Grant read permission to parent folders if access is granted to a nested folder #2588
Description
Proposed change
Background
Im going to be making a solid attempt at making Group Folders ACL's behave more like Windows ACL's.
The current implementation of Group Folders doesn't carry logic to automatically pass read permissions up to the parent folder whilst denying any other folders along the route. Whilst most other enterprise products allow for read permission being set on a direct path to a sub-folder (Read overrides Deny in a straight path). So currently you won't be able to see any sub folders along the path to the folder you are trying to share.
Usage Scenario
- Two groups:
usersandadmins, some admins are also in users. - Folders:
for_all- accessible to all,admins_only- only accessible to admins
Currently required permission setup
- grant users
readto '/' so they can see 'for_all' - grant admins
allto '/' - grant user all
allto 'for_all' - revoke users
readto 'admins_only' so they cannot see it despite inherited access - grant admins
allto 'admins_only' so admins who are alsousersstill can access it.
Permission setup with implicit read for parent folders
- grant admins
allto '/' - grant user all
allto 'for_all'
Possible Implementation
I still need to study up the code a bit more as there might be a simplier or cleaner fix but i think adding this logic to the ACL Manager might be a good start (Once I've had a chance to have a better look and make sure it makes sense).
Code for ACL Manager
public function getACLPermissionsForPath(string $path): int {
$path = ltrim($path, '/');
$rules = $this->getRelevantRulesForPath([$path]);
// Check if the path contains the subfolder with "allow" permission
if ($this->containsSubfolderWithAllowPermission($path, $rules)) {
return $this->setPermissionsForPathAndParents($path, Constants::PERMISSION_READ);
} else {
// If not, restrict access to other subfolders
return $this->setPermissionsForPathAndSubfolders($path, Constants::PERMISSION_NONE);
}
}
private function containsSubfolderWithAllowPermission(string $path, array $rules): bool {
// Check if any rule in the path allows access
return array_reduce($rules, function ($carry, $rule) {
return $carry || $rule->getPermissions() === Constants::PERMISSION_ALL;
}, false);
}
private function setPermissionsForPathAndParents(string $path, int $permissions): int {
// Set "read" permissions for the current path and its parents
$relevantPaths = $this->getRelevantPaths($path);
$rules = $this->getRules($relevantPaths);
// Apply permissions up to the root
return $this->calculatePermissionsForPath($rules, $permissions);
}
private function setPermissionsForPathAndSubfolders(string $path, int $permissions): int {
// Set restricted permissions for the current path and its subfolders
$rules = $this->getRules([$path]);
return $this->calculatePermissionsForPath($rules, $permissions);
}
}Considering ACL Manager deals with calculating all folder permissions it seems like the logical place to implement this new logic. However this may require users to completely reconfigure all current setup permissions.
I've had a search but nested folder access seems to be a complicated subject. Would the Devs even approve a PR for a change like this? I'm prepared to also invest some money into getting this working with this logic as it'll save most of us a massive headache hosting our own servers as well as the enterprise users.