Folder structure permission default allow traverse when file access granted on sub-folder


In “Common Documents”, let’s say I create the following folder structure:

  • FolderA
    • FolderA1
    • FolderA2

If I set FolderA to “Deny All”, then allow access to a file in a sub-folder under FolderA, to a different user, eg. robert.sales, the only way to access the file is via link.

I strongly believe the right behavior should be ( or at least there should be an option to allow this behavior ( default in windows SMB ACL )), to make OnlyOffice allow robert.sales to view the folder sctructure, without showing him the other files/folders with default deny access. eg:

I create a sales.xlsx in FolderA/FolderA1, then add full access to robert.sales:
robert.sales will not see FolderA/FolderA2 nor the documents inside FolderA.
BUT he will see FolderA/FolderA1/sales.xlsx and be able to edit it.

A description of the feature in Windows filesystem/ACLs:
“The Traverse Folder permission is used to allow or deny permission to move through a restricted folder in order to reach the files or folders that are beneath the restricted folder in the hierarchy”

Everyone I know, who are evaluating OO Workspace ATM, had the same question.

Workspace Community 12.5, Docs 7.4

Also, as a complement, in “Common”, default access setting for Everyone should be “Deny access”, or “Everyone” should be removed from the default access list.

I believe, changing Everyone’s default access to “Deny access” is a better approach to avoid breaking things

Hi @msilveira

Community server has the following hierarchy of files:
Folder permissions hierarchy

I will convey your wishes to my colleagues, and I will update this thread when we have something to share.

Hey @msilveira

We have a bug where the user cannot see a file in a folder to which they don’t have access (as you mentioned).

If we apply a filter by type “Documents” - the hidden document will be displayed.
Additionally, if you grant individual permissions to the user for that file, they will be able to find it in the “Shared with me” section by its name.

Unfortunately, there are no plans to change the logic in the community server at the moment.