"Deny" Group permission prevails over "allow" User permission #2812

Closed
slaver666 opened this issue Feb 9, 2024 · 10 comments
Labels: bug; feature: acl (Items related to the groupfolders ACL or "Advanced Permissions"); high (high priority)

@slaver666
Steps to reproduce

  1. User has extended permission to the root folder. Group has read permissions to the root folder.
  2. User creates a folder inside root folder. The child folder inherits root folder permissions.
  3. User removes Group read permission to the child folder.

Expected behaviour

User must have all permissions to the folder.

Actual behaviour

User doesn't even see the folder any more.

Server configuration

Operating system:
Ubuntu Linux 22.04.3 LTS

Web server:
Nginx 1.25.3

Database:
PostgreSQL 15.5

PHP version:
8.2

Nextcloud version: (see Nextcloud admin page)
28.0.2

Group folders version:
16.0.3

Updated from an older Nextcloud/ownCloud or fresh install:
updated from 27

Where did you install Nextcloud from:
community edition from official site

Are you using external storage, if yes which one: local/s3/smb/sftp/...
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/Saml/...
Active Directory

Client configuration

Browser:
Google Chrome, Microsoft Edge

Operating system:
Windows 10, Ubuntu Linux 22

Logs

Can't see any log entries belonging to the Group folders app

Web server error log

No errors in web server log

slaver666 added the "0. Needs triage" and "bug" labels on Feb 9, 2024
@slaver666
Author

nextcloud.log

@Jerome-Herbinet
Member

Hi @slaver666,
Can you detail a way to reproduce the bug? This will allow me to see if it's the same bug as the one I found on my side.
Thx

@koelle25

koelle25 commented Mar 1, 2024

@Jerome-Herbinet Do the Steps to reproduce from the OP not work for reproducing the issue? If not can you elaborate what result you see instead?

> Steps to reproduce
>
> 1. User has extended permission to the root folder. Group has read permissions to the root folder.
> 2. User creates a folder inside root folder. The child folder inherits root folder permissions.
> 3. User removes Group read permission to the child folder.
>
> Expected behaviour
>
> User must have all permissions to the folder.
>
> Actual behaviour
>
> User doesn't even see the folder any more.

@slaver666
Author

> Hi @slaver666, Can you detail a way to reproduce the bug. This will allow me to see if it's the same bug as the one I found on my side. Thx

Hi. I thought my "Steps to reproduce" are well described. I'm ready to give any information/screenshots if you need.

@Jerome-Herbinet
Member

> @Jerome-Herbinet Do the Steps to reproduce from the OP not work for reproducing the issue? If not can you elaborate what result you see instead?
>
> > Steps to reproduce
> >
> > 1. User has extended permission to the root folder. Group has read permissions to the root folder.
> > 2. User creates a folder inside root folder. The child folder inherits root folder permissions.
> > 3. User removes Group read permission to the child folder.
> >
> > Expected behaviour
> >
> > User must have all permissions to the folder.
> >
> > Actual behaviour
> >
> > User doesn't even see the folder any more.

I read it again, and I think the description is good. Test and result are similar to mine.

Jerome-Herbinet added the "high" and "feature: acl" labels and removed the "needs info" and "0. Needs triage" labels on Mar 1, 2024
@fschrempf
Contributor

I think this is one of the many issues which all describe the same kind of defect. The inherited permissions from the root folder are not taken into account when there is a deny rule for the subdirectory.

Please read through #1212 and other related reports and you might come to the same conclusion as me, which is that groupfolder ACLs are a total mess and pretty much unusable.
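
The precedence question raised in this thread, as an added example that is not part of the original discussion and is not groupfolders code: a simplified model of the "Steps to reproduce" comparing a per-level "deny wins" merge (the behaviour reported) with a resolution where a user-specific rule outranks group rules (the behaviour the reporter expected). The rule format, the names `alice` and `staff`, and both functions are assumptions made for illustration.

```python
# Constructed rule set mirroring the "Steps to reproduce"; all names are hypothetical.
# Each rule: (folder path, principal, allow_read)
RULES = [
    ("/root", "user:alice", True),          # step 1: user has extended permission
    ("/root", "group:staff", True),         # step 1: group has read permission
    ("/root/child", "group:staff", False),  # step 3: group read removed on the child
]
ALICE = {"user:alice", "group:staff"}       # alice is also a member of the group


def ancestors(path):
    """Return the folder chain from the top folder down to the target."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def per_level_deny_wins(rules, principals, path):
    """Model of the reported behaviour: at each level every matching rule is
    merged, one deny is enough, and a deeper level replaces the inherited result."""
    decision = False
    for folder in ancestors(path):
        hits = [allow for p, who, allow in rules if p == folder and who in principals]
        if hits:
            decision = all(hits)
    return decision


def user_rule_first(rules, principals, path):
    """Model of the reporter's expectation: resolve each principal along the
    path, then let a user-specific result outrank any group result."""
    effective = {}
    for folder in ancestors(path):
        for p, who, allow in rules:
            if p == folder and who in principals:
                effective[who] = allow  # deeper rule overrides per principal
    user = [v for k, v in effective.items() if k.startswith("user:")]
    if user:
        return user[0]
    groups = [v for k, v in effective.items() if k.startswith("group:")]
    return bool(groups) and all(groups)


if __name__ == "__main__":
    for model in (per_level_deny_wins, user_rule_first):
        print(model.__name__, model(RULES, ALICE, "/root/child"))
```

Running the same rule set through both functions makes the disagreement testable: an access-control regression test for a deployment can pin whichever semantics the administrators rely on.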

@motiosw

motiosw commented Mar 25, 2024

I am in the admin and in the employee group. When I restrict a permission for the employee group, I lose access to that folder. By adding me as a person with all permissions, I still have no access. I am looking forward to a solution.

@chaosgrid

chaosgrid commented May 14, 2024

I just want to add that this behaviour definitely changed within the last year (not exactly sure when).

It is also easy to reproduce:

Make a folder which inherits read permission i.e. of an "admin" group.
Now explicitly deny read access to a "team_member" group to this folder, of which you are also a member. The deny entry now has priority over the inherited read permission of the "admin" group of the parent folder.

I assume this is not intended behaviour and I'm surprised this bug has not been fixed yet.

I also think this is related to or a duplicate of #2934

@chaosgrid

I think this issue is also fixed by following this post: #2934 (comment)
It is not a bug, but a feature which changed the default permission behaviour when there are inherited permissions.

@provokateurin
Member

Duplicate of #598

provokateurin marked this as a duplicate of #598 on Sep 17, 2024
provokateurin closed this as not planned on Sep 17, 2024