
External user support to collaborate on shared areas

Open labkode opened this issue 4 years ago • 3 comments

As a manager of my site I want users to collaborate together independently of their affiliation.

Scenario:

Our IdP can federate accounts from different management systems (LDAP for internal CERN accounts), Social logins (FB, Google, ...) and federated auth (EduGain).

Currently we only allow CERNBox users to share with other CERNBox users using the normal sharing. Users are left with public links to share with external users. However, this is not practical when collaboration spans among many users.

We need users to be able to log in with lightweight accounts (social login, edugain) to OCIS BUT they are not granted a personal home space and storage quota. The only way for these users to modify data is through the "Shared with me" and project spaces (that belong to another user and account for the quota of the owner).

This feature requires work in areas that are beyond OCIS web:

  • Extend CS3APIs to differentiate the type of account
  • Adapt OCIS Web to disable "Your files" area and only show shared and project spaces.

labkode avatar Feb 04 '21 15:02 labkode

Hm, they would be granted access to the storage spaces that were shared with them ... Something related to a more dynamic storage registry that is able to answer the question "What storage spaces does userx have access to". With https://github.com/cs3org/cs3apis/pull/95 we could create a storage space with quota 0 ... and type guest. When executing GetHome we can then omit the storage space ...

To identify guests, the login page (or the desktop/mobile app) would take the email only. A discovery can locate the responsible IdP and ocis instance using a ./well-known mechanism. If no idp is known the ocis instance can serve as a fallback to tell the client which idp to use, e.g. the local one, because guests need to be identified by an idp as well. ocis provides glauth to make guest accounts available via LDAP.

Hm I need to think on this to clarify ... sorry

butonic avatar Feb 04 '21 16:02 butonic

@labkode @butonic could you update this ticket according to how things have evolved around the Spaces concepting in Reva (which I think is what originally would make this possible)?

pascalwengerter avatar May 18 '21 13:05 pascalwengerter

relates to https://github.com/owncloud/web/pull/9159/commits/9c37d8cfa80a7fd3dafc50e14df8647ea1cf3680 and https://github.com/owncloud/web/issues/4707

tbsbdr avatar Jun 12 '23 12:06 tbsbdr

@kobergj isn't this basically supported with Light user? So could we close it? Or am I misunderstanding it and Light user is not enough?

LukasHirt avatar May 29 '25 12:05 LukasHirt

Yes. Exactly. Light users should do the trick for now 👍 Closing this.....

kobergj avatar May 30 '25 07:05 kobergj