[Bug]: Group shares are not updated when new users are added to existing groups (Federation + OIDC) #57445

@dercaptainbc

Bug description

When a user is added to an already shared group, the existing group share is not updated for the new member.

While removing a user from a group correctly removes the corresponding entry from the oc_shares table, adding a user to an existing group does not create a new oc_shares entry for that user. As a result, the newly added group member does not receive access to the shared folder.

This behavior makes group-based sharing unreliable, especially in environments where group membership is synchronized via external identity providers and happens per user login.

Steps to reproduce

  1. Create a new group in an external IdP (Authentik) with two users.
  2. Log in to Nextcloud via OIDC with the first user.
    • The group is synchronized into Nextcloud.
    • Only this user is a member at this point (group sync happens per user login).
  3. Log in / Impersonate with a dedicated federation user and create a federated share to the new group.
  4. Log in again with the first user and verify that the federated share is visible.
    • A corresponding entry exists in the oc_shares table.
  5. Log in later with the second user.
    • The group is successfully synchronized in Nextcloud.
    • The federated share is NOT visible.
    • No corresponding oc_shares entry exists for this user.
  6. Delete the group share and recreate it.
    • After recreating the share, the second user receives access and a new oc_shares entry is created.

Expected behavior

When a user is added to a group, all existing group shares should automatically apply to the new member.

A corresponding entry in oc_shares should be created without requiring the group share to be deleted and recreated.

Nextcloud Server version

31

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Additional info

  • Setup uses federated shares between two Nextcloud instances.
  • Authentication is handled via Authentik using OIDC. (But the same thing happens when I manually add or delete a user from the group.)
  • A dedicated user is used to manage federation shares.
  • Issue is reproducible consistently.
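
An added example, not part of the original issue or Nextcloud's code: a consistency check that lists group members who have no per-user row for a share on their group (the state after step 5), plus the reverse check for rows left behind after a removal. The schema is a constructed, simplified model; the table names, column names, group name and users are assumptions, not Nextcloud's actual database layout.

```python
import sqlite3

# Constructed, simplified stand-in schema: table and column names are
# assumptions for illustration, not Nextcloud's actual database layout.
SCHEMA = """
CREATE TABLE group_members   (gid TEXT, uid TEXT);
CREATE TABLE group_shares    (share_id INTEGER PRIMARY KEY, gid TEXT, path TEXT);
CREATE TABLE user_share_rows (share_id INTEGER, uid TEXT);
"""

def build_sample_db():
    """State after step 5 of the report: both users are in the group,
    but only the first one has a per-user row for the group share."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO group_members VALUES (?, ?)",
                   [("project-x", "alice"), ("project-x", "bob")])
    db.execute("INSERT INTO group_shares VALUES (1, 'project-x', '/Shared/ProjectX')")
    db.execute("INSERT INTO user_share_rows VALUES (1, 'alice')")
    return db

def missing_share_rows(db):
    """(uid, gid, share_id) for each group member lacking a per-user row."""
    return db.execute("""
        SELECT m.uid, s.gid, s.share_id
        FROM group_shares s
        JOIN group_members m ON m.gid = s.gid
        LEFT JOIN user_share_rows r
               ON r.share_id = s.share_id AND r.uid = m.uid
        WHERE r.uid IS NULL
        ORDER BY s.share_id, m.uid
    """).fetchall()

def stale_share_rows(db):
    """Reverse check: per-user rows whose user is no longer in the group."""
    return db.execute("""
        SELECT r.uid, s.gid, s.share_id
        FROM user_share_rows r
        JOIN group_shares s ON s.share_id = r.share_id
        LEFT JOIN group_members m ON m.gid = s.gid AND m.uid = r.uid
        WHERE m.uid IS NULL
        ORDER BY s.share_id, r.uid
    """).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print("missing:", missing_share_rows(db))
    print("stale:  ", stale_share_rows(db))
```

Running both directions after each identity-provider sync separates members who were never given access from access that outlived a removal.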

Labels

0. Needs triage (Pending check for reproducibility or if it fits our roadmap), 31-feedback, bug
