[Bug]: Public share link not working when OutgoingServer2serverShare is disabled

[AsamK]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Opening a public share link leads to a reload loop, because the /public.php/webdav/ endpoint returns a status 401.
The issue occurs with a link created with an older NC version and also with a link created in the NC 28.
Bug only occurs when OutgoingServer2serverShare is disabled.

I've debugged this and it seems the ajax check in apps/dav/appinfo/v1/publicwebdav.php isn't working correctly, leading to a NotAuthenticated exception.

The headers sent by the browser to /public.php/webdav/ contain X-Requested-With: XMLHttpRequest, XMLHttpRequest, but the ajax check in publicwebdav.php only checks $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest'.

Steps to reproduce

1. Create a public share link for a folder
2. Disable OutgoingServer2serverShare option in admin settings
3. Open share link in browser (tested in latest firefox and chromium)
   -> Continuous reload of the page in the browser

Expected behavior

The shared folder should be shown after opening the link.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{                                                                                                                                                                                                                                                "system": {                                                                                                                                                                                                                                      "passwordsalt": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                             "secret": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                                   "trusted_domains": [                                                                                                                                                                                                                             "***REMOVED SENSITIVE VALUE***"                                                                                                                                                                                                             ],                                                                                                                                                                                                                                           "datadirectory": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                            "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                           "dbtype": "mysql",                                                                                                                                                                                                                           "version": "28.0.0.11",                                                                                                                                                                                                                      "dbname": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                                   "dbhost": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                                   "dbport": "",                                                                                                                                                                                                                                "dbtableprefix": "oc_",                                                                                                                                                                                                                      "dbuser": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                                   "dbpassword": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                               "installed": true,                                                                                                                                                                                                                           "instanceid": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                               "theme": "",                                                                                                                                                                                                                                 "loglevel": 2,                                                                                                                                                                                                                               "maintenance": false,                                                                                                                                                                                                                        "app_install_overwrite": [                                                                                                                                                                                                                       "gallery"                                                                                                                                                                                                                                ],                                                                                                                                                                                                                                           "mysql.utf8mb4": true,                                                                                                                                                                                                                       "memcache.local": "\\OC\\Memcache\\APCu",                                                                                                                                                                                                    "default_phone_region": "DE",                                                                                                                                                                                                                "mail_from_address": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                        "mail_smtpmode": "smtp",                                                                                                                                                                                                                     "mail_sendmailmode": "smtp",                                                                                                                                                                                                                 "mail_domain": "***REMOVED SENSITIVE VALUE***",                                                                                                                                                                                              "preview_max_memory": 1024,                                                                                                                                                                                                                  "preview_max_filesize_image": 100                                                                                                                                                                                                        }

List of activated Apps

Enabled:
  - admin_audit: 1.18.0
  - circles: 28.0.0-dev
  - cloud_federation_api: 1.11.0
  - dav: 1.29.1
  - federatedfilesharing: 1.18.0
  - files: 2.0.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - lookup_server_connector: 1.16.0
  - oauth2: 1.16.3
  - photos: 2.4.0
  - provisioning_api: 1.18.0
  - related_resources: 1.3.0
  - settings: 1.10.0
  - sharebymail: 1.18.0
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - accessibility: 1.10.0
  - activity: 2.20.0 (installed 2.6.1)
  - bruteforcesettings: 2.8.0
  - comments: 1.18.0 (installed 1.8.0)
  - contactsinteraction: 1.9.0 (installed 1.1.0)
  - dashboard: 7.8.0 (installed 7.0.0)
  - encryption: 2.16.0
  - federation: 1.18.0 (installed 1.3.0)
  - files_external: 1.20.0
  - files_rightclick: 1.6.0 (installed 1.6.0)
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.17.0 (installed 2.7.0)
  - groupfolders: 16.0.1 (installed 16.0.1)
  - logreader: 2.13.0 (installed 2.0.0)
  - metadata: 0.19.0 (installed 0.19.0)
  - nextcloud_announcements: 1.17.0 (installed 1.9.0)
  - notifications: 2.16.0 (installed 2.1.2)
  - password_policy: 1.18.0 (installed 1.3.0)
  - privacy: 1.12.0 (installed 1.4.0)
  - recommendations: 2.0.0 (installed 0.4.0)
  - serverinfo: 1.18.0 (installed 1.3.0)
  - support: 1.11.0 (installed 1.1.0)
  - survey_client: 1.16.0 (installed 1.1.0)
  - suspicious_login: 6.0.0
  - systemtags: 1.18.0 (installed 1.3.0)
  - text: 3.9.1 (installed 2.0.0)
  - twofactor_totp: 10.0.0-beta.2
  - user_ldap: 1.19.0
  - user_status: 1.8.1 (installed 1.0.0)
  - weather_status: 1.8.0 (installed 1.0.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

[chris246]

I can confirm this issue

[nullinger]

Same as #42200 ?

[PriceChild]

Notably, the help text in the admin interface now explains that it is required for webdav access to public shares. (I don't think that text was there for 27?)

I'm guessing the new sharing ui in 28 has been updated to rely on webdav.

[joshtrichards]

Duplicate of #42200

[jims-code]

My nextcloud 28.0.1 instance is not capable of creating new working shares anymore. It seems to be a kind of deadlock:

• As a workaround for issue [Bug]: Public share link not working when OutgoingServer2serverShare is disabled #42313 the option "Allow users on this server to send shares to other servers" must be enabled.
• This option has no effect. Is it another bug? This behaviour sounds like Issue [Bug]: "Allow users on this server to send shares to groups on other servers" don’t work #42650 regarding the "...send shares to groups on other servers..." setting that does not work anymore.