Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend permission assignment possibilities #763

Closed
wants to merge 10 commits into from

Conversation

nenadalm
Copy link
Contributor

@nenadalm nenadalm commented Feb 14, 2020

this pr includes #761

new featues:

  • it is now possible to stop inheritance of advanced permission (there is "inherit" checkbox for that)
  • it is possible to deny permissions to everyone by default, permission has to be granted using advanced permissions in that case (there is new "Default policy" select for this in settings)
  • until now, there were admins that could manage permissions on files they had access to. There are new superadmins (currently it's only users in admin group - but multiselect can be added same way as for admins) that have read access to the whole group folder (recursively) so that if all permissions are denied by default, they can still manage them.

existing issues this will might solve:

please check if this pr solves Your problems. We are evaluating if it solves ours. In case functionality is ok, it might be wise to do some performance optimizations - might look into it later if it works as expected.

Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
@janpekar
Copy link

It solves problems for me. Creating nested groupfolders is no longer required.
I can create group folder and set Advanced permission for group, that has access which is not "inheritable" so subfolders hasn't that permission. For this to work is necessary "Allow access" feature because global group permissions set for group folder allow access for all members of that groups.

- inherited acls cannot be removed
- if non inherited acl is removed, inherited acl takes it's place if any


Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>

# Conflicts:
#	src/client.js
#	src/components/SharingSidebarView.vue
#	src/model/Rule.js
Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
…ced permissions are enabled

Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
Signed-off-by: Miloslav Nenadal <nenadalm@gmail.com>
@nenadalm nenadalm changed the title [wip] Extend permission assignment possibilities Extend permission assignment possibilities Feb 18, 2020
@nenadalm nenadalm requested a review from juliusknorr February 18, 2020 13:14
@juliusknorr juliusknorr added 3. to review Items that need to be reviewed enhancement labels Feb 18, 2020
@juliusknorr
Copy link
Member

it is possible to deny permissions to everyone by default, permission has to be granted using advanced permissions in that case (there is new "Default policy" select for this in settings)

I was wondering if we should do this on a per group level (similar to how the read/write/delete default permissions are set). We also should think about if we need to handle the root folder differently here, since otherwise you always need to add an ACL for the root itself first to make sure it shows up in the users home.

until now, there were admins that could manage permissions on files they had access to. There are new superadmins (currently it's only users in admin group - but multiselect can be added same way as for admins) that have read access to the whole group folder (recursively) so that if all permissions are denied by default, they can still manage them.

I'm not entirely sure if the current code properly prevents users to adjust ACLs if they have limited access to a path due to other ACL limitations. Splitting users who can manage ACL and admin users adds a new level of complexity here, so for now I'd like to stick with the approach that there is no limitation for users who can manage ACLs and give those full read access to avoid unexpected behavior here.

@nenadalm
Copy link
Contributor Author

nenadalm commented Mar 2, 2020

it is possible to deny permissions to everyone by default, permission has to be granted using advanced permissions in that case (there is new "Default policy" select for this in settings)

I was wondering if we should do this on a per group level

We need to deny access by default and since it's just different way of doing it, I don't mind. Should I change that?

In case of using different policy for different groups I think my mind would blow up when trying to set permissions, but I have no intentions on doing so :)

We also should think about if we need to handle the root folder differently here, since otherwise you always need to add an ACL for the root itself first to make sure it shows up in the users home.

Since it's consistent with other folders, I think it's fine.

Maybe if users have some permissions on sub folders/files then these users should have read access to root as well? If so, should this work also for other folders other than root? Say there is file /root/f1/f2/file and somebody adds read access to file to user? Should user have automatically read access on f2, f1 and root? I would prefer if root wasn't special folder - less things to keep in mind.

I'd like to stick with the approach that there is no limitation for users who can manage ACLs and give those full read access to avoid unexpected behavior here.

ok. I'll change that.

cc @janpekar

@jeltevdw
Copy link

What is the status of this pull request? It seems to be a very useful function.

@pierreozoux pierreozoux added the feature: acl Items related to the groupfolders ACL or "Advanced Permissions" label Mar 14, 2021
@Prometheorum
Copy link

Does this pull request still have a chance to be merged? This PR would allow much easier managment of group folders with high member count and complex permission structures.

@fschrempf
Copy link
Contributor

I don't think this PR has the potential to be merged in its current state. This doesn't mean that it doesn't add value. But rather than applying a pile of changes to cover multiple different issues, we probably want to work out the single points that need to be improved or fixed in the according issues and find solutions for each one separately.

We need to find solutions that don't add too much complexity and don't introduce too many (best: none) new user options that affect the overall behavior. Better fix the default behavior for all users instead.

One of the main points of this PR seem to be the issues mentioned in the description above. Let's discuss these topics there.

@fschrempf
Copy link
Contributor

I'm closing this due to the reasons mentioned above and invite everyone involved to discuss the solutions in the linked issues, create new issues if required and come up with PRs that solve one problem at a time.

@fschrempf fschrempf closed this Nov 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3. to review Items that need to be reviewed enhancement feature: acl Items related to the groupfolders ACL or "Advanced Permissions"
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants