How to use GitHub
- Please use the 👍 reaction to show that you are affected by the same issue.
- Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
- Subscribe to receive notifications on status change and new comments.
Describe the bug
DeckShareProvider::getSharesByPath() / getSharedWith() (line 1027) passes the raw
share_with value from the oc_share row into CardMapper::findBoardId(int $id)
without casting. Because oc_share.share_with is a VARCHAR column, PHP 8.1+ strict
scalar typing refuses the implicit coercion and throws a TypeError.
The error is triggered whenever Nextcloud Office (richdocuments) opens a file that
lives inside — or is itself — a node attached to a Deck card. Office's WOPI access
check iterates every registered IShareProvider, including DeckShareProvider,
which finds the share_type = 12 row created by the card attachment and crashes
while trying to hydrate it.
The user-facing symptom in Nextcloud Office is:
"Dokument kann nicht gespeichert werden, bitte überprüfen Sie Ihre Berechtigungen"
("The document cannot be saved, please check your permissions").
Log entry:
Exception richdocuments
OCA\Deck\Db\CardMapper::findBoardId(): Argument #1 ($id) must be of type int,
string given, called in /var/www/html/custom_apps/deck/lib/Sharing/DeckShareProvider.php
on line 1027 in file '/var/www/html/custom_apps/deck/lib/Db/CardMapper.php' line 632
The error is independent of:
- whether the opening user is a member of the board containing the card,
- whether the attached node was reached via a normal share or via a groupfolder
(Team folder) with advanced-permissions ACL,
- whether the attached node is the file itself or a parent folder of it.
To Reproduce
Steps to reproduce the behavior:
- Create a Deck board and a card on it.
- Attach any folder from a Team folder (groupfolder) to the card — e.g. via
"Attach a file" → pick a groupfolder subfolder.
- Place an Office-editable document inside that folder (e.g.
test.docx).
- As any user with access to the file (board owner, board member, or a user who
only reaches the folder via the groupfolder's advanced permissions), open
test.docx in Nextcloud Office.
- Observe the "Dokument kann nicht gespeichert werden …" error in the Office UI
and the TypeError above in nextcloud.log under app: richdocuments.
Expected behavior
The document opens and can be edited/saved normally. DeckShareProvider should
cast the share_with value to int before passing it to
CardMapper::findBoardId() (or more defensively validate it and skip the row
with a warning if it is not numeric).
Client details:
- OS: Windows 11
- Browser: Edge
- Version: 145.0.3800.82
- Device: desktop
Server details
Web server: Apache
Database: Tested on MySQL
**PHP version:**Tested on 8.3.28
Nextcloud version: Tested on 33.0.0
Updated from an older Nextcloud/ownCloud or fresh install: updated from 32
Where did you install Nextcloud from: Docker image
List of activated apps:
deck, groupfolders, richdocuments, files_sharing
Nextcloud configuration:
Are you using an external user-backend, if yes which one: LDAP
Are you using encryption: no
Are you using an external storage, if yes which one: none
Deck configuration:
- Deck app location:
/var/www/html/custom_apps/deck
- Deck version: 1.17.1
Additional context
Minimal working hypothesis: around line 1027 of DeckShareProvider.php, the value
read from the share row ($data['share_with'] or equivalent) is passed unmodified
to CardMapper::findBoardId(int $id). Casting to int at the call site, e.g.
$boardId = $this->cardMapper->findBoardId((int)$data['share_with']);
resolves the TypeError in local testing. A more defensive fix would validate that
the value is numeric and continue/log a warning otherwise, so that stray or
corrupt share rows don't take down unrelated flows such as Office's WOPI access
check.
This combination (Deck + Team folders/groupfolders + Nextcloud Office) is very
common in real deployments; any folder attachment from a groupfolder essentially
makes every Office-editable file inside it unsaveable for affected users until
the attachment is removed.
How to use GitHub
Describe the bug
DeckShareProvider::getSharesByPath()/getSharedWith()(line 1027) passes the rawshare_withvalue from theoc_sharerow intoCardMapper::findBoardId(int $id)without casting. Because
oc_share.share_withis a VARCHAR column, PHP 8.1+ strictscalar typing refuses the implicit coercion and throws a TypeError.
The error is triggered whenever Nextcloud Office (richdocuments) opens a file that
lives inside — or is itself — a node attached to a Deck card. Office's WOPI access
check iterates every registered
IShareProvider, includingDeckShareProvider,which finds the
share_type = 12row created by the card attachment and crasheswhile trying to hydrate it.
The user-facing symptom in Nextcloud Office is:
"Dokument kann nicht gespeichert werden, bitte überprüfen Sie Ihre Berechtigungen"
("The document cannot be saved, please check your permissions").
Log entry:
The error is independent of:
(Team folder) with advanced-permissions ACL,
To Reproduce
Steps to reproduce the behavior:
"Attach a file" → pick a groupfolder subfolder.
test.docx).only reaches the folder via the groupfolder's advanced permissions), open
test.docxin Nextcloud Office.and the TypeError above in
nextcloud.logunderapp: richdocuments.Expected behavior
The document opens and can be edited/saved normally.
DeckShareProvidershouldcast the
share_withvalue tointbefore passing it toCardMapper::findBoardId()(or more defensively validate it and skip the rowwith a warning if it is not numeric).
Client details:
Server details
Web server: Apache
Database: Tested on MySQL
**PHP version:**Tested on 8.3.28
Nextcloud version: Tested on 33.0.0
Updated from an older Nextcloud/ownCloud or fresh install: updated from 32
Where did you install Nextcloud from: Docker image
List of activated apps:
deck, groupfolders, richdocuments, files_sharing
Nextcloud configuration:
Are you using an external user-backend, if yes which one: LDAP
Are you using encryption: no
Are you using an external storage, if yes which one: none
Deck configuration:
/var/www/html/custom_apps/deckAdditional context
Minimal working hypothesis: around line 1027 of
DeckShareProvider.php, the valueread from the share row (
$data['share_with']or equivalent) is passed unmodifiedto
CardMapper::findBoardId(int $id). Casting to int at the call site, e.g.resolves the TypeError in local testing. A more defensive fix would validate that
the value is numeric and
continue/log a warning otherwise, so that stray orcorrupt share rows don't take down unrelated flows such as Office's WOPI access
check.
This combination (Deck + Team folders/groupfolders + Nextcloud Office) is very
common in real deployments; any folder attachment from a groupfolder essentially
makes every Office-editable file inside it unsaveable for affected users until
the attachment is removed.