File Sharing

Introduction

This section describes how to set general configuration rules for sharing files.

General Notes

The sharing policy is configured at Settings  Admin  Sharing.

If you don’t see the sharing section:

  • Check if you have installed an AdBlock browser plugin.

If so, disable the plugin and recheck.

ownCloud Sharing settings

From this section, ownCloud users can:

  • Share files with their ownCloud groups and other users on the same ownCloud server

  • Share files with ownCloud users on other ownCloud servers, for more details see Federated Cloud Sharing Configuration.

  • Create public link shares for people who are not ownCloud users.

You have control of a number of user permissions on file shares:

  • Allow users to share files

  • Allow users to create public link shares

    • Allow public uploads to public link shares

    • Enforce password protection on public link shares

    • Set default expiration date on public link shares

    • Allow users to send mail notification for shared files

    • Set the language used for public mail notification for shared files

    • Allow users to share file via social media

  • Set default expiration date for user shares

    • Set the number of days to expire after

    • Enforce as maximum expiration date

  • Set default expiration date for group shares

    • Set the number of days to expire after

    • Enforce as maximum expiration date

  • Set default expiration date for remote shares

    • Set the number of days to expire after

    • Enforce as maximum expiration date

  • Automatically accept new incoming local user shares

  • Allow resharing

  • Allow sharing with groups

  • Restrict users to only share with users in their groups

  • Restrict users to only share with groups they are a member of

  • Allow users to send mail notification for shared files to other users

  • Exclude groups from creating shares

  • Allow username autocompletion in share dialog

    • Restrict enumeration to group members

  • Default user and group share permissions

  • Extra field to display in autocomplete results

ownCloud includes a Share Link Password Policy app.

Settings Explained

Allow apps to use the Share API

Check this option to enable users to share files. If this is not checked, no users can create file shares.

Check this option to enable creating public link shares for people who are not ownCloud users via hyperlink.

Allow public uploads

Check this option to allow anyone to upload files to public link shares.

Check these options to force users to set a password on public link shares. Passwords can be enforced on any or all of read-only, read-write, read-write-delete and upload-only (File Drop) public link shares. This does not apply to local user and group shares.

Check this option to set a default expiration date on public link shares. Check Enforce as maximum expiration date to limit the maximum expiration date to be the default. Users can choose an earlier expiration date if they wish.

Allow users to send mail notification for shared files

Check this option to enable sending notifications from ownCloud. When clicked, the administrator can choose the language for public mail notifications for shared files.

Choose the language for public mail notifications for shared files in ownCloud.

What this means is, that email notifications will be sent in the language of the user that shared an item. By default the language is the share owner’s language.

However, it can be changed to any of the currently available languages. It is also possible to change this setting on the command-line by using the occ config:app:set command, as in this example:

sudo -u www-data ./occ \
    config:app:set \
    core \
    shareapi_public_notification_lang \
    --value '<language code>'
In the example above, the <language code> is an ISO 3166-1 alpha-2 two-letter country code, such as de, gb, us, es or others.
To use this functionality, your ownCloud server must be configured to send mail.

Allow users to share file via social media

Check this option to enable displaying of a set of links that allow for quickly sharing files and share links via Twitter, Facebook, Google+, Diaspora, and email.

ownCloud social media sharing links

Set default expiration date for user shares

Check this option to set a default expiration date when sharing with another user. The user can change or remove the default expiration date of a share.

Set the number of days to expire after

Set the default number of days that user shares will expire. The default value is 7 days.

Enforce as maximum expiration date

Check this option to limit the maximum expiration date to be the default. Users can choose an earlier expiration date if they wish.

Set default expiration date for group shares

Check this option to set a default expiration date when sharing with a group. The user can change or remove the default expiration date of a share.

Set the number of days to expire after

Set the default number of days that group shares will expire. The default value is 7 days.

Enforce as maximum expiration date

Check this option to limit the maximum expiration date to be the default. Users can choose an earlier expiration date if they wish.

Set default expiration date for remote shares

Check this option to set a default expiration date when sharing with a remote user. The user can change or remove the default expiration date of a share.

Set the number of days to expire after

Set the default number of days that remote shares will expire. The default value is 7 days.

Enforce as maximum expiration date

Check this option to limit the maximum expiration date to be the default. Users can choose an earlier expiration date if they wish.

Automatically accept new incoming local user shares

Disabling this option activates the "Pending Shares" feature. Users will be notified and have to accept new incoming user shares before they appear in the file list and are available for access giving them more control over their account. More information about pending shares can be found in the release notes.

