File Sharing

Introduction

The sharing policy is configured on the Admin page in the "Sharing" section.

If you don’t see the sharing section, try disabling your AdBlock browser plugin.
It might also be related to another installed ad blocker in your browser.
If so, please disable the plugin and see if that resolves the situation.

ownCloud Sharing settings

From this section, ownCloud users can:

  • Share files with their ownCloud groups and other users on the same ownCloud server

  • Share files with ownCloud users on other ownCloud servers, for more details see Federated Cloud Sharing Configuration.

  • Create public link shares for people who are not ownCloud users.

You have control of a number of user permissions on file shares:

  • Allow users to share files

  • Allow users to create public link shares

    • Allow public uploads to public link shares

    • Enforce password protection on public link shares

    • Set default expiration date on public link shares

    • Allow users to send mail notification for shared files

    • Set the language used for public mail notification for shared files

    • Allow users to share file via social media

  • Automatically accept new incoming local user shares

  • Allow resharing

  • Default user and group share permissions

    • Restrict users to only share with users in their groups

    • Restrict users to only share with groups they are a member of

  • Allow email notifications of new public link shares

  • Exclude groups from creating shares

  • Allow username autocompletion in share dialog

    • Restrict enumeration to group members

    • Default user and group share permissions

  • Extra field to display in autocomplete results

ownCloud includes a Share Link Password Policy app.

Settings Explained

Allow apps to use the Share API

Check this option to enable users to share files. If this is not checked, no users can create file shares.

Check this option to enable creating public link shares for people who are not ownCloud users via hyperlink.

Allow public uploads

Check this option to allow anyone to upload files to public link shares.

Enforce password protection

Check this option to force users to set a password on all public link shares. This does not apply to local user and group shares.

Set default expiration date

Check this option to set a default expiration date on public link shares.

Allow users to send mail notification for shared files

Check this option to enable sending notifications from ownCloud. When clicked, the administrator can choose the language for public mail notifications for shared files.

Choose the language for public mail notifications for shared files in ownCloud.

What this means is that email notifications will be sent in the language of the user that shared an item. By default the language is the share owner’s language.

However, it can be changed to any of the currently available languages. It is also possible to change this setting on the command-line by using the occ config:app:set command, as in this example:

sudo -u www-data php occ \
    config:app:set core shareapi_public_notification_lang \
    --value '<language code>'
In the above example <language code> is an ISO 3166-1 alpha-2 two-letter country code, such as ru, gb, us, and au.
To use this functionality, your ownCloud server must be configured to send mail.

Allow users to share file via social media

Check this option to enable displaying of a set of links that allow for quickly sharing files and share links via Twitter, Facebook, Google+, Diaspora, and email.

ownCloud social media sharing links

Automatically accept new incoming local user shares

Disabling this option activates the "Pending Shares" feature. Users will be notified and have to accept new incoming user shares before they appear in the file list and are available for access giving them more control over their account. More information about pending shares can be found in the release notes.

Allow resharing

Check this option to enable users to re-share files shared with them.

Default user and group share permissions

Administrators can define the permissions for user/group shares that are set by default when users create new shares. As shares are created instantly after choosing the recipient, administrators can set the default to e.g. read-only to avoid creating shares with too many permissions unintentionally.

Restrict users to only share with users in their groups

When this option is enabled, users can only share with the users in the groups which they are a member of. They can still share with all groups of the instance but not with users that do not share a group. To restrict sharing with groups, the option "Restrict users to only share with groups they are member of" can be used.

This setting does not apply to the Federated Cloud sharing feature.
If Federated Cloud Sharing is enabled, users can still share items with any users on any instances (including the one they are on) via a remote share.

Restrict users to only share with groups they are a member of

When this option is enabled, users can only share with groups they are a member of. They can still share with all users of the instance but not with groups they are not a member of. To restrict sharing to users in groups the sharer is a member of the option "Restrict users to only share with users in their groups" can be used. More information about more granular sharing restrictions can be found in the release notes.

