Unable to Open Document Inside Tagged Folder that has Restricted File Access

[dl-lim]

Nextcloud 19.0.1

Trying to access documents inside a folder with a Restricted Tag that Blocks File Access (using Flow) to certain users.

Accessed the folder as a privileged user and was unable to open the document.

Error message:

Nextcloud logs as Admin

Collabora works fine on other documents that do not have the file access restrictions.

Any solutions to this? How can I help fix this? Happy to post more logs

Reference: #202 - marked as stale and wontfix - However, this problem persists.

EDIT: draw.io, a NC extension that edits diagrams work fine in the same environment, so this must be an issue with Collabora.

I need to get this working ASAP in production - any temporary solutions that works while maintaining the folder access control rights?

[GregKinMD]

I am seeing the same issue and can provide input. I'm using the docker version of CODE and see these errors in the docker logs.

wsd-00007-00067 2020-10-26 22:08:17.920355 [ docbroker_003 ] ERR WOPI::GetFile failed with 403 []| wsd/Storage.cpp:931
wsd-00007-00067 2020-10-26 22:08:17.920550 [ docbroker_003 ] ERR loading document exception: WOPI::GetFile failed: []| wsd/DocumentBroker.cpp:1426

`

[MikeK123]

Nextcloud 19.0.3

I'm running into same issue. Collabora fails to open a file with any restricted tag assigned to it or to parent folder.

[juliusknorr]

Could you share a screenshot of the affecting flow rule?

[MikeK123]

Nextcloud 19.0.3
CODE - Collabora Office 6.4-14
Both running in separate docker containers.

User is member of group Dev and have no problem opening files from shared folders, but once a folder/parent folder/file is taged with restricted tag, I get the message "Failed to read document from storage" from Collabora

[juliusknorr]

This is the expected behavior by the files_accesscontrol app:

https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html#denying-access-to-folders

Denying access to folders

The easiest way to block access to a folder, is to use a collaborative tag. As mentioned in the Available rules section below, either the file itself or one of the parents needs to have the given tag assigned.

[MikeK123]

What? I dont get it. If your access to a file has been denied, then of course collabora should not open that file, but our complain was about the time access to a file is granted, but collabora still fails to open that file. Once there is a restricted tag on that file, it just fails to read. Only time my setup works and Collabora does open a file, is when there is no restricted tag anywhere on the path to that file (file/parent/grandparent...)

[juliusknorr]

Sorry, then I might have misunderstood your comment:

User is member of group Dev and have no problem opening files from shared folders, but once a folder/parent folder/file is taged with restricted tag, I get the message "Failed to read document from storage" from Collabora

Maybe you can clarify that a bit further then about what folder structure is in place with which tags and which file fails to open.

[MikeK123]

Sure. I just tried to create a "Test" folder in the root of "admin" account and created a "New document" named test.odt without any sharing, just a local file.
Collabora had no problem opening that file. Once I applied a restricted tag "onlyDev" (see the flow rule above) either on the Test folder or directlly onto the test.odt, Collabora fails to load the document with the message @alderson59 originally reported here. Admin can do all other actions on that file (f.e. download), because the "block access" flow doesnt engage, thats why nextcloud starts Collabora online enviroment in the first place.

btw. Running all in docker containers, all together with docker compose: Nextcloud 21.0.5 (cloud.domain.com), MariaDB 10.5.12, Collabora Online 4.2.3 connector app, Collabora office 6.4-48 (docs.domain.com)

nextcloud error message:
[richdocuments] Error: OCP\Files\NotPermittedException: at <>

0. /var/www/html/custom_apps/richdocuments/lib/Controller/WopiController.php line 402
   OC\Files\Node\File->fopen("rb")
1. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 218
   OCA\Richdocuments\Controller\WopiController->getFile("71746", "henNcEX9R10gxvSvNYx8NOPGs6sYcbHH")
2. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 127
   OC\AppFramework\Http\Dispatcher->executeController(OCA\Richdocument ... {}, "getFile")
3. /var/www/html/lib/private/AppFramework/App.php line 157
   OC\AppFramework\Http\Dispatcher->dispatch(OCA\Richdocument ... {}, "getFile")
4. /var/www/html/lib/private/Route/Router.php line 302
   OC\AppFramework\App::main("OCA\Richdocume ... r", "getFile", OC\AppFramework\ ... {}, {fileId: "71746_ ... "})
5. /var/www/html/lib/base.php line 993
   OC\Route\Router->match("/apps/richdocum ... s")
6. /var/www/html/index.php line 37
   OC::handleRequest()

GET /index.php/apps/richdocuments/wopi/files/71746_oc94bwebkvxy/contents?access_token=henNcEX9R10gxvSvNYx8NOPGs6sYcbHH&access_token_ttl=0
from xxx.xxx.xxx.xxx at 2021-10-08T09:04:03+00:00

[MikeK123]

I just tried the same process with new shiny Nextcloud Hub II (23.0.0) and now called Nextcloud Office. No luck. I even tried using the demo server. No luck there either. Once I put a restricted tag (with a access restriction flow) on the folder where any document I would like to edit resides, Collabora throws the same error. Its frustrating :(
Is it wrong to use collaborative tags with resticting access? Soon to be deprecated functionality? Am I using it wrong?