Allow resharing

Check this option to enable users to re-share files shared with them.

Allow sharing with groups

Check this option to enable users to share with groups.

Default user and group share permissions

Administrators can define the permissions for user/group shares that are set by default when users create new shares. As shares are created instantly after choosing the recipient, administrators can set the default to e.g. read-only to avoid creating shares with too many permissions unintentionally.

Restrict users to only share with users in their groups

Check this option to confine sharing within group memberships.

This setting does not apply to the Federated Cloud sharing feature. If Federated Cloud Sharing is enabled, users can still share items with any users on any instances (including the one they are on) via a remote share.

Restrict users to only share with groups they are a member of

When this option is enabled, users can only share with groups they are a member of. They can still share with all users of the instance but not with groups they are not a member of. To restrict sharing to users in groups the sharer is a member of, the option Restrict users to only share with users in their groups can be used. More information about granular sharing restrictions can be found in the release notes.

Allow users to send mail notification for shared files to other users

Check this option to enable users to send an email notification to every ownCloud user that the file is shared with.

Exclude groups from sharing

Check this option to prevent members of specific groups from creating any file shares. When you check this, you will get a dropdown list of all your groups to choose from. Members of excluded groups can still receive shares, but not create any.

Allow username autocompletion in share dialog

Check this option to enable auto-completion of ownCloud usernames.

Restrict enumeration to group members

Check this option to restrict auto-completion of ownCloud usernames to only those users who are members of the same group(s) that the user is in.

Extra field to display in autocomplete results

The autocomplete dropdowns in ownCloud usually show the display name of other users when it is set. If it’s not set, they show the user ID / login name, as display names are not unique you can run into situations where you cannot distinguish the proposed users. This option enables to add mail addresses or user ID’s to make them distinguishable.

Blacklist Groups From Receiving Shares

Sometimes it is necessary or desirable to block groups from receiving shares. For example, if a group has a significant number of users (> 5,000) or if it is a system group, it can be advisable to block it from receiving shares. In these cases, ownCloud administrators can blacklist one or more groups so that they cannot receive shares.

To blacklist one or more groups via the Web UI, under Settings  Admin  Sharing, add one or more groups to the Files Sharing list. As you type the group’s name, if it exists, it will appear in the drop-down list where you can select it.

Blacklisting groups

Transferring Files to Another User

You may transfer files from one user to another with occ. The command transfers either all or a limited set of files from one user to another. It also transfers the outgoing shares and metadata info associated with those files (shares, tags, and comments, etc). Incoming shares are not moved, as the sharing user holds the ownership of the respective files. This is useful when you have to transfer a user’s files to another user before you delete them.

Trashbin contents are not transferred.

Here is an example of how to transfer all files from one user to another.

sudo -u www-data ./occ files:transfer-ownership \
  <source-user> \
  <destination-user>

Here is an example of how to transfer a limited group a single folder from one user to another. In it, folder/to/move, and any file and folder inside it will be moved to <destination-user>.

sudo -u www-data ./occ files:transfer-ownership \
  --path="folder/to/move" \
  <source-user> \
  <destination-user>

When using this command keep two things in mind:

  1. The directory provided to the --path switch must exist inside data/<source-user>/files.

  2. The directory (and its contents) won’t be moved as is between the users. It will be moved inside the destination user’s files directory, and placed in a directory which follows the format: transferred from <source-user> on <timestamp>. Using the example above, it will be stored under: data/<destination-user>/files/transferred from <source-user> on 20170426_124510/

See the occ command reference, for a complete list of occ commands.
If an exception occurred during the transfer ownership command or the command terminated prematurely, it is advised to run following command for the source and target user: 
sudo -u www-data ./occ files:troubleshoot-transfer-ownership --uid <uid>`

Creating Persistent File Shares

When a user is deleted, their files are also deleted. As you can imagine, this is a problem if they created file shares that need to be preserved, because these disappear as well. In ownCloud, files are tied to their owners. This means, whatever happens to the file owner also happens to the files.

One solution to get around this issueis, to create persistent shares for your users. You can retain ownership of them, or you could create a special user for the purpose of establishing permanent file shares. Simply create a shared folder in the usual way, and share it with the users or groups who need to use it. Set the appropriate permissions on it and the share is independent which users come and go, the file shares will remain. Because all files added to the share or edited in it are automatically owned by the owner of the share regardless of who adds or edits them.

Create Shares Programmatically

If you need to create new shares using command-line scripts, there are two available option.

occ files_external:create

This command provides for the creation of both personal (for a specific user) and general shares. The command’s configuration options can be provided either as individual arguments or collectively, as a JSON object. For more information about the command, refer to the occ files-external documentation.

