The Masks field is a tricky but powerful way to describe permissions.

It is actually able to do anything, but the who-can fields in the interface are much easier to use, so you should try to use the latter whenever possible and recur to masks only when necessary. The who-can fields are quite easy to understand, trickier cases are the ones that require the use of masks.

To use it effectively you should know the syntax used internally by the VFS. You can read it about it here.

This field maps one or multiple file-masks to a set of properties. In this example we set permission for a single file:

myfile.txt:
  can_see: false
  can_read: false

Rules on top have priority over bottom rules. Inner rules have priority over parent's rules. A mask can carry any node property (even property "masks") plus a special property maskOnly (optional) to restrict the application of the mask to only files or folders, just by specifying exactly files or folders.

Examples

hide folder2 under folder1, and all mp3 files under folder3/folder4

"folder1/folder2|folder3/folder4/*.mp3": 
  can_see: false

Forbid zip files in a folder

Select the folder and enter these rules in the Masks field

"*.zip":
  can_read: false

prevent download of all mp3 files, even in subfolders, and set mime type for .dat files

"**/*.mp3":
  can_read: false
"*.dat": 
  mime: application/something

Forbid zip files in a folder and its subfolders

Select the folder and enter these rules in the Masks field

"**.zip":
  can_read: false

** is like * but applies to subfolders too.

Allow zip files in a folder but not others

Select the folder and enter these rules in the Masks field

"*.zip":
  can_read: true
"*":
  can_read: false