[Bug]: User in 2 groups, one "allow download" disabled and one "allow download" enabled, files are not accessible with 403

[imadevel]

⚠️ This issue respects the following points: ⚠️

• [X] This is a bug, not a question or a configuration/webserver/proxy issue.
• [X] This issue is not already reported on Github (I've searched it).
• [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

Hello, the Server is a Debian Bullseye and the Nextcloud Version is 25.0.2, I checked the changelog here https://nextcloud.com/de/changelog/ and Version 25.0.3 does not mention any changes regarding file permissions

The Problem is the following. As soon as a user is in 2 groups one with "allow download" disabled and one with "allow download" enabled files are not accessible. I got a 403 error and the sync client reports "(Access to this resource has been denied because it is in view-only mode" But the higher rights from the group still apply because I could still delete the file in the webinterface

Steps to reproduce

1. Create 2 groups
2. add one user to both groups
3. create a folder
4. share the folder with both group, the first group get every permission (Allow editing, Allow Creating, Allow deleting, Allow resharing, Allow download), the second group gets all permissions removed, no checkbox at all is ticked
5. Upload a jpg to the folder
6. log in as the user who got the share
7. try to access the file either by Webbrowser or Syncclient

Expected behavior

Expect to be able to download the files because one group is able to download

Installation method

Community Manual installation with Archive

Operating system

Debian/Ubuntu

PHP engine version

PHP 7.4

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• [X] Default user-backend (database)
• [x] LDAP/ Active Directory
• [ ] SSO - SAML
• [ ] Other

Configuration report

No response

List of activated Apps

Enabled:
  - calendar: 4.2.3
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.0.3
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - deck: 1.8.3
  - external: 5.0.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - mail: 2.2.3
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - notify_push: 0.5.2
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.3
  - richdocuments: 7.1.0
  - richdocumentscode: 22.5.802
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.3
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_ldap: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - activity: 2.17.0
  - admin_audit
  - bruteforcesettings
  - collectives: 2.2.1
  - encryption
  - files_external
  - files_fulltextsearch: 25.0.0
  - files_fulltextsearch_tesseract: 25.0.0
  - files_mindmap: 0.0.27
  - suspicious_login
  - twofactor_totp

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

[PocketFR]

To me, this behavior seems logical: Nextcloud's first priority is data security. This logic is similar to the one applied in the management of rights on NTFS: access denials are always prioritized over authorizations.

On the other hand, it's strange that you can delete a file when one of your group doesn't have the permission to do it.

It seems that a little clarification is needed to determine which rights management policy should be applied on Nextcloud: Denial priority or Authorization priority in order to avoid inconsistencies within the application.

[imadevel]

I think it is not comparable to a deny in NTFS, because it is just an allow that is not set, also the other rights behave as expected. Also from the practical point of view I accept to be Able to set a Group employees that might have low rights, that have every person in it and then a group with more rights, for example a group it or finance, but all of them are in the group employees. So there might be a folder that both can read but only one should be able to write, and it would be quite a pain to not be able to put a person in the group with lower right and high rights at the same time

[zamentur]

If this is a normal behavior, it seems important to explain to users why the access is refused... User are quite confused when the PDF viewer just display a red error "Unatended response from the server" instead of opening the document. They can open it with onlyoffice but not with the pdf viewer, so it's quite strange.

At least display the error in log "Access to this resource has been denied because it is in view-only mode". But even this error is strange, cause it's not in view-only mode if we cannot open it :/

And from a user sight, "the permission to download the document" could be different from "the permission to view the document"...

[EricThi]

Similar or duplicate case no ? https://github.com/nextcloud/server/issues/36013