Open dl-lim opened 4 years ago
I am seeing the same issue and can provide input. I'm using the docker version of CODE and see these errors in the docker logs.
```
wsd-00007-00067 2020-10-26 22:08:17.920355 [ docbroker_003 ] ERR WOPI::GetFile failed with 403 []| wsd/Storage.cpp:931
wsd-00007-00067 2020-10-26 22:08:17.920550 [ docbroker_003 ] ERR loading document exception: WOPI::GetFile failed: []| wsd/DocumentBroker.cpp:1426
```
Nextcloud 19.0.3
I'm running into the same issue. Collabora fails to open a file with any restricted tag assigned to it or to its parent folder.
Could you share a screenshot of the affecting flow rule?
Nextcloud 19.0.3 CODE - Collabora Office 6.4-14 Both running in separate docker containers.
User is a member of group Dev and has no problem opening files from shared folders, but once a folder/parent folder/file is tagged with a restricted tag, I get the message "Failed to read document from storage" from Collabora.
This is the expected behavior by the files_accesscontrol app:
The easiest way to block access to a folder, is to use a collaborative tag. As mentioned in the Available rules section below, either the file itself or one of the parents needs to have the given tag assigned.
What? I don't get it. If your access to a file has been denied, then of course Collabora should not open that file, but our complaint was about the case where access to a file is granted, but Collabora still fails to open that file. Once there is a restricted tag on that file, it just fails to read. The only time my setup works and Collabora does open a file is when there is no restricted tag anywhere on the path to that file (file/parent/grandparent...).
Sorry, then I might have misunderstood your comment:
User is a member of group Dev and has no problem opening files from shared folders, but once a folder/parent folder/file is tagged with a restricted tag, I get the message "Failed to read document from storage" from Collabora.
Maybe you can clarify that a bit further then about what folder structure is in place with which tags and which file fails to open.
Sure. I just tried to create a "Test" folder in the root of the "admin" account and created a "New document" named test.odt without any sharing, just a local file. Collabora had no problem opening that file. Once I applied a restricted tag "onlyDev" (see the flow rule above) either on the Test folder or directly onto test.odt, Collabora fails to load the document with the message @alderson59 originally reported here. Admin can do all other actions on that file (e.g. download), because the "block access" flow doesn't engage; that's why Nextcloud starts the Collabora Online environment in the first place.
btw. Running all in docker containers, all together with docker compose: Nextcloud 21.0.5 (cloud.domain.com), MariaDB 10.5.12, Collabora Online 4.2.3 connector app, Collabora office 6.4-48 (docs.domain.com)
nextcloud error message:
[richdocuments] Error: OCP\Files\NotPermittedException: at <
GET /index.php/apps/richdocuments/wopi/files/71746_oc94bwebkvxy/contents?access_token=henNcEX9R10gxvSvNYx8NOPGs6sYcbHH&access_token_ttl=0 from xxx.xxx.xxx.xxx at 2021-10-08T09:04:03+00:00
I just tried the same process with the new shiny Nextcloud Hub II (23.0.0) and what is now called Nextcloud Office. No luck. I even tried using the demo server. No luck there either. Once I put a restricted tag (with an access restriction flow) on the folder where any document I would like to edit resides, Collabora throws the same error. It's frustrating :( Is it wrong to use collaborative tags for restricting access? Soon to be deprecated functionality? Am I using it wrong?
As I'm blocking access to folders only by the restricted tag, I was able to modify already mentioned flow rule by adding
With this modification, Collabora doesn't have a problem opening files in any subfolders, if the access was not blocked by that flow rule of course. Fortunately, in my case, blocking access on folders is good enough.
I am having the same issue with NC 27.1.3
In my setup, I want to allow access to word-files, which exist in a groupfolder to only a sub-group. This works very well with restricted file access. When a privileged user now wants to access one of the word-files with collabora, it doesn't work with the same error message as seen above. Unfortunately, I cannot use @MikeK123's workaround with the MIME type, because I need it to filter for word-documents.
My workaround now uses the "request remote address": As the access by collabora always comes from the specific IP of the collabora server, I can exclude this IP in the rule and it works fine.
Still, it would be nice if this issue could be resolved.
Edit: Does anyone know how to configure IPv4 vs. IPv6 access? It seems to be a little random and so my workaround does not work well because I can either exclude the IPv6 OR the IPv4 address...
having the same here. NC29.0.7.
file access control rule as follow:
As Bob, member of group "Team B", if I apply the tag "Team B" on a folder, I can navigate into the folder.
As Bob, member of group "Team B", if I apply the tag "Team B" on a text file, I can open and edit the text file.
As Bob, member of group "Team B", if I apply the tag "Team B" on a document/presentation/spreadsheet, Collabora fails to open the document/presentation/spreadsheet.
{"reqId":"y7tlLRdlvOFT8NVI3e5q","level":3,"time":"2024-09-26T20:58:09+00:00","remoteAddr":"127.0.0.1","user":"--","app":"richdocuments","method":"GET","url":"/index.php/apps/richdocuments/wopi/files/2407_ocy6wpr78ta9/contents?access_token=ZSaBki6ZMHFVXLKs3yPTNMP9iFc7AzWo&access_token_ttl=0","message":"getFile failed: Access denied","userAgent":"COOLWSD HTTP Agent 24.04.7.2","version":"29.0.7.1","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Access denied","Code":0,"Trace":[{"file":"/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php","line":60,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\Operation","type":"->","args":[["OCA\\FilesAccessControl\\StorageWrapper",null,["OC\\Files\\Cache\\Scanner"],null,null,null,"/bob/"],"files/Documents/Welcome to Nextcloud Hub.docx",false]},{"file":"/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php","line":236,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->","args":["files/Documents/Welcome to Nextcloud Hub.docx",false]},{"file":"/var/www/html/lib/private/Files/View.php","line":1169,"function":"fopen","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->","args":["files/Documents/Welcome to Nextcloud Hub.docx","r"]},{"file":"/var/www/html/lib/private/Files/View.php","line":997,"function":"basicOperation","class":"OC\\Files\\View","type":"->","args":["fopen","/bob/files/Documents/Welcome to Nextcloud Hub.docx",["read"],"r"]},{"file":"/var/www/html/lib/private/Files/Node/File.php","line":116,"function":"fopen","class":"OC\\Files\\View","type":"->","args":["/bob/files/Documents/Welcome to Nextcloud 
Hub.docx","r"]},{"file":"/var/www/html/custom_apps/richdocuments/lib/Controller/WopiController.php","line":385,"function":"fopen","class":"OC\\Files\\Node\\File","type":"->","args":["rb"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":232,"function":"getFile","class":"OCA\\Richdocuments\\Controller\\WopiController","type":"->","args":["2407","ZSaBki6ZMHFVXLKs3yPTNMP9iFc7AzWo"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":138,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Richdocuments\\Controller\\WopiController"],"getFile"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Richdocuments\\Controller\\WopiController"],"getFile"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":331,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Richdocuments\\Controller\\WopiController","getFile",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["2407_ocy6wpr78ta9","richdocuments.wopi.getfile"]]},{"file":"/var/www/html/lib/base.php","line":1058,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/richdocuments/wopi/files/2407_ocy6wpr78ta9/contents"]},{"file":"/var/www/html/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/custom_apps/files_accesscontrol/lib/Operation.php","Line":106,"message":"getFile failed: Access denied","exception":[],"CustomMessage":"getFile failed: Access denied"},"id":"66f5cae1a3ee7"}
no groupfolder, no share, pure personal files.
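For triaging reports like the ones above, an added example (not part of the thread and not code from Nextcloud, richdocuments or files_accesscontrol): a Python filter that picks WOPI GetFile denials raised through files_accesscontrol out of JSON-per-line Nextcloud log entries, redacts the access token, and groups the requests by source address family. The function names and sample lines are constructed; the field names follow the log entry quoted above.

```python
import ipaddress
import json
import re
from collections import Counter

WOPI_GETFILE = re.compile(r"/apps/richdocuments/wopi/files/([^/?]+)/contents")
TOKEN = re.compile(r"(access_token=)[^&]+")
AC_WRAPPER = "/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php"

# Constructed sample input (documentation-range addresses), shaped like the quoted entry.
def _entry(file_id, addr, trace_file):
    return json.dumps({
        "remoteAddr": addr, "user": "--", "app": "richdocuments",
        "url": f"/index.php/apps/richdocuments/wopi/files/{file_id}/contents"
               "?access_token=CONSTRUCTEDTOKEN&access_token_ttl=0",
        "exception": {"Trace": [{"file": trace_file, "function": "checkFileAccess"}]}})

SAMPLE_LOG = [
    _entry("11_ocexample", "192.0.2.10", AC_WRAPPER),
    _entry("12_ocexample", "2001:db8::10", AC_WRAPPER),
    _entry("13_ocexample", "192.0.2.10", "/var/www/html/lib/private/Files/View.php"),
    "truncated or non-JSON line",
]

def ip_version(addr):
    """Return 4 or 6, or None when remoteAddr is not an IP literal."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None

def wopi_denials(lines):
    """Yield WOPI GetFile failures whose stack trace passes through files_accesscontrol."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not complete JSON records
        exc = rec.get("exception") if isinstance(rec, dict) else None
        trace = exc.get("Trace", []) if isinstance(exc, dict) else []
        match = WOPI_GETFILE.search(str(rec.get("url", ""))) if trace else None
        if match and any("files_accesscontrol" in str(f.get("file", "")) for f in trace):
            addr = str(rec.get("remoteAddr", ""))
            yield {"file_id": match.group(1), "remote_addr": addr, "ip_version": ip_version(addr),
                   "url": TOKEN.sub(r"\1REDACTED", rec["url"])}  # never keep the token

def addresses_by_family(hits):
    """Count denials per (IP version, address) to see which families the requests use."""
    return Counter((h["ip_version"], h["remote_addr"]) for h in hits)
```

Feeding it the lines of `nextcloud.log` shows whether the denied Collabora requests arrive over IPv4, IPv6, or both.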
Nextcloud 19.0.1
Trying to access documents inside a folder with a Restricted Tag that Blocks File Access (using Flow) to certain users.
Accessed the folder as a privileged user and was unable to open the document.
Error message:
Nextcloud logs as Admin
Collabora works fine on other documents that do not have the file access restrictions.
Any solutions to this? How can I help fix this? Happy to post more logs
Reference: #202 - marked as stale and wontfix. However, this problem persists.
EDIT: draw.io, an NC extension that edits diagrams, works fine in the same environment, so this must be an issue with Collabora.
I need to get this working ASAP in production - any temporary solutions that works while maintaining the folder access control rights?