no longer see the folder (which is expected). But when I re-added the group, they still only had read access.

I’ve tested the exact same scenario with several other user accounts, and they all have full access when assigned to the “Images” group. The issue seems to affect only this one user.
I already tried deleting the account and recreating it, but without success.

Steps to replicate it (hint: details matter!):

Sadly, I don’t have a clue how to reproduce this, since it seems to affect only that one particular user.

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.
No error in the timeframe.

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

Not related to the browser/computer. We tried it on different machines with different browsers.

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:01 +0200] "GET / HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:01 +0200] "GET /apps/files/ HTTP/2.0" 200 44972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:04 +0200] "REPORT /remote.php/dav/files/BROKEN_USER/ HTTP/2.0" 207 156 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:04 +0200] "GET /ocs/v2.php/apps/files/api/v1/folder-tree?path=%2F&depth=1 HTTP/2.0" 200 136 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:07 +0200] "PROPFIND /remote.php/dav/files/BROKEN_USER/ HTTP/2.0" 207 1058 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:08 +0200] "GET /apps/onlyoffice/ajax/template HTTP/2.0" 200 22 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:09 +0200] "PROPFIND /remote.php/dav/files/BROKEN_USER/ HTTP/2.0" 207 1058 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:10 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 200 81 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:10 +0200] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 200 81 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "-"
nginx  | 127.0.0.1 - - [16/Apr/2025:14:43:10 +0200] "GET / HTTP/1.1" 301 162 "-" "curl/7.88.1" "-"

The username has been replaced by BROKEN_USER for privacy reasons.

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "upgrade.disable-web": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "my.domain.com"
        ],
        "allowed_admin_ranges": [
            "PUBLIC_IP\/32"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.2.1",
        "overwrite.cli.url": "https:\/\/my.domain.com",
        "overwritehost": "my.domain.com",
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "maintenance_window_start": 1,
        "skeletondirectory": "\/var\/www\/html\/data\/skeleton",
        "loglevel": 3,
        "forbidden_filename_basenames": [
            "con",
            "prn",
            "aux",
            "nul",
            "com0",
            "com1",
            "com2",
            "com3",
            "com4",
            "com5",
            "com6",
            "com7",
            "com8",
            "com9",
            "com\u00b9",
            "com\u00b2",
            "com\u00b3",
            "lpt0",
            "lpt1",
            "lpt2",
            "lpt3",
            "lpt4",
            "lpt5",
            "lpt6",
            "lpt7",
            "lpt8",
            "lpt9",
            "lpt\u00b9",
            "lpt\u00b2",
            "lpt\u00b3"
        ],
        "forbidden_filename_characters": [
            "<",
            ">",
            ":",
            "\"",
            "|",
            "?",
            "*",
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            " ",
            ".",
            ".filepart",
            ".part"
        ],
        "defaultapp": "files",
        "app_install_overwrite": []
    }
}

The allowed admin IP has been replaced by PUBLIC_IP.
The domain name has been replaced by my.domain.com.

Apps

The output of occ app:list (if possible).

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - files: 2.3.1
  - files_accesscontrol: 2.0.0
  - files_automatedtagging: 2.0.0
  - files_pdfviewer: 4.0.0
  - files_retention: 2.0.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - forms: 5.1.0
  - groupfolders: 19.0.4
  - integration_openai: 3.5.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - onlyoffice: 9.8.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sociallogin: 6.0.1
  - suspicious_login: 9.0.1
  - tables: 0.9.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - viewer: 4.0.0
  - whiteboard: 1.0.5
  - workflowengine: 2.13.0
Disabled:
  - comments: 1.21.0 (installed 1.20.1)
  - contactsinteraction: 1.12.0 (installed 1.11.0)
  - encryption: 2.19.0
  - federation: 1.21.0 (installed 1.20.0)
  - files_downloadlimit: 4.0.0 (installed 3.0.0)
  - files_external: 1.23.0
  - files_reminders: 1.4.0 (installed 1.3.0)
  - firstrunwizard: 4.0.0 (installed 3.0.0)
  - nextcloud_announcements: 3.0.0 (installed 2.0.0)
  - password_policy: 3.0.0 (installed 2.0.0)
  - photos: 4.0.0-dev.1 (installed 3.0.2)
  - recommendations: 4.0.0 (installed 3.0.0)
  - related_resources: 2.0.0 (installed 1.5.0)
  - sharebymail: 1.21.0 (installed 1.20.0)
  - support: 3.0.0 (installed 2.0.0)
  - survey_client: 3.0.0 (installed 2.0.0)
  - systemtags: 1.21.1 (installed 1.20.0)
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - user_ldap: 1.22.0
  - user_status: 1.11.0 (installed 1.10.0)
  - weather_status: 1.11.0 (installed 1.10.0)
  - webhook_listeners: 1.2.0 (installed 1.1.0-dev)
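
Added example, not part of the original post and not Nextcloud code: the nginx excerpt above contains only read requests (GET, REPORT, PROPFIND), so a capture taken while the affected user attempts an upload is what would show whether the server rejects the write. The script below parses access-log lines in the format shown in the post and groups WebDAV write requests per user by outcome; the sample lines, the WORKING_USER name and the status codes in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the docker-compose/nginx format shown in the post.
# BROKEN_USER / WORKING_USER are placeholder accounts; PUBLIC_IP is the post's redaction.
SAMPLE_LOG = """\
nginx  | PUBLIC_IP - - [16/Apr/2025:14:43:07 +0200] "PROPFIND /remote.php/dav/files/BROKEN_USER/ HTTP/2.0" 207 1058 "-" "Mozilla/5.0" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:44:02 +0200] "PUT /remote.php/dav/files/BROKEN_USER/Images/a.png HTTP/2.0" 403 211 "-" "Mozilla/5.0" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:44:30 +0200] "MKCOL /remote.php/dav/files/BROKEN_USER/Images/new HTTP/2.0" 403 205 "-" "Mozilla/5.0" "-"
nginx  | PUBLIC_IP - - [16/Apr/2025:14:45:11 +0200] "PUT /remote.php/dav/files/WORKING_USER/Images/b.png HTTP/2.0" 201 0 "-" "Mozilla/5.0" "-"
nginx  | 127.0.0.1 - - [16/Apr/2025:14:43:10 +0200] "GET / HTTP/1.1" 301 162 "-" "curl/7.88.1" "-"
"""

LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?'                       # optional "nginx  | " compose prefix
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Per-user WebDAV files endpoint, as seen in the post's PROPFIND/REPORT lines.
DAV_RE = re.compile(r'^/remote\.php/dav/files/(?P<user>[^/]+)/(?P<rest>.*)$')
# WebDAV methods that modify content; read methods are ignored.
WRITE_METHODS = {"PUT", "MKCOL", "DELETE", "MOVE", "COPY", "PROPPATCH"}


def summarize_dav_writes(log_text):
    """Return {user: {"ok": [...], "failed": [...]}} for WebDAV write requests."""
    result = defaultdict(lambda: {"ok": [], "failed": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        dav = DAV_RE.match(m["path"])
        if not dav:
            continue
        status = int(m["status"])
        bucket = "failed" if status >= 400 else "ok"   # any 4xx/5xx counts as failed
        result[dav["user"]][bucket].append((m["ts"], m["method"], dav["rest"], status))
    return dict(result)


if __name__ == "__main__":
    for user, r in summarize_dav_writes(SAMPLE_LOG).items():
        print(user, "ok:", len(r["ok"]), "failed:", len(r["failed"]))
        for entry in r["failed"]:
            print("   ", *entry)
```

If the affected user produces no write requests at all during a test upload, the client never attempted the write, and the log alone will not show why.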