IntraVox uses Nextcloud's native GroupFolder permissions for authorization. This means that access control is managed entirely through Nextcloud's existing permission system - no separate permission configuration is needed in IntraVox.
+------------------------------------------------------------------+
| Nextcloud Server |
| +--------------------------------------------------------------+ |
| | GroupFolders App | |
| | +----------------------------------------------------------+ |
| | | IntraVox GroupFolder | |
| | | +--------------------+ +--------------------+ | |
| | | | Group Permissions | | ACL Rules | | |
| | | | (Base Access) | | (Fine-grained) | | |
| | | +--------------------+ +--------------------+ | |
| | +----------------------------------------------------------+ |
| +--------------------------------------------------------------+ |
| | |
| v |
| +--------------------------------------------------------------+ |
| | IntraVox App | |
| | PermissionService reads permissions | |
| | and enforces them on all operations | |
| +--------------------------------------------------------------+ |
+------------------------------------------------------------------+
IntraVox respects the standard Nextcloud permission bits:
| Permission | Bit | Description |
|---|---|---|
| Read | 1 | View pages and content |
| Update | 2 | Edit existing pages |
| Create | 4 | Create new pages |
| Delete | 8 | Delete pages |
| Share | 16 | Required for RSS feed access (public endpoints require Read + Share) |
When a group is added to the IntraVox GroupFolder, all members of that group receive the configured base permissions. This is the first layer of access control.
Example:
- Group "Employees" has Read permission on IntraVox folder
- Group "Editors" has Read + Write + Create permission
- Group "Admins" has All permissions
If the GroupFolders ACL feature is enabled, administrators can set more specific permissions on subfolders. ACL rules override base permissions for specific paths.
Example:
/en/departments/hr- HR group has full access, others read-only/en/departments/sales- Sales group has full access, others read-only
Permissions are inherited from parent to child folders:
- A child folder cannot have more permissions than its parent
- ACL rules on parent folders affect all children
- More specific rules (deeper paths) override less specific rules
- Go to Nextcloud Admin → GroupFolders
- Create a folder named "IntraVox"
- Add groups that should have access
For each group, set the appropriate permission level:
| Group | Recommended Permissions | Created automatically? |
|---|---|---|
| IntraVox Users | Read, Share | Yes |
| IntraVox Editors | Read, Write, Create | Yes |
| IntraVox Admins | All | Yes |
| Custom groups (e.g. Department Managers) | Read, Write, Create, Delete, Share | No — add manually |
Why Share? The RSS feed is a public endpoint (no user session). GroupFolders requires both Read and Share permissions for folders to be visible in public requests. Without Share, user feeds will be empty.
For fine-grained control:
- Enable "Advanced Permissions" on the GroupFolder
- Navigate to subfolders in Nextcloud Files
- Click the share icon and configure ACL rules
IntraVox/
├── en/
│ ├── departments/
│ │ ├── hr/ → HR group: full access, Others: read
│ │ ├── sales/ → Sales group: full access, Others: read
│ │ ├── marketing/ → Marketing group: full access, Others: read
│ │ └── it/ → IT group: full access, Others: read
│ └── news/ → Editors group: full access, Others: read
└── nl/
└── (same structure)
IntraVox checks permissions at multiple levels:
Every API call validates permissions before executing:
GET /api/page- Requires Read permissionPUT /api/page- Requires Write permissionPOST /api/page- Requires Create permissionDELETE /api/page- Requires Delete permission
The frontend adapts based on permissions:
- Edit buttons only shown if user has Write permission
- Create page options only shown if user has Create permission
- Delete options only shown if user has Delete permission
Navigation items are filtered based on page permissions - users only see pages they can access.
- Check if user is member of a group with access to the IntraVox GroupFolder
- Check ACL rules on the specific folder path
- Verify the page file exists in the expected location
- Verify the user's group has Write permission on the GroupFolder
- Check if ACL rules restrict Write access on that path
- Check parent folder permissions (child cannot exceed parent)
- Check that the user's group has Share permission on the GroupFolder (base level)
- If using ACL: verify Share permission on the language folder (
en/,nl/, etc.) and all parent folders - Verify that "Allow users to share via link and emails" is enabled in Nextcloud Admin → Sharing
- See RSS_FEED.md for the full setup guide
This should not happen if permissions are configured correctly. Check:
- Navigation file permissions vs page file permissions
- Cache issues - try clearing Nextcloud cache
The PermissionService class handles all permission logic:
// Check if user can read a path
$canRead = $permissionService->canRead('en/departments/hr');
// Check if user can write to a path
$canWrite = $permissionService->canWrite('en/departments/hr');
// Get full permissions object for API response
$permissions = $permissionService->getPermissionsObject('en/departments/hr');
// Returns: { canRead: true, canWrite: false, canCreate: false, ... }The service:
- Gets base permissions from GroupFolder group membership
- Queries ACL rules from the database
- Applies rules from least specific to most specific path
- Returns the effective permission bitmask
- Use Groups - Always assign permissions to groups, not individual users
- Principle of Least Privilege - Start with read-only and add permissions as needed
- Document Your Structure - Keep a record of which groups have access to what
- Test Thoroughly - After setting up permissions, test with users from each group
- Regular Audits - Periodically review group memberships and ACL rules
- RSS Feed requires Share - The RSS feed is a public endpoint. GroupFolders requires both Read and Share permissions for folders to be visible in public (unauthenticated) requests. If users report empty feeds, check that their group has Share permission on the relevant folders.