This feature has been discussed before on owncloud (e.g. https://github.com/owncloud/core/issues/4579) and on nextcloud (e.g. https://help.nextcloud.com/t/subfolders-permissions/10081/4). However, there is no satisfying solution for nextcloud yet (while the pydio and seafile professional editions have this feature).
I think at the minimum a simple subfolder permission setting (e.g. a readonly subfolder within a write-share) could already cover a large amount of use cases where different units of an organisation or business need to access the same files. In view of recent ransomware attacks (e.g. https://help.nextcloud.com/t/cloud-ransomware-protection/14636), this is also a security feature, because the attack surface can be limited (fewer users with write permissions).
As mentioned in https://help.nextcloud.com/t/subfolders-permissions/10081, the file access control already provides the logic to prevent reading files in tagged subfolders. However, file access control doesn't play well with the offline sync client. Also, readonly subfolders are much more common within complex folder structures than blocking access.
If there are no plans by nextcloud itself (?) to implement subfolder permissions as a more sophisticated feature soon, wouldn't it be feasible to put that feature on bountysource? It could be implemented using the existing file access control (use tags to mark readonly subfolders for a certain group/user, and making sure it works well with the offline client).
I am also missing the functionality of readonly content. There should be a possibility to have only write permissions if the user is inside a specific group. Other users should have only readonly permissions. Maybe it could be implemented with a more advanced tag functionality?
So right now, Nextcloud does understand and respect such permissions when they are set in, for example, a Windows Network Drive which is mounted in Nextcloud.
But it isn't a feature in general, for two reasons:
So between decreasing usability and performance vs gaining this feature for the more advanced users, you can probably imagine this hasn't been super high priority. Obviously, if a volunteer wants to work on it or a customer wants to pay for it, it can be done (as anything) but it currently isn't on the road map.
WRT the request from @reneglauser you can certainly share something with two groups, one which has write and one which has only read permissions. But having a user in both groups means that user has write permissions.
Dear Jos, thank you for the clarification.
I understand that a flat sharing model is simpler to understand, but as soon as multiple teams with different responsibilities need to access the same folder structure, it's really hard/impossible to share with different permissions without duplicating/messing up the folder structure.
I read about the samba "hack" but according to the person using it, it has serious performance issues. So I didn't follow it up or try it out.
I've already contacted your colleague Fabian concerning the possibility for a paid implementation, but still waiting for an answer. The minimum requirement for us would be a simple read-only "once per subfolder" permission change in a read/write share. It needs to work with the offline/sync clients, and in the future, encrypted folders of course :). Can the existing (private/hidden) tag and file access control logic be used? It seems the fastest way to this feature.
I still think this feature is an absolute must as soon as multiple teams with different responsibilities want to work in one folder structure.
@chaos-prevails you're right that this is a must-have when you want to maintain one folder structure and have to prevent people from making changes.
Usually, though, you don't per-se have to work in one folder structure and you don't distrust your employees (why did you hire them if you don't trust them?). But if in your use case this is needed, we'll have to see how we can help you.
WRT performance issues on WND, it does incur a performance hit but if it is very serious that would be bad. Either case, Fabian should be able to find a way to help. If it seems to get lost, let me know - catch me on my first name at the Nc server, just like fabian ;-)
As described by the referenced issue (#7220) an exclusion of sub(sub)-folders would also be awesome instead of just readonly :-)
I think such a feature is very welcome in companies :-)
@Ninos then I suggest to contact one of our sales representatives 👍
We have no requests from (potential) customers right now so I don't see this happen.
@jospoortvliet I've installed and managed NC for lots of NGOs & also for two small companies and all these organisations asked for that feature. They were forced to enable complete folder-access instead of removing some subfolders for some customers.
So if you're searching for money, I cannot send you relevant customer requests (NGOs mostly have no money), but I'm sure if some small companies and NGOs are asking for such a feature, there's potential usage of it in big companies.
@jospoortvliet Fabian wrote me in an email last year in September that the effort would easily exceed 100 man days. That is equivalent to 3-4 months and 15.000-20.000 EUR, I guess. Just to put a figure on it.
But what does this implementation comprise? Subfolder permissions like you find in local file systems?
As I already wrote, I think a vast majority of use cases might be covered by simple read-only subfolders within a read-write share. Plus, there is the file access control already preventing access to subfolders which could be used as a starting point.
While I still have to find use-cases for some of the file access control features (e.g. how many companies really need to prevent access to a certain subfolder from a certain IP range? That distinction might already be there on the user-level), read-only subfolder need is much more common (e.g. different departments within a org/company needing access to one folder structure).
No questions, 15-20.000EUR is too high for small companies or NGOs. But what would be your estimate for a simple read-only subfolder feature within read-write folders (e.g. administered within the file access control)?
BTW: my IT budget for 2018 has one line saying "read-only subfolders in nextcloud". Whether I can spend it this year is just a question of Nextcloud starting a bounty describing the feature in detail and putting a price tag on it.
@chaos-prevails I wonder, considering you ask read-only, why is mounting a Windows Network Drive not suitable? Nextcloud respects the access rights in it, and admins can just change the rights in the underlying WND.
WRT what this needs - the main issue is that it would require querying deep in the virtual file system for every folder access, something we don't need right now. That would need some serious performance work or it becomes dog slow. That is why it would take so much time. If there was a bunch of customers that asked for it we'd still be able to do it I suppose, but I can imagine it is too much for one customer.
We're quite busy, though one of our main limitations right now is how hard it is to find good sales people. Help us find one, we just might do this feature for free out of gratitude - at least share perhaps our sales job on linked-in!
We have discussed this feature some times, so I suspect it comes some day, but having customers ask for it helps of course. And wrt the NGO's - we really LIKE working with charitable organizations, we consider ourselves a company-that-does-good, and you know - it is karma. So we give good discounts just so we can help! Always worth a conversation, really.
@jospoortvliet because it complicates things. I would either need to join the NC server to our domain, or put all files onto a windows file server. I frown upon the first, and dislike the second.
It's just that I see the file access control can deny access to sub-folders of a share, so I thought adapting that feature for read-only access might not be too much work.
I do my best advocating nextcloud. The world's data is very quickly transferred into proprietary technologies. There is a strong movement towards encryption, and re-owning your data, especially in the NGO world! :)
Based on the source code of file access control, I've created a simple file edit control that allows you to deny modifications instead of blocking all access.
https://github.com/linhtinh11/files_editcontrol
Both file access control & file edit control can be used together to get full control.
@linhtinh11 would be awesome also to get some functionality for removing subfolder access (read permissions) in that app :-)
@Ninos you can combine both file access control & file edit control to get it.
@linhtinh11 creative solution!
See linhtinh11's solution