Shared Link "This operation is forbidden" after update

Nextcloud version (eg, 29.0.5): 29.0.8
Operating system and version (eg, Ubuntu 24.04): Amazon Linux 2
Apache or nginx version (eg, Apache 2.4.25): 2.4.62
PHP version (eg, 8.3): 8.0.3

The issue you are facing:
After updating NC from 24.0.4 to 29.0.8, my external shared links produce a “This operation is not permitted” error. I receive this message using both a share in the data directory and an SMB mount.

I have three VMs running NC behind a proxy. They all use the same NFS mount for /var/www/html and apache configs.

No other changes made outside of the updates.

Is this the first time you’ve seen this error? (Y/N): Y

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => 'xxx',
    1 => 'xxx',
  ),
  'trusted_proxies' => 
  array (
    0 => 'xxx',
    1 => 'xxx',
  ),
  'forwarded_for_headers' => 
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'HTTP_FORWARDED_FOR',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '29.0.8.1',
  'overwrite.cli.url' => 'https://xxx',
  'dbname' => 'nextcloudcluster',
  'dbhost' => 'xxx',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtpsecure' => 'tls',
  'mail_from_address' => 'xxx',
  'mail_domain' => 'xxx.com',
  'mail_smtphost' => 'xxx',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'xxx',
  'mail_smtppassword' => 'xxx',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'skeletondirectory' => '',
  'overwriteprotocol' => 'https',
  'htaccess.RewriteBase' => '/',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'xxx',
    'port' => 6379,
  ),
  'enable_previews' => false,
  'simpleSignUpLink.shown' => false,
  'mysql.utf8mb4' => true,
  'default_phone_region' => 'US',
);

I enabled debugging logging and this is the output when I access the shared link and receive the “This operation is forbidden.” message. I’m still parsing through it but my ignorant eyes are not seeing anything stand out.

{“reqId”:“Zxuf_Wr26AaaurAlWrQKBwAAAJM”,“level”:0,“time”:“2024-10-25T13:41:17+00:00”,“remoteAddr”:“xxx”,“user”:“–”,“app”:“no app in context”,“method”:“GET”,“url”:“/s/EPrbZYMxZKAKY6L”,“message”:“The loading of lazy AppConfig values have been requested”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0”,“version”:“29.0.8.1”,“exception”:{“Exception”:“RuntimeException”,“Message”:“ignorable exception”,“Code”:0,“Trace”:[{“file”:“/var/www/html/nextcloud/lib/private/AppConfig.php”,“line”:1208,“function”:“loadConfig”,“class”:“OC\AppConfig”,“type”:“->”,“args”:[null]},{“file”:“/var/www/html/nextcloud/lib/private/AppConfig.php”,“line”:127,“function”:“loadConfigAll”,“class”:“OC\AppConfig”,“type”:“->”,“args”:},{“file”:“/var/www/html/nextcloud/lib/private/AllConfig.php”,“line”:196,“function”:“getKeys”,“class”:“OC\AppConfig”,“type”:“->”,“args”:[“user_ldap”]},{“file”:“/var/www/html/nextcloud/apps/user_ldap/lib/Helper.php”,“line”:133,“function”:“getAppKeys”,“class”:“OC\AllConfig”,“type”:“->”,“args”:[“user_ldap”]},{“file”:“/var/www/html/nextcloud/apps/user_ldap/lib/Helper.php”,“line”:74,“function”:“getServersConfig”,“class”:“OCA\User_LDAP\Helper”,“type”:“->”,“args”:[“ldap_configuration_active”]},{“file”:“/var/www/html/nextcloud/apps/user_ldap/lib/AppInfo/Application.php”,“line”:133,“function”:“getServerConfigurationPrefixes”,“class”:“OCA\User_LDAP\Helper”,“type”:“->”,“args”:[true]},{“file”:“/var/www/html/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php”,“line”:66,“function”:“OCA\User_LDAP\AppInfo\{closure}”,“class”:“OCA\User_LDAP\AppInfo\Application”,“type”:“->”,“args”:[“*** sensitive parameters replaced 
***”]},{“file”:“/var/www/html/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php”,“line”:50,“function”:“injectFn”,“class”:“OC\AppFramework\Bootstrap\FunctionInjector”,“type”:“->”,“args”:[[“Closure”]]},{“file”:“/var/www/html/nextcloud/apps/user_ldap/lib/AppInfo/Application.php”,“line”:147,“function”:“injectFn”,“class”:“OC\AppFramework\Bootstrap\BootContext”,“type”:“->”,“args”:[[“Closure”]]},{“file”:“/var/www/html/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php”,“line”:200,“function”:“boot”,“class”:“OCA\User_LDAP\AppInfo\Application”,“type”:“->”,“args”:[[“OC\AppFramework\Bootstrap\BootContext”]]},{“file”:“/var/www/html/nextcloud/lib/private/App/AppManager.php”,“line”:437,“function”:“bootApp”,“class”:“OC\AppFramework\Bootstrap\Coordinator”,“type”:“->”,“args”:[“user_ldap”]},{“file”:“/var/www/html/nextcloud/lib/private/App/AppManager.php”,“line”:216,“function”:“loadApp”,“class”:“OC\App\AppManager”,“type”:“->”,“args”:[“user_ldap”]},{“file”:“/var/www/html/nextcloud/lib/private/legacy/OC_App.php”,“line”:128,“function”:“loadApps”,“class”:“OC\App\AppManager”,“type”:“->”,“args”:[[“authentication”]]},{“file”:“/var/www/html/nextcloud/lib/base.php”,“line”:1030,“function”:“loadApps”,“class”:“OC_App”,“type”:“::”,“args”:[[“authentication”]]},{“file”:“/var/www/html/nextcloud/index.php”,“line”:49,“function”:“handleRequest”,“class”:“OC”,“type”:“::”,“args”:}],“File”:“/var/www/html/nextcloud/lib/private/AppConfig.php”,“Line”:1222,“message”:“The loading of lazy AppConfig values have been requested”,“exception”:{},“CustomMessage”:“The loading of lazy AppConfig values have been requested”}}
{“reqId”:“Zxuf_Wr26AaaurAlWrQKBwAAAJM”,“level”:0,“time”:“2024-10-25T13:41:17+00:00”,“remoteAddr”:“xxx”,“user”:“–”,“app”:“user_ldap”,“method”:“GET”,“url”:“/s/EPrbZYMxZKAKY6L”,“message”:“Calling LDAP function ldap_explode_dn with parameters ["6B8BE64D-431F-4423-BC45-8F9C2BCABEA0",0]”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0”,“version”:“29.0.8.1”,“data”:{“app”:“user_ldap”}}

Even though I get the “This operation is forbidden” message and the page doesn’t list any files, I can click on the “Download all files” button and it will download a zip of all the files that should be there.

Found the following poking around the browser. Appears to be something I can work with.

Request URL: xxx/public.php/dav/files/EPrbZYMxZKAKY6L/
Request Method: PROPFIND
Status Code: 403 Forbidden
Remote Address: xxx:443
Referrer Policy: no-referrer

Request URL: xxx/ocs/v2.php/apps/text/public/workspace?path=%2F&shareToken=EPrbZYMxZKAKY6L
Request Method: GET
Status Code: 404 Not Found
Remote Address: xxx:443
Referrer Policy: no-referrer

I was able to clear the 404 error by disabling rich workspaces.

I’m still getting that 403 forbidden error and no files being displayed, yet I’m still able to download all the files.

Further digging through debug messages, I was able to find that Nextcloud appears to be trying to make LDAP calls for shared links with passwords. I would assume an LDAP lookup wouldn’t be needed.

Debug user_ldap No DN found for EPrbZYMxZKAKY6L on ldap://xxx.xxx

I did try disabling the LDAP app, creating a share using the local admin account, but still received the same 403 forbidden message. So this appears to not be an LDAP issue.

Now I’m starting to get a little frustrated. Weird stuff.

I am at a complete loss. At this point I will simply rebuild as I only have a few instances where I use the shared links. Very unfortunate.
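
Added example, not part of the original posts: one way to triage a debug-level nextcloud.log for a single share link is to group entries by reqId and surface the PROPFIND requests to /public.php/dav/files/ that returned the 403. The field names follow the log lines quoted above; the sample lines, the token TOKEN123 and the function names are constructed for illustration.

```python
import json

# Constructed sample in the nextcloud.log field layout shown in the post
# (reqId, level, app, method, url, message); every value here is made up.
SAMPLE_LOG = """\
{"reqId":"req-A","level":0,"app":"no app in context","method":"GET","url":"/s/TOKEN123","message":"The loading of lazy AppConfig values have been requested"}
{"reqId":"req-A","level":0,"app":"user_ldap","method":"GET","url":"/s/TOKEN123","message":"Calling LDAP function ldap_explode_dn"}
{"reqId":"req-B","level":0,"app":"user_ldap","method":"PROPFIND","url":"/public.php/dav/files/TOKEN123/","message":"No DN found for TOKEN123"}
{"reqId":"req-B","level":2,"app":"webdav","method":"PROPFIND","url":"/public.php/dav/files/TOKEN123/","message":"constructed warning text"}
{"reqId":"req-C","level":1,"app":"core","method":"GET","url":"/login","message":"unrelated"}
{"reqId":"req-B","level":0,"app":"webdav","message":"truncated line
"""

# Nextcloud log levels as numbers in the JSON "level" field.
LEVELS = {0: "debug", 1: "info", 2: "warning", 3: "error", 4: "fatal"}

def triage(log_text, share_token):
    """Group entries whose URL contains share_token by reqId.
    Returns (requests, skipped); skipped counts lines that are not JSON objects."""
    requests, skipped = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            url = entry.get("url", "")
        except (json.JSONDecodeError, AttributeError):
            skipped += 1  # e.g. an entry broken across lines when pasted
            continue
        if share_token not in url:
            continue
        req = requests.setdefault(entry.get("reqId", "?"), {
            "method": entry.get("method"), "url": url,
            "max_level": 0, "apps": [], "messages": []})
        level = entry.get("level", 0)
        req["max_level"] = max(req["max_level"], level)
        if entry.get("app") not in req["apps"]:
            req["apps"].append(entry.get("app"))
        req["messages"].append((LEVELS.get(level, str(level)), entry.get("message", "")))
    return requests, skipped

def dav_listing_requests(requests):
    """reqIds of PROPFIND requests to the public DAV endpoint, worst level first."""
    hits = [(r["max_level"], rid) for rid, r in requests.items()
            if r["method"] == "PROPFIND" and "/public.php/dav/files/" in r["url"]]
    return [rid for _, rid in sorted(hits, reverse=True)]

if __name__ == "__main__":
    reqs, skipped = triage(SAMPLE_LOG, "TOKEN123")
    for rid in dav_listing_requests(reqs):
        print(rid, reqs[rid]["apps"], reqs[rid]["messages"])
    print("unparseable lines:", skipped)
```

Comparing the apps and messages logged for the share-page GET with those logged for the PROPFIND shows which component was active when the listing was refused.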

Michael,

I have exactly the same issue. My version is 30.0.1 – updated a few days ago.

I’m unable to share a folder, with or without a password.

I thought the problem was related to our WAF (application firewall) blocking some new URI. I even explicitly authorized the “/public.php/dav/files/” substring in the firewall (#PROPFIND_METHOD), which seemed to have been blocked before, but it did not solve the problem. I could not find any other blocked URI that would explain the behavior.

And I confirm what you did: the Download button works, and offers to send the .zip file with all the content.

But I can’t see the folder contents.

Maybe the Nextcloud team will take a look at this?

What version of PHP are you on? Before I do a rebuild, I am playing around with replacing the instances with ones using PHP 8.3. So far I am getting a different error message stating the password is incorrect or expired. After I do further testing today or tomorrow I’ll post findings.

I created new ARM based instances running Amazon Linux 2023 with PHP 8.3, also updated to 29.0.9 and then to 30.0.2, but am still getting the same Operation is Forbidden message. I can’t reproduce that previous message I received about the password being expired or incorrect.

Hi Michael,

I just received an e-mail from Nextcloud about the newly released
version 30.0.2 (released today) with a lot of fixes. My server is not
updated yet; I’ll wait for the auto update and check if this issue is
solved.

Cplex.

I updated to 30.0.2 today and the problem persisted. Let me know if you have better luck.