[Bug]: Copy/move to writable subfolder of write protected folder is not possible

[bwurst]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

When I write protect a folder (via low level file system permissions or with the ACLs of group folder app) and have a writeable folder inside it, this folder is not selectable on copy/move dialog on the web frontend.

I can copy files to that writeable subfolder if it is directly shared to me or if I use third party webdav access but not with the NC web interface. The issue is the same for regular folders or folders shared by someone else.

We need a fixed folder structure shared to our users and allow users to only write to deeper folders. Currently, they can upload and store files there but not move anything from their storage to the shared folder from NC UI.

Steps to reproduce

1. create directory "folder" and "subfolder" inside it
2. go to low level files directory and issue "setfacl -m u:apache:rx folder ; setfacl -m u:apache:rwx folder/subfolder" (if PHP runs as apache)
3. rescan files with "occ files:scan"
4. move a arbitrary file or folder to "folder/subfolder", you cannot step into "folder" at all.

Expected behavior

Folder should be visible, perhaps decorated with a write protection indicator.

Installation method

Community Web installer on a VPS or web space

Nextcloud Server version

28

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

[joshtrichards]

You may have a legitimate point in the Web UI (if there is indeed a discrepancy versus when accessed via one of the clients - or even standard WebDAV), however I'm not clear why you think this would work:

go to low level files directory and issue "setfacl -m u:apache:x folder ; setfacl -m u:apache:rwx folder/subfolder" (if PHP runs as apache)

Nextcloud expects full access throughout its datadirectory. OS level adjustments like this aren't reflected in Nextcloud. At best, they do nothing. At worst, they interfere with Nextcloud's ability to enforce it's own permissions. Based on the example OS level ACL I would not expect Nextcloud to even be able to access folder after running the scan against it.

[bwurst]

Sorry, for the confusion, I made a mistake. The first ACL should include read-permission. I fixed it in the report.

The customer's wish is that arbitrary users cannot change the basic directory structure of a share but can modify files in subfolders.
This is not possible with plain nextcloud.
This can be done with advanced permissions in group folders app or file system level ACLs. Remote access works with both methods as intended. The behaviour of nextcloud web UI is also the same. So I left out the group folders app to get a more minimalistic example.

Nextcloud internally can handle the situation just fine as permissions are saved for every folder. But the copy/move dialog of WebUI behaves bad with this.

[fuco809]

i think this issue covers the same problem - nextcloud/groupfolders#2926