Page content inaccessible for members without editing permissions

[louischance]

description
When creating a collective and sharing it with other users, if the editing rights are not shared with them, they can't see properly the content of the collective pages (but they can still access it and navigate the pages, which are empty).

Steps to reproduce the behavior

1. Go to 'Collectives'
2. Create a new collective
3. Add some pages, with some content in it : text, images, etc
4. Then go in the collective settings, and restrict the editing to the admins only (or admins and moderators)
5. Then manage the members and add a user without giving him/her any admin/moderator right
6. Log in with this user account
7. Open the collective
8. You can see the pages titles, but they're all empty
9. If you come back to the collective admin account and allow the editing for all members, then the dummy user will be able to see everything (except the images that don't appear)

Expected behavior

• When a collective is shared with others without the editing rights, they should still be able to see the content of every page.
• And when a collective is shared, images should be propermy displayed.

Screenshots

These are 2 collective pages seen from the collective admin account:

Same 2 pages but from a user account (with no editing rights) :

Second page again from the dummy user account but after having changed the editing rights from administrators only to everybody:

The settings to limit the edition to administrators only (French version):

Server details:

• Collectives app version: 2.9.1
• Nextcloud version: 27.1.3.2
• PHP Version: 8.1.25
• Database: MariaDB 10.6

Client details:

• OS: Fedora Linux
• Browser: Firefox
• Browser version: 119.0.1 (64 bits)
• Device: Desktop

[mejo-]

Dear @louischance, thanks for your report. Unfortunately I'm unable to reproduce your issue so far. In order to better understand what happens on your side, we need some further information.

Could you please do the following:

1. Open the web console of your browser (Ctrl-Shift-I on Firefox/Chrome)
2. Open a collectives page as the user without editing rights (when the problem appears)
3. Send us any errors or warnings being logged there

Also, please do the following:

1. Open a collectives page as the user without editing rights
2. Open the Network tab of your browsers developer tools (Ctrl-Shift-I and then tab "Network" on Firefox/Chrome)
3. Navigate to another collectives page as the user without editing rights (when the problem appears)
4. Send us a screenshot of all the network requests that happened when switching to the new page

Please capture a log of your network requests to help with debugging.

You can do so the following way:

1. Open the developer tools of your browser, navigating to the "Network" tab
2. Do whatever reproduces the issue you reported
3. In the settings menu (rack-wheel button), select "Save as HAR"

Please note that the HAR file might contain personal data. It contains all network requests that your browser did in the open tab, i.e. URLs, page metadata and page content.

[louischance]

Hi @mejo- ,
Thanks for your message.

I did as you said and checked in the console, indeed there's a 500 error that prevents the md files from being rendered (error "Strict Cookie has not been found in request").

I'm sharing the HAR file with you I created after having visited several pages in the collectives while being logged as a user with no editing rights.

I can't upload the HAR file in Github, here's a link to download it :
https://cloud.louischance.com/index.php/s/aGRXQxmtGJB2gJP

Thanks for your help.

[punkyard]

same for me

with NC 27.1.5 AiO
can't see collectives in public shares in Brave, Safari, Waterfox

here is what comes out of Brave :

[punkyard]

it happened to me before #919

[louischance]

Have you found a way to fix the issue on your side @punkyard

[punkyard]

ha ha yes! It was actually all the share settings that had to be moved.

One user created the Collective and shared it with his group but didn't allow users to re-share in the Collective settings.
As I had no message, no warning, and the public share displayed partially, I was far from thinking it came from a 'simple' setting .. so, it was simply a mistake from us ..

[louischance]

ha ha yes! It was actually all the share settings that had to be moved.

One user created the Collective and shared it with his group but didn't allow users to re-share in the Collective settings. As I had no message, no warning, and the public share displayed partially, I was far from thinking it came from a 'simple' setting .. so, it was simply a mistake from us ..

So basically you were not part of that group is that what you mean ?
In my case I'm sharing a collective with a group of users (in which I belong).

But if I don't set the editing rights to everyone within the group, nobody can see the content but me.

I also noticed yesterday that by renaming the collective, it created a bug and some pages from the collectives can't be accessed by other users from the group anymore (even if they have the editing rights).

Maybe it's just bad luck, but it seems like there are still too many bugs to use the app. I spent hours trying to make it work. In the end, I came back to the old folders+files way.

[punkyard]

So basically you were not part of that group is that what you mean ? In my case I'm sharing a collective with a group of users (in which I belong).

yes I had to use the admin account and impersonate the user that created the Collective to have a look at it

But if I don't set the editing rights to everyone within the group, nobody can see the content but me.

