Grant read permission to parent folders if access is granted to a nested folder

Open vithusel opened this issue 1 year ago • 3 comments

Proposed change

Background

I'm going to be making a solid attempt at making Group Folders ACLs behave more like Windows ACLs.

The current implementation of Group Folders doesn't carry logic to automatically pass read permissions up to the parent folder whilst denying any other folders along the route, whilst most other enterprise products allow for read permission being set on a direct path to a sub-folder (Read overrides Deny in a straight path). So currently you won't be able to see any sub-folders along the path to the folder you are trying to share.

Usage Scenario

  • Two groups: users and admins, some admins are also in users.
  • Folders: for_all - accessible to all, admins_only - only accessible to admins

Currently required permission setup

  • grant users read to '/' so they can see 'for_all'
  • grant admins all to '/'
  • grant users all to 'for_all'
  • revoke users read to 'admins_only' so they cannot see it despite inherited access
  • grant admins all to 'admins_only' so admins who are also users still can access it.

Permission setup with implicit read for parent folders

  • grant admins all to '/'
  • grant users all to 'for_all'

Possible Implementation

I still need to study the code a bit more as there might be a simpler or cleaner fix, but I think adding this logic to the ACL Manager might be a good start (once I've had a chance to have a better look and make sure it makes sense).

Code for ACL Manager
    public function getACLPermissionsForPath(string $path): int {
        $path = ltrim($path, '/');
        $rules = $this->getRelevantRulesForPath([$path]);

        // Check if the path contains the subfolder with "allow" permission
        if ($this->containsSubfolderWithAllowPermission($path, $rules)) {
            return $this->setPermissionsForPathAndParents($path, Constants::PERMISSION_READ);
        } else {
            // If not, restrict access to other subfolders
            return $this->setPermissionsForPathAndSubfolders($path, Constants::PERMISSION_NONE);
        }
    }

    private function containsSubfolderWithAllowPermission(string $path, array $rules): bool {
        // Check if any rule in the path allows access
        return array_reduce($rules, function ($carry, $rule) {
            return $carry || $rule->getPermissions() === Constants::PERMISSION_ALL;
        }, false);
    }

    private function setPermissionsForPathAndParents(string $path, int $permissions): int {
        // Set "read" permissions for the current path and its parents
        $relevantPaths = $this->getRelevantPaths($path);
        $rules = $this->getRules($relevantPaths);

        // Apply permissions up to the root
        return $this->calculatePermissionsForPath($rules, $permissions);
    }

    private function setPermissionsForPathAndSubfolders(string $path, int $permissions): int {
        // Set restricted permissions for the current path and its subfolders
        $rules = $this->getRules([$path]);

        return $this->calculatePermissionsForPath($rules, $permissions);
    }
}

Considering ACL Manager deals with calculating all folder permissions, it seems like the logical place to implement this new logic. However, this may require users to completely reconfigure all current setup permissions.

I've had a search but nested folder access seems to be a complicated subject. Would the Devs even approve a PR for a change like this? I'm prepared to also invest some money into getting this working with this logic as it'll save most of us a massive headache hosting our own servers as well as the enterprise users.

vithusel Oct 11 '23 23:10
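
The permission model this issue proposes, written out as a stand-alone sketch. It is an added example, not the issue author's code and not groupfolders code. It assumes rules keyed by path and group, that grants from several groups combine with OR, and that implicit read applies only to folders on the direct path to a readable rule, so `admins_only` stays hidden from plain `users`.

```php
<?php
// Added sketch (PHP 8+), not groupfolders code; constant values, function names
// and the rule layout are assumptions made for this example.
const PERM_NONE = 0;
const PERM_READ = 1;
const PERM_ALL = 31;
// Constructed rules for the usage scenario: path => [group => permissions].
$rules = ['' => ['admins' => PERM_ALL], 'for_all' => ['users' => PERM_ALL]];

// Nearest rule on $path or an ancestor that names one of $groups (null if none).
function inheritedPermissions(array $rules, array $groups, string $path): ?int {
    while (true) {
        $matches = array_intersect_key($rules[$path] ?? [], array_flip($groups));
        if ($matches) {
            return array_reduce($matches, fn($c, $p) => $c | $p, PERM_NONE);
        }
        if ($path === '') {
            return null;
        }
        $path = substr($path, 0, (int) strrpos($path, '/')); // step to the parent
    }
}

// Read that is granted or inherited wins. Without it, a folder on the direct
// path to a readable descendant gets read only; anything else stays as it was.
function effectivePermissions(array $rules, array $groups, string $path): int {
    $explicit = inheritedPermissions($rules, $groups, $path) ?? PERM_NONE;
    if ($explicit & PERM_READ) {
        return $explicit;
    }
    $prefix = $path === '' ? '' : $path . '/';
    foreach ($rules as $rulePath => $byGroup) {
        $granted = array_intersect_key($byGroup, array_flip($groups));
        $reads = array_reduce($granted, fn($c, $p) => $c | $p, PERM_NONE) & PERM_READ;
        if ($reads && $rulePath !== $path && str_starts_with((string) $rulePath, $prefix)) {
            return PERM_READ;
        }
    }
    return $explicit;
}

// Listing stays filtered, so siblings of the granted folder remain hidden.
function visibleChildren(array $rules, array $groups, string $parent, array $names): array {
    $prefix = $parent === '' ? '' : $parent . '/';
    return array_values(array_filter($names,
        fn($n) => effectivePermissions($rules, $groups, $prefix . $n) & PERM_READ));
}

var_dump(effectivePermissions($rules, ['users'], ''));
print_r(visibleChildren($rules, ['users'], '', ['for_all', 'admins_only']));
```

The point to check in any real implementation is the last function: implicit read on a parent must expose only the entries that lead to the granted folder, never the parent's other children.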

I am running Group folders by Robin Appelman AGPL-licensed 16.0.1 on NC V.28 and "add advanced permission rule" is not showing. Can anyone help me out?

Related resources Anything shared with the same group of people will show up here

Innky-Joe Jan 11 '24 11:01

I am running Group folders by Robin Appelman AGPL-licensed 16.0.1 on NC V.28 and "add advanced permission rule" is not showing. Can anyone help me out?

Related resources Anything shared with the same group of people will show up here

Is advanced permissions ticked and provided to your user/group in settings/group folder?

vithusel Jan 11 '24 12:01

@vithusel Thanks a lot for your proposal. Especially the granting of read access for parent folders would be very useful to reduce the need for explicit ACLs I believe. I'll try and make the issue description and title more focused on that. Hope that's fine with you.

max-nextcloud Mar 13 '24 13:03