New core setting : shareapi_only_share_with_group_members_exclude_gro… #38173
Conversation
|
Hey, thanks for the pull request. After a quick glance, it seems to look good, but before diving into it further:
|
smarinier
force-pushed
the
feature/37677/exclude-some-groups-from-sharing-with-users
branch
from
645b896
to
4a8a75b
Compare
smarinier
force-pushed
the
feature/37677/exclude-some-groups-from-sharing-with-users
branch
from
2749cd1
to
ae29849
Compare
Hi @artonge 🙂 I edited the first comment to answer you 🙂 I think we have achieved our goals ? If this Pull Request it's okay for you. Do you think it's possible to backport it to the stable25 ? |
apps/settings/l10n/en_GB.json
Outdated
| } |
There was a problem hiding this comment.
Please revert the change, same with apps/settings/l10n/fr.json
|
You will have to be really careful with the wording, because it was not clear to me at all before seeing the screencasts. I thought this was about allowing some users to share with everyone (not be restricted). But this is the other way around, it’s about restricting even more. |
| <p id="selectShareWithGroupMembersExcludeGroups" class="indent <?php if (!$_['onlyShareWithGroupMembers'] || $_['shareAPIEnabled'] === 'no') { | ||
| p('hidden'); | ||
| } ?>"> | ||
| <em><?php p($l->t('Exclude some groups from sharing with users in their group')); ?></em> |
There was a problem hiding this comment.
People in these groups are still allowed to share stuff, so the wording is unclear I think.
lib/private/Share20/Manager.php
Outdated
| $excludeGroups = $this->config->getAppValue('core', 'shareapi_only_share_with_group_members_exclude_group_list', ''); | ||
| $decodedExcludeGroups = json_decode($excludeGroups, true); | ||
| return $decodedExcludeGroups ?? []; |
There was a problem hiding this comment.
This logic appears at least 5 times in this PR, may be the time for adding a getAppValueArray method in IConfig.
There was a problem hiding this comment.
There is no getAppValueBool, getAppValueInt, aso... I think it would be disturbing to have only this very specific method in an interface. But i think you're right, if you consider all the getAppValue(...) == 'yes', there is a need on getting settings. But maybe it should be handled in a dedicated PR ?
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Hi @come-nc 🙂 In fact, we wish to add an additional option to the Sharing settings available for the instance admins (Settings > Administration > Sharing). One of the current available option is "Restrict users to only share with users from their groups" If the box for this setting is checked, we would like to add a selection field + text below this setting:
We believe this concept would be beneficial to the administration of Nextcloud. In this example, the organization could check the setting "Restrict users to only share with users in their groups" and use a “Guest” group in their LDAP to group all their external users. This LDAP Guest group would then be created in Nextcloud, meaning all the guests would be able to see each other, even though they are not from the same companies. This represents a loss of privacy. And this is only one example among many others. One more, the issue linked to this PR has been reviewed @nimishavijay and it was she who proposed the wording in this issue : #37677 . |
|
I updated the screenshot where we can see I added the DSI and RH groups in the first comment |
The wording is quite tricky with this one, agreed there. Alternative wording:
@jancborchardt or @szaimen for help? The use case is quite specific but it seems to make sense to me. Another idea for managing permissions for groups is from the user management page, by having a settings for each group. This proposal seems like a quick fix. |
nickvergessen
added
the
pending documentation
Then again this is not true, they will be able to share with each other but only if they are both members of another group.
I understand this example and can see cases where you even have some kind of What about using "ignore" rather than "exclude" in the wording? "Ignore these groups for the sharing restriction" or something. And by the way, wording can be fixed later but the variable name also needs to be clear so that we understand the code when we read it. |
There was a problem hiding this comment.
Further wording adjustment, based on @nimishavijay’s suggestion. Note we want to switch over from the word "users" to either "people" or "accounts", whichever fits better. (In this case it’s "accounts" as it’s technical.)
Limit accounts to share only within their groups
Members of selected groups will be restricted to share only with people in the same group
[ Select groups ]
Does that explain it well?
