This operation is forbidden

Nextcloud version (eg, 12.0.2): 16.0.4.1
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04
Apache or nginx version (eg, Apache 2.4.25): 2.4.29
PHP version (eg, 7.1): 7.2

The issue you are facing:

After moving the nextcloud files (and DB) from a shared hosting to a new dedicated one, all the applications seem to work fine but trying to open a shared folder in Files results in “This operation is forbidden”.

This happens only for shared folders; non-shared folders open and their contents are shown.

The nextcloud log shows a read permission issue, but I can’t figure out why.
I’ve been trying to unshare and re-share a folder to see if it could help, but with no success.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Select Files
  2. Click on a shared folder

The output of your Nextcloud log in Admin > Logging:

Fatal	webdav	OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions

0. /var/www/nextcloud/apps/dav/lib/Connector/Sabre/TagsPlugin.php - line 224:
OCA\DAV\Connector\Sabre\Directory->getChildren()

1. <<closure>>
OCA\DAV\Connector\Sabre\TagsPlugin->handleGetProperties(Sabre\DAV\PropFind {}, OCA\DAV\Conn ... {})

2. /var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105:
call_user_func_array([ OCA\DAV\Co ... "], [ Sabre\DAV\ ... }])

3. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 1059:
Sabre\Event\EventEmitter->emit("propFind", [ Sabre\DAV\ ... }])

4. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 981:
Sabre\DAV\Server->getPropertiesByNode(Sabre\DAV\PropFind {}, OCA\DAV\Conn ... {})

5. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 1666:
Sabre\DAV\Server->getPropertiesIteratorForPath("files/Manue ... e", [ "{DAV:}get ... "], 1)

6. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 355:
Sabre\DAV\Server->generateMultiStatus(Generator {}, false)

7. <<closure>>
Sabre\DAV\CorePlugin->httpPropFind(Sabre\HTTP\R ... "}, Sabre\HTTP\Response {})

8. /var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105:
call_user_func_array([ Sabre\DAV\ ... "], [ Sabre\HTTP ... }])

9. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 479:
Sabre\Event\EventEmitter->emit("method:PROPFIND", [ Sabre\HTTP ... }])

10. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254:
Sabre\DAV\Server->invokeMethod(Sabre\HTTP\R ... "}, Sabre\HTTP\Response {})

11. /var/www/nextcloud/apps/dav/lib/Server.php - line 316:
Sabre\DAV\Server->exec()

12. /var/www/nextcloud/apps/dav/appinfo/v2/remote.php - line 35:
OCA\DAV\Server->exec()

13. /var/www/nextcloud/remote.php - line 163:
require_once("/var/www/ne ... p")

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'ocrk02ojevdb',
  'passwordsalt' => '**********J',
  'secret' => '*********',
  'trusted_domains' => 
  array (
    0 => 'cloud.xxx.fr',
    1 => 'cloud.yyy.fr',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '16.0.4.1',
  'dbname' => 'the_dbname',
  'dbhost' => 'localhost',
  'dbport' => '3306',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'the_dbuser',
  'dbpassword' => 'the_dbpassword',
  'installed' => true,
  'theme' => '',
  'loglevel' => 2,
  'maintenance' => false,
  'filelocking.enabled' => true,
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0.0,
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

IP@ - - [09/Oct/2019:11:19:10 +0200] "PROPFIND /remote.php/dav/files/Manuel/combustible-numerique HTTP/1.1" 403 1330 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"

Still looking for a solution…

I guess the “Fatal webdav OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions” is the key to the problem, and from what I could find here and there, it seems to have to do with the File Access Control app.

So, I’ve been de-activating it, and even removed it. No change, still getting “This operation is forbidden” when trying to open a shared folder.

The other thing I tried is “occ files:scan” for each user, which leads to a situation where we lose all the shares and their contents! :unamused:

Smells bad, so far.

Did you maintain file and folder permissions while transferring the data folder?

Thanks @KarlF12 for participating. Yes, it’s one of the 1st things I’ve been checking.
Files and folders are owned by www-data:www-data and 755 permissions.

This is struggling with the stuff!..

After so many actions, rollbacks and so forth, I’m now getting to a new situation: I may access only 1st level shared folders. It’s sort of a start but not enough!

What I did so far is:

  • re-install NC 16.0.4 from scratch,
  • move the data directory to some new /home/nextcloud_data directory (which I could have done before…),
  • import a MySQL dump made on the previous shared hosting,
  • update lines FROM oc_storages where id was like ‘local::old-path’ to ‘local::/home/nextcloud_data’
  • remove lines (maybe I was wrong?) in oc_storages like local::/home/koweb-backup/web/data/, local::/var/www/nextcloud/data/ and local::/var/www/owncloud/data/

Now, for instance, let’s say user X shares a “Projects” folder with a users group.

I now can access this folder content. Right! That’s a good point.

In this Projects folder, I can see many shared sub-folders and files. I can open files, not folders: always the same “This operation is forbidden”.

When I log in as user X, I can browse through the whole directory tree under Projects, that’s quite a good point! At least, the data is here, not lost, and one amongst many users has the possibility to access all of them.

This is not the expected behaviour, though. :stuck_out_tongue_closed_eyes:

I (really!) need to know what can be done to give the users group access to these sub-folders.

I’ve been trying to unshare and share Projects again, same song. When I explicitly share a sub-folder, while it appears in another account as shared, it remains forbidden…

I’ve also been checking in the /home/nextcloud_data/X sub-directories, but I just can’t find the shared folders and files in them, although this tree is just a copy of what was existing in the source shared hosting…

Any help is very welcome and appreciated. Tomorrow is another day.

OK, in the end I’ve been downloading all the 2nd level folders from the source cloud and then uploaded them to the new cloud, losing their creation date obviously. :dizzy_face:

I never expected such an NC move to be so messy. Been moving WP, prestashop and other LAMP systems before. It’s never so touchy…