I don't think this should work this way - have a look below for the config pics

I also noticed yesterday that by renaming the collective, it created a bug and some pages from the collectives can't be accessed by other users from the group anymore (even if they have the editing rights).

Then you may try creating a new Collective - but don't delete that one!!!
change its name before deleting or you won't be able to create a new one with the previous name ⚠️
suppress users permission on the old one - add users to the new one (see below, they actually use a Circle: add users to a circle, share the Collective with the Circle)

Maybe it's just bad luck, but it seems like there are still too many bugs to use the app. I spent hours trying to make it work. In the end, I came back to the old folders+files way.

I understand, I've been quite upset myself - especially when they have decided to add the 'recent pages' and a list of the users on the main page. I found this perfectly ridiculous on a public share!!
I've huffed and puffed, but they didn't change a thing. We are trying other apps (outside NC), to replace Collectives.

See, the Collective settings now allow Admins and moderators to edit
and allows sharing with all members:

In the member list, we can see the main user / admin
and the Circle with which the Collective is shared

I hope this helps

[louischance]

Thanks a lot for your detailed answer and the screenshots.

However I think I'm doing it exactly as in your example:

• I created a collective
• I shared it with a group I belong to (so basically it creates a circle that contains that group, since the app relies on the circle feature)
• I set the editing rights to only admins and mods (like in your screenshot)
• I create some pages and content etc
• If another user that is part of the group clicks on collective he/she will see the collective and the various pages on the left hand side. But their content will be empty

I've given it a few trials since november, just did again last week. I managed to have the users see the content only when they were allowed to edit it too (without being promoted to admin/mod).

But then I noticed a typo I had done in the collective title and simply renamed it, and it screwed it all. I could still see the pages contents but not the others (some pages became empty for them).

It wasn't a drama as I was testing with a dummy group to check it would be working first. So no user noticed it.

But I can't risk such errors as I use it for work related projects.

I found it nice and handy to have such a feature directly within Nextcloud, but I might have to use third-party tools like Appflowy or Anytype (wanna stick to open source solutions).

[punkyard]

I found it nice and handy to have such a feature directly within Nextcloud, but I might have to use third-party tools like Appflowy or Anytype (wanna stick to open source solutions).

yes, those two are great apps!

If you have also checked the Share preferences in the NC admin panel, I think you've tried it all ..
Which are your versions of NC and Collectives?

[louischance]

Hi,
The settings seem to be correct in the admin panel :

I'm running Nextcloud 27.1.5 with Collective 2.9.2.

There might be something wrong somewhere, but I don't know what nor why ...

I'm planning to reinstall Nextcloud on another self hosted server soon, I'll see if that fixes the issue.

[punkyard]

what about this part?

[louischance]

I just tried and set it as in your screen shot (The third toggle was off initially in my settings).

But no luck, the collective pages contents remains invisible for members if I don't authorize everyone to edit it.

Thanks for your help, I'm just giving up on it, already spent countless hours trying to make it work.

I might give it another go on a new install, see if that works (apparently it supposed to since you're able to use it correctly !)

[punkyard]

I might give it another go on a new install, see if that works (apparently it supposed to since you're able to use it correctly !)

have you tried the AiO version of NC?

I almost gave up on using NC after one year of tests, when I found this composed version

I still get crazy amounts of logs -from the apps but not only- but at least it runs!! and the guy how manages it is really reactive and open to discussion

I guess the better the NC the lowest amount of apps ^^

bonne chance ! et bon courage avec tout ça !

[louischance]

I read about it but haven't really understood what it is nor how it works yet, but I'll have a look!
I'm not thinking of giving up on Nextcloud, I love many features it has, it's just this peculiar bug I encountered that drove me crazy ^^

Merci pour ton aide !

[mejo-]

To those who still encounter this issue: could you please try again to make sure that it is still reproducible to you and then send me the output of occ config:list core? I'm particularly interested in all the shareapi_ config settings.

[louischance]

Hi,
I just checked and I still have the issue, even if the latest Nextcloud update.

However I'm sorry but I'm not too sure where and how to run this command, my instance is hosted somewhere, I didn't find where to use the terminal in the client panel...

[mejo-]

Dear @louischance, you could also go to 'Settings -> Admin -> Sharing' and send a screenshot of the "Sharing" settings there (first section). I don't need the other sections (Federation, etc) below.

