Incorrect(?) folder permission for user in two groups

grsjst · 6 January 2023 10:53

Hello,

I am administrating an OnlyOffice installation via the cloud portal (onlyoffice.eu) for a non-profit association (OnlyOffice Version 12.1.1.16)

I have a user that is member of two groups (“g1” and “g2”) and a folder that provides read-access to members of “g1”, and write-access to members of “g2”. Because she is a member of “g2”, I expected my user to have write access to the folder. However, it turns out she only has read access. I believe this is an error/bug

thanks,
Joost

Alexandre · 7 January 2023 12:59

Hello @grsjst
Thank you for your description. We are checking the situation.

Alexandre · 9 January 2023 10:39

Hello @grsjst
We have checked mentioned situation. The described scenario is expected behavior, Read Only access rights have the higher priority than Full Access access rights. We have a description here:
https://helpcenter.onlyoffice.com/userguides/groups-tipstricks-documents-folder-permissions.aspx

grsjst · 13 January 2023 09:45

Dear Alexandre

Thanks much for the response, and the pointer. The observed behavior is indeed documented. However, other permission frameworks (e.g. Unix) implement a different logic (i.e. they take the union of access rights, and use apply the most permissive). This allows dealing with access rights in a hierarchical manner, which many consider useful.

For example, a user (a director) that is member the group “Board of Directors” is also a member of the group “Members”. The “Board of Directors” have edit rights to a folder, while “Members” are allowed to view it. In the current setup, my user (a director) is treated as a “Member” (i.e. she doesn’t have edit rights), which I find counter intuitive. I do know I can override the access on an individual basis, but I’d like to have this work generally.

thanks,
Joost

Alexandre · 16 January 2023 08:10

I understand your suggestion and noted it. Probably we will rework this logic of work in the future.
Sorry for inconvenience.

grsjst · 17 January 2023 11:41

Thank much Alexandre.

Any indication you can give of when this can land in the production version?

Thanks,

j

Alexandre · 18 January 2023 12:58

Hello @grsjst
I will update this thread when we have something to share. We must discuss your suggestion internally first.
Update: we have been speaking internally and we decided to keep current behavior as is. We believe that current behavior is better in cases when file\folder owner can provide permissive access by mistake.
Anyway, we noted your suggestion. If we change current behavior, we will get back to your suggestion to discuss it again.
Sorry for inconvenience.