[Bug]: Changing the Share Link Token on a File Request does not lead to a database change

[noseshimself]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

see title: Changing the Share Link Token on a File Request does not lead to a database change

If you create a folder, add an "external link" and use ... -> "customize link" and change the "Share Link Token" you can create your own token without any problems.

Doing the same with a share link created using the "add a File Request" option in "New File" you are permitted to do this and save your changes but the token stays the same (which can be checked by a short look at the oc_shares table of your database.

Steps to reproduce

1. Create a "file request".
2. Verify it is working.
3. Use "customize link" and modify the Share Link token.
4. SAVE YOUR CHANGES.
5. Copy the link and test it in a browser session that is not logged in.
6. optionally: Check the database.
7. optionally: Take a look at "customize link" again and check which token is shown there.... In my case it was the new token although it can't be found in the database.

Expected behavior

I would expect to get an error when trying and failing or the operation to provid a new and working URL.

Nextcloud Server version

33

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.5

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": "1"
        },
        "overwritehost": "cloud.bnc.net",
        "overwriteprotocol": "https",
        "overwrite.cli.url": "https:\/\/cloud.bnc.net",
        "trusted_domains": [
            "localhost",
            "127.0.0.1:80",
            "lookup.nextcloud.com",
            "nextcloud",
            "cloud",
            "testcloud",
            "cloud.bnc.net",
            "testcloud.bnc.net",
            "nginx"
        ],
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "lookup_server": "https:\/\/lookup.nextcloud.com",
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "33.0.2.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": true,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 2,
        "log_rotate_size": 104857600,
        "defaultapp": "files",
        "share_folder": "\/Shared",
        "skeletondirectory": "\/var\/www\/local_skeleton",
        "default_phone_region": "DE",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": false,
                "verify_peer": true,
                "verify_peer_name": true
            }
        },
        "maintenance": false,
        "app_install_overwrite": {
            "0": "files_readmemd",
            "1": "snappymail",
            "2": "wopi",
            "3": "mail_roundcube",
            "4": "keeweb",
            "5": "metadata",
            "6": "occweb",
            "7": "passman",
            "8": "sharelisting",
            "9": "timesheet",
            "10": "done",
            "11": "riotchat",
            "12": "journeys",
            "13": "files_archive",
            "15": "groupfolder_tags",
            "16": "organization_folders",
            "17": "workspace",
            "18": "breezedark",
            "19": "talked",
            "20": "cfg_share_links",
            "21": "openotp_auth"
        },
        "memories.db.triggers.fcu": true,
        "memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/exiftool-amd64-glibc",
        "memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/go-vod-amd64",
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe"
    }
}

