[Bug]: public zip download fails if folder contains a file that the richdocuments app can open #57443

@akarl10

Bug description

The public link share is configured as "View only", hide download is not enabled, so on the top there is a download button.

For each file there seems to be a call to fopen, which in that case goes to the SecureViewWrapper of richdocuments in the case of a classic document or PDF file.

The issue is that this now throws an exception (throw new ForbiddenException('Download blocked due the secure view policy', false);)

This breaks the .zip file (even though a .zip file is downloaded, the file is simply broken).

I checked a lot of settings but I don't get why richdocuments wants to protect the download if I don't set "hide download".

This however could be considered an oversight, but creating a broken zip is definitely a bug. At least the zip file should simply have that file missing (the main reason why this bug is here, not in richdocuments).

Steps to reproduce

  1. create a folder
  2. upload a .pdf file
  3. make sure the richdocuments app is enabled
  4. create a public share link on the folder with default settings (default view only)
  5. open that public link
  6. click on the download button on the top right
  7. see that the .zip file is broken

Expected behavior

Step 7 should give a working .zip file. Whether that file contains the .pdf file mentioned above is to be discussed with richdocuments (to be exact, when secureViewService->shouldSecure should actually prevent read-only access).

Nextcloud Server version

32

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Nginx

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "version": "32.0.3.2",
        "installed": true,
        "forcessl": true,
        "maintenance": false,
        "overwriteprotocol": "https",
        "theme": "",
        "trusted_domains": [
            "<REDACTED>"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "updatechecker": true,
        "loglevel": 3,
        "check_for_working_htaccess": false,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "trashbin_retention_obligation": "auto,30",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "singleuser": false,
        "updater.release.channel": "stable",
        "overwrite.cli.url": "https:\/\/<REDACTED>",
        "htaccess.RewriteBase": "\/",
        "mysql.utf8mb4": true,
        "app_install_overwrite": [
            "admin_notifications",
            "oidc_login",
            "impersonate",
            "memories",
            "talk_matterbridge"
        ],
        "default_phone_region": "it",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "oidc_login_provider_url": "https:\/\/<REDACTED>",
        "oidc_login_auto_redirect": true,
        "oidc_login_redir_fallback": true,
        "oidc_login_scope": "openid profile email safeids group",
        "oidc_login_client_id": "<REDACTED>",
        "oidc_login_client_secret": "<REDACTED>",
        "oidc_login_button_text": "Sign in with <REDACTED>",
        "oidc_login_end_session_redirect": true,
        "oidc_login_logout_url": "https:\/\/<REDACTED>\/",
        "oidc_login_attributes": {
            "id": "username",
            "groups": "group"
        },
        "oidc_login_disable_registration": false,
        "oidc_create_groups": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\Movie",
            "OC\\Preview\\MKV",
            "OC\\Preview\\MP4",
            "OC\\Preview\\AVI",
            "OC\\Preview\\Image"
        ],
        "memories.gis_type": 1
    }
}

List of activated Apps

Enabled:
  - activity: 5.0.0-dev.0
  - admin_audit: 1.22.0
  - app_api: 32.0.0
  - bruteforcesettings: 5.0.0-dev.0
  - circles: 32.0.0
  - cloud_federation_api: 1.16.0
  - comments: 1.22.0
  - contacts: 8.2.0
  - contactsinteraction: 1.13.1
  - dashboard: 7.12.0
  - dav: 1.34.2
  - federatedfilesharing: 1.22.0
  - federation: 1.22.0
  - files: 2.4.0
  - files_downloadlimit: 5.0.0-dev.0
  - files_external: 1.24.0
  - files_pdfviewer: 5.0.0-dev.0
  - files_reminders: 1.5.0
  - files_sharing: 1.24.1
  - files_trashbin: 1.22.0
  - firstrunwizard: 5.0.0-dev.0
  - impersonate: 3.0.0
  - logreader: 5.0.0-dev.0
  - lookup_server_connector: 1.20.0
  - nextcloud_announcements: 4.0.0-dev.0
  - notifications: 5.0.0-dev.0
  - notify_push: 1.2.2
  - oauth2: 1.20.0
  - oidc_login: 3.2.2
  - privacy: 4.0.0-dev.0
  - profile: 1.1.0
  - provisioning_api: 1.22.0
  - recommendations: 5.0.0-dev.0
  - related_resources: 3.0.0-dev.0
  - richdocuments: 9.0.2
  - serverinfo: 4.0.0-dev.0
  - settings: 1.15.1
  - sharebymail: 1.22.0
  - spreed: 22.0.7
  - support: 4.0.0-dev.0
  - survey_client: 4.0.0-dev.0
  - systemtags: 1.22.0
  - talk_matterbridge: 1.32.1026000
  - text: 6.0.1
  - theming: 2.7.0
  - twofactor_backupcodes: 1.21.0
  - updatenotification: 1.22.0
  - user_status: 1.12.0
  - viewer: 5.0.0-dev.0
  - weather_status: 1.12.0
  - webhook_listeners: 1.3.0
  - workflowengine: 2.14.0
Disabled:
  - encryption: 2.20.0 (installed 2.8.1)
  - files_versions: 1.25.0 (installed 1.24.0)
  - password_policy: 4.0.0-dev.0 (installed 1.4.0)
  - photos: 5.0.0-dev.1 (installed 2.2.0)
  - suspicious_login: 10.0.0-dev.0
  - twofactor_nextcloud_notification: 6.0.0-dev.0
  - twofactor_totp: 14.0.0 (installed 1.5.0)
  - user_ldap: 1.23.0 (installed 1.4.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"DRzMEz6GdnJP9lh1tsR5","level":3,"time":"2026-01-09T09:37:36+00:00","remoteAddr":"185.131.253.254","user":"--","app":"webdav","method":"GET","url":"/public.php/dav/files/NC4QZe72BDTPw64/?accept=zip","message":"Download blocked due the secure view policy","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0","version":"32.0.3.2","exception":{"Exception":"OCP\\Files\\ForbiddenException","Message":"Download blocked due the secure view policy","Code":0,"Trace":[{"file":"/var/www/nextcloud-32/apps/richdocuments/lib/Storage/SecureViewWrapper.php","line":43,"function":"checkFileAccess","class":"OCA\\Richdocuments\\Storage\\SecureViewWrapper","type":"->"},{"file":"/var/www/nextcloud-32/lib/private/Files/View.php","line":1210,"function":"fopen","class":"OCA\\Richdocuments\\Storage\\SecureViewWrapper","type":"->"},{"file":"/var/www/nextcloud-32/lib/private/Files/View.php","line":1038,"function":"basicOperation","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud-32/lib/private/Files/Node/File.php","line":95,"function":"fopen","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud-32/apps/dav/lib/Connector/Sabre/ZipFolderPlugin.php","line":74,"function":"fopen","class":"OC\\Files\\Node\\File","type":"->"},{"file":"/var/www/nextcloud-32/apps/dav/lib/Connector/Sabre/ZipFolderPlugin.php","line":179,"function":"streamNode","class":"OCA\\DAV\\Connector\\Sabre\\ZipFolderPlugin","type":"->"},{"file":"/var/www/nextcloud-32/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleDownload","class":"OCA\\DAV\\Connector\\Sabre\\ZipFolderPlugin","type":"->"},{"file":"/var/www/nextcloud-32/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud-32/apps/dav/lib/Connector/Sabre/Server.php","line":211,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud-32/apps/dav/appinfo/v2/publicremote.php","line":160,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud-32/public.php","line":90,"args":["/var/www/nextcloud-32/apps/dav/appinfo/v2/publicremote.php"],"function":"require_once"}],"File":"/var/www/nextcloud-32/apps/richdocuments/lib/Storage/SecureViewWrapper.php","Line":83,"message":"Download blocked due the secure view policy","exception":{},"CustomMessage":"Download blocked due the secure view policy"}}

Additional info

In the Richdocuments settings, enforce secure view is enabled for read-only link shares.
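
The behaviour asked for under "Expected behavior", as an added example that is not part of the original report and is not Nextcloud or richdocuments code: a per-file refusal is caught, the file is left out and reported, and the archive is still finalized so it opens. It assumes PHP 8 with the zip extension; `ForbiddenException` here is a local stand-in class, and `zipFolderTolerant` and `$open` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Local stand-in for OCP\Files\ForbiddenException so this runs outside Nextcloud.
class ForbiddenException extends Exception {}

/**
 * Hypothetical helper: zip $names, reading each one through $open, which
 * returns a stream or throws ForbiddenException when a policy refuses the read.
 * A refused file is left out and reported; the archive is still finalized.
 *
 * @return array<string,string> skipped entry name => refusal message
 */
function zipFolderTolerant(string $zipPath, array $names, callable $open): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    $skipped = [];
    foreach ($names as $name) {
        try {
            $stream = $open($name); // the access policy is still enforced here
        } catch (ForbiddenException $e) {
            $skipped[$name] = $e->getMessage(); // omit the file, keep going
            continue;
        }
        $zip->addFromString($name, stream_get_contents($stream));
        fclose($stream);
    }
    $zip->close(); // writes the central directory; without it the zip is unreadable
    return $skipped;
}

// Constructed sample folder: the opener refuses the PDF, as the wrapper in the log does.
$files = ['notes.txt' => "hello\n", 'report.pdf' => '%PDF-1.7 constructed'];
$open = function (string $name) use ($files) {
    if (str_ends_with($name, '.pdf')) {
        throw new ForbiddenException('Download blocked due the secure view policy');
    }
    $stream = fopen('php://memory', 'r+');
    fwrite($stream, $files[$name]);
    rewind($stream);
    return $stream;
};

$path = tempnam(sys_get_temp_dir(), 'zip');
$skipped = zipFolderTolerant($path, array_keys($files), $open);

$check = new ZipArchive();
$valid = $check->open($path, ZipArchive::CHECKCONS) === true;
printf("valid=%s entries=%d skipped=%s\n", var_export($valid, true), $check->numFiles, implode(',', array_keys($skipped)));
```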
