Implement getting/setting of "Advanced Permissions" (ACL) via OCS API #1256

Open
davidchristopherbuchanan opened this issue Jan 31, 2021 · 17 comments
Labels
1. to develop Issues that are ready for development enhancement feature: acl Items related to the groupfolders ACL or "Advanced Permissions" feature: api Items related to the (OCS) API

Comments

@davidchristopherbuchanan

We use the groupfolder plugin.

As it looks to me, there is no way to access the Advanced Permissions (ACL) feature for folders by remote control.
I would expect it in the OCS API. But I cannot find it.

Can you implement it?

This is my use case:
In a small team, I am programming software to generate template structures in Nextcloud for similar workgroups at different locations. They all have the same workflow.
E.g. if a new work group starts, they shall have a predefined folder structure. Some people are admins, some have only read-only status. ACL seems the right tool for us to allow sharing files within groups as well as with other groups. A manually configured setup works fine for us.
We made a web frontend to allow the management to create this structure with a simple button.

In the background, users are created and synchronized by the LDAP feature. With the OCS REST API it works great to create folders automatically. But we could not find a way to set the ACL rights for subfolders in groupfolders automatically.

To implement it, we use Kotlin as the programming language. Our project is open source. It is named feather and feather frontend and is published on GitLab.

@crazy-daddy

Took me a while, too - but you can set the ACLs via Webdav PROPs!

@jngrb
Contributor

jngrb commented Feb 1, 2021

> Took me a while, too - but you can set the ACLs via Webdav PROPs!

I am aware of this. But the only client I found that supports it is the "monkey patch" in the UI/JS code of the groupfolder app - see code. I haven't found a way to use these special NC ACL props in other WebDAV clients.

For my project, I would like to use Sardine or another Kotlin-compatible lib. If there is another solution for a scripting language suitable for tooling (Python etc.), I could use it as a reference. Using JS/NodeJS or writing the client myself with XML templates is unfortunately not an option for me.

@pierreozoux pierreozoux added enhancement 0. Needs triage Issues that need to be triaged feature: acl Items related to the groupfolders ACL or "Advanced Permissions" feature: api Items related to the (OCS) API labels Mar 10, 2021
@fschrempf
Contributor

fschrempf commented Mar 26, 2021

The README says there is an API call for setting permissions:

> POST apps/groupfolders/folders/$folderId/groups/$groupId: Set the permissions a group has in a folder

But I can't see how this is supposed to be used to set permissions for subfolders. Is this what you are looking for?

@icewind1991 Is it currently possible to use the API to set permissions for subfolders?

@jngrb
Contributor

jngrb commented Mar 27, 2021

> But I can't see how this is supposed to be used to set permissions for subfolders. Is this what you are looking for?

Yes, we are looking for setting the Advanced Permissions (ACL) for subfolders with remote requests. That's not possible with the groupfolders' API so far. I'd love to just send a JSON object encoding all ACLs I want to set to some API endpoint. Using (non-standard) WebDAV or the CLI is very cumbersome to implement.

My idea would be to be able to send the following as POST to apps/groupfolders/folders/$folderId/groups/$groupId/acl:

```
{
  "path/to/subfolder": [
    { "group": "name1", "mask": x, "permissions": y },
    { "group": "name2", "mask": x, "permissions": y }
  ],
  "path/to/another/subfolder": [
    { "user": "name", "mask": x, "permissions": y }
  ]
}
```

Alternatively, the API could be a POST to some apps/groupfolders/folders/$folderId/groups/$groupId/path/to/subfolder with the corresponding substructure (i.e. only the array) as request body.
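
Input validation that an endpoint accepting the JSON body proposed above would need before applying any rule; this is an added example, not code from the comment or from the groupfolders app. `validate_acl_payload` and `SAMPLE` are hypothetical names, and it assumes that `mask` selects the permission bits a rule sets, that `permissions` gives their allow/deny values, and that both use Nextcloud's permission bits (values 0 to 31).

```python
# Nextcloud permission bits: READ=1, UPDATE=2, CREATE=4, DELETE=8, SHARE=16.
PERMISSION_ALL = 31

# Constructed sample in the proposed shape; names and values are illustrative.
SAMPLE = {
    "path/to/subfolder": [
        {"group": "name1", "mask": 31, "permissions": 1},
        {"group": "name2", "mask": 3, "permissions": 3},
    ],
    "path/to/another/subfolder": [{"user": "name", "mask": 1, "permissions": 0}],
}


def validate_acl_payload(payload):
    """Return (path, kind, name, mask, permissions) tuples, or raise ValueError.
    The whole body is rejected on the first bad entry, so a partially valid
    request never changes any ACL.
    """
    if not isinstance(payload, dict):
        raise ValueError("payload must be an object keyed by subfolder path")
    rules = []
    for path, entries in payload.items():
        parts = path.split("/") if isinstance(path, str) else []
        # Refuse absolute paths, empty segments and traversal out of the folder.
        if not parts or "\\" in path or any(p in ("", ".", "..") for p in parts):
            raise ValueError(f"unsafe path: {path!r}")
        if not isinstance(entries, list) or not entries:
            raise ValueError(f"{path}: expected a non-empty list of rules")
        seen = set()
        for entry in entries:
            if not isinstance(entry, dict):
                raise ValueError(f"{path}: rule must be an object")
            targets = [k for k in ("user", "group") if k in entry]
            if len(targets) != 1 or set(entry) != {targets[0], "mask", "permissions"}:
                raise ValueError(f"{path}: need one of user/group, plus mask and permissions")
            kind, name = targets[0], entry[targets[0]]
            if not isinstance(name, str) or not name or (kind, name) in seen:
                raise ValueError(f"{path}: empty or duplicate {kind} name")
            seen.add((kind, name))
            mask, perms = entry["mask"], entry["permissions"]
            for value in (mask, perms):
                # bool is a subclass of int in Python, so check the exact type.
                if type(value) is not int or not 0 <= value <= PERMISSION_ALL:
                    raise ValueError(f"{path}: mask/permissions must be integers in 0..31")
            # Assumption: mask selects the bits a rule sets; permissions may not exceed it.
            if perms & ~mask:
                raise ValueError(f"{path}: permissions sets bits outside mask")
            rules.append((path, kind, name, mask, perms))
    return rules
```

The path check matters most here: the keys address subfolders inside one group folder, so a key such as `../other` must never reach the rule store.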

@fschrempf fschrempf changed the title Please implement a way to remote control the Access Control List (ACL) feature Implement full control of "Advanced Permissions (ACL)" via OCS API Mar 28, 2021
@fschrempf
Contributor

Another request for proper ACL support in the API from #885:

> We are surprised that the apps/groupfolders/folders/$folderId endpoint does not return the groupfolder's ACL but only a boolean while the apps/groupfolders/folders endpoint does return the acl details for all the folders. This does not appear to be logical.

@fschrempf fschrempf added 1. to develop Issues that are ready for development and removed 0. Needs triage Issues that need to be triaged labels Nov 26, 2021
@kwisatz

kwisatz commented Dec 9, 2021

@fschrempf I saw you added a 1. to develop as a tag to this ticket. Does this give this feature an ETA?

We're working on group folders support for https://github.com/tentwentyfour/nextcloud-link and were wondering whether we should wait a little longer for ACLs to be supported via your API or go the WebDAV work-around route?

@fschrempf
Contributor

> @fschrempf I saw you added a 1. to develop as a tag to this ticket. Does this give this feature an ETA?

No, unfortunately this only means that this is "on the roadmap", but we can't provide any ETA as we depend on someone to step up and implement this.

> We're working on group folders support for https://github.com/tentwentyfour/nextcloud-link and were wondering whether we should wait a little longer for ACLs to be supported via your API or go the WebDAV work-around route?

As it seems that nobody is working on this, waiting for it is probably useless. I would recommend to use WebDAV or even better: create a PR for the groupfolders app to add the missing endpoints for getting/setting ACLs.

@fschrempf fschrempf changed the title Implement full control of "Advanced Permissions (ACL)" via OCS API Implement getting/setting of "Advanced Permissions" (ACL) via OCS API Dec 9, 2021
@kwisatz

kwisatz commented Dec 9, 2021

> As it seems that nobody is working on this, waiting for it is probably useless. I would recommend to use WebDAV or even better: create a PR for the groupfolders app to add the missing endpoints for getting/setting ACLs.

We were actually considering the latter, but a little guidance would be appreciated. We have looked at how the occ command has been implemented using the RuleManager, but it seems that in the handlers that exist for the API (in lib/controllers if we're not mistaken) the RuleManager has not been used so far.

We're also unsure where the API routes get mapped to their handlers. The Nextcloud tutorials speak of a route mapping inside AppInfo which isn't present in this case.

@fschrempf
Contributor

> We were actually considering the latter, but a little guidance would be appreciated. We have looked at how the occ command has been implemented using the RuleManager, but it seems that in the handlers that exist for the API (in lib/controllers if we're not mistaken) the RuleManager has not been used so far.

That's great. I can't provide much help as I'm not familiar with the codebase myself, but @juliushaertl or @icewind1991 should be able to get you started.

After having a quick look, I think that appinfo/routes.php lists the endpoints and the FolderController class implements the handlers. As the API doesn't include any rule handling so far, there's no usage of RuleManager.

Please also note that the groupfolders app doesn't use the latest OCS interface for creating the API endpoints and therefore the endpoints also use non-standard/deprecated URLs. See #997 and #1019.

@kwisatz

kwisatz commented Dec 9, 2021

> After having a quick look, I think that appinfo/routes.php lists the endpoints and the FolderController class implements the handlers. As the API doesn't include any rule handling so far, there's no usage of RuleManager.

Oh jeez, I have been looking in the wrong place

@lattam

lattam commented Jan 18, 2022

Hello,
I was looking around the source files to see if I could implement this extension. I found this strange line in Command/ACL.php:

```php
'/dummy/files/' . $folder['mount_point'],
```

I'm not sure if I understand the purpose of the dummy prefix. It doesn't even seem to have any effect when removed. Maybe @icewind1991 could help?

Thank you!

@dschulten

FWIW, the README that people are discussing above is https://github.com/nextcloud/groupfolders#api

@natopwns

> Took me a while, too - but you can set the ACLs via Webdav PROPs!

@crazy-daddy Do you have an example code snippet for doing that? I'm working on a Python script that needs this exact feature.

@joshtrichards
Member

Existing API route (not for subfolders, however) is here for anyone looking to dig into this and maybe implement something:

```php
/**
 * @RequireGroupFolderAdmin
 */
#[NoAdminRequired]
#[ApiRoute(verb: 'POST', url: '/folders/{id}/groups/{group}', requirements: ['group' => '.+'])]
public function setPermissions(int $id, string $group, int $permissions): DataResponse {
	$response = $this->checkFolderExists($id);
	if ($response) {
		return $response;
	}
	$this->manager->setGroupPermissions($id, $group, $permissions);
	return new DataResponse(['success' => true]);
}
```

@provokateurin
Member

As @joshtrichards mentioned this is possible since #3182 which was just merged this week and is not available in any release. I am also going to add OpenAPI documentation for it, but it first needs further cleanups and fixes. I will probably also slightly change the current API to make everything smoother and have a stable API once released.

@provokateurin provokateurin self-assigned this Sep 11, 2024
@provokateurin provokateurin added 2. developing Items that are currently under development and removed 1. to develop Issues that are ready for development labels Sep 11, 2024
@provokateurin
Member

Gonna close this as a duplicate of #3208, there is nothing specific about this API that needs to be done except for generally exposing the REST API and making it usable.

@provokateurin provokateurin closed this as not planned Sep 18, 2024
@provokateurin
Member

Sorry, I missed that the ACL settings are only exposed via WebDAV and not via the REST API so far.

@provokateurin provokateurin reopened this Sep 30, 2024
@provokateurin provokateurin added 1. to develop Issues that are ready for development and removed 2. developing Items that are currently under development labels Sep 30, 2024