--- /dev/null
+From: =?utf-8?q?Sandro_Knau=C3=9F?= <hefee@debian.org>
+Date: Sun, 27 Jul 2025 12:24:51 +0200
+Subject: Revert "ensure no any user writable permissions in Nextcloud sync
+ folder"
+
+This reverts commit 5b2af166d3d9c8537c565922750392d4a3f6610e.
+
+Updated to apply and match for 3.16.6.
+
+Origin: backport
+Bug-Debian: https://bugs.debian.org/1091614
+Bug: https://github.com/nextcloud/desktop/issues/7613
+Forwarded: not-needed
+Last-Update: 2025-07-25
+---
+ src/csync/csync.h | 2 --
+ src/csync/vio/csync_vio_local_unix.cpp | 1 -
+ src/libsync/discovery.cpp | 11 -----------
+ src/libsync/discoveryphase.cpp | 1 -
+ src/libsync/discoveryphase.h | 1 -
+ src/libsync/owncloudpropagator.cpp | 7 +++++++
+ src/libsync/syncengine.cpp | 4 ----
+ src/libsync/syncfileitem.h | 2 --
+ 8 files changed, 7 insertions(+), 22 deletions(-)
+
+diff --git a/src/csync/csync.h b/src/csync/csync.h
+index 8329020..ff1ec56 100644
+--- a/src/csync/csync.h
++++ b/src/csync/csync.h
+@@ -218,7 +218,6 @@ struct OCSYNC_EXPORT csync_file_stat_s {
+ bool is_hidden BITFIELD(1); // Not saved in the DB, only used during discovery for local files.
+ bool isE2eEncrypted BITFIELD(1);
+ bool is_metadata_missing BITFIELD(1); // Indicates the file has missing metadata, f.ex. the file is not a placeholder in case of vfs.
+- bool isPermissionsInvalid BITFIELD(1);
+
+ QByteArray path;
+ QByteArray rename_path;
+@@ -246,7 +245,6 @@ struct OCSYNC_EXPORT csync_file_stat_s {
+ , is_hidden(false)
+ , isE2eEncrypted(false)
+ , is_metadata_missing(false)
+- , isPermissionsInvalid(false)
+ { }
+ };
+
+diff --git a/src/csync/vio/csync_vio_local_unix.cpp b/src/csync/vio/csync_vio_local_unix.cpp
+index 8f319a3..55cd0f0 100644
+--- a/src/csync/vio/csync_vio_local_unix.cpp
++++ b/src/csync/vio/csync_vio_local_unix.cpp
+@@ -169,7 +169,6 @@ static int _csync_vio_local_stat_mb(const mbchar_t *wuri, csync_file_stat_t *buf
+ buf->inode = sb.st_ino;
+ buf->modtime = sb.st_mtime;
+ buf->size = sb.st_size;
+- buf->isPermissionsInvalid = (sb.st_mode & S_IWOTH) == S_IWOTH;
+
+ return 0;
+ }
+diff --git a/src/libsync/discovery.cpp b/src/libsync/discovery.cpp
+index 5d2ab48..840b433 100644
+--- a/src/libsync/discovery.cpp
++++ b/src/libsync/discovery.cpp
+@@ -1127,10 +1127,6 @@ void ProcessDirectoryJob::processFileAnalyzeLocalInfo(
+ if (_queryLocal != NormalQuery && _queryServer != NormalQuery)
+ recurse = false;
+
+- if (localEntry.isPermissionsInvalid) {
+- recurse = true;
+- }
+-
+ if ((item->_direction == SyncFileItem::Down || item->_instruction == CSYNC_INSTRUCTION_CONFLICT || item->_instruction == CSYNC_INSTRUCTION_NEW || item->_instruction == CSYNC_INSTRUCTION_SYNC) &&
+ item->_direction != SyncFileItem::Up &&
+ (item->_modtime <= 0 || item->_modtime >= 0xFFFFFFFF)) {
+@@ -1159,13 +1155,6 @@ void ProcessDirectoryJob::processFileAnalyzeLocalInfo(
+ }
+ }
+
+- if (localEntry.isPermissionsInvalid && item->_instruction == CSyncEnums::CSYNC_INSTRUCTION_NONE) {
+- item->_instruction = CSYNC_INSTRUCTION_UPDATE_METADATA;
+- item->_direction = SyncFileItem::Down;
+- }
+-
+- item->isPermissionsInvalid = localEntry.isPermissionsInvalid;
+-
+ auto recurseQueryLocal = _queryLocal == ParentNotChanged ? ParentNotChanged : localEntry.isDirectory || item->_instruction == CSYNC_INSTRUCTION_RENAME ? NormalQuery : ParentDontExist;
+ processFileFinalize(item, path, recurse, recurseQueryLocal, recurseQueryServer);
+ };
+diff --git a/src/libsync/discoveryphase.cpp b/src/libsync/discoveryphase.cpp
+index 7edd684..f881a21 100644
+--- a/src/libsync/discoveryphase.cpp
++++ b/src/libsync/discoveryphase.cpp
+@@ -370,7 +370,6 @@ void DiscoverySingleLocalDirectoryJob::run() {
+ i.isSymLink = dirent->type == ItemTypeSoftLink;
+ i.isVirtualFile = dirent->type == ItemTypeVirtualFile || dirent->type == ItemTypeVirtualFileDownload;
+ i.isMetadataMissing = dirent->is_metadata_missing;
+- i.isPermissionsInvalid = dirent->isPermissionsInvalid;
+ i.type = dirent->type;
+ results.push_back(i);
+ }
+diff --git a/src/libsync/discoveryphase.h b/src/libsync/discoveryphase.h
+index 0c9edce..913f37f 100644
+--- a/src/libsync/discoveryphase.h
