User can unshare external storage shared by group

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 12.0.2): 15.0.2
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04.1 LTS
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.18 (Ubuntu)
PHP version (eg, 7.1): 7.0.32

The issue you are facing:
Users with r/o access to external storages can unlink themselfs without recovering options

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Privileged User shares an external storage with a group (only assigned right “can reshare”)
  2. User in this group can click on the 3 dots and “unshare”.
  3. Shared external storage disappears for the user (but not for the entire group - other users still have access)
  4. Privileged User is unable to share the storage for the user again.
  5. Under Activity, the actions are (misleading) mentioned as
    user_test10 removed group shared group from external storage
    user_test10 removed you (privileged user) from the share named external storage

The output of your Nextcloud log in Admin > Logging:

Nothing relevant found in the logs about this issue

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'blablubb',
  'passwordsalt' => 'blablubb',
  'secret' => 'blablubb',
  'trusted_domains' =>
  array (
    0 => 'blablubb.blablubb.cloudapp.azure.com',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'overwrite.cli.url' => 'http://blablubb.blablubb.cloudapp.azure.com',
  'dbtype' => 'mysql',
  'version' => '15.0.2.0',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'blablubb',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_smtphost' => 'mail.blablubb.net',
  'mail_smtpport' => '587',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'blablubb',
  'mail_domain' => 'blablubb.net',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'blablubb@blablubb.net',
  'mail_smtppassword' => 'blablubb',
  'updater.secret' => 'blablubb',
  'skeletondirectory' => '/var/www/nextcloud_skeleton',
);

The output of your Apache/nginx/system log in /var/log/____:

Nothing relevant found in the logs about this issue

I’m not sure if this behaviour is by design and intended, but IMHO there should be a possibility to either not allow users to deshare groupwide shares or to re-attach the share to users who deshared.

Thanks for your help
Tobsche

Anyone can help or even comment that this is expected behaviour?
Thanks
Tobias