On all the serve remotes, it would be good to be able to control the permission levels of users based on the realm. I have remotes (specifically webdav in my use case but FTP itself could benefit) that I’d like to hand to a few people but the issue currently is they will have access to not only access the data but delete it. My proposal is the default is the normal read/write but based on a few flags and the realm in the passwd files we can control the methods allowed to be executed.
Something like (default is always ALL)
--realms=READREALM:GET,PROPFIND,HEAD;WRITEREALM:ALL
This could be simplified also to just read write instead of defining the actual methods like:
--realms=READREALM:RO,WRITEREALM:RW
If we didn’t want to use realm to control this, then we could also just flag the users like this but this is a bit cumbersome as you’d have to marry those user names to the password file when rclone is started. Using the realm, it would become dynamic.
--ro_users=user1,user2 --rw_users=user3,user4
Without this, I’m currently forced to run multiple rclone instances on different ports specifying the ‘read-only’ flag in the remote itself and directing the different users to the different ports.
Ah yes. I was looking at my nginx password files rather than rclone which is using basic. That tosses realm out unless rclone is moved to digest and we’d be stuck with a more cumbersome approach of:
--ro_users=user1,user2 --rw_users=user3,user4
which would then need to match the users in the basic password file. Any thoughts on moving to digest? Nothing like scope creep.
Unless multiple password files are defined by realm.
--htpasswd=READREALM:/my/.passwordread;WRITEREALM:/my/.passwordwrite;
--realms=READREALM:RO,WRITEREALM:RW
Funny I was just looking at that. It is. It is quite capable of this as a workaround. Still would be nice to have rclone have basic control of RO and RW functions especially in a DAVS/FTP serve.
I should have said "I think it is". I’m not 100% sure yet if it will work by restricting certain methods by login. I might be able to proxy to different ports based on the user though which will at least give the users a front-end on the same port but still requires two rclones to proxy to (one read and one read/write).
Might have to ask this there. I’d be happy with at least a single port with two backend rclones. Would be better to be able to simply restrict users by method though. We’ll see.
Can you write up a new issue on GitHub and I’ll take a look at it over the holiday season! I’m not 100% sure that it will be easy to implement but it deserves more investigation.
Do you think the permissions should be finer diced than just read-only and full?
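The per-user RO/RW restriction requested in this thread, sketched as an HTTP wrapper. This is an added example, not rclone code and not written by any poster; `Allowed`, `RestrictMethods`, `StatusFor`, the `userLevel` table and the inclusion of OPTIONS in the read-only set are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Methods an RO user may send: the thread's GET, PROPFIND, HEAD, plus OPTIONS (assumption).
var readOnly = map[string]bool{"GET": true, "HEAD": true, "PROPFIND": true, "OPTIONS": true}

// Constructed sample mapping of user name to level, as --ro_users/--rw_users would supply.
var userLevel = map[string]string{"user1": "RO", "user3": "RW"}

// Allowed fails closed: a user with no known level gets nothing.
func Allowed(level, method string) bool {
	switch level {
	case "RW":
		return true
	case "RO":
		return readOnly[method]
	}
	return false
}

// RestrictMethods only authorizes; password checking is assumed to happen in an outer handler.
// Missing credentials yield an empty user name, which has no level and is therefore denied.
func RestrictMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, _, _ := r.BasicAuth()
		if !Allowed(userLevel[user], r.Method) {
			http.Error(w, fmt.Sprintf("%s not permitted for %q", r.Method, user), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one request through the wrapper in front of a stub backend.
func StatusFor(user, method string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) })
	req := httptest.NewRequest(method, "/file.txt", nil)
	req.SetBasicAuth(user, "placeholder")
	rec := httptest.NewRecorder()
	RestrictMethods(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(StatusFor("user1", "DELETE"), StatusFor("user3", "DELETE")) }
```

With an allow-list like this, WebDAV write methods such as PUT, DELETE, MKCOL and MOVE are refused for RO users without the list having to enumerate them.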