Advanced permissions don't override Group Folder permissions #2394

Open
dzidek23 opened this issue May 18, 2023 · 8 comments
Labels
0. Needs triage Issues that need to be triaged bug feature: acl Items related to the groupfolders ACL or "Advanced Permissions"

Comments

@dzidek23
dzidek23 commented May 18, 2023

Steps to reproduce

  1. Create a Group Folder with permissions like below:
    [screenshot: group_folder]

  2. Apply Advanced permission on a subfolder within the Group Folder like this:
    [screenshot: subfolder_folder]

Expected behaviour

I would expect the TL (Group) to be granted DELETE on the subfolder as per the Advanced Permissions set by Admin (Group).

Actual behaviour

Users in the TL (Group) can't delete objects within the subfolder.
Once granting DELETE to TL (Group) on the Group Folder all is working as intended.

[screenshot: group_folder2]

I'm submitting this as a bug as in my understanding the higher advanced settings set by Group Folder admin should take precedence over Group Folder settings.

Server configuration

Operating system:
Debian 11
Web server:
Apache2 2.4.56
Database:
MariaDB 10.5.18
PHP version:
8.1.18
Nextcloud version: (see Nextcloud admin page)
25.0.6
Group folders version:
13.1.3
Updated from an older Nextcloud/ownCloud or fresh install:
updated number of times
Are you using external storage, if yes which one: local/s3/smb/sftp/...
local
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/Saml/...
LDAP

@dzidek23 dzidek23 added 0. Needs triage Issues that need to be triaged bug labels May 18, 2023
@XueSheng-GIT

I would say that this is the expected behaviour:
https://github.com/nextcloud/groupfolders#advanced-permissions

[...] Denied permissions configured for the group folder itself cannot be overwritten to "allow" permissions by the advanced permission rules.[...]

The real issue seems to be that you can set these advanced permissions, but you don't get any feedback that you cannot overwrite the groupfolder defaults. This is probably covered by #2366.

@dzidek23
Author

@XueSheng-GIT Thanks for that, this probably explains it all. However, on any object shared in Nextcloud the sharing user can grant permissions right up to their own permissions on that object.

Wouldn't it make sense if the "admin" of the Group Folder had similar possibilities?
It is not a demand but a polite request for a feature ;)

@Hafenkante87

Hi there,

I'm facing nearly the same issue.

We have a groupfolder with several subfolders.
For the main folder everyone is granted full permissions.
In the subfolder we want to forbid all permissions but reading access to a created group "Gym-Hark". The Admin for this group should be the only one with advanced permission. So I set up everything like you can see in Screenshot 1.
[screenshot: Screenshot1]

If I get it right "allow" should overwrite "denied" but in this case User A gets the message that he isn't allowed to create anything within the subfolder.

Do you have any idea what I'm doing wrong, @XueSheng-GIT? We are on NC 26.0.1 and Groupfolder 14.0.4.
Do you need any further information or screenshots?

Thanks for any support!

@dzidek23
Author

dzidek23 commented Aug 31, 2023

Hi @Hafenkante87,

In our scenario, we had to allow all permissions on the group folder (in NC administration area) and then deny specific permissions of the folder itself.

Group folders don't follow the same rules as standard NC shares, where permissions are based on rights of the sharing user (or they do but it doesn't seem right).
You have to allow "everything" the user/group might need and then remove the permission on a subfolder (and subsequent with "inherit" setting).

This also allowed us to self-restrict access to some permissions not normally required. We remove all but read access from the Admin group (on the folders and subfolders) and when a change is needed this gets temporarily overridden.
We have a permanent archive with minimal chances for deleting files by mistake.

@Hafenkante87

Thanks for your reply @dzidek23
I will try to follow your steps and see if it gets us where we wanted.

In general I think it would be a more comfortable rule if user permissions overwrite group permissions instead of allow overwrites deny. It makes it way easier to set up admins for specific subfolders.

@fschrempf fschrempf added the feature: acl Items related to the groupfolders ACL or "Advanced Permissions" label Sep 1, 2023
@fschrempf
Contributor

As already mentioned above the main groupfolder permissions always define the maximum permissions a user can have in any subdirectory. ACL permissions can not be used to extend the main groupfolder permissions.

This is one of the flaws of the ACL permission system and you will find a few other issues related to this topic (e.g. #1212, #598).

To be honest the design of the ACL permissions is a PITA for the users. The problem is that it's not easy to change now and nobody steps up to redesign it.
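The ceiling rule described in this thread, as an added example that is not part of the issue or of the groupfolders code: a simplified model (group rules only, constructed sample data) that computes the effective permissions at a path and flags "allow" rules that can never take effect because the group folder itself denies the bit. The permission bit values are Nextcloud's `PERMISSION_*` constants; the `BASE`/`RULES` layout and function names are assumptions made for the illustration.

```python
# Nextcloud permission bits (OCP\Constants::PERMISSION_*).
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE

# Constructed sample mirroring the report: group "TL" lacks DELETE on the
# group folder, and an advanced-permission rule tries to allow it below.
BASE = {"TL": READ | UPDATE | CREATE | SHARE, "Admin": ALL}
# (path, group) -> (mask, allowed); bits outside mask inherit from the parent.
RULES = {
    ("subfolder", "TL"): (DELETE, DELETE),     # "allow" DELETE
    ("subfolder/archive", "TL"): (CREATE, 0),  # deny CREATE
}

def effective(group, path, base=BASE, rules=RULES):
    """Permissions a group ends up with at path under the ceiling model."""
    ceiling = base.get(group, 0)
    perms = ceiling
    parts = path.split("/") if path else []
    for depth in range(1, len(parts) + 1):
        rule = rules.get(("/".join(parts[:depth]), group))
        if rule:
            mask, allowed = rule
            # Bits named in the mask are overridden, the rest are inherited.
            perms = (perms & ~mask) | (allowed & mask)
    # ACL rules can restrict, but never exceed the group folder permissions.
    return perms & ceiling

def ineffective_allows(base=BASE, rules=RULES):
    """List (path, group, blocked_bits) for allow bits above the ceiling."""
    findings = []
    for (path, group), (mask, allowed) in sorted(rules.items()):
        blocked = allowed & mask & ~base.get(group, 0)
        if blocked:
            findings.append((path, group, blocked))
    return findings

if __name__ == "__main__":
    print(effective("TL", "subfolder") & DELETE)  # 0: DELETE stays denied
    print(ineffective_allows())
    # Workaround from the thread: allow everything on the group folder,
    # then remove permissions on subfolders.
    print(effective("TL", "subfolder/archive", base={"TL": ALL}))
```

Running a check like `ineffective_allows` over an export of the configured rules gives the feedback the UI does not: every rule it lists looks like a grant in the interface but changes nothing.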

@Hafenkante87

Hi all,

I double-checked all permissions and the ones in the main folder are "everything allowed". That's why a user was able to create the subfolder whose permissions are shown in the screenshot above. And although the user set itself "everything allowed" he can't create or delete any files in the subfolder.

When I remove the permissions "Gym_Har" Anja is able to create folders, delete documents etc again. So it still seems to me that the group permission overwrites the user permission :(

@dzidek23
Author

dzidek23 commented Sep 6, 2023

@Hafenkante87
This is not the case in our setup.

In the group folder admin section, we have:
[screenshot: gf1]
I guess you should have a single user or another 'Admin group' in the Advanced Permissions field.

And for the share - in the file view:
[screenshot: gf2]

This allows a specific user (member of the group) to have full control but no other member from this group.

I'm showing you just a test share, but other folders are configured similarly.
