Unable to delete files in teamfolder

[enjeck]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

Steps to reproduce

1. Create a teamfolder with pdf files. Create a group and grant "Write" and "Delete" permissions to the group.
2. Create a new flow/rule under "Files Access Control"
3. Set the rule logic to Deny access (Block access to files).
4. Add the following checks:
   • Check 1: File MIME type is application/octet-stream.
   • Check 2: File name is not keybag.dat.
5. Try to delete the pdf file

Expected behaviour

The file should be deleted

Actual behaviour

The access control rule is hit, preventing the file from being deleted, despite the file mime type not being application/octet-stream on the surface. You'll see an error in the log like:

DELETE - xxxxxxxxxxxxx - Access denied by access control
{"id":6,"class":"OCA\FilesAccessControl\Operation","name":"","checks":"
[12,35]","operation":"deny","entity":"OCA\WorkflowEngine\Entity\File","events":"
[]","scope_type":0,"scope_actor_id":""}

A workaround that allows deletion is to add the regex:
Check: File name
Operator: does not match (Regular Expression)
Value: /.*.d\d+$/i
Image of flow config:

Server configuration

Web server: Apache/Nginx

Database: MySQL/Maria/SQLite/PostgreSQL

PHP version: 8.2/8.3/8.4

Nextcloud version: (see Nextcloud admin page)

List of activated apps

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Nextcloud configuration

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

Browser

Browser name: Firefox/Chrome/Safari/…

Browser version: 124/125/…

Operating system: Windows/Ubuntu/Mac/…

Browser log

Insert your browser log here, this could for example include:
a) The javascript console log
b) The network log
c) ...

[enjeck]

cc @blizzz

[nickvergessen]

Can reproduce, but only when the file is in the root of the teamfolder
problem is this shortcut:

files_accesscontrol/lib/Operation.php

Lines 123 to 125 in 43405d5

	if (substr_count($path, '/') < 1) {
	return $path;
	}

It skips the path translations from versions and trashbin