[MikeK123]

As I'm blocking access to folders only by the restricted tag, I was able to modify already mentioned flow rule by adding

With this modification, Collabora don't have a problem to open files in any subfolders, if the access was not blocked by that flow rule of course. Fortunately, in my case, blocking access on folders is good enough.

[Nils160988]

I am having the same issue with NC 27.1.3

In my setup, I want to allow access to word-files, which exist in a groupfolder to only a sub-group. This works very well with restricted file access. When a privileged user now wants to access one of the word-files with collabora, it doesn't work with the same error message as seen above. Unfortunately, I cannot use @MikeK123's workaround with the MIME type, because I need it to filter for word-documents.

My workaround now uses the "request remote address": As the access by collabora always comes from the specific IP of the collabora server, I can exclude this IP in the rule and it works fine.

Still, it would be nice if this issue could be resolved.

Edit: Does anyone know how to configure how to configure ipv4 vs. ipv6 access? It seems to be a little random and so my workaround does not work well because I can either exclude ipv6- OR ipv4-address...

[maximelehericy]

having the same here. NC29.0.7.

file access control rule as follow:

• when file is accessed
• if file is tagged with "Team B"
• and groupmembership is not "Team B"
• then block access to the file.

As Bob, member of group "Team B", if I apply the tag "Team B" on a folder, I can navigate into the folder.
As Bob, member of group "Team B", if I apply the tag "Team B" on a text file, I can open and edit the text file.
As Bob, member of group "Team B", if I apply the tag "Team B" on a document/presentation/spreadsheet, Collabora fails to open the document/presentation/spreadhseet.

{"reqId":"y7tlLRdlvOFT8NVI3e5q","level":3,"time":"2024-09-26T20:58:09+00:00","remoteAddr":"127.0.0.1","user":"--","app":"richdocuments","method":"GET","url":"/index.php/apps/richdocuments/wopi/files/2407_ocy6wpr78ta9/contents?access_token=ZSaBki6ZMHFVXLKs3yPTNMP9iFc7AzWo&access_token_ttl=0","message":"getFile failed: Access denied","userAgent":"COOLWSD HTTP Agent 24.04.7.2","version":"29.0.7.1","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Access denied","Code":0,"Trace":[{"file":"/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php","line":60,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\Operation","type":"->","args":[["OCA\\FilesAccessControl\\StorageWrapper",null,["OC\\Files\\Cache\\Scanner"],null,null,null,"/bob/"],"files/Documents/Welcome to Nextcloud Hub.docx",false]},{"file":"/var/www/html/custom_apps/files_accesscontrol/lib/StorageWrapper.php","line":236,"function":"checkFileAccess","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->","args":["files/Documents/Welcome to Nextcloud Hub.docx",false]},{"file":"/var/www/html/lib/private/Files/View.php","line":1169,"function":"fopen","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->","args":["files/Documents/Welcome to Nextcloud Hub.docx","r"]},{"file":"/var/www/html/lib/private/Files/View.php","line":997,"function":"basicOperation","class":"OC\\Files\\View","type":"->","args":["fopen","/bob/files/Documents/Welcome to Nextcloud Hub.docx",["read"],"r"]},{"file":"/var/www/html/lib/private/Files/Node/File.php","line":116,"function":"fopen","class":"OC\\Files\\View","type":"->","args":["/bob/files/Documents/Welcome to Nextcloud Hub.docx","r"]},{"file":"/var/www/html/custom_apps/richdocuments/lib/Controller/WopiController.php","line":385,"function":"fopen","class":"OC\\Files\\Node\\File","type":"->","args":["rb"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":232,"function":"getFile","class":"OCA\\Richdocuments\\Controller\\WopiController","type":"->","args":["2407","ZSaBki6ZMHFVXLKs3yPTNMP9iFc7AzWo"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":138,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Richdocuments\\Controller\\WopiController"],"getFile"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Richdocuments\\Controller\\WopiController"],"getFile"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":331,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Richdocuments\\Controller\\WopiController","getFile",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["2407_ocy6wpr78ta9","richdocuments.wopi.getfile"]]},{"file":"/var/www/html/lib/base.php","line":1058,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/richdocuments/wopi/files/2407_ocy6wpr78ta9/contents"]},{"file":"/var/www/html/index.php","line":49,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/custom_apps/files_accesscontrol/lib/Operation.php","Line":106,"message":"getFile failed: Access denied","exception":[],"CustomMessage":"getFile failed: Access denied"},"id":"66f5cae1a3ee7"}

no groupfolder, no share, pure personal files.