As I didn’t find any documentation for the Groupfolder app, I have to ask this silly question here:
Using mainly Windows OS, I’m wondering what the difference between the permissions “Write” and “Delete” is? In case of Windows OS, when you give a user/group the “Write” permission, the user is allowed to create, change and delete files.
If I give users just the “Write” permission in Nextcloud’s Groupfolders section: are they really only allowed to create new files and change existing ones but not to delete them?
It’s important to understand, as I have a specific issue with the root folder of my structure. On this top level folder, we assigned neither Write, nor Share, nor Delete permissions for our users (to avoid that they delete the whole structure). When I uninstall the Windows Nextcloud Client (due to … reasons) and try to delete the (no longer) synchronized folders in Windows Explorer, I am not allowed to do so. I can delete the subfolders, but not the Root folder.
I think my initial question can help understanding/fixing the issue.
User rights on desktop and inside of the Nextcloud application are completely different things and they are (kind of) not related.
File permissions on your (Windows) client file system don’t reflect server-side permissions. I also noticed the Nextcloud folder has special access rights - likely this is to provide special functionality like showing “Nextcloud” as a drive in File Explorer and maybe to allow VFS (files on demand) - but this is not related to how you set up permissions in your group folder app. In the end, the user has full power on his desktop and the server has no way to enforce permissions on file system level on the desktop. E.g. if the user has admin rights he could take over all files he can access on the desktop - but server permissions would remain untouched and he would be unable to upload files to a server-side folder where he only has read rights.
@wwe : Ok, interesting to hear. If the server-side permissions are not (let’s say) replicated to Windows clients, respectively their NTFS permissions, I do not have any idea why the root folder (on their Windows machines) cannot be deleted by users and by me (using my admin account). I think the only way to get rid of the folder was to take ownership and break the inheritance. I don’t think it’s the way it’s supposed to be?!
For testing purposes I created another Groupfolder “TEST-Portal” on the top level. Then I created additional Groupfolders within this “TEST-Portal” folder.
The Nextcloud client syncs those folders (+included files) flawlessly to my Windows client.
Then, I exit the Nextcloud client. For my understanding, I should be able now to remove the “TEST-Portal” folder and its included subfolders. However, I can only delete the subfolders. If I try to delete the top level folder “TEST-Portal”, I’m prompted to use admin privileges (whyever). If I enter my local admin credentials, it’s denied:
I’m sorry, but you are wrong. My tests showed, that the server permissions do influence the folder permissions on a Windows client!
To avoid that our users delete the root folder, we use this (yellow marked) setting:
If I give our users the “Write” permission for the root folder, I can delete the folder on the Windows machine (after exiting the Nextcloud client, of course).
→ the server/Groupfolder permissions are the reason why we cannot remove the root folder on our clients
Giving our users the “Write” permission allows them to delete the root folder… so that’s not an option at all.
You should review the “Security” tab and check who is the owner and who has rights to delete folders (in Windows an Admin always has ways to take ownership of files and folders). But the question is why? If you have a folder structure you sync to the client, what would be the point to delete a portion of it only locally? What would be your expectation for the next steps? If you restart the client, should it recreate the folder? Try to remove the folder on the server? Leave with the different state?
Maybe if you don’t want to see a folder locally you should remove it from sync? (only possible if VFS is disabled)
In some cases (e.g. if there are any issues) it’s the best to stop/exit the client and to remove the local folder - or even to do the first-run-wizard. Afterwards you restart the client and the files get freshly synchronized from the server to the client.
Another example: a user changes the department and therefore loses the permission for accessing Nextcloud at all. Then I have to uninstall the client and to remove the folder on his/her Windows machine.
However, the topic of this thread is not “why I want to remove the folder”. The question is “why is it so difficult to delete the Nextcloud folder?”. Or why do server permissions affect the folder permissions on a Windows client (which was new to you obviously as well)?
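The check suggested earlier in the thread (reviewing the Security tab for the owner and for who may delete the folder) can be scripted; the following PowerShell is an added example, not part of any post and not Nextcloud's own tooling. It relies on the NTFS rule that deleting a folder needs Delete on the folder itself or "Delete subfolders and files" on its parent, and the default path is a hypothetical placeholder.

```powershell
# Added diagnostic example. The default path is a hypothetical placeholder;
# point it at the synced folder that refuses to be deleted.
param([string]$Path = 'C:\Users\example\Nextcloud\TEST-Portal')

$Rights = [System.Security.AccessControl.FileSystemRights]

function Get-DeleteAce {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Mask
    )
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        # Keep only entries that touch the right we care about. ACEs stored
        # as raw generic rights (e.g. GENERIC_ALL) do not match this mask and
        # have to be read in the Security tab or with icacls.
        if (([int]$ace.FileSystemRights -band [int]$Mask) -ne 0) {
            [pscustomobject]@{
                Path      = $Target
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$folder = (Get-Item -LiteralPath $Path).FullName
$parent = Split-Path -Path $folder -Parent

# Delete on the folder itself, then "Delete subfolders and files" on its parent.
$report  = @(Get-DeleteAce -Target $folder -Mask ($Rights::Delete))
$report += @(Get-DeleteAce -Target $parent -Mask ($Rights::DeleteSubdirectoriesAndFiles))

# Deny entries first so they are easy to spot.
$report | Sort-Object @{ Expression = { $_.Type -ne 'Deny' } }, Path |
    Format-Table -AutoSize -Wrap
```

Running it once with the Groupfolder permissions as they are and once after changing them on the server shows whether the local ACL of the synced root folder actually differs between the two states.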