"Deny" Group permission prevails over "allow" User permission

Question

"Deny" Group permission prevails over "allow" User permission

slaver666 opened this issue 6 months ago · comments

slaver666 commented 6 months ago

How to use GitHub

Please use the 👍 reaction to show that you are affected by the same issue.
Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
Subscribe to receive notifications on status change and new comments.

Steps to reproduce

User has extended permission to the root folder. Group has read permissions to the root folder.
User creates a folder inside root folder. The child folder inherits root folder permissions.
User removes Group read permission to the child folder.

Expected behaviour

User must have all permissions to the folder.

Actual behaviour

User even doesn't see the folder any more.

Server configuration

Operating system:
Ubuntu Linux 22.04.3 LTS

Web server:
Nginx 1.25.3

Database:
PostgreSQL 15.5

PHP version:
8.2

Nextcloud version: (see Nextcloud admin page)
28.0.2

Group folders version:
16.0.3

Updated from an older Nextcloud/ownCloud or fresh install:
updated from 27

Where did you install Nextcloud from:
community edition from official site

Are you using external storage, if yes which one: local/s3/smb/sftp/...
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/Saml/...
Active Directory

Client configuration

Browser:
Google Chrome, Microsoft Edge

Operating system:
Windows 10, Ubuntu Linux 22

Logs

Can't see any log entries belonged to Group folders app

Web server error log

No errors in web server log

Nextcloud log (data/nextcloud.log)

Nextcloud log

[Uploading nextcloud.log…]()

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

slaver666 · Answer 1 · Fri Feb 09 2024 19:13:29 GMT+0800 (China Standard Time)

nextcloud.log

Jérôme Herbinet · Answer 2 · Thu Feb 22 2024 17:33:38 GMT+0800 (China Standard Time)

Hi @slaver666,
Can you detail a way to reproduce the bug. This will allow me to see if it's the same bug as the one I found on my side.
Thx

Kevin Köllmann · Answer 3 · Fri Mar 01 2024 15:00:55 GMT+0800 (China Standard Time)

@Jerome-Herbinet Do the Steps to reproduce from the OP not work for reproducing the issue? If not can you elaborate what result you see instead?

Steps to reproduce
1. User has extended permission to the root folder. Group has read permissions to the root folder.
2. User creates a folder inside root folder. The child folder inherits root folder permissions.
3. User removes Group read permission to the child folder.
Expected behaviour

User must have all permissions to the folder.

Actual behaviour

User even doesn't see the folder any more.

slaver666 · Answer 4 · Fri Mar 01 2024 15:50:01 GMT+0800 (China Standard Time)

Hi @slaver666, Can you detail a way to reproduce the bug. This will allow me to see if it's the same bug as the one I found on my side. Thx

Hi. I thought my "Steps to reproduce" are well described. I'm ready to give any information/screenshots if you need.

Jérôme Herbinet · Answer 5 · Fri Mar 01 2024 23:53:22 GMT+0800 (China Standard Time)

@Jerome-Herbinet Do the Steps to reproduce from the OP not work for reproducing the issue? If not can you elaborate what result you see instead?
Steps to reproduce
1. User has extended permission to the root folder. Group has read permissions to the root folder.
2. User creates a folder inside root folder. The child folder inherits root folder permissions.
3. User removes Group read permission to the child folder.
Expected behaviour

User must have all permissions to the folder.

Actual behaviour

User even doesn't see the folder any more.

I read it again, and I think the description is good. Test and result are similar to mine.

Frieder Schrempf · Answer 6 · Sat Mar 02 2024 00:42:28 GMT+0800 (China Standard Time)

I think this is one of the many issues which all describe the same kind of defect. The inherited permissions from the root folder are not taken into account when there is a deny rule for the subdirectory.

Please read through #1212 and other related reports and you might come to the same conclusion as me, which is that groupfolder ACLs are a total mess and pretty much unusable.

motiosw · Answer 7 · Mon Mar 25 2024 15:37:53 GMT+0800 (China Standard Time)

I am in the admin and in the employee group. When I restrict a permission for the employee group, I lose access to that folder. By adding me as person with all permissions, I still have no access. I am looking forward for a solution.

Sebastian · Answer 8 · Tue May 14 2024 17:38:56 GMT+0800 (China Standard Time)

I just want to add that this behaviour definitely changed within the last year (not exactly sure when).

It is also easy to reproduce:

Make a folder which inherits read permission i.e. of an "admin" group.
Now explicitly deny read access to a "team_member" group to this folder, of which you are also a member. The deny entry now has priority over the inherited read permission of the "admin" group of the parent folder.

I assume this is not intended behaviour and I'm suprised this bug has not been fixed yet..

I also think this is related to or a duplicate of #2934

Sebastian · Answer 9 · Tue May 21 2024 17:53:04 GMT+0800 (China Standard Time)

I think this issue is also fixed by following this post: #2934 (comment)
It is not a bug, but a feature which changed the default permission behaviour when there are inherited permissions.