Adding lists to shared board without permission leads to 403

[simonspa]

Describe the bug

When adding a list to a shared deck without management permission, the API returns 403, see stacktrace. From the app it is however not clear at all, and the list is created anyway but not synced. The error message is just briefly shown. I'd consider this more of a UI/UX issue than a bug.

Steps to reproduce the behavior:

1. Receive shared deck without management permission
2. Try to add list
3. List is added in Android app
4. See error

Expected behavior The app shows an error detailing why a list cannot be created, and no list is created.

Stacktrace

App Version: 1.22.1
App Version Code: 1022001
Server App Version: 1.9.2
App Flavor: play

Files App Version Code: 30250090

---

OS Version: 4.14.276-g6ef255005cea-ab9062920(9382335)
OS API Level: 33
Device: flame
Manufacturer: Google
Model (and Product): Pixel 4 (flame)

---

com.nextcloud.android.sso.exceptions.NextcloudHttpRequestFailedException: HTTP-Anfrage ist fehlgeschlagen mit HTTP-Statuscode: 403
    at com.nextcloud.android.sso.api.AidlNetworkRequest.performNetworkRequestV2(AidlNetworkRequest.java:188)
    at com.nextcloud.android.sso.api.NextcloudAPI.performNetworkRequestV2(NextcloudAPI.java:199)
    at com.nextcloud.android.sso.api.NextcloudAPI.lambda$performRequestObservableV2$1$com-nextcloud-android-sso-api-NextcloudAPI(NextcloudAPI.java:129)
    at com.nextcloud.android.sso.api.NextcloudAPI$$ExternalSyntheticLambda0.subscribe(Unknown Source:6)
    at io.reactivex.internal.operators.observable.ObservableFromPublisher.subscribeActual(ObservableFromPublisher.java:31)
    at io.reactivex.Observable.subscribe(Observable.java:12284)
    at io.reactivex.internal.operators.observable.ObservableMap.subscribeActual(ObservableMap.java:32)
    at io.reactivex.Observable.subscribe(Observable.java:12284)
    at io.reactivex.internal.operators.observable.ObservableSubscribeOn$SubscribeTask.run(ObservableSubscribeOn.java:96)
    at io.reactivex.internal.schedulers.ScheduledDirectTask.call(ScheduledDirectTask.java:38)
    at io.reactivex.internal.schedulers.ScheduledDirectTask.call(ScheduledDirectTask.java:26)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
    at java.lang.Thread.run(Thread.java:1012)
Caused by: java.lang.IllegalStateException: {"status":403,"message":"Permission denied"}

    at com.nextcloud.android.sso.InputStreamBinder.processRequestV2(InputStreamBinder.java:454)
    at com.nextcloud.android.sso.InputStreamBinder.performNextcloudRequestAndBodyStreamV2(InputStreamBinder.java:127)
    at com.nextcloud.android.sso.InputStreamBinder.performNextcloudRequestV2(InputStreamBinder.java:110)
    at com.nextcloud.android.sso.aidl.IInputStreamService$Stub.onTransact(IInputStreamService.java:158)
    at android.os.Binder.execTransactInternal(Binder.java:1280)
    at android.os.Binder.execTransact(Binder.java:1244)

[stefan-niedermann]

Thank you for the detailled report! It should of course not be possible to add lists in this scenario.