Content
View differences
Updated by Wieland Lindenthal about 4 years ago
# Problem
When organisations structure work in projects they usually have files that belong to that project.
* Many of these files have a longer life cycle as work packages and are relevant to many work packages.
* Some files are relevant to the project but are not linked to any specific work package.
_**Example:** One task could be to sketch a draft and the next task could be to finalize the document. That would make two work packages for one document. After the document is finalized and the last work package is closed, you still want to know where the document is stored, no matter if the project simply continues or even gets archived._ document._
The challenge of this EPIC is to allow all project members access to that shared folder so that everybody has access to either read, write or share all files in that folder. Having the sharing synced It boosts productivity and acceptance in if the project team. No folder is automatically shared with any project member, so that no tedious manual sharing is necessary.
## Current work around
Currently some organizations organisations use the OpenProject module _Documents_ to share files with team members. However, that module lacks usability in many ways:
* Files uploaded to that module are not synced with a Desktop, as it lacks lacking WebDAV etc.
* This leads to the inconvenience that uploading of Uploading files needs to be done one by one instead of complete folders. one.
* Referencing those files from within work packages (as "inputs" or "outputs" of a task) with normal HTML links is a tedious and error prone process. It is not efficiently seriously supported.
Working with the _Documents_ module is OK, when you only want to share a couple of documents that you rarely update. Real work on those files is not practical.
## Solution
In OpenProject we allow project admins to choose or create choosing a folder in an external file storage such as _Nextcloud_ per project. _Nextcloud_. Project admins will be able to setup a specific folder on the file storage system. The OpenProject project menu will have a menu item called "File storage". Clicking that menu item the user leaves OpenProject and will directly open the shared folder in the web interface of the external file storage. The user leaves OpenProject.
### Without LDAP
Many smaller organizations organisations do not have an LDAP server that could get used for having users and groups in both systems, OpenProject and Nextcloud in sync. In this scenario the project admins need to manually ensure that all project members (users and groups) have the correct access privileges (read, write, share) on the shared folder.
### With LDAP (advanced setup)
#### LDAP setup
Larger organization organisation typically have an LDAP server that can sync users and groups to both systems, OpenProject and the external file storage, i.e. Nextcloud. OpenProject knows which users and groups are synced with LDAP (<mention class="mention" data-id="9177" data-type="user" data-text="@Oliver Günther">@Oliver Günther</mention> is that true?) and which are not. In the following we'll I will call those users and groups that are synced with LDAP "_LDAP principals_".
Every time memberships of a OpenProject project change a background job gets queued in OpenProject that does change, the following per project:
1. Add new sharings for new memberships
2. Remove sharings when memberships are removed
3. Update permissions for existing sharings
for every member set of _LDAP principals_ gets are transferred to the file storage instance, together with their permissions, as they are defined in through their roles in the project. What
#### New file sharing permissions per project
OpenProject's permissions per projects will get extended with:
* Read shared folders and files
## Write shared folders and files
* Re-share shared folders and files
* Delete shared folders
#### Managing sharings in the file storage with a central, artificial user "_OpenProject user"_
On the file storage's side there needs to be an artificial user that can act on behalf of OpenProject. We call that user the "_OpenProject_" user. The _OpenProject_ user will be the one re-sharing folders and files in the file storage with those LDAP principals as they are communicated with their privileges. To allow the _OpenProject user_ to re-share folders and files those need to be shared with the _OpenProject user_ in the first place. To achieve that, every time a project admin sets up a project folder, that folder needs to get directly shared with the _OpenProject user_.
During the setup up of the integration of OpenProject with the file storage instance the admin also has to setup the _OpenProject user_ manually and safe its identifier **(Todo: What is the identifier for sharing? A user ID? How does a admin obtain it? Or e-mail?)** in the file storage's settings in OpenProject\_.\_
#### Fixing/re-syncing sharing permissions per project
OpenProject and the file storage instance are two independent systems. Network communication between the two can fail for a multitude of reasons. Therefore it is crucial that failed request for sharing _LDAP principals_ can be triggered anew manually. Therefore a button in the project's _File storage_ settings can trigger a new sync request per storage.
## Out of scope
* Enforcing that all files linked from a work package also have to be located in the project's shared folder.
## Implementation chunks
* Folder selector in project's file storage settings
* OAuth for _OpenProject user_ with access token refreshing etc.
* Re-sync button for memberships and permissions in project settings
* Hook into membership changes in OpenProject to trigger re-syncing of memberships of _LDAP principals_ and their permissions on the shared folder.
* **... this list still needs to be completed.**
When organisations structure work in projects they usually have files that belong to that project.
* Many of these files have a longer life cycle as work packages and are relevant to many work packages.
* Some files are relevant to the project but are not linked to any specific work package.
_**Example:** One task could be to sketch a draft and the next task could be to finalize the document. That would make two work packages for one document. After the document is finalized and the last work package is closed, you still want to know where the document is stored, no matter if the project simply continues or even gets archived._
The challenge of this EPIC is to allow all project members access to that shared folder so that everybody has access to either read, write or share all files in that folder. Having the sharing synced
## Current work around
Currently some organizations
* Files uploaded to that module are not synced with a Desktop, as it lacks
* This leads to the inconvenience that uploading of
* Referencing those files from within work packages (as "inputs" or "outputs" of a task) with normal HTML links is a tedious and error prone process. It is not efficiently
Working with the _Documents_ module is OK, when you only want to share a couple of documents that you rarely update. Real work on those files is not practical.
## Solution
In OpenProject we allow project admins to choose or create
### Without LDAP
Many smaller organizations
### With LDAP (advanced setup)
#### LDAP setup
Larger organization
Every time memberships of a OpenProject project change a background job gets queued in OpenProject that does
1. Add new sharings for new memberships
2. Remove sharings when memberships are removed
3. Update permissions for existing sharings
for every member set of _LDAP principals_ gets
#### New file sharing permissions per project
OpenProject's permissions per projects will get extended with:
* Read shared folders and files
## Write shared folders and files
* Re-share shared folders and files
* Delete shared folders
#### Managing sharings in the file storage with a central, artificial user "_OpenProject user"_
On the file storage's side there needs to be an artificial user that can act on behalf of OpenProject. We call that user the "_OpenProject_" user. The _OpenProject_ user will be the one re-sharing folders and files in the file storage with those LDAP principals as they are communicated with their privileges. To allow the _OpenProject user_ to re-share folders and files those need to be shared with the _OpenProject user_ in the first place. To achieve that, every time a project admin sets up a project folder, that folder needs to get directly shared with the _OpenProject user_.
During the setup up of the integration of OpenProject with the file storage instance the admin also has to setup the _OpenProject user_ manually and safe its identifier **(Todo: What is the identifier for sharing? A user ID? How does a admin obtain it? Or e-mail?)** in the file storage's settings in OpenProject\_.\_
#### Fixing/re-syncing sharing permissions per project
OpenProject and the file storage instance are two independent systems. Network communication between the two can fail for a multitude of reasons. Therefore it is crucial that failed request for sharing _LDAP principals_ can be triggered anew manually. Therefore a button in the project's _File storage_ settings can trigger a new sync request per storage.
## Out of scope
* Enforcing that all files linked from a work package also have to be located in the project's shared folder.
## Implementation chunks
* Folder selector in project's file storage settings
* OAuth for _OpenProject user_ with access token refreshing etc.
* Re-sync button for memberships and permissions in project settings
* Hook into membership changes in OpenProject to trigger re-syncing of memberships of _LDAP principals_ and their permissions on the shared folder.
* **... this list still needs to be completed.**