nextcloud / user_oidc

OIDC connect user backend for Nextcloud
GNU Affero General Public License v3.0

Access to group shares is not granted when adding a user to a group in NC 28 #827

Open lukasrad02 opened 7 months ago

lukasrad02 commented 7 months ago

When a user who has already logged in via OIDC once gets added to a group, the user does not get access to shares granted to that group.

Steps to reproduce

  1. Set up a Nextcloud instance (tested with 28.0.3 using Docker) with this app.
  2. Configure your identity provider. Make sure to enable group provisioning and adjust the groups claim name if necessary.
  3. At your IDP, create two users Alice and Bob. Alice should be a member of "testgroup", Bob not.
  4. Sign in to Nextcloud as both Alice and Bob, one after the other. (We have to sign in as Alice so the "testgroup" will be created in our Nextcloud. We have to sign in as Bob because the bug only occurs if a user already exists before assigning the group membership.)
  5. As Alice, create a folder and share it with the group "testgroup".
  6. At your IDP, add Bob to the "testgroup" group.
  7. Sign in as Bob to the Nextcloud. Bob won't be able to see the folder although he's a member of "testgroup" (membership can be confirmed by visiting /settings/user).
  8. As an administrator, remove and re-add Bob from/to "testgroup".
  9. Sign in as Bob again. Now, Bob is able to see the folder shared by Alice.

Expected behavior

Bob should be able to see the folder in step 7.

Additional context

This bug seems to be caused by some changes in Nextcloud 28. Performing the steps from above using Nextcloud 27.0.0, the behavior is as expected. Other OIDC apps also seem to be affected (e.g. https://github.com/pulsejet/nextcloud-oidc-login/issues/256).

waza-ari commented 7 months ago

Can confirm on NC 28.0.4 in our setup, same behaviour unfortunately.

sirkrypt0 commented 2 months ago

The same issue appeared for me as well, and I created the issue above in Nextcloud server (https://github.com/nextcloud/server/issues/47712) with some more details on the actual bug.

TL;DR: users are granted access to the shares, but they have to accept them manually by visiting the pending shares (https://nextcloud.example.com/apps/files/pendingshares), even though automatic acceptance is configured (as it is by default).