Allow users to send mail notification for shared files

Check this option to enable users to send an email notification to every ownCloud user that the file is shared with.

Exclude groups from sharing

Check this option to prevent members of specific groups from creating any file shares in those groups. When you check this, you’ll get a dropdown list of all your groups to choose from. Members of excluded groups can still receive shares, but not create any.

Allow username autocompletion in share dialog

Check this option to enable auto-completion of ownCloud usernames.

Restrict enumeration to group members

Check this option to restrict auto-completion of ownCloud usernames to only those users who are members of the same group(s) that the user is in.

Extra field to display in autocomplete results

The autocomplete dropdowns in ownCloud usually show the display name of other users when it is set. If it’s not set, they show the user ID / login name, as display names are not unique you can run into situations where you can’t distinguish the proposed users. This option enables to add mail addresses or user ID’s to make them distinguishable.

Blacklist Groups From Receiving Shares

Sometimes it’s necessary or desirable to block groups from receiving shares. For example, if a group has a significant number of users (> 5,000) or if it’s a system group, then it can be advisable to block it from receiving shares. In these cases, ownCloud administrators can blacklist one or more groups, so that they do not receive shares.

To blacklist one or more groups, via the Web UI, under "Admin → Settings → Sharing", add one or more groups to the "Files Sharing" list. As you type the group’s name, if it exists, it will appear in the drop down list, where you can select it.

Blacklisting groups

Transferring Files to Another User

You may transfer files from one user to another with occ. The command transfers either all or a limited set of files from one user to another. It also transfers the shares and metadata info associated with those files (shares, tags, and comments, etc). This is useful when you have to transfer a user’s files to another user before you delete them.

Trashbin contents are not transferred.

Here is an example of how to transfer all files from one user to another.

occ files:transfer-ownership <source-user> <destination-user>

Here is an example of how to transfer a limited group a single folder from one user to another. In it, folder/to/move, and any file and folder inside it will be moved to <destination-user>.

sudo -u www-data php occ files:transfer-ownership --path="folder/to/move" <source-user> <destination-user>

When using this command keep two things in mind:

  1. The directory provided to the --path switch must exist inside data/<source-user>/files.

  2. The directory (and its contents) won’t be moved as is between the users. It’ll be moved inside the destination user’s files directory, and placed in a directory which follows the format: transferred from <source-user> on <timestamp>. Using the example above, it will be stored under: data/<destination-user>/files/transferred from <source-user> on 20170426_124510/

See the occ command, for a complete occ command reference.)

Creating Persistent File Shares

When a user is deleted, their files are also deleted. As you can imagine, this is a problem if they created file shares that need to be preserved, because these disappear as well. In ownCloud files are tied to their owners, so whatever happens to the file owner also happens to the files.

One solution is to create persistent shares for your users. You can retain ownership of them, or you could create a special user for the purpose of establishing permanent file shares. Simply create a shared folder in the usual way, and share it with the users or groups who need to use it. Set the appropriate permissions on it, and then no matter which users come and go, the file shares will remain. Because all files added to the share, or edited in it, automatically become owned by the owner of the share regardless of who adds or edits them.

Create Shares Programmatically

If you need to create new shares using command-line scripts, there are two available option.

occ files_external:create

This command provides for the creation of both personal (for a specific user) and general shares. The command’s configuration options can be provided either as individual arguments or collectively, as a JSON object. For more information about the command, refer to the the occ files-external documentation.

