As for pages and contents, permissions can also be defined for files, though not as fine-grained as for content (= on a per-file/folder level). The permissions in the File Abstraction Layer are grouped in two main groups:

  • system permissions
  • and user permissions

System Permissions

System permissions are required by every part of the system to perform operations. They are strictly enforced and prevent an action no matter what component triggered them.

For example think of a click in the file list versus a processed file that is to be saved. The former could be stopped because the user does not have enough permissions. The latter should always happen if the storage is writable.

Administrators always have full access. The only reason they might not have access is that the underlying file system or storage service does not allow access to a resource.


How are permissions from the storage device handled?

User Permissions

User permissions for files used to be set in the “Fileoperation permissions” section of the “backend user” or “backend user group” records. This still works with FAL. But it is a deprecated way because FAL offers more fine grained permission settings.


As of TYPO3 6.0 it is recommended to set user default permissions in User TSconfig either in backend user records or backend user group records.

Default User Permissions

The default permissions for backend users and backend user groups are READONLY:

permissions.file.default {
   addFile      = 0
   readFile     = 1
   writeFile    = 0
   copyFile     = 0
   moveFile     = 0
   renameFile   = 0
   unzipFile    = 0
   deleteFile   = 0
   addFolder    = 0
   readFolder   = 1
   writeFolder  = 0
   copyFolder   = 0
   moveFolder   = 0
   renameFolder = 0
   deleteFolder = 0
   recursivedeleteFolder = 0

User Permissions Per Storage

It is also possible to set different permissions for different storages. To achieve this you need to know the uid of the storage record and specify it in User TSconfig along with the permissions.

Example: Permissions = ALL for storage with uid “1”: {
   addFile      = 1
   readFile     = 1
   writeFile    = 1
   copyFile     = 1
   moveFile     = 1
   renameFile   = 1
   unzipFile    = 1
   deleteFile   = 1
   addFolder    = 1
   readFolder   = 1
   writeFolder  = 1
   copyFolder   = 1
   moveFolder   = 1
   renameFolder = 1
   deleteFolder = 1
   recursivedeleteFolder = 1


Configured permissions for a specific storage take precedence over default permissions.

If no permissions are defined in TSconfig, then the settings in the user and in the group record are taken into account and will be treated as default permissions for all storages.

Permissions Details

This model for permissions behaves very similar to permission systems on Unix and Linux systems. Folders are seen as a collection of files and folders. If you want to change that collection by adding, removing or renaming files or folders folders you need to have write permissions for the folder as well. If you only want to change the contents of a file you need write permissions for the file but not for the containing folder.

Create new files, upload files
Show contents of files
Edit or Save contents of file, even if NO write permissions to folders are granted
Allow copying of files; needs writeFolder permissions for the target folder
Allow moving files; needs writeFolder permissions for source and target folders
Allow renaming a file; needs writeFolder permissions
Allow unzipping a file; needs writeFolder permissions on the target folder
delete a file; needs writeFolder permissions
add or create new folders; needs writeFolder permissions for the parent folder
list contents of folder
Permission to change contents of folder (add files, rename files, add folders, rename folders). Changing contents of existing files is not governed by this permission!
Needs writeFolder permissions for the target folder
Needs writeFolder permissions for both target and source folder (because it is removed from the latter, which changes the folder).
Needs writeFolder permissions (because it changes the folder itself and also the containing folder’s contents).
Remove an (empty) folder; needs write folder permissions
Remove a folder even if it has contents; needs write folder permissions