[louischance]

Hi @mejo- , thanks for your reply, here's the screenshot, I hope it helps (I remember playing with the settings a while back but no luck).

[mejo-]

Thanks @louischance. So far I'm unable to reproduce the issue with similar sharing settings. Which versions of Collectives and Nextcloud server to you run?

[mejo-]

To everyone suffering from this bug ( 👀 @louischance): could you please try to reproduce it once more with the latest release of Collectives (2.11.0)?

Background: when implementing support for password-protected shares, I made some changes to the public page controller that might have an influence here. So maybe we're lucky and it finally solves this bug (that I'm still unable to reproduce) 🤞

[louischance]

Hi @mejo- thanks for the follow-up.

I just tried again but I still can't see the content if using an account with no editing right.

I'm running collective 2.11.0 with Nextcloud 28.0.5.

[l3ochan]

Hi, I was sent this issue by @mejo-
The same issue manifests itself for me when I forward real clients ips behind cloudflare's proxy. If you have a setup similar to mine with a proxy in the middle and client ip forwarding to your server, try to diable it. also does your public link shares work ? because when I have the issue with public collectives, all my public link shares don't work.

[mejo-]

@louischance and all others that suffer from this bug, do you have trusted_proxies configured in config.php? Maybe it's really a problem related to how the reverse proxy and trusted_proxies are configured? 🤔

[mejo-]

@louischance do you still see a request with error code 500? If so, could you again record a HAR and send it to me? The link you provided above seems to be no longer valid.

[louischance]

@mejo- Sorry for the late reply, I just tried and I still have the issue (not admin members being unable to correctly see the collective pages content).

The nextcloud instance I used is hosted by Webo hosting and they encrypt the data, I don't know if that could be a reason for this issue ...

I inspected the network events upon loading a page while connected with a non admin account, and the .md files of the page generates a 500 error.

Here's the .har file : https://cloud.ikacode.com/index.php/s/sjGrDFPC6xzmGG3

If you'd like to test by yourself, I can create you two accounts on my instance (one with admin rights, one without).

Regards

[mejo-]

@louischance, could you test whether the following patch fixes the issue for you?

https://patch-diff.githubusercontent.com/raw/nextcloud/collectives/pull/1548.patch

[louischance]

@mejo- thanks, just to be sure, I just need to copy the patch file into the collectives folder right ?

[mejo-]

@louischance you have to apply the patch, using patch -p1 < 1548.patch in the folder. But I'm going to release a new Collectives version with this fix today anyway, so you can just wait and update 😊

[louischance]

Great, I'll wait then ! I had uninstalled the app since last time, I'll take some time this week to reinstall and test it, thanks for your help !

[mejo-]

I have hope that this issue finally got fixed with #1548. Let's close it for now. But anybody who still experiences the bug after upgrading to Collectives 2.15.0 (just published), please comment, then I'll reopen.

[louischance]

Hi @mejo- ,
I just installed Collectives 2.15.0 and tested the issue and unfortunately still encounter it.

I recorded a 1min video, that's probably more helpful than rewriting a long text :
https://komododecks.com/recordings/7bNXPPhcbSMKajFK0OdA

I'd be interested to know if others are facing the same issue, and understand why, but no pressure to fix that !
Thanks

[mejo-]

Thanks for checking @louischance, even though I'm sorry it's still not fixed. Your video was very helpful!

So it's not about public shares, but about members of the collective that cannot access the page content if they're not admins.

What is even more weird, is that the client member can access the content of the landing page (the "Welcome to your collective" page".

Could you one more time reproduce the issue as client member (load the page that doesn't show the content) with the browsers developer console open and share a screenshot? I would expect an error to be logged to the console.

[mejo-]

The nextcloud instance I used is hosted by Webo hosting and they encrypt the data, I don't know if that could be a reason for this issue ...

Seems like I missed this earlier. Does this mean that the encryption app is enabled for external storage? Do you have further details on how Webo hosting encrypts the data?

[louischance]

Hi,
You're right, there are several errors in the console:

A detail : I just noticed I can't access the data of the subpage with the dummy account anymore (like Icould in thte video), even when granted admin level or changing the global collectives editing rights to all members. Might be because in the meantime I uninstalled the Circle app (I still have the Teams app though).

As for Webo Hosting encryption, I couldn't find much details on their website, it's just an option I ticked upon subscribing to their Nextcloud admin offer.
I can contact them and ask them more details, is there anything in special you'd like to know regarding this ?

Thanks