No, this is not what the new option does. So if you are in groups A, B and C. |
|
Hm ok, in that case I am questioning the use-case of this feature. If the main case as described in the issue is to prevent guests from sharing among each other, it should not be so generic, and just be called:
(Possibly with a good default set) Also cc @AndyScherzinger @schiessle regarding Files planning as this seems yet another complex feature addition for sharing. |
|
For us to act on this within our plannings we would need to fully understand the use case and agree on having it added. |
|
I think the guest group is one example. |
|
Hello, Thank you for all the feedback! Here are our answers on the different questions raised: Regarding the wordingRegarding the wording, our proposal lacked clarity. Wee think the proposal of @come-nc is more relevant:
About the use caseAbout the use case: many companies using Nextcloud can be notable providers for various customers (like consulting firms ). If a company uses its Nextcloud with different customers, they should not be able to see each other for privacy reasons (especially in the field of shares). However, for management or access rights reasons, it can be convenient for administrators of a Nextcloud platform to define "functional" or "management" groups. These groups gather users and allow to manipulate several of them at once. However, these "functional" or "management" groups are not intended for users to see each other. This can sometimes be prohibitive to the use of the Nextcloud service. Concrete examples:
Even if these example cases might not seem common at first , there remains an existing use case which needs to be addressed to allow a more flexible use of Nextcloud, adapted to different contexts, and as secure and confidential as possible. Regarding Nimisha's proposalRegarding Nimisha's proposal: I hope that my answer and my different arguments will be clear enough, I will answer your questions if there are any misunderstandings. |
|
Hi! Do you need more information regarding my last message to understand this PR? |
|
Thank you for the clarification @dorianne-arawa! :) That now makes more sense. @AndyScherzinger @schiessle what do you think about the explanation in #38173 (comment) ? |
|
Hi @jancborchardt , @come-nc and @artonge, I think we've taken in account all the discussion concerning the wording, and other remarks. Do you think you could have a look on this ? Thanks a lot |
Nextcloud bot could not build as far as I can see. Do you want to build assets manually ? |
Please do, and also squash your commits |
I will build assets this morning. What is the good practice for this command ? Squash all "Merge branch" commits ? Squash all feature commits ? |
This is only to have a cleaner git history. You can try: git reset --soft HEAD~3
git commitWhere 3 must be replaced by the number of commits you want to squash. In your case, probably 18. |
I don't think it's a better solution to use the However, I have to get to It's very strange, because, when I use the I can't get our first commit I get commits that don't belong to us, for example : |
zak39
force-pushed
the
feature/37677/exclude-some-groups-from-sharing-with-users
branch
from
eabe8d2
to
936cd96
Compare
|
@artonge it's okay now 👍 |
|
Thank you a lot @skjnldsv for your help 🙏 |
|
@zak39 Node CI is still failing. |
zak39
force-pushed
the
feature/37677/exclude-some-groups-from-sharing-with-users
branch
3 times, most recently
from
d9e3713
to
46ba22e
Compare
zak39
force-pushed
the
feature/37677/exclude-some-groups-from-sharing-with-users
branch
3 times, most recently
from
1ea9062
to
4cbe596
Compare
| @@ -63,6 +63,7 @@ | |||
| $excludedGroups = $this->config->getAppValue('core', 'shareapi_exclude_groups_list', ''); | |||
| $linksExcludedGroups = $this->config->getAppValue('core', 'shareapi_allow_links_exclude_groups', ''); | |||
| $excludedPasswordGroups = $this->config->getAppValue('core', 'shareapi_enforce_links_password_excluded_groups', ''); | |||
| $onlyShareWithGroupMembersExcludeGroupList = $this->config->getAppValue('core', 'shareapi_only_share_with_group_members_exclude_group_list', ''); | |||
Check notice
Code scanning / Psalm
DeprecatedMethod Note
|
@zak39 Have you properly rebased? Looks like there is some merge conflicts left. |
It's strange ! I rebased correctly yesterday. I try rebase again now to see. |
Signed-off-by: Baptiste Fotia <[email protected]>
I added our context in the unit tests following the advice of Louis. Link : nextcloud#43186 (comment) Signed-off-by: Baptiste Fotia <[email protected]>
Signed-off-by: Baptiste Fotia <[email protected]>
Signed-off-by: Baptiste Fotia <[email protected]>
zak39
force-pushed
the
feature/37677/exclude-some-groups-from-sharing-with-users
branch
from
4cbe596
to
2f64411
Compare
|
Drone CI is waiting as this is a PR from a fork, but it is green in this PR: #43186 |
|
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 |
|
Oooh good, thanks @artonge 🙏 Let's keep our an appointment or it's not necessary ? |
…up_list (issue #37677)
Summary
This implements new settings 'shareapi_only_share_with_group_members_exclude_group_list' wich complements the actual boolean setting 'shareapi_only_share_with_group_members'. Indeed the admin may need to isolate some specific groups (eg admin groups) from this consideration of "we can share each others".
Screenshots
Here is the list of users with their groups.
In the demonstration, I log in with the alice's account and she is in the "DSI" and "Groupe A" groups.
Before
From the Settings > Sharing page.
I checked "Restrict users to only share with users in their groups" in the checkbox.
As "alice", I would like to share my "Project-A" folder.
alice-search-users-before.webm
After
But, I would like, as "alice", to list the users who are in the same group as me to share my folder... Except for some groups where I wouldn't want to list those users.
So, from the Settings > Sharing page.
I checked "Restrict users to only share with users in their groups" in the checkbox... and a search bar appears.
I enter the groups I don't want to see in the shares.
In the example, I enter the "DSI" and "RH" groups.
As "alice", I would like to share my "Project-A" folder.
alice-search-users-after.webm
And now, I cannot see the user "john" because he is in the DSI group. And yet, we are in the same group.
TODO
*apps/dav/lib/DAV/GroupPrincipalBackend.php
Checklist