Access rules malfunction with group folders

[Menzaah]

Describe the bug
We encounter a problem when we want to put access rules on certain files of a folder or the folder directly with the notion of inheritance for the documents in the folders. The result is the same.

Access rules are not taken into account and even worse, they malfunction.
For example :

I have the "grp-home" group which is supposed to be able to read files only. Unfortunately it is impossible for me to open this document with a user of this group. I took the opportunity to retrieve the logs that appear at this time from the administration panel.

To Reproduce
Steps to reproduce the behavior:
1 - Have user groups and a group folder
2 - Create authorization rules on this folder or a document inside "Excel/Table" type
3 - Test if with a read-only user/group we manage to open the file to read it and not be able to modify or delete it as indicated in the access rule

Expected behavior

Be able to use read/write access rules according to user group membership.

Actual behavior

Access rules are ignored and users cannot open the file.

Host OS

Ubuntu 22.04.2 LTS

Nextcloud AIO version

Nextcloud AIO v6.3.0

Current channel

Stable

Other valuable info

apache.log
collabora.log
database.log


nextcloud.log

Thank you in advance for your help or any contribution. This is a very interesting feature that we would like to be able to use without problems.

Regards,

[solracsf]

Visible error in your screenshot ix fixed by #2476

[Menzaah]

Visible error in your screenshot ix fixed by #2476

Hello and thank you for your help.

After having studied the outcome that you give me, I tried to launch a scan on the group folders unfortunately without success since the following command results in an error message.
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ groupfolders:scan --all

An unhandled exception has been thrown:
TypeError: OCA\GroupFolders\ACL\ACLManagerFactory::getACLManager(): Argument #1 ($user) must be of type OCP\IUser, null given, called in /var/www/html/custom_apps/groupfolders/lib/Mount/MountProvider.php on line 206 and defined in /var/www/html/custom_apps/groupfolders/lib/ACL/ACLManagerFactory.php:37
Stack trace:
#0 /var/www/html/custom_apps/groupfolders/lib/Mount/MountProvider.php(206): OCA\GroupFolders\ACL\ACLManagerFactory->getACLManager(NULL, 2)
#1 /var/www/html/custom_apps/groupfolders/lib/Command/Scan.php(82): OCA\GroupFolders\Mount\MountProvider->getMount(4, '/ACCUEIL', 31, 5368709120)
#2 /var/www/html/3rdparty/symfony/console/Command/Command.php(255): OCA\GroupFolders\Command\Scan->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 /var/www/html/core/Command/Base.php(177): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#4 /var/www/html/3rdparty/symfony/console/Application.php(1009): OC\Core\Command\Base->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#5 /var/www/html/3rdparty/symfony/console/Application.php(273): Symfony\Component\Console\Application->doRunCommand(Object(OCA\GroupFolders\Command\Scan), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /var/www/html/3rdparty/symfony/console/Application.php(149): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#7 /var/www/html/lib/private/Console/Application.php(211): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#8 /var/www/html/console.php(100): OC\Console\Application->run()
#9 /var/www/html/occ(11): require_once('/var/www/html/c...')
#10 {main}

Did I misunderstand or execute something ?

Regards,

[solracsf]

Apply the patch at #2476

[Menzaah]

Good morning,

Indeed, I had not seen the patch concerning the modification in the config file.
After applying the patch, I was able to scan my group folders perfectly and the famous log concerning the latter no longer appears.

Unfortunately this did not solve my problem because I still encounter the same malfunction and despite myself I still have this log there which appears during a file opening test.

Thank you again for your help.

Regards

[Menzaah]

After several tests and different approaches, it seems that we only encounter this problem on the mobile application.

I oriented my research in this direction and the only link related to my problem is this one (https://github.com/nextcloud/richdocuments/pull/2874/files) but which is a bit dated.

I take this opportunity to put the raw logs if it can help.

{"reqId":"UyjoUwu9G821VtIobTL3","level":4,"time":"2023-07-31T21:26:50+00:00","remoteAddr":"81.185.163.90","user":"--","app":"richdocuments","method":"GET","url":"/apps/richdocuments/direct/NGR3xlZjiMw5sTHun9BoHikXZV4Kydy8HUS9cjknEhQonJHqkPlPTBoDsD3Mx4jf","message":"Failed to generate token for existing file on direct editing","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.25.0","version":"26.0.4.2","data":{"exception":"{\"class\":\"Exception\",\"message\":\"\",\"code\":0,\"file\":\"/var/www/html/custom_apps/richdocuments/lib/Controller/DirectViewController.php:149\",\"trace\":\"#0 /var/www/html/lib/private/AppFramework/Http/Dispatcher.php(230): OCA\\Richdocuments\\Controller\\DirectViewController->show('NGR3xlZjiMw5sTH...')\\n#1 /var/www/html/lib/private/AppFramework/Http/Dispatcher.php(137): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OCA\\Richdocuments\\Controller\\DirectViewController), 'show')\\n#2 /var/www/html/lib/private/AppFramework/App.php(183): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OCA\\Richdocuments\\Controller\\DirectViewController), 'show')\\n#3 /var/www/html/lib/private/Route/Router.php(315): OC\\AppFramework\\App::main('OCA\\\\Richdocumen...', 'show', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\\n#4 /var/www/html/lib/base.php(1065): OC\\Route\\Router->match('/apps/richdocum...')\\n#5 /var/www/html/index.php(36): OC::handleRequest()\\n#6 {main}\"}","app":"richdocuments"},"id":"64c90f928960b"}

{"reqId":"UyjoUwu9G821VtIobTL3","level":3,"time":"2023-07-31T21:26:50+00:00","remoteAddr":"81.185.163.90","user":"--","app":"PHP","method":"GET","url":"/apps/richdocuments/direct/NGR3xlZjiMw5sTHun9BoHikXZV4Kydy8HUS9cjknEhQonJHqkPlPTBoDsD3Mx4jf","message":"Undefined array key 0 at /var/www/html/custom_apps/richdocuments/lib/Controller/DirectViewController.php#147","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.25.0","version":"26.0.4.2","data":{"app":"PHP"},"id":"64c90f9289643"}

[solracsf]

Your last logs come from the richdocuments app, not groupfolders.

[Menzaah]

Yes I totally agree with you but there is a causal link since if there are no access rules from the groups the files open without any problems.

[provokateurin]

Duplicate of #598