Read-only recipient can lock a shared file to prevent the owner from modifying their own file #895

@Wrianzz

Steps to reproduce

  1. User A creates a file in their personal space (not a Group folder, not external storage).
  2. User A shares that single file with user B with view-only permission (no edit, no upload, no delete).
  3. User B opens the file in the Files app and clicks Lock in the file sidebar (Files Lock app enabled).
  4. Now the file is locked by B.
  5. User A (the owner of the file) opens the same file’s sidebar and tries to Unlock.

Expected behaviour

A user with view-only permission must not be able to lock the file, and the owner of the file must always be able to unlock any lock on their own file (even if it was locked by someone else).

Actual behaviour

  • User B (view-only) can lock the file successfully.
  • User A (owner) cannot unlock from the UI (unlock button missing/disabled or results in an error).
  • The only way to remove the lock is for an admin to run occ files:lock --unlock.
  • This effectively lets a read-only recipient “lock out” the actual owner of the file.

Server configuration

Web server: Docker

Database: PostgreSQL

PHP version: 8.3

Nextcloud version: Nextcloud Hub 25 Autumn (32.0.1)

List of activated apps

Enabled:

  • activity: 5.0.0-dev.0
  • admin_audit: 1.22.0
  • app_api: 32.0.0
  • bruteforcesettings: 5.0.0-dev.0
  • circles: 32.0.0
  • cloud_federation_api: 1.16.0
  • comments: 1.22.0
  • contactsinteraction: 1.13.1
  • dashboard: 7.12.0
  • dav: 1.34.2
  • federatedfilesharing: 1.22.0
  • federation: 1.22.0
  • files: 2.4.0
  • files_accesscontrol: 3.0.1
  • files_automatedtagging: 3.0.0
  • files_downloadlimit: 5.0.0-dev.0
  • files_lock: 32.0.0
  • files_pdfviewer: 5.0.0-dev.0
  • files_reminders: 1.5.0
  • files_sharing: 1.24.0
  • files_trashbin: 1.22.0
  • files_versions: 1.25.0
  • firstrunwizard: 5.0.0-dev.0
  • group_default_quota: 0.1.12
  • groupfolders: 20.1.3
  • groupquota: 0.2.3
  • logreader: 5.0.0-dev.0
  • lookup_server_connector: 1.20.0
  • nextcloud_announcements: 4.0.0-dev.0
  • notifications: 5.0.0-dev.0
  • oauth2: 1.20.0
  • oidc_login: 3.2.2
  • onlyoffice: 9.11.0
  • password_policy: 4.0.0-dev.0
  • photos: 5.0.0-dev.1
  • privacy: 4.0.0-dev.0
  • profile: 1.1.0
  • provisioning_api: 1.22.0
  • quota_warning: 1.22.0
  • recommendations: 5.0.0-dev.0
  • related_resources: 3.0.0-dev.0
  • serverinfo: 4.0.0-dev.0
  • settings: 1.15.1
  • sharebymail: 1.22.0
  • support: 4.0.0-dev.0
  • survey_client: 4.0.0-dev.0
  • systemtags: 1.22.0
  • text: 6.0.1
  • theming: 2.7.0
  • theming_customcss: 1.19.0
  • twofactor_backupcodes: 1.21.0
  • twofactor_totp: 14.0.0
  • updatenotification: 1.22.0
  • user_ldap: 1.23.0
  • user_status: 1.12.0
  • viewer: 5.0.0-dev.0
  • weather_status: 1.12.0
  • webhook_listeners: 1.3.0
  • workflowengine: 2.14.0

Disabled:

  • encryption: 2.20.0
  • files_external: 1.24.0
  • richdocuments: 9.0.1 (installed 9.0.1)
  • suspicious_login: 10.0.0-dev.0
  • twofactor_nextcloud_notification: 6.0.0-dev.0
  • user_saml: 7.0.0 (installed 7.0.0)

Nextcloud configuration

{
    "system": {
        "htaccess.RewriteBase": "/",
        "memcache.local": "\OC\Memcache\APCu",
        "apps_paths": [
            {
                "path": "/var/www/html/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/www/html/custom_apps",
                "url": "/custom_apps",
                "writable": true
            }
        ],
        "upgrade.disable-web": true,
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            REMOVED SENSITIVE VALUE
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "dbtype": "pgsql",
        "version": "32.0.1.2",
        "overwrite.cli.url": "REMOVED SENSITIVE VALUE",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "instanceid": "REMOVED SENSITIVE VALUE",
        "app_install_overwrite": [
            "gluusso",
            "oidc_login"
        ],
        "oidc_login_provider_url": "REMOVED SENSITIVE VALUE",
        "oidc_login": {
            "client_secret": "REMOVED SENSITIVE VALUE",
            "login_scopes": "openid profile email groups",
            "client_id": "nextcloud"
        },
        "oidc_login_client_id": "nextcloud",
        "oidc_login_login_scopes": "openid profile email groups",
        "oidc_login_client_secret": "REMOVED SENSITIVE VALUE",
        "oidc_login_auto_create_users": "true",
        "oidc_login_disable_registration": false,
        "oidc_login_logout_url": "REMOVED SENSITIVE VALUE",
        "oidc_login_end_session_redirect": true,
        "defaultapp": "dashboard",
        "ldapProviderFactory": "REMOVED SENSITIVE VALUE"
    }
}

Browser

Browser name: Chrome

Browser version: Version 133.0.6943.54 (Official Build) (64-bit)

Operating system: Windows

Browser log

No JS errors related to locking; UI shows file as locked by user B.
If needed I can attach a network/console log.
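
Added example, not part of the original report and not code from files_lock: a small Python model of the lock rules, replaying the reproduction steps under the behaviour reported above and under the behaviour the report expects. The `SharedFile` class, the `lock`/`unlock`/`replay` helpers and the users "A", "B" and "C" are constructed for illustration; only the permission bit values follow Nextcloud's `OCP\Constants`.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Share permission bits as defined in Nextcloud's OCP\Constants.
PERMISSION_READ, PERMISSION_UPDATE, PERMISSION_ALL = 1, 2, 31

@dataclass
class SharedFile:  # hypothetical model, not a files_lock class
    owner: str
    shares: Dict[str, int] = field(default_factory=dict)  # recipient -> bitmask
    locked_by: Optional[str] = None

    def permissions(self, user: str) -> int:
        return PERMISSION_ALL if user == self.owner else self.shares.get(user, 0)

def lock(f: SharedFile, user: str, expected_policy: bool) -> bool:
    """Try to lock the file; return True on success."""
    # Reported behaviour: read access is enough. Expected: write access is required.
    needed = PERMISSION_UPDATE if expected_policy else PERMISSION_READ
    if f.locked_by is not None or not f.permissions(user) & needed:
        return False
    f.locked_by = user
    return True

def unlock(f: SharedFile, user: str, expected_policy: bool) -> bool:
    """Try to remove the lock; return True on success."""
    if f.locked_by is None:
        return False
    allowed = {f.locked_by}
    if expected_policy:
        allowed.add(f.owner)  # the owner can always clear a lock on their own file
    if user not in allowed:
        return False
    f.locked_by = None
    return True

def replay(expected_policy: bool) -> dict:
    """Replay the report's steps: A owns the file, B holds a view-only share."""
    f = SharedFile(owner="A", shares={"B": PERMISSION_READ})
    b_locked = lock(f, "B", expected_policy)
    a_unlocked = unlock(f, "A", expected_policy)
    return {"b_locked": b_locked, "a_unlocked": a_unlocked, "locked_by": f.locked_by}

def owner_overrides_editor_lock() -> bool:
    """Expected policy: editor C may lock, B cannot clear it, owner A can."""
    f = SharedFile(owner="A", shares={"B": PERMISSION_READ, "C": PERMISSION_READ | PERMISSION_UPDATE})
    return lock(f, "C", True) and not unlock(f, "B", True) and unlock(f, "A", True)

if __name__ == "__main__":
    print("reported:", replay(False))
    print("expected:", replay(True))
```

Under the reported rules the replay ends with the file still locked by B; under the expected rules B's lock attempt is refused, and a lock taken by a user with edit rights can still be cleared by the owner.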
