Server: Blocking desktop synchronization for folders not working as expected

Created on 27 Mar 2017 · 14Comments · Source: nextcloud/server

Steps to reproduce

Add restricted tag "NoSync"
Create file access rule (Block Desktop Sync)
- Rule 1: File system tag is tagged with NoSync (restricted)
- Rule 2: Request user agent is Desktop client
Tag a folder containing other folders and files with "NoSync"
Share the tagged folder with a user using Desktop Client

Expected behaviour

tagged folder should not appear in Desktop Client settings or should not be able to be selected for synchronization
folders and sub folders should not be downloaded to local Nextcloud folder on client
sync errors notifications and fatal errors in Nextcloud log should not be reported whenever a file is updated in the tagged folder

Actual behaviour

tagged folder is available for desktop synchronization (listed in Desktop Client settings)
tagged folder and all sub-folders are downloaded to local Nextcloud folder
files in tagged folder and sub-folders are not downloaded to local folder, however:
- sync error reported on Windows desktop
  
  " could not be synced due to errors. See the log for details."
- error reported in Nextcloud log:
  
  "Fatal webdav OCA\DAV\Connector\Sabre\Exception\Forbidden: HTTP/1.1 403 Access denied"

Server configuration

Operating system: Linux REBL-S4 4.4.0-66-generic #87-Ubuntu SMP Fri Mar 3 15:29:05 UTC 2017 x86_64

Web server: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: mysql 10.0.29

PHP version: 7.0.15-0ubuntu0.16.04.4
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, igbinary, json, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 11.0.2 (stable) - 11.0.2.7

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Updater

Signing status:

Signing status

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

List of activated apps:

App list

Enabled:
 - activity: 2.4.1
 - admin_audit: 1.1.0
 - comments: 1.1.0
 - dav: 1.1.1
 - federatedfilesharing: 1.1.1
 - files: 1.6.1
 - files_accesscontrol: 1.1.2
 - files_automatedtagging: 1.1.1
 - files_external: 1.1.2
 - files_pdfviewer: 1.0.1
 - files_sharing: 1.1.1
 - files_texteditor: 2.2
 - files_trashbin: 1.1.0
 - files_versions: 1.4.0
 - gallery: 16.0.0
 - issuetemplate: 0.2.1
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - nextcloud_announcements: 1.0
 - notifications: 1.0.1
 - password_policy: 1.1.0
 - provisioning_api: 1.1.0
 - serverinfo: 1.1.1
 - sharebymail: 1.0.1
 - survey_client: 0.1.5
 - systemtags: 1.1.3
 - theming: 1.1.1
 - twofactor_backupcodes: 1.0.0
 - updatenotification: 1.1.1
 - workflowengine: 1.1.1

Disabled:
 - encryption
 - external
 - federation
 - files_retention
 - files_videoplayer
 - firstrunwizard
 - templateeditor
 - user_external
 - user_ldap
 - user_saml

The content of config/config.php:

Config report

{
    "instanceid": "ocqznqxlb9f2",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "nnn.nnn.nnn.nnn"
    ],
    "allow_user_to_change_display_name": true,
    "datadirectory": "\/var\/www\/data",
    "overwrite.cli.url": "http:\/\/nnn.nnn.nnn.nnn",
    "dbtype": "mysql",
    "version": "11.0.2.7",
    "dbname": "nextcloud",
    "dbhost": "localhost",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "enable_avatars": true,
    "enable_previews": true,
    "loglevel": 1,
    "logdateformat": "Y-m-d H:i:s",
    "installed": true,
    "knowledgebaseenabled": false,
    "mail_smtpmode": "smtp",
    "mail_from_address": "support",
    "mail_domain": "nnnn.com",
    "mail_smtphost": "smtp.nnnnn.net",
    "mail_smtpport": "25",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "localhost",
        "port": 6379
    },
    "remember_login_cookie_lifetime": 86400,
    "session_keepalive": false,
    "session_lifetime": 3600,
    "skeletondirectory": "",
    "maintenance": false,
    "theme": "",
    "updater.release.channel": "stable"
}

Are you using external storage, if yes which one:

Are you using encryption: no

Are you using an external user-backend, if yes which one:

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Operating system: Windows 10 Pro

Logs

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log

{"reqId":"sds9Xd4pUsZiXgLPjwHH","remoteAddr":"192.168.1.161","app":"webdav","message":"Exception: {\"Message\":\"HTTP\\\/1.1 403 Acc
ess denied\",\"Exception\":\"OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Exception\\\\Forbidden\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\
\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(85): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\File->get()\\n#1 [i
nternal function]: Sabre\\\\DAV\\\\CorePlugin->httpGet(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 \\\
/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#3
 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\Event\\\\EventEmitter->emit('met
hod:GET', Array)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Serv
er->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/da
v\\\/appinfo\\\/v1\\\/webdav.php(60): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/nextcloud\\\/remote.php(165): require_on
ce('\\\/var\\\/www\\\/nextcl...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\
\/File.php\",\"Line\":316,\"User\":\"nnnnn\"}","level":4,"time":"2017-03-27 15:30:55","method":"GET","url":"\/remote.php\/webdav\/Fo
rms\/Test2.txt","user":"nnnnn","version":"11.0.2.7"}

