Simplify Advanced Permissions. #655
Comments
It should not be possible to use the ACL to add permissions for someone who has never been granted that permission on the group. Allowing this (a) breaks the security model of group folders being something with an element of central control and (b) can be dealt with by explicitly allowing a person or group the share permission.
The obvious fix for this would be to use the sharing feature (independent of groupfolders) and have the files app display the path to the shared directory, so users can see the relation of the "Accounting" dir by looking at the full path ("IT-Department/Accounting").
It sounds like this is the problem also described in #1212. A potential fix is in #1654.
Is it correct that I cannot give several groups read on the main folder and then use advanced ACLs to add write on some subfolders to some of those groups? The GUI lets me do that, but it does not work.
I will try to review the potential fix tomorrow :)
I think this should work, if you grant maximum permissions (e.g. write) in the "normal" group folder permissions. Then restrict the permissions to "read" using ACL on the root folder. Then grant write permissions for the subfolder and group you like. This is what is described in the quote from @icewind1991 above and I successfully used this workflow.
I hit that exact same issue today. I gave "group1" only read rights in the group folders settings and gave "group1" write rights via ACL on some sub-folders. It didn't work. I sprinkled the PHP code with debug logs trying to find out why it doesn't work. It took me the whole day until I stumbled across this issue. If adding permissions via ACLs that aren't allowed on group folder level should not work by design, then it should also not be possible to configure it this way via the GUI. It would have saved me a day.
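The two configurations from the comments above, as an added example that is not part of the thread or the groupfolders code base: a simplified single-group model in which folder-level permissions act as a ceiling and the deepest ACL rule on the path wins. The path names and the READ/WRITE bit values are constructed for illustration, and merging of rules across several groups is not modelled.

```python
# Simplified model of the behaviour described in this thread.
# Assumptions (not taken from the groupfolders source): two permission
# bits, one group per user, and an ACL rule that replaces the inherited
# value as a whole instead of per bit.
READ, WRITE = 1, 2

def acl_for(path, acl_rules, group):
    """Walk from the root down to `path`; the deepest rule for `group` wins."""
    granted = READ | WRITE  # no ACL rule on the path: nothing is restricted
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    for prefix in prefixes:
        if (prefix, group) in acl_rules:
            granted = acl_rules[(prefix, group)]
    return granted

def effective(path, folder_perms, acl_rules, group):
    """Folder-level permissions are a ceiling: an ACL can only remove bits."""
    return folder_perms.get(group, 0) & acl_for(path, acl_rules, group)

def can_write(path, folder_perms, acl_rules, group):
    return bool(effective(path, folder_perms, acl_rules, group) & WRITE)

# Constructed configuration matching the report: read at folder level,
# write added through an ACL on a subfolder. The ACL grant has no effect.
FAILING = (
    {"group1": READ},
    {("/sub", "group1"): READ | WRITE},
)

# Constructed configuration matching the workaround: maximum permissions at
# folder level, ACL on the root restricts to read, ACL on the subfolder
# grants write again.
WORKAROUND = (
    {"group1": READ | WRITE},
    {("/", "group1"): READ, ("/sub", "group1"): READ | WRITE},
)

if __name__ == "__main__":
    for name, cfg in (("failing", FAILING), ("workaround", WORKAROUND)):
        for path in ("/sub/file.txt", "/other/file.txt"):
            print(name, path, "write" if can_write(path, *cfg, "group1") else "read-only")
```
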
The way the Permissions in Group Folders with Advanced Permissions are implemented now is confusing to admins and users.
I see two main issues:
@icewind1991 :
This workaround has other undesired side effects. Admins (configured to have full access in group permissions) that are also in a group that should only have read access (ACL Rule) are denied write in this group folder.
My proposal: When "Advanced Permissions" is activated, the "normal" permissions in the Group Folder settings should be the default ACL.
It should be possible to grant additional permissions to users that are not in a group configured on the group folder.
@icewind1991:
This would be a very useful feature to have. I expected that I can add read permission on a subfolder and the recipient would then see the same path to that subfolder instead of having the subfolder now directly in his home folder.
My use case: Groupfolder for IT-Department, but I'd like to share the Accounting subfolder to another person without giving that person read access for the whole IT-Department groupfolder, but see that it's IT-Department/Accounting.
Other example:
Groupfolder Photos. Subfolders Switzerland/Youth, Switzerland/Children and Germany/Youth. Now a photographer should have access to the Youth Photos of Switzerland and Germany, but not to the Children Photos. If I share the Youth folder directly, he will have two "Youth" folders (or a conflict) in his Home-Folder.
Would this be possible to implement?