Your question
Im trying to figure out how to disable files area the right way. Ideally via role. There are a lot of file related permissions regarding jmap files and webDAV. is it “just” to disable all of them?
Ive tested using bulwark and it seems to disable access. But it still shows up in left nav and ui still allows you to try. I know that this might just be bulwark webmail that doesnt react properly.
But it could also be because i didnt disable it correctly?
Is there “one” that disables the area completly?
The answer is: yes, revoking the DavFile permission group is the correct approach for per-user/per-role control, and the docs confirm that revoking permissions prevents access at the server level. The UI not reacting is a separate issue with the Bulwark webmail client, not with Stalwart itself.
Here’s the breakdown:
At the server/permission level (the right way):
The DavFile permission group covers all file-related WebDAV access. The permissions to revoke from a role are:
davFilePropFinddavFilePropPatchdavFileGetdavFileMkColdavFileDeletedavFilePutdavFileCopydavFileMovedavFileLockdavFileAcl
And for the JMAP side (JmapFileNode):
jmapFileNodeGetjmapFileNodeChangesjmapFileNodeQueryjmapFileNodeQueryChangesjmapFileNodeCreatejmapFileNodeUpdatejmapFileNodeDestroy
Removing all of these from a role (and assigning that role to your users) will correctly deny file storage access at the protocol level – both via WebDAV (/dav/file) and JMAP. There is no single “master switch” permission for files; you do need to remove the whole group.
Regarding the UI still showing the Files area in Bulwark: That is almost certainly a Bulwark issue. Bulwark may not dynamically check permissions to decide what to show in the nav – it’s a client-side rendering decision. Stalwart itself will correctly reject any actual request made to the file endpoints, but it has no control over what the webmail client chooses to render.
If you want a more blunt server-wide block (rather than per-role), you can also add an HTTP access control rule that blocks the /dav/file path entirely.
Relevant docs:
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
The answer already given is directly sourced from the official Stalwart documentation. Here are the specific doc pages that were consulted to produce it:
- WebDAV overview & disabling - confirms that revoking WebDAV permissions restricts access per-user/group/role, and that blocking
/dav/file via an HTTP access control rule is the server-wide option.
- Full permissions reference - lists every
davFile* and jmapFileNode* permission explicitly.
No human has replied to this topic yet, so no human-verified answer exists at this time. A community member or staff member may follow up with additional confirmation if needed.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
How do I use the Permissions | Stalwart - where?
And this seems to disable files area totally. So its not possible to configure for a role?
There’s no single master “files” toggle today; the closest you can get is a custom Role whose disabledPermissions lists all 18 file-related permissions: the 10 davFile* and 8 jmapFileNode* entries (Permissions | Stalwart and #jmapfilenode). Assign that role to the affected users/groups/tenant. disabledPermissions takes precedence over permissions, so it works even if another role grants any of them.
Bulwark’s left-nav still showing the files section is a Bulwark UI gap (it doesn’t yet react to denied permissions), not a Stalwart misconfiguration; the JMAP and WebDAV layers will refuse the operations regardless.