Skip to content

Fix downloading files from public share#3476

Open
danxuliu wants to merge 3 commits intomasterfrom
fix-downloading-files-from-public-share
Open

Fix downloading files from public share#3476
danxuliu wants to merge 3 commits intomasterfrom
fix-downloading-files-from-public-share

Conversation

@danxuliu
Copy link
Copy Markdown
Member

@danxuliu danxuliu commented Apr 21, 2026
edited
Loading

Fixes #3442, which is a regression introduced in 4a65c8c

When a file is open in the viewer the Photos app provides an object with the file information. The object includes the source attribute, which is used to get the URL to download the file open in the viewer.

Before 4a65c8c the source was created by appending the file name (/photospublic/TOKEN/FILE) to the remote DAV URL (https://DOMAIN/remote.php/dav). In 4a65c8c1b7b8f5016d1189a0f4eb403be77bfaee instead of the remote DAV URL defined in the app the default remote URL provided by @nextcloud/files/dav is used, which in the case of public pages is https://DOMAIN/public.php/dav. However, the file name is not just appended to the default remote URL, but generated through a URL object. As the file name is relative to the root only the site part of the base URL is used (in this case, the default remote URL), so the final "assembled" URL becomes https://DOMAIN/photospublic/TOKEN/file.

A bit later, in 999d49b, genFileInfo was replaced with resultToNode from @nextcloud/files/dav, which composes the source attribute by appending the file name to the default remote URL, so it becomes https://DOMAIN/public.php/dav/photospublic/TOKEN/FILE. While it is now using a "valid" Nextcloud URL the shared files can not be downloaded from it.

The problem with /public.php/dav is that it can be used only for "normal" public shares, as it uses a custom DAV server that does not load the additional authentication backends and always uses the public DAV authentication, which treats the token as a share token and therefore fails. On the other hand, /remote.php/dav uses a full DAV server, which loads the additional authentication backends and therefore allows access to /photospublic/ URLs.

While it might make sense to explicitly support additional authentication backends in /public.php/dav I am not familiar with any of this to know if it would be the right approach or not. Moreover, the DAV client used for public albums explicitly uses /remote.php/dav rather than the default remote URL (/public.php/dav), so for now the provided fix just passes /remote.php/dav to resultToNode when generating the album node. Note that there are other resultToNode calls throughout the code, although I only touched the one that fixes the reproduction steps below (and the added E2E test). It might be necessary to change others as well.

Another possibility to fix this without explicitly passing the remote URL would have been to remove the isPublic element from the template, so @nextcloud/files does not replace remote.php with public.php. However, conceptually it makes sense to provide the isPublic element.

But, moreover, that seems to actually be a brittle hack. Apparently the isPublic element would still be needed in PhotosAppPublic.vue (not only based on the comment, but also because if it is removed the public share no longer works); I have not digged into why that one is not used by @nextcloud/files, or why the one in the template is not used by whatever uses the one in PhotosAppPublic.vue, but it seems that the element from the template is used only during the app startup or something like that 🤔

Independently of that, note that CI will keep failing until the breaking API change in server is fixed, either by merging #3475 or by adjusting the API change in server to be backwards compatible. For now this pull request is just based on #3475 to be able to run the tests.

How to test

  • Create an album
  • Add photos to the album
  • Create a public share for the album
  • In a private window, open the link to the public share
  • Open a photo in the viewer
  • Download the photo

Result with this pull request

The photo is download

Result without this pull request

A 503 Service Unavailable error is returned

@danxuliu danxuliu added this to the Nextcloud 34 milestone Apr 21, 2026
@danxuliu danxuliu added bug Something isn't working regression Regression of a previous working feature 2. developing Work in progress labels Apr 21, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 21, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@danxuliu danxuliu force-pushed the fix-downloading-files-from-public-share branch from d014a27 to 635d5a9 Compare April 27, 2026 10:12
@danxuliu
Copy link
Copy Markdown
Member Author

danxuliu commented Apr 27, 2026

/compile /

@danxuliu
Copy link
Copy Markdown
Member Author

danxuliu commented Apr 27, 2026

/backport to stable33 please

@backportbot backportbot Bot added the backport-request Pending backport by the backport-bot label Apr 27, 2026
@danxuliu
Copy link
Copy Markdown
Member Author

danxuliu commented Apr 27, 2026

/backport to stable32 please

@danxuliu danxuliu added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Apr 27, 2026
@danxuliu danxuliu requested review from artonge and susnux April 27, 2026 10:41
artonge
artonge reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@artonge artonge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, any reason this is still a draft?

@danxuliu danxuliu marked this pull request as ready for review April 30, 2026 12:23
@danxuliu
Copy link
Copy Markdown
Member Author

danxuliu commented Apr 30, 2026
edited
Loading

Looks good, any reason this is still a draft?

I forgot to mention it in the pull request description, sorry 🤦 I kept it as a draft to ensure that it would not be merged before rebasing first onto master (as it is currently based on #3475, but that is something independent).

Great, and now I undrafted it by mistake with the touchpad 😅 Anyway, as it has conflicts I will rebase onto master and recompile.

danxuliu added 2 commits April 30, 2026 14:28
@danxuliu
test: Add E2E test for downloading files from a public share
4665c4a 
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
@danxuliu
fix: Fix downloading files from public share
3d20af2 
The "public.php/dav" endpoint from server is not compatible with the
tokens used for public albums by the Photos app, but they work fine with
the "remote.php/dav" endpoint. By default @nextcloud/files/dav uses
"public.php/dav" for remote URLs in public pages, so they need to be
explicitly replaced with "remote.php/dav" (which is the one already used
for non public pages, so it is fine to use it unconditionally).

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
@danxuliu danxuliu force-pushed the fix-downloading-files-from-public-share branch from c0f04be to 3d20af2 Compare April 30, 2026 12:29
@danxuliu
Copy link
Copy Markdown
Member Author

danxuliu commented Apr 30, 2026

/compile /

@nextcloud-command
chore(assets): Recompile assets
54e2b16 
Signed-off-by: nextcloud-command <nextcloud-command@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@susnux susnux susnux approved these changes

@artonge artonge artonge approved these changes

Assignees

No one assigned

Labels

3. to review Waiting for reviews backport-request Pending backport by the backport-bot bug Something isn't working regression Regression of a previous working feature

Projects

None yet

Milestone

Nextcloud 34

Development

Successfully merging this pull request may close these issues.

[Bug]: Video playback fails (503) on publicly shared albums - null user ID in DAV URL

4 participants

@danxuliu @susnux @artonge @nextcloud-command