[Bug]: Update to Nextcloud 29 has changed ACL permissions

[ohashi-haruka]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Steps to reproduce

1. Create groupfolders with subfolders, and set specific ACL permissions on each subfolder.
2. Update from Nextcloud 28.0.6 to 29.0.5.
3. Execute a PROPFIND request with curl and check the nc:acl-permissions:

curl -sS -X PROPFIND -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propfind xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns">
  <d:prop>
    <oc:fileid/>
    <nc:inherited-acl-list/>
    <nc:acl-list/>
  </d:prop>
</d:propfind>'

Expected behaviour

• Post-update, there should be no changes to nc:acl-permissions.
• Users should retain the same permissions and be able to perform all file operations as before the update.
• The nc:acl-mask values should remain unchanged unless intentionally modified.

Actual behaviour

After updating from Nextcloud 28.0.6 to 29.0.5, the permissions for certain subfolders in some groupfolders with Advanced Permissions setting enabled has changed unexpectedly.
This change results in:

• The "+New" button being grayed out for affected users.
• Those users being unable to perform file operations (e.g., upload, create, edit, or delete files) within these folders.

Although there were no changes in the oc_group_folders_acl table in the database, when checking the nc:acl-permissions values through a PROPFIND request with curl, the values had changed to 0.

To resolve this issue, I ran occ groupfolders:scan, occ files:scan, and occ files:cleanup, but the issue persisted.

When I attempted to restore the permissions using a PROPPATCH request with curl, which allowed file uploads, but the PROPFIND results remained unchanged.

curl -sS -X PROPPATCH  -u "username:password" "https://your-nextcloud-url/remote.php/dav/files/username/path/to/folder/" \
--data '<d:propertyupdate xmlns:d="DAV:" xmlns:nc="http://nextcloud.org/ns">
  <d:set>
    <d:prop>
      <nc:acl-list>
          <nc:acl>
            <nc:acl-mapping-type>group</nc:acl-mapping-type>
            <nc:acl-mapping-id>admin</nc:acl-mapping-id>
            <nc:acl-mapping-display-name>admin</nc:acl-mapping-display-name>
            <nc:acl-mask>0</nc:acl-mask>
            <nc:acl-permissions>31</nc:acl-permissions>
          </nc:acl>
      </nc:acl-list>
    </d:prop>
  </d:set>
</d:propertyupdate>'

After running occ groupfolders:permissions, file uploads became possible. Regarding the PROPFIND results, nc:acl-permissions returned to expected values, however nc:acl-mask was unintentionally changed to 31 for all entries.

This issue didn't occur when updating to Nextcloud 28.0.11.

Server configuration

Operating system: Amazon Linux release 2 (Karoo)

Web server: Apache

Database: MariaDB

PHP version: PHP 8.2

Nextcloud version: (see Nextcloud admin page) 29.0.5

Group folders version: 17.0.5

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded to a MAJOR version (ex. 28 to 29)

Where did you install Nextcloud from:

Are you using external storage, if yes which one:

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP

Configuration report:

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "JP",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwritewebroot": "\/nextcloud",
        "dbtype": "mysql",
        "version": "29.0.5.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "log_type": "file",
        "logfile": "nextcloud.log",
        "loglevel": 1,
        "logtimezone": "Asia\/Tokyo",
        "logdateformat": "F d, Y H:i:s",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "theme": "",
        "auth.bruteforce.protection.enabled": false,
        "integrity.check.disabled": true,
        "mail_smtpauthtype": "",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "groupfolders"
        ],
        "trashbin_retention_obligation": "auto, 14",
        "mail_smtpport": "4"
    }
}

List of activated Apps:

List of activated Apps

Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - files: 2.1.1
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - groupfolders: 17.0.5
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_ldap: 1.20.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - bruteforcesettings: 2.9.0 (installed 1.0.3)
  - circles: 29.0.0-dev (installed 24.0.1)
  - dashboard: 7.9.0 (installed 7.1.0)
  - encryption: 2.17.0
  - federation: 1.19.0 (installed 1.14.0)
  - files_downloadlimit: 2.0.0 (installed 2.0.0)
  - password_policy: 1.19.0 (installed 1.2.2)
  - recommendations: 2.1.0 (installed 1.3.0)
  - sharebymail: 1.19.0 (installed 1.2.0)
  - support: 1.12.0 (installed 1.4.0)
  - survey_client: 1.17.0 (installed 1.1.0)
  - suspicious_login: 7.0.0
  - twofactor_totp: 11.0.0-dev
  - user_status: 1.9.0 (installed 1.1.1)
  - weather_status: 1.9.0 (installed 1.1.0)

Client configuration

Browser:

Operating system:

Logs

Web server error log

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log

Insert your Nextcloud log here

Browser log

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...