Best way to set configs for nc+apps via api

Rick_Stinson · November 21, 2025, 7:52am

Hi,

i’m looking for the best practice way to set nextcloud core settings, an global configs for apps, like in the Nextcloud Admin Settings.

Eg: setup teamfolders, talk, etc

occ it self is not enough, because you dont get always parsable content.

Is OSP the best way, or should i use OCS witth an admin Account?

Thanks, Rick

christianlupus · November 21, 2025, 11:07am

Well, occ is just a CLI for managment. The apps can (but do not need to) provide functions and features there.

OSP is something I do not know. Do you mean OCP as the public PHP namespace?

OCS is a generic communication format between backend (aka PHP server) and some client.

As I do not know what you are after, I cannot give you good advice. Maybe you elaborate a bit?

Chris

Rick_Stinson · November 25, 2025, 7:54am

yes, sorry, i meant OCP (not OSP - typo).

we are planning some kind of restricted admin interface for nextcloud for our NC Customers.
With this Admin Interface the User should (beside other functions to their booked services) control NC Settings, and even (some) Apps Settings as seen in nextlcoud in “administration settings”.

We dont want to mirror everything in “administration settings”, just the settings/options that our customer really needs.

So far, we ware provisioning NC for customers with “occ”, but for deeper settings it isnt the right way.

christianlupus · November 25, 2025, 9:14am

Ok, now, this is a different story than I had understood at first. OK, got the rough idea.

The problem with direct OCS is that you cannot restrict: you hand out the credentials in some way to an admin account. So, the customer might use these and call other API endpoints (both OCS and normal) and still be an admin. You might not provide a GUI, true, but this is merely “security through obscurity”. So, you might want or not to go that route in general.

Using OCP means you would have to write PHP code as a new app for nextcloud. Not all apps will allow to tweak the internal settings by means of standardized interfaces. So, this would probably be a cat-and-mouse game with the devs that decide to change internal structures without prior notice.

So, I personally see no clear way to get this running the easy way. I see a few options left for you

Let them become real admin and support/train them well. The admin should know what he is doing and where he should keep his hands away.
Use a dedicated web app (can be a NC app or theoretical something outside but I’d advice for an app) that has a set of endpoints. These represent the possible/allowed requests by your customer-admins. You can then even filter down more (apart from the endpoint name) the possible requests. You then forward to OCS from your backend. You would have to implement both the backend stuff as well as a custom frontend for the customer-admins. Quite some work but should be rather flexible. Every change in the backend (updates of any involved app!!!) needs testing from your side!
If not too fine-grained control is needed, you could use a rewriting in your http server and a custom frontend that will only allow certain endpoints. Just a quick idea, no clue if this will topple over at some point.

Chris

Rick_Stinson · November 28, 2025, 11:05am

Thanks a lot for your time and explanation!