Documents & Folders ringfencing
Documents and folders are ringfenced by their institution and by their level, so that a user browsing an institution's meg-docs page can only see the Documents and folders they are allowed to see.
Access Hierarchy
- For Documents without a folder:
  - Group level Document: can be accessed inside the institution group.
  - Institution level Document: can be accessed only in the institution.
- For Documents inside an Institution level folder:
  - Group level Document: can be accessed via the folder inside the institution, or via All Documents inside the institution group (the folder itself is not visible to the other institutions).
  - Institution level Document: can be accessed only in the institution.
- For Documents inside a Group level folder:
  - Group level Document: can be accessed inside the institution group.
  - Institution level Document: can be accessed only in the institution.
- For Folders whose parent folder level is Group:
  - Group level Folder: can be accessed inside the institution group normally.
  - Institution level Folder: can be accessed only in the institution.
- For Folders whose parent folder level is Institution:
  - Group level Folder: can be accessed inside the institution group alongside its Documents, but the parent folder will not be.
  - Institution level Folder: can be accessed only in the institution normally.
Accessible Institutions (Group-Level Folders)
Group-level folders have an optional accessible_institutions field that restricts which institutions within the group can access the folder.
- Unrestricted (default): When accessible_institutions is empty, the folder is accessible to all institutions in the group. This is the standard group-level behaviour.
- Restricted: When one or more institutions are selected, only users from those institutions can access the folder and its documents.
This restriction applies to both the folder itself and its contents:
Documents inside a restricted folder are only visible to users from the selected institutions.
The folder permission cache respects the restriction — users outside the selected institutions will not have the folder in their cache.
Note
The accessible_institutions field is only relevant for group-level folders.
It is ignored for institution-level folders, and the field is not shown in the form when the level is set to Institution.
When the level is changed from Group to Institution, any previously selected accessible institutions are automatically cleared.
Dynamic filtering by parent folder
When creating or editing a folder, the accessible_institutions dropdown is dynamically filtered based on the selected parent folder:
- If the parent folder has accessible_institutions set, the child can only choose from those institutions (a subset of the parent's selection).
- If the parent folder has no restriction (empty accessible_institutions), the child can choose from all published institutions in the group.
- If no parent folder is selected, all published institutions in the group are shown.
This is enforced in two ways:
- Client-side: When the parent dropdown changes, an AJAX request reloads the accessible_institutions field with the filtered options. This is a usability aid only; a crafted POST can submit any institution IDs.
- Server-side: The FolderForm.clean() method validates that the selected institutions are a subset of the parent's accessible institutions. This is the actual control and prevents bypassing the client-side filtering.
Nested folders with different accessible institutions
Each folder's accessible_institutions is evaluated independently at query time; the parent's restriction is not consulted when deciding whether a child is visible.
The form therefore enforces that a child folder's accessible institutions must be a subset of its parent's when the parent has restrictions, so that the stored values alone never grant wider access than the parent. Writes that do not go through FolderForm (for example the Django shell or data migrations) are not validated by clean() and must preserve this invariant themselves.
Example 1 — parent restricted, child further restricted:
Parent Folder (Group, accessible_institutions=[Institution A, Institution B])
└── Child Folder (Group, accessible_institutions=[Institution A])
Institution A users: can see both Parent and Child folders.
Institution B users: can see the Parent folder but not the Child folder.
Institution C users: cannot see either folder.
Example 2 — parent unrestricted, child restricted:
Parent Folder (Group, accessible_institutions=[] / unrestricted)
└── Child Folder (Group, accessible_institutions=[Institution A])
Institution A users: can see both Parent and Child folders.
Institution B users: can see the Parent folder but not the Child folder.
In this case, Institution B users can navigate into the Parent folder but the restricted Child folder is hidden from them.
Example 3 — parent restricted, child left empty (auto-inherit):
Parent Folder (Group, accessible_institutions=[Institution A, Institution B])
└── Child Folder (Group, accessible_institutions=[] at creation)
→ automatically inherits [Institution A, Institution B]
The child cannot have wider access than its parent.
If the user leaves accessible_institutions empty when the parent has restrictions, the parent's institutions are automatically inherited.
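The following is an added, self-contained model of the rules described on this page (both the Access Hierarchy and the accessible_institutions behaviour); it is illustrative code, not meg-docs' own models or FolderForm. The institutions, groups, folders and documents are constructed sample data, and clean_accessible_institutions is a hypothetical re-implementation of the subset and auto-inherit rule attributed above to FolderForm.clean().

```python
"""Illustrative model of meg-docs ringfencing rules (not the project's code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

GROUP = "group"
INSTITUTION = "institution"


@dataclass(frozen=True)
class Institution:
    name: str
    group: str  # name of the institution group this institution belongs to


@dataclass(frozen=True)
class Folder:
    name: str
    level: str                    # GROUP or INSTITUTION
    owner: Institution            # institution that created the folder
    parent: Optional["Folder"] = None
    # stand-in for the accessible_institutions M2M; empty means unrestricted
    accessible_institutions: FrozenSet[Institution] = frozenset()


@dataclass(frozen=True)
class Document:
    name: str
    level: str
    owner: Institution
    folder: Optional[Folder] = None


def folder_visible(folder: Folder, user_inst: Institution) -> bool:
    """Each folder is evaluated on its own; the parent's visibility is not consulted."""
    if folder.level == INSTITUTION:
        return folder.owner == user_inst
    if folder.owner.group != user_inst.group:
        return False
    # accessible_institutions is only meaningful on group-level folders
    return not folder.accessible_institutions or user_inst in folder.accessible_institutions


def document_visible(doc: Document, user_inst: Institution) -> bool:
    """Visibility in a flat listing such as All Documents: the document's own level,
    plus the restriction of a group-level folder it sits in."""
    if doc.level == INSTITUTION:
        return doc.owner == user_inst
    if doc.owner.group != user_inst.group:
        return False
    f = doc.folder
    if f is not None and f.level == GROUP and f.accessible_institutions:
        return user_inst in f.accessible_institutions
    return True


def document_visible_via_folder(doc: Document, user_inst: Institution) -> bool:
    """Visibility when navigating the tree: document and containing folder must both be visible."""
    if not document_visible(doc, user_inst):
        return False
    return doc.folder is None or folder_visible(doc.folder, user_inst)


def clean_accessible_institutions(level: str, parent: Optional[Folder],
                                  selected: Iterable[Institution],
                                  published_in_group: Iterable[Institution]) -> FrozenSet[Institution]:
    """Hypothetical server-side rule in the spirit of FolderForm.clean():
    selection must be a subset of the parent's restriction (or of the group's
    published institutions), and an empty selection under a restricted parent inherits."""
    chosen = frozenset(selected)
    if level == INSTITUTION:
        return frozenset()  # field is ignored/cleared for institution-level folders
    parent_restriction = frozenset()
    if parent is not None and parent.level == GROUP:
        parent_restriction = parent.accessible_institutions
    allowed = parent_restriction or frozenset(published_in_group)
    if not chosen <= allowed:
        raise ValueError("not permitted here: " + ", ".join(sorted(i.name for i in chosen - allowed)))
    if not chosen and parent_restriction:
        return parent_restriction  # auto-inherit the parent's institutions
    return chosen


# Constructed sample data: group G contains A, B, C; group H contains D.
A, B, C, D = Institution("A", "G"), Institution("B", "G"), Institution("C", "G"), Institution("D", "H")
PUBLISHED_G = frozenset({A, B, C})

P1 = Folder("Parent1", GROUP, A, accessible_institutions=frozenset({A, B}))   # Example 1
C1 = Folder("Child1", GROUP, A, parent=P1, accessible_institutions=frozenset({A}))
P2 = Folder("Parent2", GROUP, A)                                                # Example 2, unrestricted
C2 = Folder("Child2", GROUP, A, parent=P2, accessible_institutions=frozenset({A}))
F_INST = Folder("A internal", INSTITUTION, A)
DOC_GROUP = Document("policy.pdf", GROUP, A, folder=F_INST)   # group-level doc in an institution-level folder
DOC_RESTRICTED = Document("minutes.pdf", GROUP, A, folder=C1)


def run_examples() -> dict:
    """Outcomes of the worked examples above, keyed by scenario."""
    return {
        "ex1": {u.name: (folder_visible(P1, u), folder_visible(C1, u)) for u in (A, B, C)},
        "ex2": {u.name: (folder_visible(P2, u), folder_visible(C2, u)) for u in (A, B)},
        "ex3_inherited": sorted(i.name for i in clean_accessible_institutions(GROUP, P1, [], PUBLISHED_G)),
        "doc_all_documents_B": document_visible(DOC_GROUP, B),
        "doc_via_folder_B": document_visible_via_folder(DOC_GROUP, B),
        "doc_other_group_D": document_visible(DOC_GROUP, D),
        "restricted_doc_B": document_visible(DOC_RESTRICTED, B),
    }


if __name__ == "__main__":
    for scenario, outcome in run_examples().items():
        print(scenario, outcome)
```

Note that the subset check only runs inside clean_accessible_institutions; folder_visible deliberately trusts whatever is stored, mirroring the independent per-folder evaluation at query time.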