Steps to reproduce
- Share a board with a user (e.g. POST /index.php/apps/deck/api/v1.0/boards/{id}/acl with {"type":0,"participant":"alice","permissionEdit":true,"permissionShare":true,"permissionManage":true}).
- Call the same endpoint a second time with the same payload.
Expected behaviour
A 4xx client error (409 Conflict, or 400 Bad Request) indicating that the ACL entry already exists. Clients can handle this idempotently.
Actual behaviour
HTTP 500 Internal Server Error. Response body:
{
"status": 500,
"message": "Internal server error: Please contact the server administrator if this error reappears multiple times, please include the request ID \"XXXX\" below in your report.",
"requestId": "XXXX"
}
Server logs likely contain a UNIQUE constraint failed on oc_deck_board_acl (user+board pair).
Why this matters
Many client integrations call shareBoard idempotently on startup/initialize. Receiving a 500 instead of a 4xx forces clients to either (a) pre-fetch the full ACL and diff it before every share call, or (b) treat 500s as potentially-retryable, which masks real server errors. A proper 4xx lets clients write cleaner code.
Suggested fix
In the ACL controller, catch the unique-constraint violation and return 409 (or 400). The existing check could be simplified to a pre-read-and-skip or an INSERT ... ON CONFLICT pattern.
Server configuration
- Operating system: Hosted (STRATO HiDrive/storageshare)
- Web server: Nginx
- Database: PostgreSQL (presumed — hosted)
- PHP version: 8.x
- Nextcloud version: 32.0.6
- Deck version: 1.16.3
- Updated from an older Nextcloud/Deck or fresh install: long-running install
Client configuration
- Browser: N/A (API client)
- Operating system: Linux
Reproduction command
curl -u USER:PASS -H "OCS-APIRequest: true" -H "Content-Type: application/json" \
-X POST "https://NC_HOST/index.php/apps/deck/api/v1.0/boards/{BOARD_ID}/acl" \
-d '{"type":0,"participant":"EXISTING_USER","permissionEdit":true,"permissionShare":true,"permissionManage":true}'
# → HTTP 500
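The two server-side options from the suggested fix, shown next to the reported behaviour. This is an added example, not code from the report or from Deck. It uses an in-memory SQLite table `demo_board_acl` whose columns and unique key (board, type, participant) are assumptions, and the handler names are hypothetical.

```python
import sqlite3

# Constructed stand-in table: the real oc_deck_board_acl schema is not shown in the report.
SCHEMA = """CREATE TABLE demo_board_acl (
    id INTEGER PRIMARY KEY, board_id INTEGER NOT NULL, type INTEGER NOT NULL,
    participant TEXT NOT NULL, permission_edit INTEGER NOT NULL,
    UNIQUE (board_id, type, participant))"""
INSERT = ("INSERT INTO demo_board_acl (board_id, type, participant, permission_edit) "
          "VALUES (?, ?, ?, ?)")

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def row(board_id, acl):
    return (board_id, acl["type"], acl["participant"], int(acl["permissionEdit"]))

def add_acl_unhandled(db, board_id, acl):
    """Reported behaviour: every database error collapses into a generic 500."""
    try:
        db.execute(INSERT, row(board_id, acl))
    except sqlite3.Error:
        return 500, {"message": "Internal server error"}
    return 200, acl

def add_acl_conflict(db, board_id, acl):
    """Option 1: map only the unique-constraint violation to 409."""
    try:
        db.execute(INSERT, row(board_id, acl))
    except sqlite3.IntegrityError as exc:
        if "UNIQUE constraint failed" not in str(exc):
            raise  # NOT NULL / foreign-key failures stay real server errors
        return 409, {"message": "ACL entry already exists"}
    return 200, acl

def add_acl_on_conflict(db, board_id, acl):
    """Option 2: INSERT ... ON CONFLICT DO NOTHING; no exception path at all."""
    before = db.total_changes
    db.execute(INSERT + " ON CONFLICT (board_id, type, participant) DO NOTHING",
               row(board_id, acl))
    if db.total_changes == before:  # nothing inserted: the entry already existed
        return 409, {"message": "ACL entry already exists"}
    return 200, acl

if __name__ == "__main__":
    acl = {"type": 0, "participant": "alice", "permissionEdit": True}  # constructed payload
    for handler in (add_acl_unhandled, add_acl_conflict, add_acl_on_conflict):
        db = new_db()
        print(handler.__name__, handler(db, 1, acl)[0], handler(db, 1, acl)[0])
```

Option 1 matches on the constraint kind rather than catching every database error, so a genuine fault still surfaces as a server error instead of being reported to the client as a conflict.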