# Google Drive Upload Control Guide

## Overview
This guide explains how to control uploads in Google Business Workspace to allow uploads only to specific directories (e.g., `roles/secretary`) while restricting all other shared drive locations.

## Method 1: Google Drive Native Permissions (Recommended)

### Step 1: Access Google Drive as Business Workspace Admin

1. Log in to Google Drive with the Business Workspace account: `elparaisogolfclub@gmail.com`
2. Go to: https://drive.google.com/drive/shared-with-me
3. Or access via: https://admin.google.com/

### Step 2: Set Up Folder Permissions for `roles/secretary`

1. **Navigate to the `roles/secretary` folder** in Business Workspace Drive
2. **Right-click on the folder** → Click **"Share"**
3. **Add `secretary@elparaisogolf.com`** with **"Editor"** permissions
   - This allows uploads to this specific folder
4. Click **"Send"** or **"Done"**

### Step 3: Restrict Access to Other Shared Drive Locations

#### Option A: Remove Access from Other Folders
1. For each other folder in the Business Workspace shared drive:
   - Right-click the folder → Click **"Share"**
   - Find `secretary@elparaisogolf.com` in the list
   - Change permission from **"Editor"** to **"Viewer"** (or remove access entirely)
   - This prevents uploads to those folders

#### Option B: Use Google Workspace Admin Console (More Control)

1. **Log in to Google Admin Console**: https://admin.google.com/
2. Use the Business Workspace admin account: `elparaisogolfclub@gmail.com`
3. Navigate to: **Apps** → **Google Workspace** → **Drive and Docs**
4. Go to **"Sharing settings"**
5. Configure:
   - **External sharing**: Control who can share files
   - **Sharing outside organization**: Restrict as needed
   - **File sharing**: Set default permissions

### Step 4: Verify Permissions

1. Log in as `secretary@elparaisogolf.com`
2. Try to upload to the `roles/secretary` folder → Should work ✅
3. Try to upload to other Business Workspace folders → Should be blocked ❌

## Method 2: System-Level Folder-Specific Restrictions

The system already supports folder-specific uploads through the `google_drive_folder_id` field. The upload restriction can be enhanced to be more granular.

### Current System Behavior

- The system uploads only to the folder specified in `google_drive_folder_id`
- When `can_upload = 'N'`, all Business Workspace uploads are blocked
- The restriction is all-or-nothing (all Business Workspace or none)

### Enhanced System Control (If Needed)

If you want the system to enforce folder-specific restrictions, we can modify the code to:
1. Store allowed folder IDs per volunteer
2. Check if the target folder is in the allowed list
3. Block uploads to unauthorized folders

**Note**: This would only control system uploads via the API, not manual uploads through the Google Drive interface.
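
The three steps above as a deny-by-default check, given here as an added example rather than the system's own code. `ALLOWED_FOLDERS`, `FOLDER_PARENTS`, `authorize_upload` and the folder IDs are hypothetical, and `'Y'` as the permitting value of `can_upload` is an assumption; only `can_upload` and `google_drive_folder_id` come from this guide.

```python
# Added example: per-volunteer folder allowlist for system (API) uploads.
# All names and IDs below are hypothetical except can_upload and
# google_drive_folder_id, which are the fields this guide mentions.

# Constructed sample data: allowed Drive folder IDs per volunteer.
ALLOWED_FOLDERS = {
    "secretary@elparaisogolf.com": {"FOLDER_ID_SECRETARY"},
}

# Constructed folder tree (child -> parent). A real system would build this
# from the "parents" field the Drive API returns for each folder.
FOLDER_PARENTS = {
    "FOLDER_ID_ROLES": None,
    "FOLDER_ID_SECRETARY": "FOLDER_ID_ROLES",
    "FOLDER_ID_MINUTES": "FOLDER_ID_SECRETARY",
    "FOLDER_ID_TREASURER": "FOLDER_ID_ROLES",
}


def authorize_upload(volunteer_email, can_upload, google_drive_folder_id):
    """Return (allowed, reason) for an upload into google_drive_folder_id."""
    # Assumption: 'Y' is the only value that permits uploads; anything else blocks.
    if can_upload != "Y":
        return False, "can_upload is not 'Y'"
    allowed = ALLOWED_FOLDERS.get(volunteer_email, set())
    if not allowed:
        return False, "no folders allowed for this volunteer"
    # Walk from the target up to the root: a subfolder of an allowed folder
    # is accepted, a sibling or parent is not.
    seen = set()
    current = google_drive_folder_id
    while current is not None and current not in seen:
        if current in allowed:
            return True, f"within allowed folder {current}"
        if current not in FOLDER_PARENTS:
            return False, f"unknown folder {current}"
        seen.add(current)
        current = FOLDER_PARENTS[current]
    return False, "target folder is outside the allowed list"
```
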

## Recommended Approach

**Use Google Drive Native Permissions (Method 1)** because:
- ✅ Works for both system uploads AND manual uploads
- ✅ Enforced at the Google Drive level, independent of the application's own checks
- ✅ More granular control per folder
- ✅ Easier to manage through Google Admin Console
- ✅ Applies to all access methods (web, API, mobile app)

## Step-by-Step: Restrict Secretary to Only `roles/secretary`

### 1. Log in to Business Workspace Drive
- Account: `elparaisogolfclub@gmail.com`
- URL: https://drive.google.com/

### 2. Find the `roles/secretary` Folder
- Navigate to: `roles/secretary` folder
- Note the folder ID from the URL (if needed)

### 3. Set Permissions for `roles/secretary`
- Right-click `roles/secretary` → **Share**
- Add: `secretary@elparaisogolf.com`
- Permission: **Editor** (allows uploads)
- Click **Done**

### 4. Restrict All Other Folders
For each other folder in Business Workspace:
- Right-click folder → **Share**
- Find `secretary@elparaisogolf.com`
- Change to **Viewer** (read-only) or **Remove** access
- This prevents uploads to those folders

### 5. Verify
- Log in as `secretary@elparaisogolf.com`
- Try uploading to `roles/secretary` → Should work
- Try uploading to other folders → Should be blocked

## Troubleshooting

### Secretary Can Still Upload to Other Folders
- Check that `secretary@elparaisogolf.com` has only **Viewer** or no access to other folders
- Verify permissions in Google Drive (not just in your system)
- Check whether they have access through a parent folder (inherited permissions): access granted on a parent applies to every folder beneath it
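
The checks in this list can be run over exported permission data. The following is an added example, not part of the system described in this guide: the records are constructed in the shape of Drive API v3 permission resources, and the folder names other than `roles/secretary`, the ID `FOLDER_ID_ROLES` and the function name are hypothetical.

```python
# Added example; permission records are constructed and shaped like
# Drive API v3 permission resources (type, emailAddress, role, permissionDetails).
UPLOAD_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}  # can add files

ACCOUNT = "secretary@elparaisogolf.com"
ALLOWED_FOLDER = "roles/secretary"

# Constructed sample: folder path -> permissions returned for that folder.
SAMPLE_PERMISSIONS = {
    "roles/secretary": [
        {"type": "user", "emailAddress": ACCOUNT, "role": "writer"}],
    "roles/treasurer": [
        {"type": "user", "emailAddress": ACCOUNT, "role": "reader"}],
    "roles/captain": [  # Editor access inherited from a parent folder
        {"type": "user", "emailAddress": ACCOUNT, "role": "writer",
         "permissionDetails": [{"role": "writer", "inherited": True,
                                "inheritedFrom": "FOLDER_ID_ROLES"}]}],
    "finance": [  # link or group grants may cover the account indirectly
        {"type": "anyone", "role": "writer"}],
}


def find_upload_exposure(permissions_by_folder, account, allowed_folder):
    """List upload-capable grants that reach `account` outside allowed_folder."""
    findings = []
    for folder, perms in sorted(permissions_by_folder.items()):
        if folder == allowed_folder:
            continue
        for perm in perms:
            if perm.get("role") not in UPLOAD_ROLES:
                continue
            direct = perm.get("type") == "user"
            if direct and perm.get("emailAddress") != account:
                continue  # someone else's grant
            sources = [d.get("inheritedFrom")
                       for d in perm.get("permissionDetails", [])
                       if d.get("inherited")]
            findings.append({
                "folder": folder,
                "via": perm.get("type"),  # non-"user" grants need a membership check
                "role": perm["role"],
                "inherited_from": sources[0] if sources else None,
            })
    return findings
```

A finding with `inherited_from` set has to be fixed on the parent folder it names, not on the folder where it was reported.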

### Secretary Cannot Upload to `roles/secretary`
- Verify `secretary@elparaisogolf.com` has **Editor** permission on `roles/secretary`
- Check that the folder exists and is accessible
- Verify the email address is correct (case-sensitive)

### System Uploads Still Work When Restricted
- The system restriction (`can_upload = 'N'`) blocks API uploads
- Google Drive permissions control manual uploads
- Both need to be configured for complete control

## Additional Google Workspace Admin Settings

### Restrict Shared Drive Access
1. Go to: **Admin Console** → **Apps** → **Google Workspace** → **Drive and Docs**
2. Click **"Sharing settings"**
3. Under **"Shared drives"**:
   - Control who can create shared drives
   - Set default permissions for new shared drives
   - Restrict external sharing

### Set Default Permissions
1. In **Drive and Docs** settings
2. Set **"Default access for new files"** to **"Private"**
3. This ensures new folders require explicit sharing

## Summary

**To allow uploads only to `roles/secretary` and block all others:**

1. ✅ Give `secretary@elparaisogolf.com` **Editor** access to `roles/secretary`
2. ✅ Give `secretary@elparaisogolf.com` **Viewer** (or no) access to all other Business Workspace folders
3. ✅ Set system restriction `can_upload = 'N'` to block automatic API uploads (optional, for extra control)

This combination provides:
- **Google-level control**: Prevents manual uploads to unauthorized folders
- **System-level control**: Prevents automatic API uploads when restricted
- **Granular permissions**: Per-folder access control






