How to use GitHub
- Please use the 👍 reaction to show that you are interested in the same feature.
- Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
- Subscribe to receive notifications on status change and new comments.
Feature request
The Guests App is making great progress, and I was encouraged to try (again) if a workflow for guests sharing in a read-only context would be feasible now. For ease of understanding I have selected a common use case “photography” that needs role based access control (RBAC) with watermark protected photos for commenting and selection (tagging) by the guest.
Tests have been made using a managed Nextcloud Hub 10 (31.0.8) instance and a second web-hosted Nextcloud Hub 31.0.9 instance; for both I do not have (effective) access to the CLI. The Guests App was version 3.5.2 and later 4.6.0, with no difference related to this workflow discovered.
The biggest concern from a previous test in mid-2024 using NC 29.03 (focussing on group folders) was lack of privacy, where “guests” could see other confidential information, which seems to be solved now.
nextcloud/groupfolders#3038
The objective of this post is twofold: I wanted to share my experience from the current investigation to hopefully trigger some acceptance of the needed RBAC requirements, and to receive feedback on how I could improve the workflow based on existing NC versions, if possible at all.
Use Case Photography
The use case is simple: photos are to be shared with guests/customers in a controlled and secure environment with acceptable UX for non-IT-savvy users.
Typically, as for many use cases, there is a life cycle of access rights:
- Starting from guest sharing in read-only mode – no download, but commenting, tagging
- ... to full NC user joining teams and access to apps
Levels in between may depend on relation and trust accomplished.
My proposed role based access control (RBAC) target photography workflow
- The guest account is used, as we need to limit access to internals but interact with guests for commenting and tagging. To my best knowledge commenting and tagging is not possible if “Share link” used. Therefore we are focusing on guest accounts with restricting access to apps.
- Photos with watermark protection are prepared and uploaded to a NC directory for sharing.
- Some descriptive text shall be added e.g. as Readme.md to explain next steps relevant for the project.
- Admin sets guests account app whitelist usage limited to file sharing + what is needed to accomplish this workflow (comments, activity ... we are not sure about the dependencies of the app whitelist; maybe a dependency table could help). Also disabling 1strunwizard and dashboard from this list did not have the expected effects.
https://github.com/nextcloud/guests/blob/main/README.md#guest-specific-behavior-and-configuration
- The folder is shared using guest account sharing (read only) with download disabled; during further testing I had to enable download and sync, otherwise the files/photos would not have been rendered.
- When guest logs in they shall directly see the gallery of photos and on top the latest sharing info with Readme.md below as instructions.
- Guest then shall comment and tag selected photos as needed.
- We get notified about the guest activity and can interact with the guest.
- After finalization of the project the resulting photos can be delivered in target quality without watermark protection via enabled download button. Auditing of download action would be highly appreciated.
Knowing that this is a very basic use case description, I wanted to take this for granted before we get too far into these details, and concentrate on the main issues observed.
I am aware of the need to provide detailed tickets for each topic, but wanted to propose a complete workflow context for discussion, which is just an example and not limited to photography.
Other use cases with very similar RBAC requirements are:
- Legal services, law and consulting firms
- Financial and banking related services
- Enterprise IT, Software Development, and Product Design
- Healthcare and Clinical Research
- Media Production, Journalism, and Marketing
Some Background on Collaboration Lifecycle
Scientific Research on Collaboration Lifecycle
There is substantial scientific and technical literature supporting the need for adaptive access rights in online team collaboration, especially in fields like photography where the client relationship evolves in distinct phases. The dynamic adaptation of permissions, such as moving from view-only to interactive and then to download or editing rights, aligns with both theoretical models and practical studies in collaborative systems and access control frameworks.
Studies in virtual and cloud-based team collaboration emphasize the importance of matching access rights to the current lifecycle phase of a project. Effective collaboration systems allow team leaders or content owners to adjust which users can view, comment on, download, or edit materials depending on evolving trust, compliance, and deliverable staging. For example, in photography: https://www.sciencedirect.com/science/article/abs/pii/S1053482205000033
- Initial engagement often requires tightly restricted, watermark-protected access with only commenting/tagging to build interest and protect copyright.
- Once a working relationship is formed, the system may permit more feedback and selection operations but still restrict downloads or high-res access.
- In later stages, delivery rights (like download of final images) match contractual agreements or mutual trust.
- Experienced, trusted collaborators might receive limited edit or further asset-management rights according to their professional role.
Technical Models: RBAC, ABAC, and Adaptive Access
Most research and technical best practice documents recommend frameworks such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) to formalize these stages:
- RBAC assigns permissions based on roles such as "prospective customer," "current client," "designer", or "photographer." The exact privileges (view-only, comment, download, edit) are mapped to each role and change as the relationship (or project phase) changes.
- Adaptive or Contextual Access Control takes one step further, allowing rules to adjust in real time based on user behavior, workflow context, or dynamic project attributes—for example, enabling downloads only after billing confirmation or restricting access when abnormal usage is detected.
- Scientific reviews agree that this lifecycle-adaptive model reduces risks (like content leakage), streamlines collaboration, and improves user satisfaction.
Cloud Platforms and Implementation Evidence
Cloud collaboration platforms supporting creative industries often implement such lifecycle-based and adaptive access control, providing:
- Fine-grained permission settings for each phase (view/comment/tag, download, edit).
- Automated transitions between phases (e.g., post-contract, at final delivery).
- Audit trails and flexible user management to match compliance and client-experience needs
| Lifecycle Phase | Common Rights | Example Access Control Model |
| --- | --- | --- |
| Acquisition/Prospect | View-only, comment, tag | RBAC/Adaptive |
| Initial Feedback | View, comment, select (tag) | RBAC/Adaptive |
| Contract Delivery | Download, comment, tag | RBAC/Adaptive |
| Professional/Designer | (Optionally) Edit, annotate | RBAC/ABAC/Adaptive |
Research confirms that successful collaboration requires rights to be precisely adapted for each lifecycle stage, backed by frameworks like RBAC and adaptive access models. These models are actively studied and implemented in both academic research and modern cloud service design.
Some related links:
https://help.nextcloud.com/t/implementing-rbac-for-permissions/85178
nextcloud/server#55769
https://help.nextcloud.com/t/limit-certain-groups-to-files-only/214665
https://www.sciencedirect.com/science/article/abs/pii/S0167404808001375
Issues and Proposals
Issue1: When guest users log in for the first time they get the Nextcloud introduction presented, which is confusing because they will not have access to everything that is mentioned there. The Nextcloud introduction is presented even if the “firstrunwizard” app is deselected from the guest apps whitelist.
Wanted: Switch to disable „Nextcloud intro“ for guest accounts, same as for “Share link”.
Issue2: After guest login and Nextcloud intro (only 1st login) the “Dashboard” is shown and guest can modify and select features they have access to according to the enabled apps for guests. The sharing user or admin cannot configure nor disable the behavior of the dashboard visibility for guest users, since the dashboard seems always whitelisted. The dashboard is presented even if “dashboard” app is deselected from guest apps whitelist.
https://github.com/nextcloud/guests/blob/main/README.md#guest-specific-behavior-and-configuration
#438
UX issue: In the presented case I do not see any benefit for having to tell guests that files shared are in another app and that they have to click on files app icon to see the photos shared with them.
Wanted: Sharing user or admin shall be able to effectively configure a 1st view app to be presented. In this photography case it would be the “files app” and not the dashboard app.
The wanted target behaviour is the same as for „Share link“ which bypasses both Nextcloud intro and dashboard.
Issue3: The guest user must then click on the “files” app icon. Then the Nextcloud introduction is shown again (NC 31.0.9) – bug? Afterwards the shared directory is shown in list mode rather than its content in grid mode. Since only one directory is shared as root directory with this guest, in our use case creating the guest account, it does not make sense to present this as a folder rather than showing the shared content.
Wanted: Add switch "Show files in grid mode" - same as for "Share link"; cf. screenshot below.
Issue4: We need to control whether the “download” of protected files/photos is enabled or not. Currently download and sync need to be enabled so that photos and Readme.md get rendered.
Wanted: Render photos and readme.md in case “download” is disabled - same as for "Share link"
Issue5: In the presented use case and to effectively communicate with the user a selection/tagging feature is required, even in read-only mode. To my best knowledge this is currently not possible and a show stopper in this presented use case using the guests app.
When editing is granted, guest users are able to add and edit system tags. In read-only sharing this should not be possible.
Wanted: Tagging support for guests in read-only sharing to assign pre-defined system tags
#1052
Issue 6: Although comments can be issued by guests in read-only mode file sharing, the comment icon is shown neither in list nor in grid view for guest users. So guests cannot easily identify which photos they have already commented on.
Wanted: Make comments icon visible in list and grid modes for guest users.
Here is a screenshot of how the commented files are presented to the sharing user in list mode. In gallery mode the comment icons are also missing for the sharing user.
Other related UX improvements
UX Issue 1: Commenting takes three clicks.
- Open details
- Select activity tab (sharing is default tab)
- Entering comment
Wanted: Commenting should be instantly accessible as hover or right one click action in list and gallery modes similar to add tags.
UX Issue 2: Commented Icons and tags in gallery mode not shown.
Wanted: overlay icons for commented and tagged files/photos in gallery mode e.g. using different colors for the different tags.
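
The lifecycle table and Issue 5 above can be expressed as a small deny-by-default policy check. This is an added illustration, not code from the original post and not part of Nextcloud or the Guests app; `GuestShare`, the tag names, the guest address and the assumption that "view" is implied in every phase are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Phase(Enum):
    PROSPECT = "Acquisition/Prospect"
    FEEDBACK = "Initial Feedback"
    DELIVERY = "Contract Delivery"
    DESIGNER = "Professional/Designer"

# Rights per phase, following the table above. Assumptions: "view" is implied
# in every phase, and the designer phase keeps the delivery rights and adds "edit".
RIGHTS = {
    Phase.PROSPECT: {"view", "comment", "tag"},
    Phase.FEEDBACK: {"view", "comment", "tag"},
    Phase.DELIVERY: {"view", "comment", "tag", "download"},
    Phase.DESIGNER: {"view", "comment", "tag", "download", "edit"},
}
# Constructed sample of admin-defined system tags (Issue 5).
PREDEFINED_TAGS = frozenset({"selected", "rejected", "retouch"})

@dataclass
class GuestShare:  # hypothetical model, not a Nextcloud class
    guest: str
    phase: Phase = Phase.PROSPECT
    billing_confirmed: bool = False
    audit: list = field(default_factory=list)

    def _decide(self, action, tag):
        granted = RIGHTS[self.phase]
        if action not in granted:  # deny by default
            return False, "not granted in this phase"
        if action == "tag" and tag not in PREDEFINED_TAGS and "edit" not in granted:
            return False, "read-only guests may only assign pre-defined tags"
        if action == "download" and not self.billing_confirmed:
            return False, "billing not confirmed"
        return True, "ok"

    def authorize(self, action, tag=None):
        allowed, reason = self._decide(action, tag)
        # Every decision is recorded, so denied and granted downloads can be audited.
        self.audit.append((self.guest, self.phase.name, action, tag, allowed, reason))
        return allowed

    def download_audit(self):
        return [entry for entry in self.audit if entry[2] == "download"]

if __name__ == "__main__":
    share = GuestShare("guest@example.com")  # constructed guest address
    print(share.authorize("tag", "selected"), share.authorize("download"))
    share.phase, share.billing_confirmed = Phase.DELIVERY, True
    print(share.authorize("download"), share.download_audit())
```

The download rule mirrors the "enable downloads only after billing confirmation" example from the background section, and the audit list covers the download auditing asked for in the workflow.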