nextcloud / groupfolders

📁👩‍👩‍👧‍👦 Admin-configured folders shared by everyone in a group. https://github.com/nextcloud-releases/groupfolders
https://apps.nextcloud.com/apps/groupfolders

Nested Groupfolder Desktop Client Sync Exclusion via Flow - Access Denied #3423

Open mpivchev opened 1 week ago

mpivchev commented 1 week ago

Steps to reproduce

  1. Create an Invisible Tag named "Client"
  2. Create a top-level Groupfolder, e.g. "Mainfolder"
  3. Create a Subgroupfolder named Mainfolder/Subfolder
  4. Give permissions to both folders to our main Usergroup "users"
  5. Tag the toplevel Folder with the "Client" tag
  6. Create a File Access Control Flow which targets the Desktop Client Userstring and the grouptag "Client"
  7. Connect a Desktop Client to the server and try to sync.

Expected behaviour

If just the topmost groupfolder is tagged and we want to add a folder to sync in the Desktop Client we get Access Denied. This is resolved if we manually also tag the subgroupfolder.

Actual behaviour

As the documentation states (https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html#available-rules-label), the rules should work for the tagged folder itself and its contents. In the documentation the following is stated: "File collaborative tag: Either the file itself, or any of the file owner’s parent folders needs to be tagged with the tag." So this should work if we just tag the topmost groupfolder.

Server configuration

Operating system: Linux 5.15.0-122-generic

Web server: Apache/2.4.52 (Ubuntu) (fpm-fcgi)

Database: mysql 10.11.8

PHP version: 8.3.11

Nextcloud version: (see Nextcloud admin page) 29.0.7 Enterprise

Group folders version: 17.0.3

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

Are you using external storage, if yes which one: local/s3/smb/sftp/...

Are you using encryption: no

Are you using an external user-backend, if yes which one: SAML

Client configuration

Browser:

Operating system: iOS 18/MacOS Sonoma 14.6.1

Logs

Web server error log

```
{"reqId":"ynVgToRNLEFX0RSaqZCx","level":3,"time":"2024-11-08T10:16:48+00:00","remoteAddr":"10.1.241.170","user":"nc-admin","app":"webdav","method":"PROPFIND","url":"/remote.php/dav/files/nc-admin/","message":"Access denied","userAgent":"Mozilla/5.0 (Windows) mirall/3.14.13.14-Win64 (build 20240927) (Nextcloud, windows-10.0.22631 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"29.0.8.2","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Access denied","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":60,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\Operation","type":"->"},{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":75,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1171,"function":"mkdir","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":247,"function":"basicOperation","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1536,"function":"mkdir","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/Node/Folder.php","line":106,"function":"getDirectoryContent","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php","line":261,"function":"getDirectoryListing","class":"OC\\Files\\Node\\Folder","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":61,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":393,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":172,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/files_accesscontrol/lib/Operation.php","Line":106,"message":"Access denied","exception":{},"CustomMessage":"Access denied"}}
{"reqId":"nM6F2UQipfyjWugXBSTg","level":3,"time":"2024-11-08T10:16:57+00:00","remoteAddr":"10.1.241.170","user":"nc-admin","app":"webdav","method":"PROPFIND","url":"/remote.php/dav/files/nc-admin/","message":"Access denied","userAgent":"Mozilla/5.0 (Windows) mirall/3.14.13.14-Win64 (build 20240927) (Nextcloud, windows-10.0.22631 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"29.0.8.2","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Access denied","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":60,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\Operation","type":"->"},{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":75,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1171,"function":"mkdir","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":247,"function":"basicOperation","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1536,"function":"mkdir","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/Node/Folder.php","line":106,"function":"getDirectoryContent","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php","line":261,"function":"getDirectoryListing","class":"OC\\Files\\Node\\Folder","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":61,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":393,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":172,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/files_accesscontrol/lib/Operation.php","Line":106,"message":"Access denied","exception":{},"CustomMessage":"Access denied"}}
{"reqId":"16RNGIRxQrN8EBQIoqHN","level":3,"time":"2024-11-08T10:17:21+00:00","remoteAddr":"10.1.241.170","user":"nc-admin","app":"webdav","method":"PROPFIND","url":"/remote.php/dav/files/nc-admin/","message":"Access denied","userAgent":"Mozilla/5.0 (Windows) mirall/3.14.13.14-Win64 (build 20240927) (Nextcloud, windows-10.0.22631 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"29.0.8.2","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Access denied","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":60,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\Operation","type":"->"},{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":75,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1171,"function":"mkdir","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":247,"function":"basicOperation","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1536,"function":"mkdir","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/Node/Folder.php","line":106,"function":"getDirectoryContent","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php","line":261,"function":"getDirectoryListing","class":"OC\\Files\\Node\\Folder","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":61,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":393,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":172,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/files_accesscontrol/lib/Operation.php","Line":106,"message":"Access denied","exception":{},"CustomMessage":"Access denied"}}
{"reqId":"Ke9hvBIm7L7UqxSel2aN","level":3,"time":"2024-11-08T10:17:23+00:00","remoteAddr":"10.1.241.170","user":"nc-admin","app":"webdav","method":"PROPFIND","url":"/remote.php/dav/files/nc-admin/","message":"Access denied","userAgent":"Mozilla/5.0 (Windows) mirall/3.14.13.14-Win64 (build 20240927) (Nextcloud, windows-10.0.22631 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"29.0.8.2","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Access denied","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":60,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\Operation","type":"->"},{"file":"/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php","line":75,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1171,"function":"mkdir","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":247,"function":"basicOperation","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1536,"function":"mkdir","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/Node/Folder.php","line":106,"function":"getDirectoryContent","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php","line":261,"function":"getDirectoryListing","class":"OC\\Files\\Node\\Folder","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Tree.php","line":218,"function":"getChildren","class":"OCA\\DAV\\Connector\\Sabre\\Directory","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":900,"function":"getChildren","class":"Sabre\\DAV\\Tree","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":982,"function":"generatePathNodes","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1662,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1647,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":61,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":393,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":172,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/files_accesscontrol/lib/Operation.php","Line":106,"message":"Access denied","exception":{},"CustomMessage":"Access denied"}}
```

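
A triage sketch for log entries like the ones above, added here as an example and not taken from the issue or the Nextcloud code base: it groups `ForbiddenException` entries by user, method, URL, client and the app named in the first trace frame, which in the posted log is `files_accesscontrol`. The sample entries are constructed and shortened; `summarize_denials` and `denying_app` are hypothetical helper names.

```python
import json
import re
from collections import Counter

FORBIDDEN = "OCP\\Files\\ForbiddenException"

def denying_app(entry):
    """Name the app whose code raised the exception, from the first trace frame."""
    trace = entry.get("exception", {}).get("Trace", [])
    first = trace[0].get("file", "") if trace else ""
    m = re.search(r"/apps/([^/]+)/", first)
    return m.group(1) if m else "core"

def summarize_denials(lines):
    """Count ForbiddenException entries by (user, method, url, client, denying app)."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        exc = entry.get("exception")
        if not isinstance(exc, dict) or exc.get("Exception") != FORBIDDEN:
            continue
        # The desktop client identifies itself with a "mirall/<version>" token.
        ua = re.search(r"mirall/\S+", entry.get("userAgent", ""))
        client = ua.group(0) if ua else "other"
        key = (entry.get("user"), entry.get("method"), entry.get("url"),
               client, denying_app(entry))
        counts[key] += 1
    return counts

def _sample(req_id, first_frame, ua):
    # Constructed entry, shortened from the log format shown above.
    return json.dumps({
        "reqId": req_id, "level": 3, "user": "nc-admin", "app": "webdav",
        "method": "PROPFIND", "url": "/remote.php/dav/files/nc-admin/",
        "message": "Access denied", "userAgent": ua,
        "exception": {"Exception": FORBIDDEN, "Trace": [{"file": first_frame}]},
    })

DESKTOP_UA = "Mozilla/5.0 (Windows) mirall/3.14.13.14-Win64 (build 20240927)"
WRAPPER = "/var/www/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php"
SAMPLE = [
    _sample("req-1", WRAPPER, DESKTOP_UA),
    _sample("req-2", WRAPPER, DESKTOP_UA),
    '{"reqId":"req-3","level":1,"message":"unrelated"}',  # no exception
    '{"reqId":"req-4", "truncated',                       # broken line
]

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE).items():
        print(n, *key)
```
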
provokateurin commented 1 week ago

I'm not sure if this is really Groupfolders specific, I wouldn't know why it should be different than any other folder.