Write only folder (but not upload zone): flow or Group with ACL folder?

Dear community,

we are an international NGO, and we plan to introduce the Thunderbird filelink addon for Nextcloud to save space on our mailserver. Attachments/filelinks should always be available, therefore we cannot use the individual accounts (e.g. if somebody leaves our org, the filelinks at the recipient side would stop working).

To facilitate management, we think of using one generic user to hold all attachments/filelinks, so we don’t have to duplicate the amount of users (and also easily delete ancient attachments over time). We plan to use separate device passwords for each filelink setup in Thunderbird, and also protect this generic user with TOTP which we evidently don’t share.

However, the app password would be available in users’ Thunderbird, and they could use it to access all email attachments through WebDAV (e.g. Windows network drive mapping), which evidently is a big problem.

So we are looking for something like a “write only” + share only folder.

The filelink addon for Thunderbird basically works like this:

  1. log in to a NC account with username + (app) password
  2. upload the attachment to a specified folder on NC
  3. share this file via link
  4. add this link to the email composer

So the “upload zone” shared link won’t work.

But can we achieve something similar like this?
User A: shares folder X to User B in “write only” mode, and allows sharing (e.g. via Flow, or group folders ACL)
User B: is the one we are using in the filelink setup in Thunderbird. It can upload files to folder X, but cannot read files already uploaded (if the filenames would be visible, that would be fine, but the content shouldn’t be able to be read).

User A: is used by admins to clean up

Hi all,

I can answer my own question. In short: it’s not easily possible.

  1. Group folders: if you don’t give read permissions, you cannot upload (as the read permissions are on the folder, not on the file).

  2. Workflow scripts: Admin shares a folder to userX. Admin has a flow-script to move any newly uploaded file to another folder to which userX doesn’t have access. However, for fine-grained control, we would still need to add an app-password for each staff, so I think we will just use multiple users instead. To globally manage filelink uploads of all staff (e.g. delete all uploads older than 5 years), it’s best to use a folder which was shared by the admin user.