Questions about spaces, rights and nesting?

Hi,

I have some questions for which I did not find answers in the web client and the documentation:

  • Is there a way (without sharing) to customize subtree element rights? Technically, can a subfolder or file have different rights?
  • Can we somehow nest spaces or have “shortcuts” to another space file?
  • When sharing a folder, is there a way to get some context about the space and parent folders where the shared element belongs?

For instance, if we share a folder “Documentation” from two different spaces, we end up with 2 shares named “Documentation” without an evident clue as to which space is sharing. In addition, if we mount the /shares WebDAV endpoint via rclone on Windows, we will only see one folder.

The ideal would be showing the tree structure from the root without showing files/folders that the user has no read access to: Myspace/Subfolder/Documentation/

Thank you

1 Like

Is there a way (without sharing) to customize subtree element rights? Technically, can a subfolder or file have different rights?

I’m not involved in oCIS development, but reading Sharing NG · Issue #6993 · owncloud/ocis · GitHub makes me think that the upcoming “Sharing NG” would make this possible. Please someone correct me if I’m wrong.

The ideal would be showing the tree structure from the root without showing files/folders that the user has no read access to: Myspace/Subfolder/Documentation/

Yes, this is something that I would also like to achieve. The directory tree should always look the same for each space user (except for items that the user has no read permissions for, which should be hidden).

1 Like

Is there a way (without sharing) to customize subtree element rights? Technically, can a subfolder or file have different rights?

In general there are no folder permissions in ocis. That means (besides sharing) a subfolder will always have the same permissions as its parent. There is however a concept of denials. That means you can deny access for a user to a specific folder. But it is not possible to have write access to a parent and only read access to its child. (Except when sharing of course)

Can we somehow nest spaces or have “shortcuts” to another space file?

Currently not planned. There is the concept of internal links. Those hold no permissions and can therefore only be opened by users who have access to the file/folder anyway. Maybe this feature could be used to achieve something similar.

When sharing a folder, is there a way to get some context about the space and parent folders where the shared element belongs?

This is not possible. When sharing a file, details of the space (name, description, image, …) must NOT be leaked to the share recipient. This user does (in general) not have access to the space and can therefore see no space information. Shares do however contain the id of the original space, which could be used to differentiate shares.

The ideal would be showing the tree structure from the root without showing files/folders that the user has no read access to: Myspace/Subfolder/Documentation/

Currently not possible due to the way is storing its data internally. Might come in the future with possible posix support feature.

1 Like

There is however a concept of denials.

Can we somehow test this?
Thanks

There is an envvar FRONTEND_OCS_ENABLE_DENIALS. Set this to true, then you can deny access for specific users to folders via the web UI.

This envvar can also be found in the frontend docu: Frontend Service Configuration

Please keep in mind that this is an experimental feature for now!

@Toumassa Actually, there is a major bug with denials. Even if access to a resource is denied, a search will still show it in the search results. Therefore the search service should be deactivated to avoid information disclosure.

There is a ticket for this in our GitHub repo: Denial of access to a resource. User can find denied resource · Issue #6288 · owncloud/ocis · GitHub. But this feature doesn’t have many supporters, so it has been stale for a while. Making some noise in the ticket would very much help to justify fixing it :wink:

2 Likes
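The combination described in the two posts above (denials switched on, search switched off so denied resources cannot surface in search results), as an added docker compose fragment that is not part of the original thread or the oCIS project's own configuration. The service name `ocis` is hypothetical, and `OCIS_EXCLUDE_RUN_SERVICES` is assumed to be available in the oCIS runtime of the deployed version; check it against the documentation for your release.

```yaml
# Added example, not from the thread. Service name "ocis" is hypothetical.
services:
  ocis:
    image: owncloud/ocis:5.0.0
    environment:
      # Experimental feature named in the thread: allows denying a space
      # member access to a specific folder from the web UI.
      FRONTEND_OCS_ENABLE_DENIALS: "true"
      # Assumption: runtime setting that keeps the listed services from
      # starting. With search not running, a denied folder cannot show up
      # in search results (the bug tracked in issue #6288).
      OCIS_EXCLUDE_RUN_SERVICES: "search"
```

After restarting, sign in as a user who has been denied a folder and confirm that neither browsing the space nor searching for the folder name returns it.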

I will definitely check this to see if this helps implementing our use case and then make some noise in the ticket :wink:

In my opinion, precise management of rights is an important feature to have, and it can be partially implemented through the use of denials.
My company can even financially contribute to implementing a full-featured tree rights management system in a space.

I use the dockerized version of oCIS

ownCloud Web UI 8.0.1
Infinite Scale 5.0.0 Community

I’ve set FRONTEND_OCS_ENABLE_DENIALS to true, and I also set it manually in ocis.yml to be sure

frontend:
  ocs:
    enable_denials: true

However, I can’t see any new option on the web page

Am I doing something wrong?

Mmmh. For me setting the envvar is enough. Select a folder and click on a space member to deny access for it.

Thanks, it works. Yeah, I also noticed the research bug.
I will reconfirm our interest for this feature on GitHub

Can we use this feature via API?

Yes. Internally this is just a share with specific permissions (64).