Open imadevel opened 1 year ago
To me, this behavior seems logical: Nextcloud's first priority is data security. This logic is similar to the one applied in the management of rights on NTFS: access denials are always prioritized over authorizations.
On the other hand, it's strange that you can delete a file when one of your groups doesn't have the permission to do it.
It seems that a little clarification is needed to determine which rights management policy should be applied on Nextcloud: Denial priority or Authorization priority in order to avoid inconsistencies within the application.
I think it is not comparable to a deny in NTFS, because it is just an allow that is not set; also, the other rights behave as expected. Also, from a practical point of view, I expect to be able to set a group employees that might have low rights, that has every person in it, and then a group with more rights, for example a group it or finance, but all of them are in the group employees. So there might be a folder that both can read but only one should be able to write, and it would be quite a pain to not be able to put a person in the group with lower rights and higher rights at the same time.
If this is normal behavior, it seems important to explain to users why the access is refused... Users are quite confused when the PDF viewer just displays a red error "Unatended response from the server" instead of opening the document. They can open it with OnlyOffice but not with the PDF viewer, so it's quite strange.
At least display the error in the log "Access to this resource has been denied because it is in view-only mode". But even this error is strange, because it's not in view-only mode if we cannot open it :/
And from a user's point of view, "the permission to download the document" could be different from "the permission to view the document"...
Similar or duplicate case, no? https://github.com/nextcloud/server/issues/36013
Bug description
Hello, the server is Debian Bullseye and the Nextcloud version is 25.0.2. I checked the changelog here https://nextcloud.com/de/changelog/ and version 25.0.3 does not mention any changes regarding file permissions.
The problem is the following: as soon as a user is in 2 groups, one with "allow download" disabled and one with "allow download" enabled, files are not accessible. I got a 403 error and the sync client reports "Access to this resource has been denied because it is in view-only mode". But the higher rights from the group still apply, because I could still delete the file in the web interface.
Steps to reproduce
Expected behavior
Expect to be able to download the files because one group is able to download
Installation method
Community Manual installation with Archive
Operating system
Debian/Ubuntu
PHP engine version
PHP 7.4
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
Configuration report
No response
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
No response
Additional info
No response
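
The inconsistency discussed in this thread can be modelled as two different merge rules applied to the same set of group shares: permissions merged by union, the download flag merged by denial priority. This is an added example, not Nextcloud's code or any participant's; the `GroupShare` structure, the function names and the sample shares are constructed assumptions.

```python
from dataclasses import dataclass


# Constructed model: names and structure are assumptions, not Nextcloud's code.
@dataclass(frozen=True)
class GroupShare:
    group: str
    permissions: frozenset   # e.g. {"read", "update", "delete"}
    allow_download: bool     # the "allow download" setting on the share


def effective_permissions(shares):
    """Union of permissions: any group that grants an action is enough."""
    perms = set()
    for s in shares:
        perms |= s.permissions
    return perms


def download_allow_priority(shares):
    """Authorization priority: one share with download enabled suffices."""
    return any(s.allow_download for s in shares)


def download_deny_priority(shares):
    """Denial priority: one share with download disabled blocks the user."""
    return all(s.allow_download for s in shares)


def evaluate(shares, download_policy):
    """Return the delete and download decisions for a user's group shares."""
    return {
        "delete": "delete" in effective_permissions(shares),
        "download": bool(shares) and download_policy(shares),
    }


# Constructed sample: one user who is a member of both groups.
SHARES = [
    GroupShare("employees", frozenset({"read"}), allow_download=False),
    GroupShare("finance", frozenset({"read", "update", "delete"}), allow_download=True),
]

if __name__ == "__main__":
    # Mixed rules: same symptoms as the report (delete works, download refused).
    print("mixed:     ", evaluate(SHARES, download_deny_priority))
    # Authorization priority for both: the behavior the reporter expected.
    print("consistent:", evaluate(SHARES, download_allow_priority))
```
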