Limit certain groups to files only

I wish to have one group “fileusers” which ONLY has access to files /upload/download. No cal, talk, contacts, theme changes, email, etc… Is this possible? Can the CSS theme construct be used to limit what these users can access?

Is this what you are searching for? :

App-Id guests
App-Name Guests
Summary Create guest accounts for easier collaboration
App can not be restricted to groups
Categories security
Website GitHub - nextcloud/guests: 🙈 Create guest users which can only see files shared with them
Issue-Tracker GitHub · Where software is built
Admin-Doc. guests/README.md at master · nextcloud/guests · GitHub
Not-shipped (not included) App available in appstore
Appstore Guests - Apps - App Store - Nextcloud

h.t.h.


Much and good luck,
ernolf

Thank you for your quick help!! I might be able to work with this. What I was really hoping for was a user that could have control of their own filespace. They would have their own files that they could organize as they need, and even upload files if needed, just no access to the other features.

I think that is not possible. But it would very nice to map (white list) user groups to apps. A little bit like in Guests app.

Maybe someone can write an issue.

Thank you all for trying to help!!

I need a files only storage location usable by “full users” that can access the bells and whistles, but MUST be only file transfer (no cals, weather, contacts….) for “filesonly” users. Nextcloud is unusable for me without this. I see people have been looking for this feature for years with no joy. 

I came up with the following HACK. Yes, it is truly a quick hack, to give users in the “filesonly” group only access to the “files” app. Now I cannot say this will completely PREVENT limited users from accessing other features, but my users would not likely be seeking ways to get them, nor would it be a real problem if they stumbled across them.

The two main caveats are that users cannot change their own passwords or log out of the system. I will set up something for passwords later, and am changing the automatic logout settings to a “low-ish” value. Of course any improvements or suggestions would be amazing!

1- Create a nextcloud group called filesonly with the display name filesonly. Any user in this group will have nothing but “files”.

2- Set the default app to “files” in the config/config.php file (for all):
      'defaultapp' => 'files',
   I also set the auto logout values, since the filesonly users can’t log out!
      'remember_login_cookie_lifetime' => 60 * 30 * 3,
      'session_lifetime' => 60 * 60 * 2,
      'session_keepalive' => false,
      'auto_logout' => true,

3- Get rid of the dashboard for all using OCC (from the command prompt):
      sudo -u www-data php -f /app/code/occ app:disable dashboard

4- Download the hidesidebars nextcloud app from:
      https://github.com/pointcz/hidesidebars
   Download the “latest” (I used V 2.2.5) hidesidebars.tar.gz file.

5- tar -xvzf hidesidebars.tar.gz
6- mv hidesidebars <your nextcloud location>/apps/
7- chown -R www-data:www-data <your nextcloud location>/apps
8- cd <your nextcloud location>
9- Edit apps/hidesidebars/appinfo/info.xml and change max-version to at least your version (mine is 30):
      <nextcloud min-version="21" max-version="35"/>

10- Edit apps/hidesidebars/js/script.js. Insert right before the following statement:
        if (getParameterByName('hide-sidebars') !== null) {
    the following new stuff:
        if ( "1" == "1" ) {
                hideTopMenu();
                hideLeftMenu();
        }

11- Edit apps/hidesidebars/lib/Listener/HidesidebarScripts.php and replace the whole thing with:

<?php

declare(strict_types=1);

namespace OCA\Hidesidebars\Listener;

use OCA\Hidesidebars\AppInfo\Application;
use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent;
use OCP\EventDispatcher\Event;
use OCP\EventDispatcher\IEventListener;
use OCP\IUser;
use OCP\Util;

class HidesidebarScripts implements IEventListener
{
	public function handle(Event $event): void
	{
		if (!$event instanceof BeforeTemplateRenderedEvent) {
			return;
		}

		// Only act when a user is logged in.
		$userSession = \OC::$server->getUserSession();
		if (!$userSession->isLoggedIn()) {
			return;
		}
		$currentUser = $userSession->getUser();
		if (!$currentUser instanceof IUser) {
			return;
		}

		// Load the menu-hiding script only for members of the "filesonly" group.
		// The script hides the menus in the browser; the apps themselves stay enabled.
		$groupManager = \OC::$server->getGroupManager();
		$userGroups = $groupManager->getUserGroups($currentUser);
		foreach ($userGroups as $group) {
			if ($group->getGID() === 'filesonly') {
				Util::addScript(Application::APP_ID, 'script');
				break;
			}
		}

		// Original behaviour (script loaded for every user), disabled:
		// Util::addScript(Application::APP_ID, 'script');
	}
}


12- In nextcloud, as admin, add and activate the “hidesidebars” app – DO NOT download it.

13-Make users in the “filesonly” group!

If I understand correctly, you are only hiding the apps from the users. In the end it might be a bit like hiding the download when sharing and everyone can still download by adding /download to the shared link.

Security through obscurity

It is quite incomprehensible that Nextcloud does not offer the files-only app restricted to groups. Perhaps this is because Nextcloud wants to be more than just a file service.

For your requirements, you actually only need something like Tiny File Manager . With a few adjustments, it could fulfil your purposes. It’s faster than Nextcloud anyway, as it doesn’t use any databases, for example. Of course, you will have to do without certain Nextcloud mechanisms such as synchronisation, WebDAV, etc.

It is EXACTLY security through obscurity.

My original app was an old owncloud version that was easier to hack (with my skills). It was primarily a dropbox for select professionals to communicate some files. Looking at nextcloud it has a lot of features that I can use, however, I don’t want limited users seeing/being distracted by other features. They are very unlikely to be looking for other features, and if they were to find out about the calendar somehow, it wouldn’t be the end of the world.
That said, this is lightyears from what I need, it is just what I can live with. Every “feature” someone has access to is a potential security hole. It would be a huge selling point for nextcloud to have:
1-A file storage ONLY feature. And
2-An official and convenient way to place files from the operating system into a users directory.
Both of these seem to be actively discouraged by the owncloud/nextcloud developers (I have received several “that’s not what [the software] is for” replies when discussing this). I am not at all complaining - I am HUGELY thankful for the contributors that developed this wonderful package, their vision about it and the assistance that they have generously given me. The current complexity of the software and its code are, however, beyond what I can learn/dive into.
Thank you for the other software suggestion, in reality all the others I looked at lack the ease of use/flexibility/professionalism I need, plus I would love to use many of the features of nextcloud.

Most Nextcloud apps have a “Limit to groups” option. It’s in the app entry for enabled app.

Is that not what you want?

Thanks for the suggestion! It has a very limited amount of apps it can limit, as far as I can tell.

It’s really not so nice that Nextcloud doesn’t offer the option of restriction.

But I may have another idea. Nextcloud is free and you can also work collaboratively via different Nextclouds. Perhaps you could create a second Nextcloud https://files.server.tld alongside https://cloud.server.tld and only install the necessary apps there during installation and also uninstall or deactivate any apps you don’t need. This should then go in the direction of files-only. Your additional Nextcloud needs 600 MB of space for installation. I use e.g. free webspaces for additional test Nextclouds.

To minimise the workload for you, you can use SQLite instead of MariaDB for a small number of users or if they do not work in parallel.

In the end, the entire Nextcloud is basically a normal PHP website with a SQLite-file as a SQLite database.

Another advantage is that your normal Nextcloud is not affected by this. And there are no additional costs either.

But if people are only supposed to get Nextcloud files anyway, you can of course ask yourself why they don’t just set up an account with a free professional Nextcloud hoster and use that.

They can get e.g. 20 GB for free at Cloud Storage - Shadow Drive
Nextcloud Name: https://drive.shadow.tech

Most apps support it. Some specially designated apps are excluded from the feature. Those are apps for things like lower level filesystem and authentication matters.

Most of the apps you listed do not fall into that category.
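
The “Limit to groups” setting mentioned in the replies above can also be set and checked with occ, and unlike the hidden menus of the hack it is stored and applied by the server. The script below is an added example, not code from the thread or from Nextcloud: it prints the `app:enable --groups` command for an app and classifies the value that `occ config:app:get <app> enabled` returns. The occ invocation is taken from step 3 of the hack post; the group name `fullusers` and the sample values are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: occ invocation as in step 3 of the hack post;
# the group "fullusers" and the sample values below are constructed.
OCC="sudo -u www-data php -f /app/code/occ"

# Print (do not run) the command that limits app $2 to group $1.
restrict_cmd() {
    printf '%s app:enable --groups=%s %s\n' "$OCC" "$1" "$2"
}

# Classify the output of `occ config:app:get <app> enabled`:
# "yes" = every user, "no" = disabled, JSON array = limited to those groups.
enabled_scope() {
    case "$1" in
        yes)    echo all ;;
        no|'')  echo disabled ;;
        \[*\])  echo groups ;;
        *)      echo unknown ;;
    esac
}

# Succeed when a member of group $2 can use an app whose enabled value is $1.
group_can_use() {
    case "$1" in
        yes)        return 0 ;;
        *"\"$2\""*) return 0 ;;
        *)          return 1 ;;
    esac
}

# One audit line: group $1, enabled value $2, app id $3.
audit_line() {
    if group_can_use "$2" "$1"; then
        echo "$3: REACHABLE by $1 ($(enabled_scope "$2"))"
    else
        echo "$3: blocked for $1 ($(enabled_scope "$2"))"
    fi
}

# Constructed values standing in for real `config:app:get` output.
audit_line filesonly 'yes' calendar
audit_line filesonly '["fullusers"]' contacts
restrict_cmd fullusers calendar
```

An app reported as REACHABLE is still enabled for the filesonly group even when its menu entry is hidden in the browser.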

I will definitely retry this then. Thank you!

Interesting! I was originally thinking of setting up a different server, but didn’t think about a separate named instance on the same server. I think that might be the federation app. I am definitely giving that a try!
Using outside servers I can’t control / move stuff in defeats the point…

Federation is a standard app/function from Nextcloud. You can federate to users on other Nextcloud hosters but also only between users on your Nextcloud servers. However, it is the user who shares their data over Nextclouds and not the entire Nextcloud. With Federation the data is then transported between the Nextcloud servers and not absolutely from Nextcloud server to client and back to the other Nextcloud server. It is therefore also very practical if you want to quickly transfer data from one Nextcloud to another Nextcloud via Nextcloud functions as a normal user.

Configuring Federation Sharing

Federation and decentralization: at the core of Nextcloud Hub (Youtube)

In the end, the user himself has control over the data. Users could also manage their Nextcloud account with other Nextcloud hosters and share the content with you on a federated basis.

Please note that the two instances must be able to reach each other via the WebDAV protocol. This can be problematic behind a reverse proxy, for example.

This could be something! I will absolutely look into this. It might even be able to kill two stones with one bird. The big point of the limited users is to mostly give them, but sometimes get from them, files from the main system which they can access quickly, but have in one organizable location for perhaps years. I have been doing this by moving the files to their directories, then running OCC to update the database. These users neither need nor want to memorize pathways to get there or have to worry about extraneous settings/features/etc. I am willing to bet there might be a way to interact with this federated interface to “legitimately” upload files behind the scenes without a lot of pointy clicky stuff. Thanks!