Blocking desktop synchronization for folders not working as expected

[Dave-REBL]

Steps to reproduce

1. Add restricted tag "NoSync"
2. Create file access rule (Block Desktop Sync)
   • Rule 1: File system tag is tagged with NoSync (restricted)
   • Rule 2: Request user agent is Desktop client
3. Tag a folder containing other folders and files with "NoSync"
4. Share the tagged folder with a user using Desktop Client

Expected behaviour

• tagged folder should not appear in Desktop Client settings or should not be able to be selected for synchronization
• folders and sub folders should not be downloaded to local Nextcloud folder on client
• sync errors notifications and fatal errors in Nextcloud log should not be reported whenever a file is updated in the tagged folder

Actual behaviour

• tagged folder is available for desktop synchronization (listed in Desktop Client settings)
• tagged folder and all sub-folders are downloaded to local Nextcloud folder
• files in tagged folder and sub-folders are not downloaded to local folder, however:
  • sync error reported on Windows desktop
    " could not be synced due to errors. See the log for details."
  • error reported in Nextcloud log:
    "Fatal webdav OCA\DAV\Connector\Sabre\Exception\Forbidden: HTTP/1.1 403 Access denied"

Server configuration

Operating system: Linux REBL-S4 4.4.0-66-generic #87-Ubuntu SMP Fri Mar 3 15:29:05 UTC 2017 x86_64

Web server: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: mysql 10.0.29

PHP version: 7.0.15-0ubuntu0.16.04.4
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, igbinary, json, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 11.0.2 (stable) - 11.0.2.7

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Updater

Signing status:

Signing status

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

List of activated apps:

App list

Enabled:
 - activity: 2.4.1
 - admin_audit: 1.1.0
 - comments: 1.1.0
 - dav: 1.1.1
 - federatedfilesharing: 1.1.1
 - files: 1.6.1
 - files_accesscontrol: 1.1.2
 - files_automatedtagging: 1.1.1
 - files_external: 1.1.2
 - files_pdfviewer: 1.0.1
 - files_sharing: 1.1.1
 - files_texteditor: 2.2
 - files_trashbin: 1.1.0
 - files_versions: 1.4.0
 - gallery: 16.0.0
 - issuetemplate: 0.2.1
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - nextcloud_announcements: 1.0
 - notifications: 1.0.1
 - password_policy: 1.1.0
 - provisioning_api: 1.1.0
 - serverinfo: 1.1.1
 - sharebymail: 1.0.1
 - survey_client: 0.1.5
 - systemtags: 1.1.3
 - theming: 1.1.1
 - twofactor_backupcodes: 1.0.0
 - updatenotification: 1.1.1
 - workflowengine: 1.1.1

Disabled:
 - encryption
 - external
 - federation
 - files_retention
 - files_videoplayer
 - firstrunwizard
 - templateeditor
 - user_external
 - user_ldap
 - user_saml

The content of config/config.php:

Config report

{
    "instanceid": "ocqznqxlb9f2",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "nnn.nnn.nnn.nnn"
    ],
    "allow_user_to_change_display_name": true,
    "datadirectory": "\/var\/www\/data",
    "overwrite.cli.url": "http:\/\/nnn.nnn.nnn.nnn",
    "dbtype": "mysql",
    "version": "11.0.2.7",
    "dbname": "nextcloud",
    "dbhost": "localhost",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "enable_avatars": true,
    "enable_previews": true,
    "loglevel": 1,
    "logdateformat": "Y-m-d H:i:s",
    "installed": true,
    "knowledgebaseenabled": false,
    "mail_smtpmode": "smtp",
    "mail_from_address": "support",
    "mail_domain": "nnnn.com",
    "mail_smtphost": "smtp.nnnnn.net",
    "mail_smtpport": "25",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "localhost",
        "port": 6379
    },
    "remember_login_cookie_lifetime": 86400,
    "session_keepalive": false,
    "session_lifetime": 3600,
    "skeletondirectory": "",
    "maintenance": false,
    "theme": "",
    "updater.release.channel": "stable"
}

Are you using external storage, if yes which one:

Are you using encryption: no

Are you using an external user-backend, if yes which one:

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Operating system: Windows 10 Pro

