Rights management in owncloud 10: Subdirectories

Steps to reproduce

  1. Create directory Company1
  2. Create subdirectory Sub1
  3. Create subdirectory Sub2
  4. Create User1
  5. Set rights for Company to read and for Sub1 to write
    (User should be able to read from Sub1 and Sub2, but only write in Sub1)

Expected behaviour

There should be one folder "Company" and a subfolder "Sub1" for User 1. He should be able to read "Company" and to write in "Sub1"

Actual behaviour

Two folders appear for User1. One of "Company" and one of "Sub1". The original directory structure is not maintained.

Server configuration

Operating system: Raspbian (Server), Windows (client)

Web server: raspbian

Database: MySQL

PHP version: 7 (?)

ownCloud version: 10.0.3

Updated from an older ownCloud or fresh install: fresh

Where did you install ownCloud from: sd card

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local

Are you using encryption: yno

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

Client configuration

Browser: Chrome / Firefox

Operating system: Windows 10

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

I don't quite understand your issue here. Could you be more specific?

Also, where did you install ownCloud from - meaning from the repository or a tarball?

I installed from repository.

I try to make it more visible.

My order structure (admin):
Company
* Sub1
* Sub2

The order structure of User 1:
Company
* Sub1
* Sub2

Sub1

He has reading rights in Company and writing rights in Sub1. In his order structure, he sees Sub1 as a single folder and Sub1 as Subfolder in "Company".
As I gave User1 reading rights for some folders and writing rights in a lot of subfolder, he sees a lot of folders.

Did you make this structure on the command line or in the owncloud web UI?

The structure was "made" by syncing the folder from my computer with the windows app. Then I set the rights in the owncloud web UI.

It works as designed.

You can't assign different permissions in a recursive way for folders containing several sub folders.

Thank you!

What do you mean by "in a recursive way"? The rights work as I defined them and wanted them, it is just that they are displayed in a confusing way in the ownCloud UI of User1.

"In a recursive way" means that you define rights for the top folder and they are passed on to the sub folders.

Like if you want to copy something on Linux and the folder has folders in it, you have to type cp -R for recursive copy.

What you want is that the user can read what's in the company folder, but writes only in his sub folder 1, right?

Like if you have a big company and every department should get the general news, but only change data in their department folders.

In ownCloud you can do this, and you have done it, but it just looks different. The user has 2 shares. One for reading and one for writing. In the reading share he cannot edit files. In the writing share he can upload and change the data.

Thank you! But is there no way to make it look better? I mean it destroys the whole folder structure to have a view like this. To me it is more a thing of visualization than of user right management.

I understand what you want it to look like, but I don't think it's possible with the way owncloud works.

I know it from windows, you can assign different permissions in folders and subfolders.

But isn't it almost easier for the users? They know as soon as they click on the company folder that they can only read, and if they want to write or upload something for their department they know they don't have to go through the company folder, they directly go to their departments folder

It is not easier for users, but much more difficult.

  1. A lot of space is needed in windows, as folders are "doubled" when they are subfolders with writing rights
  2. The structure / overview gets really confusing and complicated by time.

Should I start a feature request at least for the app in Windows? Most of my users are working with Windows.

Sure, you can start a feature request.

But to your 1. Point - You have created the structure in Windows and made permissions in ownCloud. So why would your Structure change just because you see the folders different in ownCloud?

My folder structure does not change, but the one of the "user" I am sharing the data with. The structure in the ownCloud web UI is also okay. Just the one that my "user" sees is bloated.

What I recommend in such cases is to either build the right structure with a function user and share from there or share each subfolder separately (flat structure to your user) and let the user build the structure himself as every share can be moved and renamed freely.

@hodyroff: How can they build the structure themselves? They cannot move a subdirectory (write) in a parent-directory (read) as they do not have the right to do so. (I checked it by logging in the webUI with the username)

It also does not make sense to "build the right structure" as the structure is made by some logic system, which should not be destroyed or else I lose the overview. The admin should be able to build the structure in a way he wants.

They can do their own tree, just trying to give you ideas for workarounds while I agree with you that we want to eventually break inheritance.
Another option as said is to have another user who builds the structure (again, must be a flat structure) and then shares the full parent folder with the user. This would work if there are maybe 3 groups of users who shall see the same stuff, if it's really many different ones, the only option I see currently is to share with a flat structure and let the users worry about it, or maybe somewhat brave ... build that structure in SMB and then use WND integration (enterprise feature, but you can try it out for 30 days via marketplace.owncloud.com and contact me about it, if it works and you need more) to mount it into ownCloud ... kind of weird ... but again ... workarounds :wink:

I have the same problem. But I'm not sure @hodyroff really understands what @godlich means.

In the ownCloud Web Interface I first created a folder "Topic1", then a subfolder "Topic1.1" and a second subfolder "Topic1.2" (both under "Topic1"). I can see this structure in the ownCloud Web Interface and I can also see it on my Windows client after synchronization. All is fine for me.

Now I shared "Topic1" with my buddy Matthias, but I didn't give him the right to change anything within "Topic1". He can see now "Topic1" in the Web Interface and in Windows File Explorer. Now I shared the subfolder "Topic1.1" with Matthias and gave him change rights for this subfolder. Now the structure he can see looks strange. He can see (in Web Interface as well as in Windows File Explorer) now at root level "Topic1" and "Topic1.1" and in addition he can see "Topic1.1" within "Topic1". So he can see the real existent structure (folder with subfolder) and additionally the subfolder at root level or in other words: he can see the same folder twice. In my opinion this is not a feature, it is just confusing everybody.

Best regards
Joe

Hello Joe, I fear I understand the issue. We just have not found a proper technical solution for it yet. That's why I stated:
Stay as flat as possible. Follow potential workarounds described above.
Rights inheritance is currently a design concept. Likely we will discuss this in the week of May 14th in Nuremberg, Germany. If you like to join, let me know! Or I hope to see you at the upcoming ownCloud Conference in September: https://owncloud.org/owncloud-conference-2018/

Another possible workaround: Search/Full Text Search ... and another one which I use most often: Private Link ... just that I like to see that you land in the one of the two with the most rights. Right now you would land in the first one the system finds.

Somewhat similar issue here.

I set up a number of subfolders with their own passwords, but if I create a non-password-protected link to the main folder, it bypasses all the passwords.

So this is just how it works?
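
An added example, not part of the thread and not ownCloud code: a small audit that takes a list of shares and flags the two situations discussed above, a user who receives both a folder and one of its subfolders (the duplicated view), and a password-protected public link whose parent folder also has a link without a password. The record layout and sample paths are constructed for illustration; only the permission bits (1 read, 2 update, 4 create, 8 delete) and share types (0 user, 3 public link) follow ownCloud's OCS Share API.

```python
from pathlib import PurePosixPath

# Permission bits and share types as used by ownCloud's OCS Share API.
READ, UPDATE, CREATE, DELETE = 1, 2, 4, 8
USER, PUBLIC_LINK = 0, 3

# Constructed sample data; this record layout is hypothetical, not an ownCloud export.
SHARES = [
    {"path": "/Company", "type": USER, "with": "User1", "perms": READ, "password": False},
    {"path": "/Company/Sub1", "type": USER, "with": "User1",
     "perms": READ | UPDATE | CREATE | DELETE, "password": False},
    {"path": "/CompanyArchive", "type": USER, "with": "User1", "perms": READ, "password": False},
    {"path": "/Projects", "type": PUBLIC_LINK, "with": None, "perms": READ, "password": False},
    {"path": "/Projects/Secret", "type": PUBLIC_LINK, "with": None, "perms": READ, "password": True},
]

def is_inside(child, parent):
    """True if child is a strict descendant of parent, compared by path component."""
    return PurePosixPath(parent) in PurePosixPath(child).parents

def recipient_root(shares, user):
    """Each share is listed separately at the top level of the recipient's view."""
    return sorted(PurePosixPath(s["path"]).name for s in shares
                  if s["type"] == USER and s["with"] == user)

def find_nested_shares(shares):
    """Report child shares that sit inside another share of the same kind."""
    findings = []
    for parent in shares:
        for child in shares:
            if parent["type"] != child["type"] or not is_inside(child["path"], parent["path"]):
                continue
            if parent["type"] == USER and parent["with"] == child["with"]:
                # Same folder reachable twice, with different rights per entry point.
                findings.append(("duplicate-view", parent["path"], child["path"]))
            elif parent["type"] == PUBLIC_LINK and child["password"] and not parent["password"]:
                # Child link asks for a password, parent link does not.
                findings.append(("password-bypass", parent["path"], child["path"]))
    return sorted(findings)

if __name__ == "__main__":
    print(recipient_root(SHARES, "User1"))
    for finding in find_nested_shares(SHARES):
        print(finding)
```

Running such a check before creating a link on a parent folder shows which protected subfolders would become reachable through it.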