[Bug]: Update to Nextcloud 29 has changed ACL permissions

[ohashi-haruka]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Steps to reproduce

1. Create groupfolders with subfolders, and set specific ACL permissions on each subfolder.
2. Update from Nextcloud 28.0.6 to 29.0.5.
3. Execute a PROPFIND request with curl and check the nc:acl-permissions:

curl -sS -X PROPFIND -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
  <d:prop>
    <oc:fileid/>
    <nc:inherited-acl-list/>
    <nc:acl-list/>
  </d:prop>
</d:propfind>'

Expected behaviour

• Post-update, there should be no changes to nc:acl-permissions.
• Users should retain the same permissions and be able to perform all file operations as before the update.
• The nc:acl-mask values should remain unchanged unless intentionally modified.

Actual behaviour

After updating from Nextcloud 28.0.6 to 29.0.5, the permissions for certain subfolders in some groupfolders with Advanced Permissions setting enabled has changed unexpectedly.
This change results in:

• The "+New" button being grayed out for affected users.
• Those users being unable to perform file operations (e.g., upload, create, edit, or delete files) within these folders.

Although there were no changes in the oc_group_folders_acl table in the database, when checking the nc:acl-permissions values through a PROPFIND request with curl, the values had changed to 0.

To resolve this issue, I ran occ groupfolders:scan, occ files:scan, and occ files:cleanup, but the issue persisted.

When I attempted to restore the permissions using a PROPPATCH request with curl, which allowed file uploads, but the PROPFIND results remained unchanged.

curl -sS -X PROPPATCH  -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propertyupdate xmlns:d="DAV:" xmlns:nc="http://nextcloud.org/ns">
  <d:set>
    <d:prop>
      <nc:acl-list>
          <nc:acl>
            <nc:acl-mapping-type>group</nc:acl-mapping-type>
            <nc:acl-mapping-id>admin</nc:acl-mapping-id>
            <nc:acl-mapping-display-name>admin</nc:acl-mapping-display-name>
            <nc:acl-mask>0</nc:acl-mask>
            <nc:acl-permissions>31</nc:acl-permissions>
          </nc:acl>
      </nc:acl-list>
    </d:prop>
  </d:set>
</d:propertyupdate>'

After running occ groupfolders:permissions, file uploads became possible. Regarding the PROPFIND results, nc:acl-permissions returned to expected values, however nc:acl-mask was unintentionally changed to 31 for all entries.

This issue didn't occur when updating to Nextcloud 28.0.11.

Server configuration

Operating system: Amazon Linux release 2 (Karoo)

Web server: Apache

Database: MariaDB

PHP version: PHP 8.2

Nextcloud version: (see Nextcloud admin page) 29.0.5

Group folders version: 17.0.5

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded to a MAJOR version (ex. 28 to 29)

Where did you install Nextcloud from:

Are you using external storage, if yes which one:

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP

Configuration report:

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "JP",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwritewebroot": "\/nextcloud",
        "dbtype": "mysql",
        "version": "29.0.5.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "log_type": "file",
        "logfile": "nextcloud.log",
        "loglevel": 1,
        "logtimezone": "Asia\/Tokyo",
        "logdateformat": "F d, Y H:i:s",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "theme": "",
        "auth.bruteforce.protection.enabled": false,
        "integrity.check.disabled": true,
        "mail_smtpauthtype": "",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "groupfolders"
        ],
        "trashbin_retention_obligation": "auto, 14",
        "mail_smtpport": "4"
    }
}

List of activated Apps:

List of activated Apps

Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - files: 2.1.1
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - groupfolders: 17.0.5
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_ldap: 1.20.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - bruteforcesettings: 2.9.0 (installed 1.0.3)
  - circles: 29.0.0-dev (installed 24.0.1)
  - dashboard: 7.9.0 (installed 7.1.0)
  - encryption: 2.17.0
  - federation: 1.19.0 (installed 1.14.0)
  - files_downloadlimit: 2.0.0 (installed 2.0.0)
  - password_policy: 1.19.0 (installed 1.2.2)
  - recommendations: 2.1.0 (installed 1.3.0)
  - sharebymail: 1.19.0 (installed 1.2.0)
  - support: 1.12.0 (installed 1.4.0)
  - survey_client: 1.17.0 (installed 1.1.0)
  - suspicious_login: 7.0.0
  - twofactor_totp: 11.0.0-dev
  - user_status: 1.9.0 (installed 1.1.1)
  - weather_status: 1.9.0 (installed 1.1.0)

[sparunakian]

I encountered the same change of behavior. It seems to come from this commit: afeef5c

[knuff22]

Based on the steps to reproduce described by the issue author, I now understand the specific conditions.

In Nextcloud version 29.0.9, specifying "Inherit permission" in advanced permission rules causes permissions not to be applied.
The issue can be reproduced with the following steps:

1. Enable advanced permissions setting to a groupfolder.
2. In the group folder or its subfolder, configure an Advanced Permission rule by assigning it to a user or group.
3. Specify "Inherit permission" for each permission. The issue did not occur when 'Allow' or 'Deny' was specified.

[solracsf]

Can you confirm this is not fixed in v18.0.6 or v17.0.6?
#3404

[ohashi-haruka]

@solracsf

Can you confirm this is not fixed in v18.0.6 or v17.0.6?
#3404

We updated the Group Folders to version 17.0.8, but the issue was not fixed.

[natoponen]

@solracsf Hi! Are there any updates on this issue? We cannot update our Nextcloud because of this.