Use ownCloud to publish documents for multiple users


#1

Hey all,

We would like to use ownCloud as more of a document publishing repository. I have no problem with using WebDAV (though I am used to a web service API in tools such as DocuWare), except I cannot figure out if ownCloud can do what we need to do.

We would like to have folders set up for our sales people, one per person. Access rights would be determined by various hierarchical rules, like having a sales manager be able to see all the folders of the salespeople under her. A salesperson without any direct reports would only be able to see his own folder, etc. I think ownCloud can set up permissions in this way, but am not sure, so that is the first question:

1. Can ownCloud support complex, multi-level permissions to control file visibility within each user’s root folder?

If so, that is only part of what we need. We would also want to have an uber-user set up so that documents could be placed anywhere in the various user folders without having to use those users’ password credentials (I don’t want to reinvent login credential storage for obvious reasons). In summary, we need to be able to add files to any folder from an over-arching user account, bringing me to question two:

2. Can we set up a user that can see everyone’s files and perform uploads and downloads via WebDAV (or some other means)?

We’d also like all of this to work via HTTPS, utilizing something like the Windows MSXML2.ServerXMLHTTP COM object, as that is how we access many other web services from Visual Foxpro to do tasks such as shipment tracking, Google Geocoding, and consuming DocuWare web services. I have already figured out how to do file uploads and downloads via entry point:

https://{server}/owncloud/remote.php/webdav/

and the remote file structure is then based on whomever I log in as. But, as question 2 indicates, what if I want to log in as the uber-user and be able to upload and download files from any user’s area? I can use the alternate entry point:

https://{server}/owncloud/remote.php/dav/files/{username}/

as listed in the documentation, but when I try to access files from that entry point via straight HTTP requests I run into:

This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.

I have read a couple threads on that response, and it would seem one cannot use the user-specific entry point via straight HTTP requests. That brings me to a final question:

3. If there is a way to assign hierarchical permissions and also a way to create an uber-account with access to everyone’s file areas, what can I use from there to create folder structures and upload/download files across all user accounts?

I see a lot of talk about curl, but don’t really know how I would use that from Visual Foxpro (which is still our primary development tool). That’s why I’d like to use standard HTTP requests where possible, because I know I can get that to work.

Can anyone answer these three questions, even if the answer is simply, “Can’t get there from here.”? I appreciate any and all insight anyone can offer!

Thanks,
Joe Kaufman


#2

In general I’d say it isn’t possible. Each ownCloud user has its own private space, and nobody can access it except the owner (from ownCloud’s perspective).

The closest you can get could be:

  1. Set up an ownCloud account to act as a service account that will hold all the files. This can be any account.
  2. Set the storage quota for the rest of the users to 0 so they can’t upload files in their storages. You might want to fiddle with FS permissions outside of ownCloud so they can’t create folders in their space (be careful with this, as it isn’t officially supported). However, you might want to let them create folders so they can organize the shared files as they want.
  3. The service account can share any file in its space to any user or group with specific permissions.

Note that there are several problems:

  • Each share is treated separately without any hierarchy. Each shared file or folder will appear in the target user’s account.
  • In particular, if you share a folder and, in addition, share a file which is in that folder, the target user’s account will have access to that folder with the permissions set by that share, and also will have access to the file with, maybe, a different set of permissions. Let’s say that if several shares overlap for a particular user, ownCloud won’t do anything.

While there is no uber-account, you might want to try the impersonate app.
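
The service-account approach in the reply above, as an added example that is not part of the original thread: it turns a reporting hierarchy into the WebDAV `MKCOL` and OCS Share API requests the service account would send, sharing each folder read-only with its owner and the managers above them. The hierarchy, the `sales` root folder and the function names are constructed for illustration; Python is used here, but the same requests can be issued from any HTTPS client.

```python
from urllib.parse import quote

BASE = "https://{server}/owncloud"  # placeholder host, written as on the page
SHARES = BASE + "/ocs/v1.php/apps/files_sharing/api/v1/shares"
USER_SHARE = 0   # OCS shareType for a single user
READ_ONLY = 1    # OCS permission bit for read; no update/create/delete/reshare

# Constructed sample hierarchy: person -> direct manager (None = top of the tree).
REPORTS_TO = {"alice": None, "bob": "alice", "carol": "bob",
              "dave": "bob", "erin": "alice"}

def viewers(person, reports_to):
    """Return the person followed by every manager above them, nobody else."""
    chain = []
    while person is not None:
        if person in chain:
            raise ValueError(f"cycle in reporting chain at {person!r}")
        chain.append(person)
        person = reports_to[person]  # KeyError if a manager is not a known user
    return chain

def plan(reports_to, root="sales"):
    """List (method, url, form) requests for the service account to send."""
    requests = [("MKCOL", f"{BASE}/remote.php/webdav/{quote(root)}", None)]
    for person in sorted(reports_to):
        path = f"/{root}/{person}"
        requests.append(("MKCOL", f"{BASE}/remote.php/webdav{quote(path)}", None))
        # Share only the per-person folder, never /sales itself, so no two
        # shares overlap for the same user.
        for user in viewers(person, reports_to):
            requests.append(("POST", SHARES, {"path": path, "shareType": USER_SHARE,
                                              "shareWith": user, "permissions": READ_ONLY}))
    return requests

def visible_folders(user, requests):
    """Folders a user ends up seeing, derived from the planned shares."""
    return sorted(form["path"] for method, _, form in requests
                  if method == "POST" and form["shareWith"] == user)

if __name__ == "__main__":
    for method, url, form in plan(REPORTS_TO):
        print(method, url, form or "")
```

Each share still appears as a separate item in the recipient's account, as the reply notes, so a manager sees a flat list of folders rather than a tree.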


#3

Thanks for taking the time to respond! The idea of a separate account to act as an umbrella over everything and then set up sharing – seems like that could work. Might be more trouble than it is worth, though. In DocuWare we can set up filtered result lists to distribute documents and control permissions, the only problem is that people have to connect via VPN to see the DocuWare server (currently). I have some options to mull over! Thanks!

Joe Kaufman