Copyparty uses a flexible permission system with single-letter flags to control user access to volumes.

Permission Flags

Read Permissions

r
read
Full read access
  • Browse folder contents
  • Download individual files
  • Download folders as zip/tar
  • See filekeys and dirkeys
  • View file metadata and properties
accs:
  r: *  # everyone can read
g
get
Get-only access (no browsing)
  • Download files by direct URL only
  • Cannot see folder contents
  • Cannot download as zip/tar
  • Useful for “hotlink” scenarios
accs:
  g: *  # anyone with the URL can download
Often combined with filekeys to prevent URL guessing.
G
upget
Upload-get access
Same as g but uploaders can see their own filekeys.
  • Upload files
  • Receive working direct link after upload
  • Cannot see other users’ uploads
  • Cannot browse folder
[/sharex]
  /mnt/screenshots
  accs:
    wG: *  # anonymous upload, get links back
  flags:
    fk: 4  # 4-character filekeys required
h
html
HTML-only access
Same as g except:
  • Folders return their index.html file
  • Filekeys not required for index.html
  • Useful for static website hosting
accs:
  h: *  # serve static HTML site

Write Permissions

w
write
Upload permission
  • Upload new files
  • Move/copy files into this folder
  • Create new subdirectories
  • Requires r permission to see uploaded files
accs:
  rw: alice  # alice can read and write
  w: bob     # bob can upload but not see files (write-only)
m
move
Move permission
  • Move files/folders from this folder to another
  • Rename files within the folder
  • Requires w permission at destination
[/incoming]
  /mnt/incoming
  accs:
    w: *    # anyone can upload
    rm: ed  # ed can browse and move files out
d
delete
Delete permission
  • Permanently delete files
  • Permanently delete folders
  • Cannot be undone (unless using unpost feature)
accs:
  rwd: admin  # admin can read, write, delete

Special Permissions

.
dots
Dotfiles permission
User can enable the option to show dotfiles (hidden files) in listings.
  • See files/folders starting with .
  • Toggle visibility in settings
  • Dotfiles still accessible by direct URL regardless
accs:
  r.: alice  # alice can read + see dotfiles
See dotfiles configuration for more details.
a
admin
Admin permission
  • See upload timestamps
  • See uploader IP addresses
  • Reload configuration
  • Access control panel features
  • View system information
accs:
  ra: admin  # admin can read + admin features
A
all
All permissions combined
Shortcut for rwmda. (read/write/move/delete/admin/dotfiles)
accs:
  A: superuser  # superuser has all permissions

Permission Combinations

Common Patterns

[/public]
  /mnt/public
  accs:
    r: *  # everyone can browse and download
[/dropbox]
  /mnt/dropbox
  accs:
    w: *     # anyone can upload
    A: admin # admin has full access
  flags:
    e2d      # enable database for tracking uploads
    nodupe   # reject duplicate files
[/alice]
  /mnt/users/alice
  accs:
    A: alice   # alice has full control
    r: admin   # admin can view

[/bob]
  /mnt/users/bob
  accs:
    A: bob
    r: admin
[groups]
  team: alice, bob, charlie

[/workspace]
  /mnt/team
  accs:
    rwmd: @team  # team members can manage files
    r: guest     # guest has read-only access
[/site]
  /var/www/site
  accs:
    h: *     # serve index.html to everyone
    rw: dev  # developer can update files

Permission Precedence

User Groups

Permissions can be granted to:
  • Individual users: alice, bob
  • Groups: @team, @admins
  • Everyone: *
  • Logged-in users: @acct

Granting and Revoking

accs:
  r: *,-@acct     # everyone EXCEPT logged-in users
  r: @team,-alice # team members except alice
  rw: @admins     # all admins have read-write
Permissions are additive within a user’s grants. A user with both r and w can read and write.

Volume Inheritance

Permissions do not inherit from parent volumes. Each volume has independent permissions.
[/]           # root volume
  /srv
  accs:
    r: *      # everyone can read root

[/private]    # sub-volume with different permissions
  /srv/private
  accs:
    r: admin  # only admin can read /private
Visitors can see that /private exists (from the root volume) but cannot open it unless they have permission.

Authentication Requirements

Password Protection

Volumes require authentication if no * (everyone) permission is granted:
# Requires login
[/secured]
  /mnt/secured
  accs:
    r: alice, bob  # only alice and bob can access

# No login required
[/public]
  /mnt/public
  accs:
    r: *  # everyone can access

Mixed Access

[/mixed]
  /mnt/mixed
  accs:
    r: *       # everyone can read
    w: alice   # only alice can write (requires login)

Advanced Features

Unpost Permission

The --unpost feature allows users to delete their own recent uploads even without d permission.
[global]
  e2d            # required for unpost
  unpost: 43200  # 12 hours (default)
  unp-who: 1     # 1=same IP+account, 2=same IP, 3=same account

[/uploads]
  /mnt/uploads
  accs:
    w: *  # anyone can upload
    # anyone can undo their own uploads for 12 hours

Append Permission

Control who can append to existing files:
[global]
  apnd-who: dw  # delete+write required to append (default)
  # Options: no, aw (admin+write), dw, w

[/logs]
  /var/logs
  accs:
    rw: logger  # logger can write and append
  flags:
    apnd_who: w  # override: write permission is enough

Edit Permission

By default, editing files requires rwd (read+write+delete). The --rw-edit option changes this:
[global]
  rw-edit: md,txt  # only need rw for .md and .txt files

[/docs]
  /mnt/docs
  accs:
    rw: editor  # can edit markdown/txt (not delete)
  flags:
    rw_edit: md,txt,conf  # per-volume override

Security Best Practices

Important security considerations:
  1. Write-only folders (w without r) prevent uploaders from seeing what they uploaded
  2. Get-only access (g) should be combined with filekeys to prevent URL guessing
  3. Admin permission (a) reveals uploader IPs - grant carefully
  4. Delete permission (d) is permanent - consider using unpost instead

  1. Start with minimal permissions
     Begin with read-only (r) and add write permissions as needed
  2. Use groups for teams
     Create groups instead of listing individual users repeatedly
  3. Separate admin volumes
     Create dedicated volumes for admin-only content
  4. Enable unpost for safety
     Use --unpost to allow users to undo accidental uploads
  5. Review regularly
     Audit permissions periodically, especially for a and d
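
An added example, not part of copyparty or its documentation: a small Python audit that parses volume sections in the config syntax shown on this page and reports the grants to * that the considerations above warn about (a, d or A for everyone, and g/G without an fk flag). The function names and the sample volumes are made up for illustration, and only per-volume flags written in the file are inspected.

```python
import re

def parse_volumes(text):
    """Return {url: {"accs": [(perms, users)], "flags": set}} for each [/volume] section."""
    vols, cur, mode = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # section header; [global] and [groups] are not volumes
            name, mode = m.group(1), None
            cur = vols.setdefault(name, {"accs": [], "flags": set()}) if name.startswith("/") else None
        elif cur is None or not line:
            continue
        elif line in ("accs:", "flags:"):
            mode = line[:-1]
        elif mode == "accs":  # e.g. "rw: alice, bob"
            perms, _, users = line.partition(":")
            cur["accs"].append((perms.strip(), [u.strip() for u in users.split(",")]))
        elif mode == "flags":  # e.g. "fk: 4" or a bare "e2d"
            cur["flags"].add(line.split(":", 1)[0].strip())
    return vols

def audit(text):
    """Yield (volume, issue) for grants to * that the best-practices list warns about."""
    for url, vol in parse_volumes(text).items():
        anon = {p for perms, users in vol["accs"] if "*" in users for p in perms}  # letters held by *
        risky = "".join(sorted(anon & set("adA")))  # admin, delete, all
        if risky:
            yield url, "anonymous-" + risky
        if anon & set("gG") and "fk" not in vol["flags"]:
            yield url, "get-without-filekeys"

SAMPLE = """# constructed sample, written in the config syntax shown on this page
[/sharex]
  /mnt/screenshots
  accs:
    wG: *
  flags:
    fk: 4
[/hotlink]
  /mnt/hotlink
  accs:
    g: *
[/oops]
  /mnt/oops
  accs:
    rwd: *
"""

print(list(audit(SAMPLE)))
```

Each finding is a (volume, issue) pair; /sharex passes because its G grant is paired with an fk flag.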

Troubleshooting

User has w but not r permission. Add r for visibility:
accs:
  rw: user  # both read and write
Moving requires m permission at source and w at destination:
[/source]
  accs:
    rm: user  # can read and move FROM here

[/dest]
  accs:
    w: user   # can write (move) TO here
Check for * in permissions. Remove to require authentication:
accs:
  r: *      # BAD - everyone can access
  r: alice  # GOOD - only alice can access
User needs . permission AND must enable in settings:
accs:
  r.: user  # grant dotfiles permission
Then user enables dotfiles option in the [⚙️] settings tab.