Personal Share

sudo -u www-data php occ files_external:create /my_share_name windows_network_drive \
    password::logincredentials \
    --config={host=127.0.0.1, share='home', root='$user', domain='owncloud.local'} \
    --user someuser
sudo -u www-data php occ files_external:create /my_share_name windows_network_drive \
    password::logincredentials \
    --config host=127.0.0.1 \
    --config share='home' \
    --config root='$user' \
    --config domain='somedomain.local' \
    --user someuser

General Share

sudo -u www-data php occ files_external:create /my_share_name windows_network_drive \
    password::logincredentials \
    --config={host=127.0.0.1, share='home', root='$user', domain='owncloud.local'}
sudo -u www-data php occ files_external:create /my_share_name windows_network_drive \
    password::logincredentials \
    --config host=127.0.0.1 \
    --config share='home' \
    --config root='$user' \
    --config domain='somedomain.local'

occ files_external:import

You can create general and personal shares passing the configuration details via JSON files, using the occ files_external:import command.

General Share

sudo -u www-data php occ files_external:import /import.json

Personal Share

sudo -u www-data php occ files_external:import /import.json --user someuser

In the two examples above, here is a sample JSON file, showing all of the available configuration options that the command supports.

{
    "mount_point": "\/my_share_name",
    "storage": "OCA\\windows_network_drive\\lib\\WND",
    "authentication_type": "password::logincredentials",
    "configuration": {
        "host": "127.0.0.1",
        "share": "home",
        "root": "$user",
        "domain": "owncloud.local"
    },
    "options": {
        "enable_sharing": false
    },
    "applicable_users": [],
    "applicable_groups": []
}

Share Permissions

Permissions Masks

READ

1

UPDATE

2 ("can update" in web UI)

CREATE

4 ("can create" in web UI)

DELETE

8 ("can delete" in web UI)

SHARE

16 ("can reshare" in web UI)

File Operations Shorthand for the Later Table

Operation Description

download

download/read/get a file or display a folder contents

upload

a new file can be uploaded/created (file target does not exist)

upload_overwrite

a file can overwrite an existing one

rename

rename file to new name, all within the shared folder

move_in

move a file from outside the shared folder into the shared folder

move_in_overwrite

move a file from outside the shared folder and overwrite a file inside the shared folder.

SabreDAV automatically deletes the target file first before moving, so requires DELETE permission too.

move_in_subdir

move a file already in the shared folder into a subdir within the shared folder

move_in_subdir_overwrite

move a file already in the shared folder into a subdir within the shared folder and overwrite an existing file there

move_out

move a file to outside of the shared folder

move_out_subdir

move a file out of a subdir of the shared folder into the shared folder

copy_in

copy a file from outside the shared folder into the shared folder

copy_in_overwrite

copy a file from outside the shared folder and overwrite a file inside the shared folder

SabreDAV automatically deletes the target file first before copying, so requires DELETE permission too.

delete

delete a file inside the shared folder

mkdir

create folder inside the shared folder

rmdir

delete folder inside the shared folder

The following lists what operations are allowed for the different permission combinations (share permission is omitted as it is not relevant to file operations):

Operation(s) Permission Combinations

READ (aka read-only)

  • download

READ + CREATE

  • download

  • upload

  • move_in

  • copy_in

  • mkdir

READ + UPDATE

  • download

  • upload_overwrite

  • rename

READ + DELETE

  • download

  • move_out

  • delete

  • rmdir

READ + CREATE + UPDATE

  • download

  • upload

  • upload_overwrite

  • rename

  • move_in

  • copy_in

  • mkdir

READ + CREATE + DELETE

  • download

  • upload

  • move_in

  • move_in_overwrite

  • move_in_subdir

  • move_in_subdir_overwrite

  • move_out

  • move_out_subdir

  • copy_in

  • copy_in_overwrite

  • delete

  • mkdir

  • rmdir

READ + UPDATE + DELETE

  • download

  • upload_overwrite

  • rename

  • move_out

  • delete

  • rmdir

READ + CREATE + UPDATE + DELETE (all permissions)

  • download

  • upload

  • upload_overwrite

  • rename

  • move_in

  • move_in_overwrite

  • move_in_subdir

  • move_in_subdir_overwrite

  • move_out

  • move_out_subdir

  • copy_in

  • copy_in_overwrite

  • delete

  • mkdir

  • rmdir