From 173af95648f2b07df5ddab345afe59a221f7ab45 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 9 Sep 2016 09:58:06 +0200
Subject: [PATCH] Add a section about common misconfigurations

---
 .../files_access_control.rst                  | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/admin_manual/configuration_files/files_access_control.rst b/admin_manual/configuration_files/files_access_control.rst
index 884008da7..455a05664 100644
--- a/admin_manual/configuration_files/files_access_control.rst
+++ b/admin_manual/configuration_files/files_access_control.rst
@@ -64,6 +64,30 @@ expression: ``/^application\/(zip|x-zip-compressed)$/i``
     .. figure:: images/files_access_control_block_mimetype.png
        :alt: Prevent upload based on mimetype
 
+Common misconfigurations
+------------------------
+
+Blocking user groups
+====================
+
+When trying to deny access to a group of users, make sure that sharing does not
+allow them to create a way back in. When users are able to create a public link,
+the users can log themselves out and visit their own public link to access the
+files. Since at this point they are no user and therefor no member of the
+blocked group, they will be able to read and change the file.
+
+The recommended work around is to create the same rule again, and deny access
+for all users that are ``not member of`` a group, that contains all users of
+your installation.
+
+External storage
+================
+
+While access to files in external storages is not possible via Nextcloud, users
+that have direct access to the external storage, can of course change files
+there directly. Therefor it is recommended to disable the ``Allow users to mount
+external storage`` option, when trying to to completely lock out users.
+
 .. _available-rules-label:
 
 Available rules