List of activated Apps

Enabled:
  - activity: 6.0.0
  - admin_audit: 1.23.0
  - announcementbanner: 2.4.2
  - announcementcenter: 7.3.0
  - app_api: 33.0.0
  - assistant: 3.4.0
  - bookmarks: 16.1.4
  - bookshelfs: 0.1.1
  - bruteforcesettings: 6.0.0
  - calendar: 6.2.3
  - call_summary_bot: 3.3.0
  - certificate24: 0.4.0
  - checksum: 2.1.1
  - circles: 33.0.0
  - cloud_federation_api: 1.17.0
  - collectives: 4.3.0
  - comments: 1.23.0
  - contacts: 8.4.5
  - contactsinteraction: 1.14.1
  - context_chat: 5.3.1
  - contractmanager: 0.4.4
  - cookbook: 0.11.6
  - cospend: 4.0.0
  - dashboard: 7.13.0
  - dav: 1.36.0
  - deck: 1.17.1
  - done: 1.7.0
  - drawio: 4.2.3
  - event_update_notification: 2.8.0
  - federatedfilesharing: 1.23.0
  - federation: 1.23.0
  - files: 2.5.0
  - files_accesscontrol: 4.0.0
  - files_archive: 1.2.8
  - files_automatedtagging: 4.0.0
  - files_autorename: 2.4.0
  - files_bpm: 1.7.3
  - files_downloadlimit: 5.1.0
  - files_external: 1.25.1
  - files_fulltextsearch_metadata: 0.1.1
  - files_lock: 33.0.2
  - files_pdfviewer: 6.0.0
  - files_readmemd: 3.0.2
  - files_reminders: 1.6.0
  - files_sharing: 1.25.2
  - files_trashbin: 1.23.0
  - files_versions: 1.26.0
  - files_zip: 2.3.0
  - firstrunwizard: 6.0.0
  - forms: 5.2.7
  - formvox: 1.1.4
  - gpxpod: 8.2.1
  - groupfolder_tags: 1.0.3
  - groupfolders: 21.0.7
  - groupquota: 0.2.4
  - impersonate: 4.0.0
  - integration_onedrive: 3.5.1
  - integration_openproject: 3.0.0
  - integration_openstreetmap: 4.1.0
  - intravox: 1.3.0
  - intros: 1.2.1
  - journeys: 0.23.2
  - keeweb: 0.6.22
  - logcleaner: 1.4.4
  - logreader: 6.0.0
  - lookup_server_connector: 1.21.0
  - mail: 5.7.14
  - mail_roundcube: 1.2.2
  - memories: 8.0.1
  - metadata: 0.23.0
  - music: 3.0.0
  - nextcloud_announcements: 5.0.0
  - notes: 5.0.0
  - notifications: 6.0.0
  - notify_push: 1.3.1
  - oauth2: 1.21.0
  - occweb: 0.2.3
  - organization_folders: 1.1.1
  - ownershiptransfer: 1.4.0
  - passman: 2.4.12
  - password_policy: 5.0.0
  - passwords: 2026.5.20
  - permissions_overwrite: 0.1.16
  - phonetrack: 1.2.0
  - photos: 6.0.0
  - picker: 1.0.14
  - privacy: 5.0.0
  - profile: 1.2.0
  - provisioning_api: 1.23.0
  - recognize: 11.0.1
  - recommendations: 6.0.0
  - related_resources: 4.0.0
  - richdocuments: 10.1.3
  - richdocumentscode: 25.4.904
  - scores: 0.9.17
  - secrets: 3.0.3
  - serverinfo: 5.0.0
  - settings: 1.16.0
  - sharebymail: 1.23.0
  - sharelisting: 1.3.0
  - sharereview: 2.1.0
  - side_menu: 5.3.0
  - snappymail: 2.38.2
  - spreed: 23.0.4
  - support: 5.0.0
  - survey_client: 5.0.0
  - suspicious_login: 11.0.0
  - systemtags: 1.23.0
  - tables: 2.1.0
  - tasks: 0.17.1
  - text: 7.0.0
  - theming: 2.8.0
  - time_archive: 1.0.2
  - timemanager: 0.3.23
  - timesheet: 1.1.6
  - timetracker: 0.0.86
  - twofactor_admin: 4.11.1
  - twofactor_backupcodes: 1.22.0
  - twofactor_email: 2.8.8
  - twofactor_gateway: 3.2.0
  - twofactor_nextcloud_notification: 7.0.0
  - twofactor_totp: 15.0.0
  - twofactor_webauthn: 2.6.0
  - unroundedcorners: 1.1.5
  - updatenotification: 1.23.0
  - user_migration: 10.2.0
  - user_status: 1.13.0
  - viewer: 6.0.0
  - weather_status: 1.13.0
  - webapppassword: 26.2.1
  - webhook_listeners: 1.5.0
  - weekplanner: 1.8.1
  - whiteboard: 1.5.7
  - workflowengine: 2.15.0
  - workspace: 4.4.0

Nextcloud Signing status

(a gazillion .git/objects missing in various custom_apps but nothing about core)

Nextcloud Logs

Additional info

This problem only applies to file requests. If you are just using identically configured external shares (which don't trigger requesting uploaders' names) everything is working as expected.