Skip to content

Attachments: No error message appears in the UI, but only in the browser console in certain cases where permissions are restricted in a team folder #7932

Open
Open
Attachments: No error message appears in the UI, but only in the browser console in certain cases where permissions are restricted in a team folder#7932
Labels
bugfeature: attachmentsux
@Jerome-Herbinet

Description

@Jerome-Herbinet
Jerome-Herbinet
opened on May 11, 2026

Describe the bug

Steps to reproduce:

  • Attempt to link a file located in a team folder as an attachment to a card.
  • The user must not have write and/or share permissions for the file in question.

Current result:

  • Nothing happens in the UI.
  • In the browser's console, a 404 error is returned with the following error cause:
    • No sharing, no writing: {"ocs":{"meta":{"status":"failure","statuscode":404,"message":"Vous n\u2019\u00eates pas autoris\u00e9 \u00e0 partager MY_FILE"},"data":[]}}
    • Share, no write: {"ocs":{"meta":{"status":"failure","statuscode":404,"message":"Impossible d'augmenter les permissions de MY_FILE"},"data":[]}}

Expected result:

  • At a minimum, the error message should be displayed on the screen to inform the user.
  • Ideally, read permission should be sufficient to attach a file to a card.

Complementary details :

  • It makes perfect sense that you can’t attach a file for which you don’t have sharing permissions, because when you add an attachment to a card, technically, the file is shared with the card.
  • However, it makes less sense that you can’t attach a file if you don’t have write permissions.
  • In both cases, the fact that nothing happens on the user’s end (no error message of any kind) is not normal.

To Reproduce
Steps to reproduce the behaviour:

  1. Make sure to have a fil in a team folder (No sharing and no write rights for test 1 and no write right for test 2)
  2. Try to attach the file to a Deck card (from Files)
  3. See the error message in console

Expected behaviour
The error message should be understandable for human beings (and talk about user's quota)

Screenshots
N/A

Client details:

  • OS: [e.g. iOS] Linux Mint Cinnamon 22.3
  • Browser Firefox 150.0.1
  • Device: Desktop
Server details

Operating system: Linux

Web server: Nginx

Database: MadiaDB

PHP version: 8.3

Nextcloud version: 32.0.9

Where did you install Nextcloud from: Manual

Signing status:

[]

List of activated apps:

Enabled:
 - activity: 5.0.0
 - admin_audit: 1.22.0
 - admincockpit: 1.3.0
 - announcementbanner: 2.4.2
 - announcementcenter: 7.3.0
 - app_api: 32.0.0
 - assistant: 2.13.0
 - bbb: 2.9.1
 - bruteforcesettings: 5.0.0
 - calendar: 6.2.4
 - call_summary_bot: 3.3.0
 - circles: 32.0.0
 - collectives: 4.4.0
 - comments: 1.22.0
 - contacts: 8.3.9
 - contactsinteraction: 1.13.1
 - context_chat: 5.3.1
 - dashboard: 7.12.0
 - deck: 1.16.4
 - end_to_end_encryption: 2.0.0-rc.7
 - external: 7.0.1
 - federation: 1.22.0
 - files_archive: 1.2.8
 - files_downloadlimit: 5.0.0
 - files_external: 1.24.1
 - files_fulltextsearch: 32.0.2
 - files_lock: 32.0.2
 - files_pdfviewer: 5.0.0
 - files_reminders: 1.5.0
 - files_sharing: 1.24.1
 - files_trashbin: 1.22.0
 - files_versions: 1.25.0
 - firstrunwizard: 5.0.0
 - forms: 5.2.7
 - formvox: 1.2.0
 - fulltextsearch: 32.0.0
 - fulltextsearch_elasticsearch: 32.0.2
 - group_everyone: 0.1.19
 - groupfolders: 20.1.13
 - guests: 4.7.2
 - impersonate: 3.0.1
 - integration_deepl: 2.2.0
 - integration_giphy: 2.2.1
 - integration_github: 3.2.2
 - integration_gitlab: 5.0.0
 - integration_mastodon: 4.0.0
 - integration_matrix: 1.0.0
 - integration_openai: 3.10.1
 - integration_openstreetmap: 3.0.0
 - integration_peertube: 2.1.1
 - integration_replicate: 4.2.0
 - integration_tmdb: 3.1.0
 - integration_youtube: 0.7.0
 - integration_zimbra: 1.0.17
 - intravox: 1.3.4
 - introvox: 1.4.3
 - libresign: 12.4.4
 - logreader: 5.0.0
 - mail: 5.8.0-beta.0
 - memegen: 1.1.3
 - metavox: 2.0.8
 - nextcloud_announcements: 4.0.0
 - notes: 5.0.0
 - notifications: 5.0.0
 - notify_push: 1.3.2
 - ocs_api_viewer: 1.0.12
 - onlyoffice: 9.13.0
 - password_policy: 4.0.0
 - photos: 5.0.0
 - polls: 9.1.1
 - privacy: 4.0.0
 - recommendations: 5.0.0
 - related_resources: 3.0.0
 - richdocuments: 9.0.6
 - secrets: 3.0.3
 - serverinfo: 4.0.0
 - sharebymail: 1.22.0
 - sharereview: 2.1.0
 - sketch_picker: 2.4.0
 - spreed: 22.0.12
 - support: 4.0.0
 - systemtags: 1.22.0
 - tables: 2.0.0-beta.2
 - terms_of_service: 4.7.0-rc.2
 - text: 6.0.2
 - theming_customcss: 1.20.0
 - twofactor_email: 3.0.9-beta.2
 - twofactor_gateway: 2.4.0
 - twofactor_nextcloud_notification: 6.0.0
 - twofactor_totp: 14.0.0
 - updatenotification: 1.22.0
 - user_ldap: 1.23.0
 - user_migration: 10.3.0
 - user_oidc: 8.10.1
 - user_retention: 1.16.0
 - user_status: 1.12.0
 - users_picker: 1.2.2
 - weather_status: 1.12.0
 - webhook_listeners: 1.3.0
 - whiteboard: 1.5.7
 - workspace: 4.4.0
Disabled:
 - encryption: 2.20.0
 - folder_protection: 2.1.1
 - occweb: 0.2.3
 - survey_client: 4.0.0-dev.0
 - suspicious_login

