Rights errors after upgrade to 30.0.5

The Basics

  • Nextcloud Server version: 30.0.5
  • Operating system and version: Debian GNU/Linux 11 (bullseye)
  • Web server and version: Apache/2.4.62
  • PHP version: PHP 8.2.27
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • After an upgrade
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • /var/www/nextcloud/updater/updater.phar

Summary of the issue you are facing:

After upgrading to Nextcloud Hub 9 (v30.0.5), users are experiencing permission issues with groupfolders. Some users have lost their access rights to certain groupfolders that they previously had access to. The file system permissions on the server side appear to be correct (all folders are owned by www-data), but the access through the Nextcloud interface is affected.

The issue appeared immediately after the upgrade from the previous version. While the physical files are still present in the groupfolders directory and the database tables (oc_group_user and oc_share) show the correct sharing settings, users cannot access their assigned groupfolders through the web interface.

Steps to replicate it (hint: details matter!):

  1. Upgrade a Nextcloud server (with Groupfolders and sub-folders that have specific rights for different groups coming from an LDAP server)

Configuration

Nextcloud

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.engit.fr"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/cloud.engit.fr",
        "dbtype": "mysql",
        "version": "30.0.5.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "integrity.check.disabled": false,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "maintenance": false,
        "theme": "",
        "log_type": "file",
        "logfile": "\/var\/www\/logs\/nextcloud.engitcloud.log",
        "loglevel": 0,
        "logtimezone": "Europe\/PARIS",
        "log_query": false,
        "default_phone_region": "FR",
        "remember_login_cookie_lifetime": 1296000,
        "session_lifetime": 86400,
        "session_keepalive": true,
        "auth.bruteforce.protection.enabled": true,
        "trashbin_retention_obligation": "auto",
        "versions_retention_obligation": "auto",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwriteprotocol": "https",
        "has_rebuilt_cache": true,
        "knowledgebaseenabled": true,
        "allow_user_to_change_display_name": false,
        "updatechecker": true,
        "updater.release.channel": "stable",
        "check_for_working_htaccess": true,
        "app_install_overwrite": [
            "ransomware_detection",
            "chronos",
            "recommendation_assistant",
            "mindmap_app",
            "deck",
            "groupfolders",
            "piwik",
            "impersonate",
            "hsts"
        ],
        "data-fingerprint": "c7e604e62a2e2102af561e549727174a",
        "mysql.utf8mb4": true,
        "opcache.interned_strings_buffer": "32",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance_window_start": "3"
    }
}

Apps

Enabled:
  - activity: 3.0.0
  - admin_audit: 1.20.0
  - app_api: 4.0.5
  - bruteforcesettings: 3.0.0
  - cadviewer: 10.10.7
  - calendar: 5.0.9
  - chronos: 0.0.1
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0
  - comments: 1.20.1
  - contacts: 6.1.3
  - contactsinteraction: 1.11.0
  - dashboard: 7.10.0
  - dav: 1.31.1
  - deck: 1.14.3
  - external: 5.5.2
  - federatedfilesharing: 1.20.0
  - federation: 1.20.0
  - files: 2.2.0
  - files_downloadlimit: 3.0.0
  - files_external: 1.22.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - files_versions: 1.23.0
  - firstrunwizard: 3.0.0
  - groupfolders: 18.0.9
  - impersonate: 1.17.1
  - keeweb: 0.6.20
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - nextcloud_announcements: 2.0.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - onlyoffice: 9.5.0
  - password_policy: 2.0.0
  - photos: 3.0.2
  - piwik: 0.13.0
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - recommendations: 3.0.0
  - related_resources: 1.5.0
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - support: 2.0.0
  - survey_client: 2.0.0
  - suspicious_login: 8.0.0
  - systemtags: 1.20.0
  - tasks: 0.16.1
  - theming: 2.5.0
  - twofactor_backupcodes: 1.19.0
  - twofactor_totp: 12.0.0-dev
  - updatenotification: 1.20.0
  - user_ldap: 1.21.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - weather_status: 1.10.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0
Disabled:
  - encryption: 2.18.0 (installed 2.14.0)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - text: 4.1.0 (installed 3.8.0)
  - twofactor_nextcloud_notification: 4.0.0

If something breaks like this during an upgrade, it’s worth checking the bug tracker. There are issues linked with ACL settings; not sure if any matches your case. If not, open a new one.

We have concluded that the policy for managing access to folders has changed: if a user is part of a group with denied access AND a group with inherited authorization, then the folder will be denied.

In conclusion, in this particular case, the inherited authorization must be converted into an explicit authorization.
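To make the interaction described in the thread concrete, here is an added model of per-group ACL rules on nested paths. It is constructed for this post and is not the groupfolders app's own code; the permission bits, group names, paths and the resolution rule (at a given path, explicit rules from all of the user's groups are merged, an explicit allow from any group sets the bit, an explicit deny from any group clears it unless another group allows it, and a group with no rule on that path contributes nothing and so lets the parent's decision stand) are assumptions taken from the conclusion above, not from the app's source.

```python
from dataclasses import dataclass
from typing import Iterable

# Permission bits (constructed for this model; the real app uses Nextcloud's
# PERMISSION_* constants, which are not reproduced here).
READ, WRITE = 1, 2
ALL = READ | WRITE


@dataclass(frozen=True)
class Rule:
    """An explicit ACL rule for one group on one path.

    mask  : the bits this rule decides
    perms : the value of those bits (bit set = allow, bit clear = deny)
    A group with no rule on a path "inherits": it contributes nothing at that level.
    """
    group: str
    path: str
    mask: int
    perms: int


def _prefixes(path: str) -> list[str]:
    """'/Projects/Confidential' -> ['/', '/Projects', '/Projects/Confidential']."""
    parts = [p for p in path.strip("/").split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def effective_permissions(rules: Iterable[Rule], user_groups: set[str],
                          path: str, folder_default: int = ALL) -> int:
    """Walk from the folder root down to `path`, applying each level's merged rule."""
    perms = folder_default
    for prefix in _prefixes(path):
        level = [r for r in rules if r.path == prefix and r.group in user_groups]
        if not level:
            continue  # every group of the user inherits here: keep the parent's decision
        mask = allowed = 0
        for r in level:
            mask |= r.mask                # this level now decides these bits
            allowed |= r.perms & r.mask   # an explicit allow from any group sets the bit
        # Bits decided at this level replace whatever was inherited from the parent,
        # so a lone deny from one group clears bits another group only inherited.
        perms = (perms & ~mask) | allowed
    return perms


def describe(perms: int) -> str:
    names = [n for bit, n in ((READ, "read"), (WRITE, "write")) if perms & bit]
    return ",".join(names) or "none"


# Constructed scenario: "staff" is allowed at the root and only inherits below it;
# the sub-folder carries an explicit deny for "interns" and nothing else.
RULES_BEFORE = [
    Rule("staff", "/", ALL, ALL),
    Rule("interns", "/Projects/Confidential", ALL, 0),
]
# The fix from the thread: turn the inherited authorization into an explicit one.
RULES_AFTER = RULES_BEFORE + [Rule("staff", "/Projects/Confidential", ALL, ALL)]

if __name__ == "__main__":
    alice = {"staff", "interns"}  # member of both groups, as in the reported case
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        p = effective_permissions(rules, alice, "/Projects/Confidential")
        print(f"{label}: alice on /Projects/Confidential -> {describe(p)}")
```

Run as a script, it shows the user losing access to the sub-folder while a member of both groups, and regaining it once the staff rule is stated explicitly on that path; a user who is only in "staff" keeps access throughout, because no rule at that level touches their groups.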