groupfolders icon indicating copy to clipboard operation
groupfolders copied to clipboard

Published 20 hours ago โ€ข verified publisher icon nextcloud

Have a virtual group "all" for the advanced permissions

Open schiessle opened this issue 1 year ago โ€ข 4 comments

When using group folders it happens to me regularly I want to remove from everyone the write permissions, e.g. that they can't accidentally break my documents.

What I'm doing at the moment:

  1. I remove for every group with access to the group folder the "write" and "delete" permissions
  2. I add for myself all permissions again

This has some obvious shortcomings:

  1. If the admin give later additional groups access to the folder they are not covered and can edit my documents
  2. If a lot of groups have access to the folder it is quite some work to remove the rights from each group

Proposed solution:

The "advanced permissions" drop-down has a virtual group called "all users". This way I can modify the access rights for everyone with one click.

schiessle avatar Jan 23 '24 10:01 schiessle

I've never used it, but you might find the apps Everyone Group or Auto Groups useful as an alternative.

anoymouserver avatar Jan 23 '24 18:01 anoymouserver

@schiessle can you elaborate on shortcoming 1? I don't really understand the problem. As for 2 we could improve the way you can change permissions, e.g. bulk changing by clicking on a column or shift-drag selection.

provokateurin avatar Sep 17 '24 19:09 provokateurin

@provokateurin Thanks for looking into the issue!

The shortcoming is simple. You have a large instance, many users and groups. You have a shared group folder, let's say a company wide folder for all company related files. Now you want to allow only a single person or group access to a subfolder. At the moment. You have to do the following:

  1. Deny all groups access to the subfolder which also means that you need to know all groups with access to the group folder. This is already a impossible assumption, but if you know all groups this can be already a huge list of advanced permissions you have to create one by one
  2. Than you have to grant the specific group/persons access rights again
  3. Whenever a new group is introduced after you configured the advanced permissions they will have access to the subfolder. You and everyone else who manages advanced permissions would always need to remember all folders they configured this way, get to know that a new group was introduced and adjust the advanced permissions, hopefully really fast so that people don't get access to files they shouldn't access -> error prone and simply not possible.

This would be solved if the advanced permissions would know a virtual group "all users", where In can set the permissions for all users without knowing anything about user and group structure on the system and without having to worry that something changes to the user/group structure.

I hope this makes it clear.

schiessle avatar Sep 19 '24 07:09 schiessle

Ok I understand now, but I don't know if this is something we can fix this way. We will need to take a closer look later when we actually try to implement this.

provokateurin avatar Sep 19 '24 08:09 provokateurin