Simplify Advanced Permissions.

[pgassmann]

The way the Permissions in Group Folders with Advanced Permissions are implemented now is confusing to admins and users.

I see two main issues:

1. Two levels of permissions when "Advanced Permissions" is activated.

@icewind1991 :

Advanced permissions currently cannot allow permissions that are denied in the "normal" permissions.

To get the behaviour you have to allow the permissions to the group in the group settings and then deny them using advanced permissions on the root of the folder. You can then re-allow the permission for any child folder

This workaround has other undesired side effects. admins (configured to have full access in group permissions) that are also in a group that should only have read access (ACL Rule) are denied write in this group folder.

My proposal: When "Advanced Permissions" is activated, The "normal" permissions in the Group Folder settings should be the default ACL.

2. Issue: Add Additional Rights in Advanced Permissions.

It should be possible to grant additional permissions to users that are not in a group configured on the group folder.

@icewind1991:

If a user doesn't have read permissions on a folder there is no way for him to see and of the contents inside of it, and thus adding read permissions back in a subfolder is useless since the user will never be able to reach the subfolder in the first place

This would be a very useful feature to have. I expected, that I can add read permission on a subfolder and the recipient would then see the same path to that subfolder instead of having the subfolder now directly in his home folder.
My use case: Groupfolder for IT-Department, but i'd like to share the Accounting subfolder to another person without giving that person read access for the whole IT-Department groupfolder, but see that its IT-Department/Accounting
Other example:
Groupfolder Photos. Subfolders Switzerland/Youth Switzerland/Children and Germany/Youth, now a photographer should have access to the Youth Photos of Switzerland and Germany, but not to the Children Photos. If I share the Youth folder directly, he will have two "Youth" folders (or a conflict) in his Home-Folder.

Would this be possible to implement?

[putt1ck]

It should not be possible to use the ACL to add permissions for someone who has never been granted that permission on the group. Allowing this (a) breaks the security model of group folders being something with an element of central control and (b) can be dealt with by explicitly allowing a person or group the share permission

[fschrempf]

This would be a very useful feature to have. I expected, that I can add read permission on a subfolder and the recipient would then see the same path to that subfolder instead of having the subfolder now directly in his home folder.
My use case: Groupfolder for IT-Department, but i'd like to share the Accounting subfolder to another person without giving that person read access for the whole IT-Department groupfolder, but see that its IT-Department/Accounting

The obvious fix for this would be to use the sharing feature (independent of groupfolders) and have the files app display the path to the shared directory, so users can see the relation of the "Accounting" dir by looking at the full path ("IT-Department/Accounting").

[fschrempf]

This workaround has other undesired side effects. admins (configured to have full access in group permissions) that are also in a group that should only have read access (ACL Rule) are denied write in this group folder.

It sounds like this is the problem also described in #1212. A potential fix is in #1654.

[gvansanden]

Is it correct that I cannot give serveral groups read on the main folder and then use advanced ACL's to add write on some subfolders to some of those groups? The GUI let's me do that, but it does not work.

[CarlSchwan]

This workaround has other undesired side effects. admins (configured to have full access in group permissions) that are also in a group that should only have read access (ACL Rule) are denied write in this group folder.

It sounds like this is the problem also described in #1212. A potential fix is in #1654.

I will try to review the potential fix tomorrow :)

[fschrempf]

Is it correct that I cannot give serveral groups read on the main folder and then use advanced ACL's to add write on some subfolders to some of those groups? The GUI let's me do that, but it does not work.

I think this should work, if you grant maximum permissions (e.g. write) in the "normal" group folder permissions. Then restrict the permissions to "read" using ACL on the root folder. Then grant write permissions for the subfolder and group you like.

This is what is described in the quote from @icewind1991 above and I successfully used this workflow.