Possibility of assigning "restricted" tags for non-admins

LimaTom · April 2, 2025, 7:22am

Dear Nextcloud Community,

I hope you are all doing well. I am new here and hope you can help me with a small problem. Using the WebDAV API, I have already automated some tasks, such as creating users and folders, including assigning folder permissions and tags.

Now, I am facing the challenge of allowing a user who is not part of the admin group to assign tags that are marked as “not visible.” Unfortunately, I have not been able to figure out how to achieve this. However, I do know that this is not currently possible via the Web GUI but should be achievable via the WebDAV API.

I also found this article, but unfortunately, I do not have full access to it since I am not part of the respective community:
https://portal.nextcloud.com/article/Collaboration/Managing-tags-by-group

My question to you is whether anyone has done something like this before and could help me grant such a “permission” via the WebDAV API. Perhaps I am using the wrong or a non-existent endpoint. Since I could not find much documentation, I am pretty much in the dark and just guessed.

Here is a simple script (with PROPPATCH and curl) I came up with, which might work in principle if I use the correct parameters:

<?php
$nextcloudUrl = 'https://your-nextcloud-url.com';
$username = 'admin-username';
$password = 'admin-password';

$userId = 'username';
$tagId = 1; // Example ID

$endpoint = $nextcloudUrl . '/remote.php/dav/systemtags/' . $tagId . '/assign';

$xmlBody = '<?xml version="1.0"?>
<d:propertyupdate xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
    <d:set>
        <d:prop>
            <oc:assign>
                <oc:user>' . $userId . '</oc:user>
            </oc:assign>
        </d:prop>
    </d:set>
</d:propertyupdate>';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PROPPATCH");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/xml"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, $xmlBody);

$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($httpCode == 207) {
    echo "Permission successfully granted.";
} else {
    echo "Error: HTTP Code $httpCode, Response: $response";
}
?>

Does anyone have an idea how to make this work? I appreciate any tips.

Best regards, tom

XueSheng-NC · April 2, 2025, 10:33am

You could double check with the examples provided at: Is there a way to add tags per client API?

Otherwise, occ could be an option:

github.com/nextcloud/server

Extend occ (tags) with commands to add and remove tags to/from files

offen 07:15PM - 06 Jun 22 UTC

noseshimself

enhancement 0. Needs triage feature: tags feature: occ

**Is your feature request related to a problem? Please describe.** I'm always f…rustrated when trying to deal with flags from a shell script. It's a major pain to deal with several curl lines when all I need would be an **Describe the solution you'd like** `occ tag:file:add file tag[,tag]` and `occ tag:file:remove file tag[,tag]` **Describe alternatives you've considered** It can be done with curl (and yes, I've read [https://help.nextcloud.com/t/is-there-a-way-to-add-tags-per-client-api/68849](https://help.nextcloud.com/t/is-there-a-way-to-add-tags-per-client-api/68849)) but that seems to be a bit over the top just because an administrator tries to clean up after a user. **Additional context** Add any other context or screenshots about the feature request here.

LimaTom · April 2, 2025, 12:07pm

Hello XueSheng-NC,

thank you for your response. Setting or removing tags on files and/or folders via the WebDAV API is not a problem. I have already implemented this. To do so, you need to know the folder or file ID as well as the corresponding tag ID. With this information, you can use the endpoint:

/remote.php/dav/systemtags-relations/files/$folderId/$tagId

This works perfectly for an admin account with all existing tags. However, for a non-admin user, it only works with tags that have been created as “public.”

“Administrative” tags that are set as “invisible” or “restricted” can, by default, only be assigned or removed by users who belong to the “admin group.”

From the documentation link (managing-tags-by-group) above, I understand that for “restricted” tags, I can grant a kind of “can-assign” permission to a specific group of users. However, I am unsure how exactly this can be done or which endpoint should be used for this purpose. But since I know that it could work, I definitely want to implement it.

LimaTom · April 10, 2025, 12:39pm

Does nobody have an idea?