Logs

Web server error log

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log

{"reqId":"sds9Xd4pUsZiXgLPjwHH","remoteAddr":"192.168.1.161","app":"webdav","message":"Exception: {\"Message\":\"HTTP\\\/1.1 403 Acc
ess denied\",\"Exception\":\"OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Exception\\\\Forbidden\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\
\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(85): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\File->get()\\n#1 [i
nternal function]: Sabre\\\\DAV\\\\CorePlugin->httpGet(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 \\\
/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#3
 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\Event\\\\EventEmitter->emit('met
hod:GET', Array)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Serv
er->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/da
v\\\/appinfo\\\/v1\\\/webdav.php(60): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/nextcloud\\\/remote.php(165): require_on
ce('\\\/var\\\/www\\\/nextcl...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\
\/File.php\",\"Line\":316,\"User\":\"nnnnn\"}","level":4,"time":"2017-03-27 15:30:55","method":"GET","url":"\/remote.php\/webdav\/Fo
rms\/Test2.txt","user":"nnnnn","version":"11.0.2.7"}

Browser log

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

[blizzz]

@nickvergessen any clue?

[nickvergessen]

Well I assume, that the sync client creates the folders itself from the file list. But the access control does not block listing, but only reading/downloading.
So the folder structure is created but the actual files can not be downloaded.

I know this sounds "weird", but I don't have any idea how to prevent this atm.

[MrManor]

As a workaround: Could the Desktop client somehow detect that it is not allowed to access any content in a folder - and then automatically remove sync flag for this folder?

[skjnldsv]

@camilasan does this issue still make sense?

[Dave-REBL]

@skjnldsv This issue still exists with current desktop client (Windows version 2.5.2), running Nextcloud 15.0.8. The folders tagged for no synchronization appear in the desktop client list of folders and can be selected for synchronization. Selecting/applying a folder tagged for no synchronization results in a fatal error in the Nextcloud log: "[webdav] Fatal: OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions". In the desktop client under the Activity tab the selected folder is listed with "Access forbidden". However it appears that the folder is no longer created in the local Nextcloud folder (the sync folder on the user's computer), so not much of an issue any more (in my opinion).

[skjnldsv]

@camilasan ping 🤗

[kesselb]

cc @nextcloud/desktop

[kesselb]

cc @nextcloud/desktop

[NielBuys]

I have this problem also in Nextcloud 17. Linux Ubuntu 18.04 ppa Desktop sync client.
The folder tagged not to sync are still syncing.

[NielBuys]

Problem still exist in newest version Nextcloud 17 and latest Desktop client, I am posting to remove the stale label.
The bug is a bit in contrast to the blog of whats new in Nextcloud 17. Where I learned about this type of settings I could use. But on setting it up it do not work.

Find attached screenshots of my test setup.

Thanks in advance.

[kesselb]

https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html

Access is denied if the rules evaluate to true. For example Request user agent is Desktop client to block the desktop client.

cc @blizzz @nickvergessen should we move this to desktop? I'm not sure if we are able to add a check to propfind "is there at least one file visible and if not don't show the folder".

[kesselb]

In the desktop client under the Activity tab the selected folder is listed with "Access forbidden". However it appears that the folder is no longer created in the local Nextcloud folder (the sync folder on the user's computer), so not much of an issue any more (in my opinion).

Sounds good to me. Closing? ;)

[NielBuys]

In the desktop client under the Activity tab the selected folder is listed with "Access forbidden". However it appears that the folder is no longer created in the local Nextcloud folder (the sync folder on the user's computer), so not much of an issue any more (in my opinion).

Sounds good to me. Closing? ;)

In my version the folder is downloaded to the computer via the desktop software with the settings set same as screenshots shown above. Not sure why this ticket is believed to be solved.
Should I load a beta version to test the change.
Thanks in advance.

[kesselb]

Not sure why this ticket is believed to be solved.

Because the person who reported this issue said it's fixed.

In my version the folder is downloaded to the computer via the desktop software with the settings set same as screenshots shown above.

Please note that GitHub is not our support channel. It's to track bugs and feature requests. https://help.nextcloud.com/ is the place for questions / configuration problems / ...

However I already answered your question. The whole rule must be true to block access to a file / folder. There are also some examples at the documentation.

File system tag is tagged with Privaat
Request user agent is Desktop Client