[Bug]: Error loading preview on readonly shares

[adi-dev]

⚠️ This issue respects the following points: ⚠️

• [X] This is a bug, not a question or a configuration/webserver/proxy issue.
• [X] This issue is not already reported on Github (I've searched it).
• [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

I discovered that my photo album shared as read-only doesn't show previews nor allow to view files. In debug console: Similar issue: https://github.com/nextcloud/server/issues/21740, tried to adjust to 'preview_max_memory' => 512, but no effect (restarted whole computer). Found that, if I enable editing on the share, the previews are loading as expected.

Steps to reproduce

1. Share folder internally (with another, local account) with photos as read-only -> no previews
2. Enable editing on the same share -> previews are as expected
3. Disable editing -> no previews

Expected behavior

Previews shown as in original folder

Installation method

Community Manual installation with Archive

Operating system

No response

PHP engine version

PHP 8.1

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

No response

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• [X] Default user-backend (database)
• [ ] LDAP/ Active Directory
• [ ] SSO - SAML
• [ ] Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.0.100",
            "adiit.net",
            "127.0.0.1",
            "80.1.140.106"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/adiit.net",
        "dbtype": "pgsql",
        "version": "25.0.1.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "mail_smtpmode": "sendmail",
        "appstore.experimental.enabled": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\SVG",
            "OCC\\Preview\\WebP"
        ],
        "trashbin_retention_obligation": "auto, 61",
        "versions_retention_obligation": "auto, 365",
        "preview_max_x": 2048,
        "preview_max_y": 2048,
        "preview_max_scale_factor": 1,
        "preview_max_memory": 512,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "htaccess.RewriteBase": "\/",
        "asset-pipeline.enabled": true,
        "app_install_overwrite": [
            "tasks",
            "checksum",
            "files_retention",
            "camerarawpreviews",
            "breezedark",
            "metadata",
            "richdocumentscode",
            "twofactor_nextcloud_notification",
            "previewgenerator"
        ],
        "mail_sendmailmode": "smtp",
        "default_phone_region": "GB",
        "allow_local_remote_servers": true,
        "mail_smtpsecure": "ssl",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": []
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - bruteforcesettings: 2.5.0
  - calendar: 4.1.0
  - camerarawpreviews: 0.8.0
  - checksum: 1.1.5
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.0.1
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - event_update_notification: 2.0.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_automatedtagging: 1.15.0
  - files_external: 1.17.0
  - files_pdfviewer: 2.6.0
  - files_retention: 1.14.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - mail: 2.1.2
  - maps: 0.2.1
  - metadata: 0.17.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.0
  - previewgenerator: 5.1.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recognize: 3.2.2
  - recommendations: 1.4.0
  - related_resources: 1.0.3
  - richdocuments: 7.0.1
  - richdocumentscode: 22.5.802
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - suspicious_login: 4.3.0
  - systemtags: 1.15.0
  - tasks: 0.14.5
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - twofactor_nextcloud_notification: 3.5.0
  - twofactor_totp: 7.0.0
  - twofactor_webauthn: 1.0.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - encryption: 2.12.0
  - user_ldap

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

There is nothing really, except of my initial fail attempt to log into the second account

Additional info

[szaimen]

cc @juliushaertl

[PVince81]

there's a slight chance that this might be a regression as we touched the preview system in NC 24 to optimize it, not sure if permission checks were affected as well

@CarlSchwan

[szaimen]

Isnt this the reason? https://github.com/nextcloud/server/pull/34788

[PVince81]

@szaimen that one is only when download is forbidden.

but this ticket here is about read-only, which implies allowed download

[adi-dev]

@szaimen that one is only when download is forbidden.

but this ticket here is about read-only, which implies allowed download

Yes, the Download is enabled:

[szaimen]

@szaimen that one is only when download is forbidden.

but this ticket here is about read-only, which implies allowed download

Ah I see

[EricThi]

Hello, I have the same case for internal and external share.

If hide download, workaround work.

