[Bug]: Share links: password check box is always checked in "Customize link" UI

[passibe15]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Note: I am not sure when this appeared, but I am fairly certain this happened after upgrading from NC 31 to 32.

In the "Customize link" UI the password checkbox is always checked (and the empty password field is always visible), even if a password is not set and not required when accessing the share link. See this screenshot:

When unchecking the box and clicking on "Update share" there are no errors, neither in nextcloud's debug log nor in the browser console. But after re-opening the "Customize link" UI, the box is checked (again) and the password field is visible (again).

This seems to be independent of the browser used (tested with Safari 26.0.1 and Chrome 141.0.7390.55, both on macOS).

"Always ask for a password" and "Enforce password protection" are both disabled. Enabling and then disabling them did not help.

Steps to reproduce

1. Create a share link
2. Click the three dots
3. Click "Customize link"
4. Notice the checked password box even though no password was set
5. Uncheck password box
6. Click "Update share"
7. Click the three dots
8. Click "Customize link"
9. Notice the checked password box even though no password was set
10. Repeat steps 2 to 9 if you want to go insane
11. Optional: Verify that the share link can still be accessed as intended, i.e. without being asked for a password

Expected behavior

Checkbox is only checked if a password was set.

Nextcloud Server version

32

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 31 to 32)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "maintenance": false,
        "trusted_domains": [
            "cloud.example.org",
            "cloud.foo.com"
        ],
        "overwrite.cli.url": "https:\/\/cloud.example.org\/",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "30, 60",
        "log_type": "file",
        "loglevel": 2,
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "logtimezone": "Europe\/Berlin",
        "dbtype": "mysql",
        "version": "32.0.0.13",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0
        },
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "simpleSignUpLink.shown": false,
        "lost_password_link": "disabled",
        "maintenance_window_start": 3,
        "theme": "",
        "default_language": "de",
        "default_locale": "de_DE",
        "default_phone_region": "DE",
        "default_timezone": "Europe\/Berlin",
        "knowledgebaseenabled": false,
        "defaultapp": "files",
        "quota_include_external_storage": true,
        "enable_previews": true,
        "preview_max_x": 1024,
        "preview_max_y": 1024,
        "jpeg_quality": 60,
        "preview_max_scale_factor": 1,
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "files.chunked_upload.max_size": 94371840,
        "enabledPreviewProviders": [
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\Imaginary"
        ],
        "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

not relevant

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No error is logged.

Additional info

I am curious as to how something like this is not caught during testing.

[thomaselsaesser]

we have the same Problem with ubunut 22.04
nextcloud 31.0.9.0
php8.4-fpm
rest same config as obove

[provokateurin]

CC @nfebe

[ferfebles]

Same problem when upgrading to Nextcloud 31.0.10

[passibe15]

r2evans
Not only is it always checked, but no password is ever set whether checked or not. This means all shares are public with no security at all. This was the case in 31 and now in 32.0.1 (docker image).

I can't confirm this for 32.0.1. Password protection works as intended, this bug is purely visual.
Something else must be wrong on your end.

[passibe15]

r2evans
This bug is not purely visual for me, I cannot set a password for new external shares.

It appears to me that External Shares in general have seen an uptick of bugs in the last few months.

#53886 (closed as stale)
#54398 (allegedly fixed by #55073)
#54537 (allegedly fixed by #54538)
#56027 (still open)
Having password-less external shares is a security risk that I think needs to be addressed quickly, and related problems have been reported as early as July. I suggest reviewing the changes that occurred in the month or so leading up to those bugs could provide insight to an inadvertent oversight that is the root of the problems.

Ok sure, but maybe (re)open another issue then and actually describe in some detail what you are experiencing?
As I've said, the bug this issue is about is purely visual.