ONLYOFFICE Docs v7.3 released: enhanced forms, SmartArt, new security settings, Watch Window, and more
ONLYOFFICE Docs v7.3 released

Incorrect(?) folder permission for user in two groups

Docs
#1

Hello,

I am administrating an OnlyOffice installation via the cloud portal (onlyoffice.eu) for a non-profit association (OnlyOffice Version 12.1.1.16)

I have a user that is member of two groups (“g1” and “g2”) and a folder that provides read-access to members of “g1”, and write-access to members of “g2”. Because she is a member of “g2”, I expected my user to have write access to the folder. However, it turns out she only has read access. I believe this is an error/bug

thanks,
Joost

#3

Hello @grsjst
Thank you for your description. We are checking the situation.

#4

Hello @grsjst
We have checked mentioned situation. The described scenario is expected behavior, Read Only access rights have the higher priority than Full Access access rights. We have a description here:
https://helpcenter.onlyoffice.com/userguides/groups-tipstricks-documents-folder-permissions.aspx

#5

Dear Alexandre

Thanks much for the response, and the pointer. The observed behavior is indeed documented. However, other permission frameworks (e.g. Unix) implement a different logic (i.e. they take the union of access rights, and use apply the most permissive). This allows dealing with access rights in a hierarchical manner, which many consider useful.

For example, a user (a director) that is member the group “Board of Directors” is also a member of the group “Members”. The “Board of Directors” have edit rights to a folder, while “Members” are allowed to view it. In the current setup, my user (a director) is treated as a “Member” (i.e. she doesn’t have edit rights), which I find counter intuitive. I do know I can override the access on an individual basis, but I’d like to have this work generally.

thanks,
Joost

#6

I understand your suggestion and noted it. Probably we will rework this logic of work in the future.
Sorry for inconvenience.

#7

Thank much Alexandre.

Any indication you can give of when this can land in the production version?

Thanks,

j

#8

Hello @grsjst
I will update this thread when we have something to share. We must discuss your suggestion internally first.
Update: we have been speaking internally and we decided to keep current behavior as is. We believe that current behavior is better in cases when file\folder owner can provide permissive access by mistake.
Anyway, we noted your suggestion. If we change current behavior, we will get back to your suggestion to discuss it again.
Sorry for inconvenience.