The Masks field is a tricky but powerful way to describe permissions.

It is actually able to do anything, but the who-can fields in the interface are much easier to use, so you should try to use the latter whenever possible and recur to masks only when necessary. The who-can fields are quite easy to understand, trickier cases are the ones that require the use of masks.

To use it effectively you should know the syntax used internally by the VFS. You can read it about it here.

This field maps one or multiple file-masks to a set of properties. In this example we set permission for a single file:

myfile.txt:
  can_see: false
  can_read: false

If you want your rule to target multiple files, you can use wildcards.

Rules on top have priority over bottom rules. Inner rules have priority over parent's rules. A mask can carry any node property, even property "masks".

Only files or folders

If the mask ends with |files|, then it will match only files and not folders. You can get the opposite effect with suffix |folders|.

Examples

hide folder2 under folder1, and all mp3 files under folder3/folder4

"folder1/folder2|folder3/folder4/*.mp3": 
  can_see: false

Forbid zip files in a folder

Select the folder and enter these rules in the Masks field

"*.zip":
  can_read: false

prevent download of all mp3 files, even in subfolders, and set mime type for .dat files

"**/*.mp3":
  can_read: false
"*.dat": 
  mime: application/something

Forbid zip files in a folder and its subfolders

Select the folder and enter these rules in the Masks field

"**.zip":
  can_read: false

** is like * but applies to subfolders too.

Allow zip files in a folder but not others

Select the folder and enter these rules in the Masks field

"*.zip":
  can_read: true
"*":
  can_read: false