Personal Share

sudo -u www-data ./occ files_external:create \
    /my_share_name windows_network_drive \
    password::logincredentials \
    --config={host=127.0.0.1, share='home', root='$user', domain='owncloud.local'} \
    --user someuser

or

sudo -u www-data ./occ files_external:create \
    /my_share_name windows_network_drive \
    password::logincredentials \
    --config host=127.0.0.1 \
    --config share='home' \
    --config root='$user' \
    --config domain='somedomain.local' \
    --user someuser

General Share

sudo -u www-data ./occ files_external:create \
    /my_share_name windows_network_drive \
    password::logincredentials \
    --config={host=127.0.0.1, share='home', root='$user', domain='owncloud.local'}

or

sudo -u www-data ./occ files_external:create \
    /my_share_name windows_network_drive \
    password::logincredentials \
    --config host=127.0.0.1 \
    --config share='home' \
    --config root='$user' \
    --config domain='somedomain.local'

occ files_external:import

You can create general and personal shares passing the configuration details via JSON files, using the occ files_external:import command.

General Share

sudo -u www-data ./occ files_external:import \
    /import.json

Personal Share

sudo -u www-data ./occ files_external:import \
    /import.json --user someuser

In the two examples above, here is a sample JSON file, showing all of the available configuration options that the command supports.

{
    "mount_point": "\/my_share_name",
    "storage": "OCA\\windows_network_drive\\lib\\WND",
    "authentication_type": "password::logincredentials",
    "configuration": {
        "host": "127.0.0.1",
        "share": "home",
        "root": "$user",
        "domain": "owncloud.local"
    },
    "options": {
        "enable_sharing": false
    },
    "applicable_users": [],
    "applicable_groups": []
}

Share Permissions

Permissions Masks

Permission Value web UI Value

READ

1

UPDATE

2

can update

CREATE

4

can create

DELETE

8

can delete

SHARE

16

can reshare

File Operations Shorthand for the Later Table

Operation Description

download

Download/read/get a file or display a folder’s contents.

upload

A new file can be uploaded/created (file target does not exist).

upload_overwrite

A file can overwrite an existing one.

rename

Rename file to new name, all within the shared folder.

move_in

Move a file from outside the shared folder into the shared folder.

move_in_overwrite

Move a file from outside the shared folder and overwrite a file inside the shared folder.

SabreDAV automatically deletes the target file first before moving, so requires DELETE permission too.

move_in_subdir

Move a file already in the shared folder into a subdirectory within the shared folder.

move_in_subdir_overwrite

Move a file already in the shared folder into a subdirectory within the shared folder and overwrite an existing file there.

move_out

Move a file to outside of the shared folder.

move_out_subdir

Move a file out of a subdirectory of the shared folder into the shared folder.

copy_in

Copy a file from outside the shared folder into the shared folder.

copy_in_overwrite

Copy a file from outside the shared folder and overwrite a file inside the shared folder.

SabreDAV automatically deletes the target file first before copying, so requires DELETE permission too.

delete

Delete a file inside the shared folder.

mkdir

Create a folder inside the shared folder.

rmdir

Delete folder inside the shared folder

The following lists what operations are allowed for the different permission combinations (share permission is omitted as it is not relevant to file operations):

Operation(s) Permission Combinations

READ (aka read-only)

  • download

READ +
CREATE

  • download

  • upload

  • move_in

  • copy_in

  • mkdir

READ +
UPDATE

  • download

  • upload_overwrite

  • rename

READ +
DELETE

  • download

  • move_out

  • delete

  • rmdir

READ +
CREATE +
UPDATE

  • download

  • upload

  • upload_overwrite

  • rename

  • move_in

  • copy_in

  • mkdir

READ +
CREATE +
DELETE

  • download

  • upload

  • move_in

  • move_in_overwrite

  • move_in_subdir

  • move_in_subdir_overwrite

  • move_out

  • move_out_subdir

  • copy_in

  • copy_in_overwrite

  • delete

  • mkdir

  • rmdir

READ +
UPDATE +
DELETE

  • download

  • upload_overwrite

  • rename

  • move_out

  • delete

  • rmdir

READ +
CREATE +
UPDATE +
DELETE (all permissions)

  • download

  • upload

  • upload_overwrite

  • rename

  • move_in

  • move_in_overwrite

  • move_in_subdir

  • move_in_subdir_overwrite

  • move_out

  • move_out_subdir

  • copy_in

  • copy_in_overwrite

  • delete

  • mkdir

  • rmdir