Access Permissions

CloudFile implements a different Permission handling like other systems.

Normally a parent Directory with prohibited access will also prevent me from accessing subdirectories.
Because the default permission handlings are handled from left to right.

Example
The path
/main/sub/directory/
will checked like this:

  1. Did I have access to /, if not prevent complete access
  2. Did I have access to /main, if not prevent complete access
  3. Did I have access to /main/sub, if not prevent complete access
  4. Did I have access to /main/sub/directory, if not prevent complete access

If all this is true, I could access this directory.

The CloudFile switch this processing. I will check the path from right to left.
So you could have access to files inside a subdirectory, within a directory you couldn't access at all.
This makes it easier to configure permissions for you.

Example
The path
/main/sub/directory/
will checked like this:

  1. If there is a permission configuration for /main/sub/directory/. If yes, apply the rule. (deny or grant access)
  2. If there is a permission configuration for /main/sub/. If yes, apply the rule. (deny or grant)
  3. If there is a permission configuration for /main/. If yes, apply the rule. (deny or grant)
  4. If there is a permission configuration for /. If yes, apply the rule. (deny or grant)

You will get the question, how you could access /main/sub if the access to / is denied
I solved this in a way you don't need to have denied access in mind if you create configurations.

Example
If the filesystem looks like: 

a
 ab
 ac
  acd
   acda
  ace
b
 ba

And you prohibit the access of /a , allow the access to /a/ac/acd and allow /b for the user .
Then the user will see the following filesystem: 

a
 ac
  acd
    acda
b
 ba

And no /a/ab or /a/ac/acd.
Also the user won't see any other content of the directories below /a/ac/acd.

The system will manage the directories to makes it possible to navigate from the root to the directory the user could access. But nothing else is visible.

You could try this best if you setup the “filesystem” provider and try it in local filesystem.

I decide to implement the permission system in this way, because this system makes it easier to allow only single directories and prohibit access to all other directories.
Also it isn't more work if you want to allow almost all directories and only prevent access to single directories.