Allow ACL Permissions don't overwrite Deny permission #438

Closed
emilianocapasso opened this issue May 20, 2019 · 16 comments
Labels: 0. Needs triage, design, enhancement, feature: acl, wontfix

Comments

@emilianocapasso

I have a problem with the granular permissions:

Using this configuration:
image

and adding these permissions in a subfolder:
image

from the other side (the test group) I see these permissions instead
image

@Chartman123
Contributor

I think that it's intended that Deny overrules Allow. But I also miss the possibility to stop the inheriting of permissions without having to deny them. It would be nice to be able to just not give the permissions without having to deny them.

@BoxedBrain

Any update on this? Having the same issue.

@icewind1991
Member

Advanced permissions currently cannot allow permissions that are denied in the "normal" permissions.

To get the behaviour you have to allow the permissions to the group in the group settings and then deny them using advanced permissions on the root of the folder. You can then re-allow the permission for any child folder.

@emilianocapasso
Author

Looks like it works in this way, not sure if it's intended or it's just a workaround.

@miketranagfa

> Advanced permissions currently cannot allow permissions that are denied in the "normal" permissions.
>
> To get the behaviour you have to allow the permissions to the group in the group settings and then deny them using advanced permissions on the root of the folder. You can then re-allow the permission for any child folder

I tried this but it's not working.

In the "Settings > Group folder" setup I added the groups with read access. Then I went to the root folder and clicked on the share icon. I disabled read access for a group using advanced permission rules and then further down the tree, I enabled the read permission, but the users in the group could not see that folder.

@icewind1991
Member

If a user doesn't have read permissions on a folder there is no way for him to see any of the contents inside of it, and thus adding read permissions back in a subfolder is useless since the user will never be able to reach the subfolder in the first place.
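
A small Python model of the evaluation order the maintainer describes in the comments above: folder-settings permissions act as a ceiling, a nearer advanced-permission rule overrides an inherited one, and read is required on every ancestor. It is an added example, not groupfolders code and not part of the thread; the bit values, the `(mask, values)` rule layout and all function names are assumptions.

```python
# Added model, not groupfolders code. Bit values and the rule layout are assumptions.
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE

def allow(bits):
    """Rule that explicitly allows `bits`; every other bit stays inherited."""
    return (bits, bits)          # (mask of bits the rule sets, their values)

def deny(bits):
    """Rule that explicitly denies `bits`; every other bit stays inherited."""
    return (bits, 0)

def chain(path):
    """Return the folder root '' followed by each prefix of `path`, top down."""
    parts = [p for p in path.split("/") if p]
    return [""] + ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective(base, rules, path):
    """Permissions on `path`: inherited rules applied top down, capped by `base`."""
    acl = ALL
    for node in chain(path):
        if node in rules:
            mask, values = rules[node]
            acl = (acl & ~mask) | (values & mask)   # nearer rule wins per bit
    return base & acl            # "normal" permissions are the ceiling

def reachable(base, rules, path):
    """A folder can only be reached if READ holds on it and on every ancestor."""
    return all(effective(base, rules, node) & READ for node in chain(path))

def scenarios():
    """Constructed cases mirroring the thread; returns the outcome of each."""
    # 1. Group has read only in the folder settings; a subfolder rule allows delete.
    capped = effective(READ, {"sub": allow(DELETE)}, "sub")
    # 2. Workaround: group has everything, delete denied at root, re-allowed in "sub".
    rules = {"": deny(DELETE), "sub": allow(DELETE)}
    root, sub = effective(ALL, rules, ""), effective(ALL, rules, "sub")
    # 3. Read denied at root and re-allowed below: the bit is set but unreachable.
    hidden = {"": deny(READ), "sub": allow(READ)}
    return {
        "capped_can_delete": bool(capped & DELETE),
        "root_can_delete": bool(root & DELETE),
        "sub_can_delete": bool(sub & DELETE),
        "sub_has_read_bit": bool(effective(ALL, hidden, "sub") & READ),
        "sub_reachable": reachable(ALL, hidden, "sub"),
    }

if __name__ == "__main__":
    print(scenarios())
```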

@miketranagfa

OK that's fine if that's the way it is. I just tried to do what you described in your previous post and it didn't work.

@ghost

ghost commented Sep 27, 2019

@miketranagfa I think you're right. It doesn't work the way @icewind1991 describes it. I just tried to do the same and the problem is just as described.

Even if the user has full access in the "normal" permission settings, it is not possible to overwrite a "deny" further up the directory tree with an "allow" further down in the tree of the "advanced permissions".

@anjoze

anjoze commented Sep 30, 2019

Same problem with me

@pgassmann

pgassmann commented Oct 1, 2019

@icewind1991:

> If a user doesn't have read permissions on a folder there is no way for him to see any of the contents inside of it, and thus adding read permissions back in a subfolder is useless since the user will never be able to reach the subfolder in the first place

This would be a very useful feature to have. I expected that I can add read permission on a subfolder and the recipient would then see the same path to that subfolder instead of having the subfolder now directly in his home folder.
My use case: Groupfolder for IT-Department, but I'd like to share the Accounting subfolder to another person without giving that person read access for the whole IT-Department groupfolder, but see that it's IT-Department/Accounting.
Other example:
Groupfolder Photos. Subfolders Switzerland/Youth, Switzerland/Children and Germany/Youth, now a photographer should have access to the Youth Photos of Switzerland and Germany, but not to the Children Photos. If I share the Youth folder directly, he will have two "Youth" folders (or a conflict) in his Home-Folder.

Would this be possible to implement? Or add an option to "Share with original Path".

@emilianocapasso
Author

Agree with @pgassmann, this behaviour causes our clients (and internal team) with different levels of access a lot of problems.

@wiswedel
Contributor

> @icewind1991:
>
> > If a user doesn't have read permissions on a folder there is no way for him to see any of the contents inside of it, and thus adding read permissions back in a subfolder is useless since the user will never be able to reach the subfolder in the first place
>
> This would be a very useful feature to have. I expected that I can add read permission on a subfolder and the recipient would then see the same path to that subfolder instead of having the subfolder now directly in his home folder.
> My use case: Groupfolder for IT-Department, but I'd like to share the Accounting subfolder to another person without giving that person read access for the whole IT-Department groupfolder, but see that it's IT-Department/Accounting.
> Other example:
> Groupfolder Photos. Subfolders Switzerland/Youth, Switzerland/Children and Germany/Youth, now a photographer should have access to the Youth Photos of Switzerland and Germany, but not to the Children Photos. If I share the Youth folder directly, he will have two "Youth" folders (or a conflict) in his Home-Folder.
>
> Would this be possible to implement? Or add an option to "Share with original Path".

@pgassmann
What you describe is something different than the original topic of this issue. Could you please open a new issue for your request?

@wiswedel changed the title from "Allow Permission don't overwrite Deny permission" to "Allow ACL Permissions don't overwrite Deny permission" on Oct 23, 2019

@pgassmann

@wiswedel @fri-sch @emilianocapasso I created a new Issue with my thoughts on how I would like it to function. #655

@rmeissn

rmeissn commented Oct 23, 2019

I just ran into the same problem and had to find this issue in order to understand the behaviour and how to achieve what I desired.

I vote for overwriting a "deny" further up the directory tree with an "allow" further down in the tree of the "advanced permissions".

My scenario is:
We shared a folder with a group and denied delete rights on it.
Further down the tree of this shared folder is a folder for specific members of the group (subgroup). These subgroup members shall be able to freely use this folder (down in the tree), thus also delete files and folders inside of it.
I had to use the workaround

> @icewind1991
> Advanced permissions currently cannot allow permissions that are denied in the "normal" permissions.
>
> To get the behaviour you have to allow the permissions to the group in the group settings and then deny them using advanced permissions on the root of the folder. You can then re-allow the permission for any child folder

to achieve my desired behaviour. This use case won't interfere with what #655 is about (read permission).

@olaldiko

Same issue here. We created a subfolder that denied access to the group allowed in the parent folder, but that had allowed permissions for some users that were also part of the denied group. The folder disappeared for those users.
I upload an example of the permissions defined for the folder. The root folder has full permissions for the consortium group, and my user is part of the consortium group. Changing the order of the rule does not help:
image

@pierreozoux pierreozoux added feature: acl Items related to the groupfolders ACL or "Advanced Permissions" 0. Needs triage Issues that need to be triaged enhancement ui design Items related to the web UI (layout, design, etc.) labels Mar 14, 2021
@pierreozoux
Member

@olaldiko looks like a different issue, please open a new one.

About the original issue, I'll close as a wontfix.

It is a design decision that deny restriction is higher. We won't fix it in the foreseeable future.

If you come up with a UX idea on how to address this, feel free to open a new issue.
