Nextcloud File System?

[PeteKersker]

This is not a bug or an issue as such. It's more of a potential enhancement.
I've installed Pico CMS for Nextcloud and started setting up some sites (private and public) for my installation:

• Pico for Nextcloud 1.0.21
• Nextcloud 25.06
• Ubuntu 22.04

My installation does not meet the required specs for Pico because I use S3 for my Nextcloud primary storage. I worked around this limitation by setting up an "External Storage" folder on my local Nextcloud Data directory (not on S3) and I have test sites up and running. I do need to "trick" the system to install new themes, etc., but I can work with that.

Throughout this whole process I've been reading the discussions here and trying different things. I find myself asking the following question:

Can we simply have Pico respect the Nextcloud filesystem security?

It seems the benefits would be:

1. Preserving Security (Nextcloud and Pico)
2. Allowing Flexibility (Pages and Resources could be specific to Users, Groups, and/or Circles. Sites could even have "secure" pages.)
3. Keeping it Simple (Users could work with the file security are used to with Nextcloud. The program itself could simply run file access though a "filter" that only brings back the files that Nextcloud would allow for that user.)

The "staging area" for Themes, Plugins, and Templates could even be placed in the Nextcloud Filesystem (Administrator Folder Structure), making it easier for Admins to install what what would work for their sites.

I'm not a PHP programmer, but I do have a programming background and I've been looking for a place to start learning. I'd be willing to jump in and start learning with this one if you think it is feasible and even worthwhile pursuing.

Thanks for considering this. I'll look forward to your thoughts.

[PhrozenByte]

I'm afraid this is not possible.

1. Pico (https://picocms.org) is no part of Nextcloud, but a completely separate CMS. This app is an integration of Pico as sovereign CMS in Nextcloud. Thus Pico doesn't and won't ever use Nextcloud's filesystem, but requires local paths. That's why you can't use remote storages.

2. For a website to work we must publish website assets like CSS stylesheets and JavaScript files. Nextcloud provides no suitable solution for this, simply because Nextcloud isn't meant to do something like that. That's why the assets_public folder exists. There's no real alternative to having some public folder somewhere, because routing every HTTP request through PHP can easily bring your webserver to its knees.

3. Requiring FTP access to add new plugins and themes is intentional and due to security considerations: With custom plugins you can execute arbitrary code on the webserver. The same is more or less true for themes, it's just slightly harder. We follow a "better safe than sorry" mentality here.

By the way, even though one would assume that something like "share this with …" exists, Nextcloud provides no API for sharing contents with users, groups, circles, email, public link, etc. Every app developer has to implement this individually. We can already share websites with users and groups (the latter only in the current dev version), but making this generic and allowing one to share with e.g. circles too is a lot of work. Help is appreciated, but this task shouldn't be underestimated.

[PeteKersker]

Wow! That's a lot to process.

Thank you for taking the time to get me up to speed on your approach and limiting factors. I understand the complexity of what you are doing much better now. Thank you for doing this work for us!

With all this in mind, then, this project is probably not the best place for me to start learning PHP and the Nextcloud system. Maybe I will look for a more straightforward app (like tasks, calendar, contacts?) to try to help, or simply fiddle with an app idea of my own. I probably would be more of a hindrance than a help with this project.

That being said, I will move forward with using PicoCMS on Nextcloud for my small (20-50 user) installation. I expect to use it for a couple simple, brochure-level public sites along with at least one internal help-system style internal site. I'll look forward to trying out the dev version with group security when it hits production.

Thanks again for the quick, clear, and understandable explanation. Thank you also for your work on this product. It provides a valuable function in the Nextcloud system. Blessings.