Bug after Update from NC10 to NC11: Sharing with users breaks

[FelixOliverLange]

Hello Community & Developers,

I found a potential Bug in NC11. It appears after an update from NC10, but is not directly linked to the update process itself.

The Problem is that if Avatars are disabled in the Config
(see https://docs.nextcloud.com/server/9/admin_manual/configuration_server/config_sample_php_parameters.html) , the sharing function, that relies on the function Avatar.avatar or avatars.avatar( not sure), breaks. This leads to two effects:

1. If any files in the root directory of user A where shared to user B, login in the UI will fail (redirect loop of infinity) but the client will sync.

2. If no files where shared up to now, the feature will simply not work. When trying to share files to another local user, no drop down of the available users appears, and even a manual entry is not accepted.

the Webconsole of both Firefox and Chrome gives the following error messages:

1. Scenario: to many redirects (304)
2. Scenario: JS-error: avatar.avatar is not a function (or avatars.avatar, not sure)

The error was first encountered on a NC11 instance with over 110.000 files of one user. As this user had shared files in his root folder, scenario 1 appeared.
Later it was confirmed on a second instance (running on the same web server), but as no files had been shared, scenario 2 appeared.

After debugging the issue of the Major instance on a separate server, the issue was found. As the first instance had been deleted by then for rebuild reasons, we could only verify it in the second instance. (it worked there).

Further things i noticed:
NC11 copied all the shared Files to all the users that the files had been shared to. As the number of maximum files in the filesystem was reached during this process, eventually NC11 terminated the copy process. It is unknown if the first instance would have been able to resolve the infinite 304 loop if it had been allowed to copy all files. But I do not know if NC11 copies files from user to user on share by default for I/O reasons, so not sure if this is bug related or not - if NC11 does copy on share, then forget this part - as then NC11 did not even copy files during the 304 loop.

FIX:
For Instances with scenario 2: enable Avatars again and everything is fine, no Data lost!
For Instances with Scenario 1: unknown, potential damage to Filesystem or DB integrity or Data lost, as we where not able to test that.

Steps to reproduce

1. disable Avatars on NC10
2. share files from local user 1 to local user 2
3. upgrade to NC11

Hope that helps. Thanks for working on this awesome project and you dudes rock! keep it up!

Additional stuff:

Expected behaviour

Usually, there should be either no problem in disabling avatars (possibly updater should simply check this before updating, as it was no problem in NC10) or a warning should be displayed.

Actual behaviour

See the description above

Server configuration

Operating system: unknown, whatever 1and1 uses - probably a Ubuntu Server

**Web server:**Apache 2, Version number unknown

Database: MySQL 5.something, unknown as 1and1 does this for us

PHP version: php7.something, don't know that either

Nextcloud version:
NC10 to NC11 transition

Updated from an older Nextcloud/ownCloud or fresh install:
Updated

Where did you install Nextcloud from:
Archived file from project page, via ssh

Signing status:
Sorry, not available as the instance had to be deleted.

List of activated apps:
Standard + Calendar + Activities, that's it (no detailed list, as instance deleted).

The content of config/config.php:
Standard config.php + disabled Avatars

Are you using external storage, if yes which one:
no external Storage or Users!

Are you using encryption:
yes, standard encryption module

Are you using an external user-backend, if yes which one:
no.

Client configuration

Browser:
Current FF and Chrome

Operating system:
Opensuse 42.2, Windows 10, Windows 7

Nextcloud log (data/nextcloud.log)

Not available, as instance deleted. No Webserver log either, as i do not have access.

Browser log

Nope, that is gone as well, sorry Guys!

[toddpfaff]

I also experienced this problem, as described here:
https://help.nextcloud.com/t/problem-sharing-in-nextcloud-11-web-interface/7252
and I can confirm that this problem was eliminated by enabling avatars.

[schiessle]

Sharing shouldn't have a hard dependency on Avatars. @rullzer any idea where we introduced this dependency?

[rullzer]

No clue but I can try to reproduce. I just knew this whole disable avatars thing would come back to haunt us.

[FelixOliverLange]

@schiessle and @rullzer
From what I experienced in the web console, when trying to share a file the search field tries to display a drop-down that contains the avatar images - if no Avatars, then no images, hence no dropdown. And manualy typing in a username is not accepted.
Regarding the hard dependency Avaters -> Sharing in Szenario 1: no clue, but could be a problem of resolving the users that a file has been shared to.

[FriedCircuits]

Enabling avatars didn't seem to work for me. I still don't get a drop down and unable to share with anyone. It was fine in 11 which was a fresh install and then upgraded to 11.0.1. Any other ideas?

[FriedCircuits]

I checked the browser console and found it is failing on the API url. If I manually navigate to it I get the famous

Access forbidden
CSRF check failed

So I don't know if that URL should work manually. Maybe this gives a clue to the problem.

[FriedCircuits]

This is what the browser response is when it requests a search using the API

{"ocs":{"meta":{"status":"failure","statuscode":998,"message":"Invalid query, please check the syntax. API specifications are here: http://www.freedesktop.org/wiki/Specifications/open-collaboration-services. DEBUG OUTPUT:\n"},"data":[]}}

[FriedCircuits]

Figured it out! If I disable the share by mail it works!

[DoubleMalt]

@FriedCircuits How did you turn off share by mail?

[FriedCircuits]

@DoubleMalt I just disabled the app under enabled apps.

[ARMistice]

Using the actual Docker Container of Nextcloud 11.0.1. No sharing is possible, even after adding 'enable_avatars' => true

The call of:
https://cloud.bre....t.de/ocs/v1.php/apps/files_sharing/api/v1/sharees?format=json&search={some namestuff here}&perPage=200&itemType=folder

Fails:
{"ocs":{"meta":{"status":"failure","statuscode":998,"message":"Invalid query, please check the syntax. API specifications are here: http://www.freedesktop.org/wiki/Specifications/open-collaboration-services. DEBUG OUTPUT:\n"},"data":[]}}

[krisj]

This is really annoying. We installed the Nextcloud 11.0.2 in hopes of being able to share files with remote users via email and we can't add them. Any idea when / how to fix this?

[faichelbaum]

Hi guys, any update regarding this issue ?
Nor disabling/enabling the avatar neither the share by email thing solved the case.

Any idea why this CSRF ? Is it due to the nginx (ssl)/php-fpm setup ?

[schiessle]

I can reproduce at least the part that disabling avatars breaks the auto completion in the share drop-down. I will try to have a look tomorrow

[ARMistice]

Updating my docker container to 11.0.2 worked like charm. Sharing is possible now. Everything works fine now. Btw. Many thanks for the great work.

[schiessle]

The problem with the share dialog auto-complete is fixed here: #4214

But keep in mind, that this config option ("avatars_enabled") was removed for Nextcloud 12. From Nextcloud 12 on avatars will always be enabled. Therefore my recommendation: enable avatars on Nextcloud 11 because you will see them anyway after the next upgrade and it should solve all the issues discussed here.

[faichelbaum]

the CSRF error on the sharing script does not seem to be related to the avatar feature

[krisj]

I opened an issue which might or might not be related.

#4219

[skjnldsv]

As I cannot reproduce the original issue anymore, I will close this ticket. If this is still happening please make sure to upgrade to the latest version. After that, feel free to reopen.