FS-like permissions for files stored on oCIS

walt · December 19, 2024, 7:16am

Is there any way to set FS-like permissions on files stored on oCIS? For example, make a file read-only for everyone, for a particular group, for a particular user, etc. Or, for example, “lock” a file like we can on MacOS to avoid accidental overwrites.

hodyroff · December 19, 2024, 11:30pm

Keep in mind that ownCloud Infinite Scale has versioning and a trashbin, therfor accidents aren’t so much our challenge. Of course in a Space you can have edit rights or read only … for a single file however you might need to treat that differently in its own space and point to it with a link or so …

walt · December 20, 2024, 7:44am

Versioning and the trash bin go a long way toward addressing the issue, but we’ve found that many users are still most comfortable working with files in a more traditional way where they can lock files to avoid unintentional deletion or overwriting and set permissions so they know who has control. Spaces also provide quite a lot of control for all files which are stored there, but don’t offer anything that’s controlled per-file.

kobergj · December 23, 2024, 9:56am

Permissions can only be set per space or per share. You could give a user view permission on a space and write permission (through a share) on a subfolder. There is also a (experimental) feature called ‘denials’ which allows denying an otherwise authorized user access to a folder/file.
This is as close as ocis can get to file permissions. Real File Permissions are currently not planned.

walt · December 23, 2024, 3:00pm

Thanks. Denials actually sounds like it would support a lot of what’s immediately needed. What’s the anticipated timeline on this becoming a production feature?

kobergj · December 23, 2024, 3:25pm

As far as I’m aware the feature is basically done. It just has a major flaw: Search service doesn’t understand denials. Hence searching for files will show them in the search results even if access is denied. (Still the user can’t access these files, but sees their metadata like name).
However fixing this bug is not completely trivial. It got postponed in the past because there was no real interest in the feature. That’s why it isn’t planned at the moment.

walt · December 23, 2024, 4:14pm

Cool. Is this something we can enable in 6.6.x or 7.x.x to test? I don’t think the search issue is going to be a problem for us.

kobergj · December 27, 2024, 8:26am

Sure. The envvar is called FRONTEND_ENABLE_DENIALS. After enabling you should see the corresponding action in the webui