[BUG]: Document cannot be saved, please check your permissions.

[BennoHouse]

⚠️ This issue respects the following points: ⚠️

• This is a single bug, not a question or a configuration/webserver/proxy issue.
• This is not a bug in the browser extension or another client.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server and the Passwords App is up to date. See Nextcloud Apps.
• There are no warnings and errors reported in the Passwords App settings in the admin area
• The following apps are not installed: Rainloop

Server Information

Version
Server Version: 29.0.7.1
App: 2024.9.20
LSR: False
PHP: 8.2.23
CronPHP: 8.2.23

Environment
OS: Linux
Architecture: x86_64
Database: PostgreSQL
Cron: System Cron
Proxy: False
SSLProxy: True
Subdirectory: False

Services
Images: imagick
Favicons: DDG
Previews: Default
Security: BigDB+Hibp
Words: Random
PreviewAPI: False
FaviconAPI: False

Status
AutoBackupRestored: False

Settings
Channel: Stable
Nightlies: False
Handbook: False
Performance: 5

Encryption: SSE
SSEv1r1: False
SSEv1r2: Ture
SSEv2r1: False
SSEv3r1: False
None: False
Default: SSEv1r2

CSE
CSEv1r1: False
None: Ture
Default: None

Client Information

Browser and Version: Firefox 115.11.0esr (64-bit)
Client OS and Version: Debian 12

Bug description

After upgrading our Nextcloud instance to major version 29 and switching from Onlyoffice to Nextcloud Office (Collabora) with the Built-in CODE server, repeated "Document cannot be saved, please check your permissions." errors are displayed when saving shared documents. The documents are actually saved, but the error messages prevent further user interaction and reappear after a few seconds when closed, requiring quitting and reopening of the document.

The error disappears when the Passwords app is disabled in the administrative app settings.

Every time the error message is shown to a user, the following log entry appears:

Exception OCA\Passwords\Services\EnvironmentService::loadUserFromBearerAuth(): Argument #1 ($userId) must be of type string, null given, called in /var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php on line 383 in file '/var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php' line 433
Uncaught error: OCA\Passwords\Services\EnvironmentService::loadUserFromBearerAuth(): Argument #1 ($userId) must be of type string, null given, called in /var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php on line 383 in file '/var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php' line 433

Apparently, the function in question is the following:

    protected function loadUserInformation(?string $userId, IRequest $request): bool {
        $authHeader   = $request->getHeader('Authorization');
        $userIdString = $userId ? :'invalid user id';
        if($this->session->exists('login_credentials')) {
            if($this->loadUserFromSession($userId, $request)) return true;
            $this->logger->warning('Login attempt with invalid session for '.$userIdString);
        } else if($authHeader !== '') {
            [$type, $value] = explode(' ', $authHeader, 2);

                if($type === 'Basic' && $this->loadUserFromBasicAuth($userId, $request)) return true;

            if($type === 'Bearer' && $this->loadUserFromBearerAuth($userId, $value)) return true;
            $this->logger->warning('Login attempt with invalid authorization header for '.$userIdString);
        } else if(isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER['PHP_AUTH_PW'])) {
            if($this->loadUserFromBasicAuth($userId, $request)) return true;
            $this->logger->warning('Login attempt with invalid basic auth for '.$userIdString);
        } else if($userId !== null) {
            if($this->loadUserFromSessionToken($userId)) return true;
            $this->logger->warning('Login attempt with invalid session token for '.$userIdString);
        } else {
            $this->client = self::CLIENT_PUBLIC;

            return false;
        }

        $this->client = self::CLIENT_PUBLIC;
        if($userId !== null) throw new Exception('Unable to verify user '.$userIdString);

        return false;
    }

There appears to be some incompatibility between Passwords and the Nextcloud Office / Built-in Collabora CODE apps.

Steps to reproduce

1. Install Nextcloud via docker-compose according to this example
2. Install Nextcloud Office, Collabora Online - Built-in CODE Server and Passwords
3. Share an office document with another user
4. Save the document as the shared user

Expected behavior

Documents should save without error

Nextcloud Logs

Exception OCA\Passwords\Services\EnvironmentService::loadUserFromBearerAuth(): Argument #1 ($userId) must be of type string, null given, called in /var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php on line 383 in file '/var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php' line 433
Uncaught error: OCA\Passwords\Services\EnvironmentService::loadUserFromBearerAuth(): Argument #1 ($userId) must be of type string, null given, called in /var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php on line 383 in file '/var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php' line 433

Browser Logs

No response

[0-wHiTeHand-0]

Yes, same here.

[0-wHiTeHand-0]

@BennoHouse I've found a fix that seems to work.
Just add an "?" in /var/www/html/custom_apps/passwords/lib/Services/EnvironmentService.php:433

protected function loadUserFromBearerAuth(?string $userId, string $value): bool {

[BennoHouse]

That's great, thanks @0-wHiTeHand-0

I don't know enough about PHP to understand the consequences of that change. I only find something about ? being used as a if-condition, so is it just a missed operator or is there more to it? The other functions seem to be written that way.

I might also have copied the wrong section of code in the excerpt.

[0-wHiTeHand-0]

Yes, I think it was just a missed operator. Now I have new errors ("InvalidTokenException Token does not exist: token does not exist"), but at least Collabora and Passwords are both working apparently well.

[BennoHouse]

Okay, I just tried this and it seems to work just fine. The only "downside" is that Nextcloud shows the modified file as an error in the logs, because the checksum doesn't match.

Where do you get that invalid token error? I can't verify that currently for our setup, at least I don't see it in the logs.

[0-wHiTeHand-0]

Yeah, we'll have the checksum error until @marius-wieschollek releases a new version with the fix. But at least it's working :)

And the 'invalid token error' was just that I had too many old sessions in Personal Settings -> Security -> Devices & sessions , but after cleaning them now everything is back to normal 👍