Assigned card is not viewable without board-editing permissions

[markuman]

Describe the bug

When a board is shared with a user without "edit" permissions. The user cannot view card details of cards where he/she is the assignee.
When the assignee is removed, the user can view card details again.

To Reproduce
Steps to reproduce the behavior:

1. share a board without edit permission
2. test that the user can view all card details
3. assign one card to the user
4. the user cannot view card details of its card anymore

Expected behavior
The user should be able to still view card details when I is the assignee.

Screenshots

Client details:

• OS: Manjaro Linux
• Browser Firefox and Chromium
• Version Firefox 79, Chromium 84
• Device: Desktop

Server details

Operating system:

Docker Deployment

Web server:

Apache

Database:

Mariadb

PHP version:

7.4

Nextcloud version: (see Nextcloud admin page)

19.0.1

Where did you install Nextcloud from:

Dockerhub official Nextcloud image

Signing status:

No errors have been found.

List of activated apps:

./occ app:list
Enabled:
  - accessibility: 1.5.0
  - activity: 2.12.0
  - admin_audit: 1.9.0
  - analytics: 2.4.1
  - announcementcenter: 3.8.1
  - appointments: 1.6.8
  - apporder: 0.10.0
  - audioplayer: 2.11.2
  - audioplayer_editor: 0.2.2
  - bookmarks: 3.3.4
  - bruteforcesettings: 1.6.0
  - calendar: 2.0.3
  - cloud_federation_api: 1.2.0
  - comments: 1.9.0
  - contacts: 3.3.0
  - contactsinteraction: 1.0.0
  - cookbook: 0.7.6
  - cospend: 1.0.5
  - dav: 1.15.0
  - deck: 1.0.5
  - drawio: 0.9.7
  - encryption: 2.7.0
  - end_to_end_encryption: 1.5.2
  - facerecognition: 0.6.2
  - federatedfilesharing: 1.9.0
  - federation: 1.9.0
  - files: 1.14.0
  - files_accesscontrol: 1.9.0
  - files_automatedtagging: 1.9.0
  - files_external: 1.10.0
  - files_lock: 0.8.3
  - files_markdown: 2.3.0
  - files_mindmap: 0.0.22
  - files_pdfviewer: 1.8.0
  - files_photospheres: 1.19.1
  - files_rightclick: 0.16.0
  - files_sharing: 1.11.0
  - files_trashbin: 1.9.0
  - files_versions: 1.12.0
  - files_videoplayer: 1.8.0
  - gpxedit: 0.0.13
  - gpxmotion: 0.0.11
  - gpxpod: 4.2.2
  - logreader: 2.4.0
  - lookup_server_connector: 1.7.0
  - mail: 1.4.1
  - maps: 0.1.6
  - music: 0.16.0
  - news: 14.1.11
  - nextcloud_announcements: 1.8.0
  - notes: 3.6.2
  - notifications: 2.7.0
  - oauth2: 1.7.0
  - onlyoffice: 4.3.0
  - passman: 2.3.5
  - password_policy: 1.9.1
  - passwords: 2020.8.0
  - phonetrack: 0.6.4
  - photos: 1.1.0
  - polls: 1.4.3
  - previewgenerator: 2.3.0
  - privacy: 1.3.0
  - provisioning_api: 1.9.0
  - quicknotes: 0.6.0
  - recommendations: 0.7.0
  - serverinfo: 1.9.0
  - settings: 1.1.0
  - spreed: 9.0.3
  - systemtags: 1.9.0
  - tasks: 0.13.3
  - text: 3.0.1
  - theming: 1.10.0
  - theming_customcss: 1.6.0
  - twofactor_backupcodes: 1.8.0
  - twofactor_totp: 4.1.3
  - twofactor_u2f: 5.1.0
  - unsplash: 1.1.6
  - updatenotification: 1.9.0
  - viewer: 1.3.0
  - weather: 1.7.3
  - workflow_pdf_converter: 1.4.0
  - workflow_script: 1.4.0
  - workflowengine: 2.1.0

Nextcloud configuration:

{   
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0
        },
        "apps_paths": [
            {   
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {   
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "19.0.1.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "loglevel": 0,
        "maintenance": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "app.mail.transport": "php-mail",
        "app_install_overwrite": [
            "mail",
            "files_automatedtagging",
            "tasks",
            "weather",
            "passman",
            "documents",
            "gpxmotion",
            "gpxedit",
            "drawio",
            "ocr"
        ],
        "theme": "",
        "has_rebuilt_cache": true,
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": []
    }
}

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

no

[juliushaertl]

duplicate of #2033 will be fixed with the next release

[markuman]

@juliushaertl last release is two month ago and this bug is (imho) a very annoying one (system impaired).
a new minor release with this fix would be very very helpful.

[stefan-niedermann]

@markuman next release has already published beta 2, so i guess it shouldn't take that much time :)