Nextcloud configuration:

{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        ""
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "32.0.9.2",
    "overwrite.cli.url": "https:\/\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "updater.release.channel": "beta",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "log_type": "file",
    "logfile": "\/var\/log\/nextcloud\/\/nextcloud.log",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "password": "***REMOVED SENSITIVE VALUE***",
        "port": 6379,
        "dbindex": 6,
        "timeout": 0
    },
    "skeletondirectory": "",
    "logtimezone": "Europe\/Paris",
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "ssl",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "PLAIN",
    "default_language": "fr",
    "default_phone_region": "FR",
    "defaultapp": "",
    "trashbin_retention_obligation": "20,40",
    "versions_retention_obligation": "auto,40",
    "check_for_working_wellknown_setup": false,
    "quota_include_external_storage": false,
    "cron_log": true,
    "has_internet_connection": true,
    "updatechecker": true,
    "appstoreenabled": true,
    "filelocking.enabled": true,
    "session_keepalive": true,
    "knowledgebaseenabled": true,
    "allow_user_to_change_display_name": true,
    "enable_previews": true,
    "enable_avatars": true,
    "auth.bruteforce.protection.enabled": true,
    "loglevel": 0,
    "log_rotate_size": 104857600,
    "mail_smtpauth": 1,
    "mail_smtpport": 465,
    "session_lifetime": 86400,
    "remember_login_cookie_lifetime": 1296000,
    "preview_max_filesize_image": 50,
    "activity_expire_days": 120,
    "maintenance_window_start": 1,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "app_install_overwrite": {
        "0": "admin_audit",
        "1": "user_ldap",
        "2": "richdocuments",
        "4": "twofactor_gateway",
        "5": "bbb",
        "6": "fulltextsearch_elasticsearch",
        "7": "zimbradrive",
        "8": "occweb",
        "9": "calendar",
        "10": "contacts"
    },
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "maintenance": false,
    "twofactor_enforced": "true",
    "twofactor_enforced_groups": [
        "twofactor_email"
    ],
    "twofactor_enforced_excluded_groups": [],
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "forbidden_filename_basenames": [
        "con",
        "prn",
        "aux",
        "nul",
        "com0",
        "com1",
        "com2",
        "com3",
        "com4",
        "com5",
        "com6",
        "com7",
        "com8",
        "com9",
        "com\u00b9",
        "com\u00b2",
        "com\u00b3",
        "lpt0",
        "lpt1",
        "lpt2",
        "lpt3",
        "lpt4",
        "lpt5",
        "lpt6",
        "lpt7",
        "lpt8",
        "lpt9",
        "lpt\u00b9",
        "lpt\u00b2",
        "lpt\u00b3"
    ],
    "forbidden_filename_characters": [
        "<",
        ">",
        ":",
        "\"",
        "|",
        "?",
        "*",
        "\\",
        "\/"
    ],
    "forbidden_filename_extensions": [
        " ",
        ".",
        ".filepart",
        ".part"
    ],
    "activity_use_cached_mountpoints": true,
    "theme": ""
}

Are you using an external user-backend, if yes which one: LDAP

Logs

Nextcloud log (data/nextcloud.log)

Can be provided if necessary

Browser log

Can be provided if necessary

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugfeature: attachmentsux

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions