Prevent Download from Public Link and only Allow Drop file

Dear All,

we are using Latest Nextcloud.
seek your help on below Query:

Set global policy to Prevent Download file or Data from Public Link and only allow File Drop feature.

this is due to Security issue where no one should allow to share Public Link to outside and get data downloaded.

Any help on this please.

Thank You so much.

I think it makes less sense. The user can copy data to another cloud or share with email. Sharing is a central nextcloud feature. For only upload/download use better tools like “Jirafeau” or “FileShelter”.

But perhaps you can limit nextcloud to 0 KB, use group-folder and special access. Sorry, not tested.

Thank you so much, i am sorry i did not get how we can achieve by group folder. As requested. When we enable “Allow user to share via Link” option, unfortunately by default anyone can share date to outside and download. So download is by default intact with this option. However I am looking only to enable “ Allow public upload” where non nextcloud user will get only link to upload and there is no download option .

Ok. Perhaps the admin can share a folder (read-only) with the internal users and also share the folder with file-drop (upload-only). Now your users can upload with public share, read with internal share but not re-share. Also i think you must set quota for all users (not admin) to 0 KB.

I use different public shares (upload-only, read-only, read-and-write) with short urls so i must not login for different nextcloud actions on this folder. :wink:

Thank you so much for your quick revert.
unfortunately i am not very familiar with all interface. how to control and restrict other users not to use “Allow user to share via Link” feature, because if i enable this, anyone can create public Link and share with anyone to download internal Data from outside, which i want to block.

i wish there was option to enable this feature for certain user or group :slight_smile:

could you please help me to acheive this by your method

Found for you:

“Exclude groups from sharing”

“Check Exclude groups from sharing to prevent members of specific groups from creating any file shares in those groups. When you check this, you’ll get a dropdown list of all your groups to choose from. Members of excluded groups can still receive shares, but not create any.”

Thank you so much, but this will stop them sharing internally as well ? correct me if i am wrong

Sorry, not tested.

If yes put all data in group folder and then the other user can access without additional share.

What you can do is URL filtering in front of your Nextcloud. Here, I have a pfSense firewall and its HAProxy on the first line. They do the SSL work, so HAProxy can do URL filtering if needed.

What you can do is to filter out requests for URLs starting with /s/. These are the URLs for public download. Should you wish to use one for an upload only folder, you just need to whitelist that URL and every other one will be blocker.

But again, what would prevent your users from downloading a local copy of the file and sending it to Dropbox or attaching it to an e-mail ?

Thank you so much but i see \s\ is for upload also.
If we filter this out, upload also will block. Could you please explain how to get this achieve.
For your last query, external drive and other email gateway is being monitor and filtered out by Websense Data protection where we can not integrate nextcloud with Websense.
You given option may be working but i request your help in detail.

Thank you so much.

Do you deny all other websites? If not it makes no sense. Every http request is also an uplad. Do you deny all webmailer and all private domains?

we filter category based, like social media, public mailing site, personnel network storage and backup" and many more etc.

my object is only to allow public link share for certain users not to everyone so that no one can share their internal data with outside people.

unfortunately there is no ACL as well in nextcloud for this.

problem is, how to force users not to share data to download from outside… however if they want to send link to upload from outside, that is OK.

I think you must teach your users.

Sorry i do not know a possibility to differ between internal and external users. Perhaps you can open an issue at

Hi again,

Sorry for the long delay… I have been more than busy these last months…

So in a reverse proxy like HAProxy, you create filtering rules like these ones :
–/s/known_upload_link_no1 ; ALLOWED
–/s/known_upload_link_no2 ; ALLOWED
–/s/approved_download_link_A ; ALLOWED
–/s/* ; DENY

That way, what you need will go through and everything else will be dropped.

You have the files accesscontrol app (, where you can prevent certain things based on IP ranges.

Or if you have one exposed Nextcloud setup to public, where you set very strict default so nobody can share data but receive them and then shared the stuff internally via federated sharing. Perhaps this can help if the internal Nextcloud is less limited (but without external access at all).

For the sharing app, there are several options to restrict certain types of sharing, you could check the code and try to implement a solution that only allows the file drop.