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

0. Needs triage bug 💻 desktop tags

Source

Dave-REBL

Most helpful comment

@skjnldsv This issue still exists with current desktop client (Windows version 2.5.2), running Nextcloud 15.0.8. The folders tagged for no synchronization appear in the desktop client list of folders and can be selected for synchronization. Selecting/applying a folder tagged for no synchronization results in a fatal error in the Nextcloud log: "[webdav] Fatal: OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions". In the desktop client under the Activity tab the selected folder is listed with "Access forbidden". However it appears that the folder is no longer created in the local Nextcloud folder (the sync folder on the user's computer), so not much of an issue any more (in my opinion).

Dave-REBL on 7 Jun 2019

👍2

All 14 comments

@nickvergessen any clue?

blizzz on 3 Apr 2017

Well I assume, that the sync client creates the folders itself from the file list. But the access control does not block listing, but only reading/downloading.
So the folder structure is created but the actual files can not be downloaded.

I know this sounds "weird", but I don't have any idea how to prevent this atm.

nickvergessen on 5 Apr 2017

As a workaround: Could the Desktop client somehow detect that it is not allowed to access any content in a folder - and then automatically remove sync flag for this folder?

MrManor on 9 Dec 2017

@camilasan does this issue still make sense?

skjnldsv on 6 Jun 2019

Dave-REBL on 7 Jun 2019

👍2

@camilasan ping :hugs:

skjnldsv on 6 Aug 2019

cc @nextcloud/desktop

kesselb on 14 Sep 2019

cc @nextcloud/desktop

kesselb on 15 Oct 2019

I have this problem also in Nextcloud 17. Linux Ubuntu 18.04 ppa Desktop sync client.
The folder tagged not to sync are still syncing.

NielBuys on 12 Nov 2019

Problem still exist in newest version Nextcloud 17 and latest Desktop client, I am posting to remove the stale label.
The bug is a bit in contrast to the blog of whats new in Nextcloud 17. Where I learned about this type of settings I could use. But on setting it up it do not work.

Find attached screenshots of my test setup.
Rule setup
Sync client includes folder
Folder tagged

Thanks in advance.

NielBuys on 12 Dec 2019

https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html

Access is denied if the rules evaluate to true. For example Request user agent is Desktop client to block the desktop client.

cc @blizzz @nickvergessen should we move this to desktop? I'm not sure if we are able to add a check to propfind "is there at least one file visible and if not don't show the folder".

kesselb on 11 Jan 2020

In the desktop client under the Activity tab the selected folder is listed with "Access forbidden". However it appears that the folder is no longer created in the local Nextcloud folder (the sync folder on the user's computer), so not much of an issue any more (in my opinion).

Sounds good to me. Closing? ;)

kesselb on 11 Jan 2020

In the desktop client under the Activity tab the selected folder is listed with "Access forbidden". However it appears that the folder is no longer created in the local Nextcloud folder (the sync folder on the user's computer), so not much of an issue any more (in my opinion).

Sounds good to me. Closing? ;)

In my version the folder is downloaded to the computer via the desktop software with the settings set same as screenshots shown above. Not sure why this ticket is believed to be solved.
Should I load a beta version to test the change.
Thanks in advance.

NielBuys on 20 Jan 2020

Not sure why this ticket is believed to be solved.

Because the person who reported this issue said it's fixed.

In my version the folder is downloaded to the computer via the desktop software with the settings set same as screenshots shown above.

Please note that GitHub is not our support channel. It's to track bugs and feature requests. https://help.nextcloud.com/ is the place for questions / configuration problems / ...

However I already answered your question. The whole rule must be true to block access to a file / folder. There are also some examples at the documentation.

File system tag is tagged with Privaat
Request user agent is Desktop Client

kesselb on 20 Jan 2020

Was this page helpful?

0 / 5 - 0 ratings

Related issues

New folder creation flow: descend into newly created folder by clicking enter again

jancborchardt · 3Comments

[personal settings] Move "Change password" to "Security"-settings

MariusBluem · 3Comments

2FA: let users create and authenticate via backup codes

ChristophWurst · 3Comments

UX / UI: Make upload button more visible on upload enabled shares

ThomasLeister · 3Comments

quota: unlimited value

mama21mama · 3Comments