[EricThi]

For information, all request since app (talk; nextcloud) are break for any share (same if download are disabled) workaround work only via web page

[Samonitari]

Same error here, although setup is different:

• Nextcloud 25.0.2
• caddy 2.6.2
• php 8.0.25
• PostgreSQL 14.5
• LDAP user-backend

I marked as bold the components that are the ~same as in @adi-dev's setup.

If a folder share is readonly, 404 is returned for previews. BTW #21740 is a different issue, as browser returned 500 for that. Logs doesn't show anything relevant even in debug level ('loglevel => 0) "Viewing" them is technically a preview too - if I understand correctly, as browser passes x and y in the GET request - so neither does that work. Download does work.

@PVince81

there's a slight chance that this might be a regression as we touched the preview system in NC 24 to optimize it, not sure if permission checks were affected as well

The chances are not that slight 😆 ... The issue is somewhere in the preview's permission checks, in the case when the folder is read-only.

I know that everybody's problem is the most important for the person in question, but let me express it with mustering some objectivism: Sharing photo folders feels like one of the most relevant or core functionality (and a pretty important subset is sharing read-only). I remember NC 22 (or around that) breaking the folder shares' photo view altogether (or to be more precise, refactor came without a working one). Please, make it to some test case that preview works in (read-only) shares (and don't release, if that fails).

[EricThi]

Patch are linked for this case no ? https://github.com/nextcloud/server/pull/35213

If found time, i will test on my preprod for this case

[PVince81]

@come-nc can you have a look ? this issue is specifically for "read-only shares" or where the "upload/write" permission was removed

there were mentions of "remove download permission" but this is another separate issue

[come-nc]

I am unable to reproduce this, I tried on master, stable25, and 25.0.1, previews always load fine.

[come-nc]

I see @adi-dev is using https://apps.nextcloud.com/apps/previewgenerator , @Samonitari is that also your case?

[EricThi]

@come-nc , Here, i can reproduce on last build 25.0.2 If create default share link ;

• expiration date set per default
• can download
• can't edit I get this error :

If hide dowload on same share and reload :

I don't use your apps and i have disable shareRenammer for test, don't fix

On my side, now, any share can be view, for see picture/video ; users need to be download files

[come-nc]

@EricThi This does not look like the same issue, this issue is not with a share link but an internal link according to original description. And the screenshots seems to suggest it was in photos app as well.

[Samonitari]

I see @adi-dev is using https://apps.nextcloud.com/apps/previewgenerator , @Samonitari is that also your case? ... @EricThi This does not look like the same issue, this issue is not with a share link but an internal link according to original description.

Crap, I made a mistake, and did not read the bug description carefully enough. I am having this issue with link shares. To further complicate things, I had previewgenerator installed, but (thinking that maybe that was the problem's root) I uninstalled it, deleted appdata previews, issued occ files:scan-app-data, and visited the link-shared folder with my account to (re)generate the previews by demand. -> Previews still don't work for non-editable shares.

[come-nc]

I see @adi-dev is using https://apps.nextcloud.com/apps/previewgenerator , @Samonitari is that also your case? ... @EricThi This does not look like the same issue, this issue is not with a share link but an internal link according to original description.

Crap, I made a mistake, and did not read the bug description carefully enough. I am having this issue with link shares. To further complicate things, I had previewgenerator installed, but (thinking that maybe that was the problem's root) I uninstalled it, deleted appdata previews, issued occ files:scan-app-data, and visited the link-shared folder with my account to (re)generate the previews by demand. -> Previews still don't work for non-editable shares.

Can you give steps to reproduce your problem then? I was never able to reproduce any problem with previews, they show fine in my tests.

[Jerome-Herbinet]

Hi, I've got this problem on a "Ionos Managed" Nextcloud instance (27.1.5) which uses Preview Generator 5.4.0. Do some of you still have this problem ? Do some solutions (or problem origin) have been found to fix this ?

[EricThi]

Hello, I'm now on 29.0.1 and don't get these error on web share (sorry, missed to update it) on my side.

Now, I get only error on preview side : https://github.com/nextcloud/server/issues/37186

I have upgrade to 27.1.4|5 to 29.0.1 directly (keep 1 day on 28.x and no test)