
[Bug]: Group Admins (Subadmins) are unable to access the API endpoint /ocs/v2.php/cloud/groups/detail #52301


Closed
6 of 8 tasks
Black-Shadow29 opened this issue Apr 22, 2025 · 4 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 30-feedback bug

Comments

@Black-Shadow29

⚠️ This issue respects the following points: ⚠️

Bug description

In one of our Nextcloud 30.0.9 instances, Group Admins (Subadmins) are unable to access the API endpoint /ocs/v2.php/cloud/groups/detail, even though they are properly assigned to groups as Group Admins.

Only the local cloud admin is shown a group list.

The API call fails with the following message:

{"reqId":"G5n3o9gC6FWTImfZFCv4","level":0,"time":"2025-04-22T10:03:42+00:00","remoteAddr":"ip","user":"user_id","app":"no app in context","method":"GET","url":"/ocs/v2.php/cloud/groups/details?search=f&offset=0&limit=25","message":"The logged-in account must be an administrator, a subadministrator, or have special permissions to access this setting","

Steps to reproduce

  1. Create a user and assign them as Group Admin (Subadmin) of at least one group.
  2. Log in as this Group Admin.
  3. Open developer tools in the browser or use curl to call

➡️ Note: This behavior occurs only on one of our environments. On a second, nearly identical setup, the same request as Group Admin works as expected.

I'm not sure what causes the difference. Same roles, same endpoint, same version (30.0.9). This could point to an inconsistent permission check or edge case.

Expected behavior

A user who is assigned as Group Admin for one or more groups should be able to query groups (at least for their own groups) via /ocs/v2.php/cloud/groups/detail.

Nextcloud Server version

30

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

"system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.9.2",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "skeletondirectory": "\/var\/www\/html\/nc-skeleton",
        "default_phone_region": "DE",
        "activity_use_cached_mountpoints": "true",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance_window_start": "1",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "maintenance": false,
        "loglevel": 2

List of activated Apps

  - activity: 3.0.0
  - app_api: 4.0.6
  - bruteforcesettings: 3.0.0
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0
  - dav: 1.31.1
  - federatedfilesharing: 1.20.0
  - files: 2.2.0
  - files_downloadlimit: 3.0.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - files_versions: 1.23.0
  - groupfolders: 18.1.2
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - password_policy: 2.0.0
  - provisioning_api: 1.20.0
  - related_resources: 1.5.0
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - text: 4.1.0
  - theming: 2.6.0
  - twofactor_backupcodes: 1.19.0
  - updatenotification: 1.20.0
  - user_ldap: 1.21.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0

Nextcloud Signing status

Nextcloud Logs

{"reqId":"G5n3o9gC6FWTImfZFCv4","level":0,"time":"2025-04-22T10:03:42+00:00","remoteAddr":"ip","user":"user_id","app":"no app in context","method":"GET","url":"/ocs/v2.php/cloud/groups/details?search=f&offset=0&limit=25","message":"Das angemeldete Konto muss ein Administrator, ein Unteradministrator sein oder ein Sonderrecht haben, um auf diese Einstellung zuzugreifen","

Additional info


@Black-Shadow29 Black-Shadow29 added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Apr 22, 2025
@joshtrichards joshtrichards changed the title [Bug]: [Bug]: Group Admins (Subadmins) are unable to access the API endpoint /ocs/v2.php/cloud/groups/detail Apr 23, 2025
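
An added example, not part of the original issue or of Nextcloud's code: one way an administrator could confirm which accounts hit this denial is to scan `nextcloud.log` for the message quoted in the report on the groups endpoints. The function name, account names and sample lines are constructed, and the path prefix assumes Nextcloud is served from the web root.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Denial messages exactly as quoted in the log entries of this issue (English, German).
# Nextcloud localizes this text, so other locales need their own string added here.
DENIAL_MESSAGES = (
    "The logged-in account must be an administrator, a subadministrator, "
    "or have special permissions to access this setting",
    "Das angemeldete Konto muss ein Administrator, ein Unteradministrator sein "
    "oder ein Sonderrecht haben, um auf diese Einstellung zuzugreifen",
)
GROUPS_PREFIX = "/ocs/v2.php/cloud/groups"  # assumption: no subdirectory install


def find_denied_group_requests(lines):
    """Return (Counter keyed by (user, path), count of unparseable lines)."""
    denied, skipped = Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated entry: count it, never guess its content
            continue
        if not isinstance(entry, dict):
            skipped += 1
            continue
        # Compare on the path only, so differing query strings aggregate together.
        path = urlsplit(str(entry.get("url") or "")).path
        if path.startswith(GROUPS_PREFIX) and entry.get("message") in DENIAL_MESSAGES:
            denied[(entry.get("user"), path)] += 1
    return denied, skipped


def _sample(user, url, message):
    """Build one constructed log line with the fields visible in the issue."""
    return json.dumps({"reqId": "constructed", "level": 0, "user": user,
                       "method": "GET", "url": url, "message": message})


SAMPLE_LOG = [  # constructed sample input, not real log data
    _sample("subadmin1", GROUPS_PREFIX + "/details?search=f&offset=0&limit=25", DENIAL_MESSAGES[0]),
    _sample("subadmin1", GROUPS_PREFIX + "/details?search=&offset=0&limit=25", DENIAL_MESSAGES[1]),
    _sample("subadmin1", "/ocs/v2.php/cloud/users?limit=25", DENIAL_MESSAGES[0]),  # other endpoint
    _sample("admin", GROUPS_PREFIX + "/details?limit=25", "constructed unrelated message"),
    '{"reqId":"constructed","level":0,"user":"subadmin2","message":"',  # cut off mid-entry
]

if __name__ == "__main__":
    print(find_denied_group_requests(SAMPLE_LOG))
```

The entries quoted in the report carry `"level":0` (debug), so an instance running at the `loglevel` 2 shown in the configuration report would not normally record them.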
@madrzejewski

I think I'm also impacted by this bug, and as a side effect I think that it also blocks the creation of users because the "admin" group is forced. It was not the case before.

In my Nextcloud instance, I have:

  • one admin user
  • I create normal users that are admins of a group with the same name as the user. So User1 is admin and part of group User1
  • When I'm connected with User1, I can't create users because the "admin" group is forced, and I can't remove it
  • And I have the same 403 on https://xxxxxx.com/ocs/v2.php/cloud/groups/details?search=&offset=0&limit=25

So I'm guessing the frontend is not able to retrieve the group list or the group the user is in, and so it forces "admin", but it blocks later because the user is not an admin.


@Black-Shadow29
Author

Yes, I also notice this effect. Sometimes the Admin group is preselected and sometimes I can only select this group.

@madrzejewski

madrzejewski commented Apr 24, 2025

Can it be related to #51336? I'm almost sure it's related to the last update. The issue is recent, I'm on Nextcloud 31.0.4, and the pull request I found was backported.

I'm not familiar with Nextcloud internals, but when checking the last commit log, #51336 seems to be a good candidate.

@kvahr

kvahr commented Apr 25, 2025

We're having the same issue as @madrzejewski since updating from 31.0.2 to 31.0.4 about a week ago. Whether the admin group automatically appears when creating a new account depends on which tab you're currently on. If you do it while looking at the deactivated users, it does not happen. Either way it's not possible to assign a group you administrate, leaving our group admins unable to correctly create new accounts.


Another thing I noticed is that when you're in the process of creating a new account, it's impossible to remove a group once you've added it. This is an issue for everyone, not just group admins. Removing a group when editing an existing account works fine. I'm not sure if this issue is related though.