++++ b/src/libsync/discoveryphase.h
+@@ -107,7 +107,6 @@ struct LocalInfo
+ bool isVirtualFile = false;
+ bool isSymLink = false;
+ bool isMetadataMissing = false;
+- bool isPermissionsInvalid = false;
+ [[nodiscard]] bool isValid() const { return !name.isNull(); }
+ };
+
+diff --git a/src/libsync/owncloudpropagator.cpp b/src/libsync/owncloudpropagator.cpp
+index fba85c5..10eedaf 100644
+--- a/src/libsync/owncloudpropagator.cpp
++++ b/src/libsync/owncloudpropagator.cpp
+@@ -1472,12 +1472,18 @@ void PropagateDirectory::slotSubJobsFinished(SyncFileItem::Status status)
+ try {
+ if (const auto fileName = propagator()->fullLocalPath(_item->_file); FileSystem::fileExists(fileName)) {
+ FileSystem::setFolderPermissions(fileName, FileSystem::FolderPermissions::ReadOnly);
++ qCDebug(lcDirectory) << fileName << "permissions changed: old permissions" << static_cast<int>(std::filesystem::status(fileName.toStdWString()).permissions());
++ std::filesystem::permissions(fileName.toStdWString(), std::filesystem::perms::owner_write | std::filesystem::perms::group_write | std::filesystem::perms::others_write, std::filesystem::perm_options::remove);
+ Q_EMIT propagator()->touchedFile(fileName);
++ qCDebug(lcDirectory) << fileName << "applied new permissions" << static_cast<int>(std::filesystem::status(fileName.toStdWString()).permissions());
+ }
+ if (!_item->_renameTarget.isEmpty() && FileSystem::fileExists(propagator()->fullLocalPath(_item->_renameTarget))) {
+ const auto fileName = propagator()->fullLocalPath(_item->_renameTarget);
+ FileSystem::setFolderPermissions(fileName, FileSystem::FolderPermissions::ReadOnly);
++ qCDebug(lcDirectory) << fileName << "permissions changed: old permissions" << static_cast<int>(std::filesystem::status(fileName.toStdWString()).permissions());
++ std::filesystem::permissions(fileName.toStdWString(), std::filesystem::perms::owner_write | std::filesystem::perms::group_write | std::filesystem::perms::others_write, std::filesystem::perm_options::remove);
+ Q_EMIT propagator()->touchedFile(fileName);
++ qCDebug(lcDirectory) << fileName << "applied new permissions" << static_cast<int>(std::filesystem::status(fileName.toStdWString()).permissions());
+ }
+ }
+ catch (const std::filesystem::filesystem_error &e)
+@@ -1504,6 +1510,7 @@ void PropagateDirectory::slotSubJobsFinished(SyncFileItem::Status status)
+ {
+ qCDebug(lcDirectory) << fileName << "permissions changed: old permissions" << static_cast<int>(std::filesystem::status(fileName.toStdWString()).permissions());
+ FileSystem::setFolderPermissions(fileName, FileSystem::FolderPermissions::ReadWrite);
++ std::filesystem::permissions(fileName.toStdWString(), std::filesystem::perms::owner_write, std::filesystem::perm_options::add);
+ Q_EMIT propagator()->touchedFile(fileName);
+ qCDebug(lcDirectory) << fileName << "applied new permissions" << static_cast<int>(std::filesystem::status(fileName.toStdWString()).permissions());
+ };
+diff --git a/src/libsync/syncengine.cpp b/src/libsync/syncengine.cpp
+index e24ce8a..8237905 100644
+--- a/src/libsync/syncengine.cpp
++++ b/src/libsync/syncengine.cpp
+@@ -362,10 +362,6 @@ void OCC::SyncEngine::slotItemDiscovered(const OCC::SyncFileItemPtr &item)
+ const bool isReadOnly = !item->_remotePerm.isNull() && !item->_remotePerm.hasPermission(RemotePermissions::CanWrite);
+ modificationHappened = FileSystem::setFileReadOnlyWeak(filePath, isReadOnly);
+ }
+- if (item->isPermissionsInvalid) {
+- const auto isReadOnly = !item->_remotePerm.isNull() && !item->_remotePerm.hasPermission(RemotePermissions::CanWrite);
+- FileSystem::setFileReadOnly(filePath, isReadOnly);
+- }
+
+ modificationHappened |= item->_size != prev._fileSize;
+
+diff --git a/src/libsync/syncfileitem.h b/src/libsync/syncfileitem.h
+index 154d13a..041e48d 100644
+--- a/src/libsync/syncfileitem.h
++++ b/src/libsync/syncfileitem.h
+@@ -344,8 +344,6 @@ public:
+ bool _isLivePhoto = false;
+ QString _livePhotoFile;
+
+- bool isPermissionsInvalid = false;
+-
+ QString _discoveryResult;
+
+ /// if true, requests the file to be permanently deleted instead of moved to the trashbin
projects / nextcloud-desktop.git / commitdiff