[Bug]: Recipient of a shared directory without "Allow download" permission can download older versions of a contained file. #38135
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- Nextcloud Server is running on 64bit capable CPU, PHP and OS.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
When the Versions app is enabled, older versions of a file in a shared directory can be downloaded by the recipient even if "Allow download" is disabled.
Steps to reproduce
- Activate Versions app
- Create a directory and share it with a second account. Disable all permissions including "Allow download".
- Upload a file (e.g. PDF) to the directory.
- Replace the file with another file with the same filename.
- In the second account, display the details of the received file.
- Select the Versions tab in the details.
- Use the three dots to download an older version of the file "Download Version".
Expected behavior
As with the "Current version", older versions of a file should not be downloadable if the "Allow download" permission is disabled.
Installation method
Community Manual installation with Archive
Nextcloud Server version
26
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.0
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
No response
List of activated Apps
Enabled:
- activity: 2.18.0
- cloud_federation_api: 1.9.0
- comments: 1.16.0
- dav: 1.25.0
- federatedfilesharing: 1.16.0
- files: 1.21.1
- files_rightclick: 1.5.0
- files_sharing: 1.18.0
- files_versions: 1.19.1
- logreader: 2.11.0
- lookup_server_connector: 1.14.0
- oauth2: 1.14.0
- password_policy: 1.16.0
- privacy: 1.10.0
- provisioning_api: 1.16.0
- related_resources: 1.1.0-alpha1
- richdocuments: 8.0.1
- richdocumentscode: 22.5.1301
- serverinfo: 1.16.0
- settings: 1.8.0
- systemtags: 1.16.0
- theming: 2.1.1
- twofactor_backupcodes: 1.15.0
- twofactor_totp: 8.0.0-alpha.0
- twofactor_webauthn: 1.1.2
- viewer: 1.10.0
- workflowengine: 2.8.0
Disabled:
- admin_audit: 1.16.0
- bruteforcesettings: 2.6.0
- circles: 26.0.0 (installed 26.0.0)
- contactsinteraction: 1.7.0 (installed 1.7.0)
- dashboard: 7.6.0 (installed 7.6.0)
- encryption: 2.14.0
- federation: 1.16.0 (installed 1.16.0)
- files_external: 1.18.0
- files_pdfviewer: 2.7.0 (installed 2.7.0)
- files_trashbin: 1.16.0 (installed 1.16.0)
- firstrunwizard: 2.15.0 (installed 2.15.0)
- nextcloud_announcements: 1.15.0 (installed 1.15.0)
- notifications: 2.14.0 (installed 2.14.0)
- photos: 2.2.0 (installed 2.2.0)
- recommendations: 1.5.0 (installed 1.5.0)
- sharebymail: 1.16.0 (installed 1.16.0)
- support: 1.9.0 (installed 1.9.0)
- survey_client: 1.14.0 (installed 1.14.0)
- suspicious_login: 4.4.0
- text: 3.7.2 (installed 3.7.2)
- updatenotification: 1.16.0 (installed 1.16.0)
- user_ldap: 1.16.0
- user_status: 1.6.0 (installed 1.6.0)
- weather_status: 1.6.0 (installed 1.6.0)Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response