docs(wiki): add docs/wiki pages + sidebar/footer + wiki sync action (ignore docs/ in Docker builds)

Author: error311

.dockerignore

@@ -19,3 +19,4 @@ metadata/
 sessions/
 vendor/
 tests/
+docs/

.github/workflows/sync-wiki.yml

@@ -0,0 +1,50 @@
+---
+name: Sync wiki docs
+
+on:
+  push:
+    paths:
+      - "docs/wiki/**"
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+concurrency:
+  group: sync-wiki-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  sync_wiki:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout FileRise
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.ref }}
+
+      - name: Checkout wiki
+        uses: actions/checkout@v4
+        with:
+          repository: error311/FileRise.wiki
+          token: ${{ secrets.PAT_TOKEN }}
+          path: wiki-repo
+          fetch-depth: 0
+
+      - name: Sync docs/wiki to wiki repo
+        shell: bash
+        run: |
+          set -euo pipefail
+          rsync -av --delete --exclude .git docs/wiki/ wiki-repo/
+          cd wiki-repo
+          git config user.name  "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .
+          if git diff --cached --quiet; then
+            echo "No changes to sync"
+          else
+            git commit -m "docs: sync wiki from FileRise"
+            git push origin HEAD:master
+          fi

docs/.DS_Store

@@ -0,0 +1,69 @@
+# ACL Recipes
+
+These recipes map to the **Folder Access** UI in the Admin Panel. Use them as starting points and adjust per folder.
+
+## Notes
+
+- **Manage (Owner)** grants full access for that folder.
+- **Write** is a shortcut that toggles the file actions (Create File, Upload, Edit, Rename, Copy, Delete, Extract).
+- **View (own)** limits listings to files the user uploaded.
+- Account flags (Read-only, Disable upload, Folder-only) still apply even if ACLs allow an action.
+
+---
+
+## Recipes
+
+### Read-only viewer
+
+- View (all): on
+- Everything else: off
+
+### Upload dropbox (per-user)
+
+- Upload: on
+- View (own): on (auto-enabled by Upload)
+- Everything else: off
+
+### Contributor (upload + edit, no delete)
+
+- View (all): on
+- Upload: on
+- Create File: on (optional)
+- Edit, Rename, Copy: on
+- Delete, Extract: off
+- Manage: off
+
+### Editor with delete, no sharing
+
+- View (all): on
+- Upload, Create File, Edit, Rename, Copy, Delete, Extract: on (or toggle Write)
+- Share File / Share Folder: off
+- Manage: off
+
+### Folder owner / manager
+
+- Manage (Owner): on
+
+### Share file links only
+
+- View (all): on
+- Share File: on
+- Manage: off
+
+### Share folder links
+
+- View (all): on
+- Share Folder: on (UI will require Manage)
+- Manage (Owner): on
+
+### Move items between folders
+
+- Source folder: Delete allowed (or Write)
+- Destination folder: Manage required (Move is owner-only today)
+
+---
+
+## Related docs
+
+- [ACL and permissions model](https://github.com/error311/FileRise/wiki/ACL-and-Permissions)
+- [Admin Panel](https://github.com/error311/FileRise/wiki/Admin-Panel)

docs/wiki/ACL-Recipes.md

@@ -0,0 +1,97 @@
+# ACL and Permissions Model
+
+FileRise uses per-folder ACLs that are enforced consistently across the web UI, API, and WebDAV.
+
+---
+
+## Roles and scopes
+
+- **Admin**: full access and configuration rights.
+- **Standard user**: access is governed by per-folder ACLs and user flags.
+
+User flags used by the app:
+
+- **Folder-only**: limits the user to their personal folder (usually `/uploads/<username>`).
+- **Read-only**: blocks write actions (upload/edit/rename/delete/move/copy).
+- **Disable upload**: blocks uploads but can still allow non-upload actions depending on ACLs.
+
+---
+
+## Folder ACLs
+
+Per-folder ACLs control what a user can do inside each folder. The UI exposes common capabilities such as:
+
+- View (own/all)
+- Upload
+- Create
+- Edit
+- Rename
+- Move / Copy
+- Delete
+- Extract
+- Share
+
+Folder ACLs are inherited by default. Admins can override or disable inheritance as needed.
+
+---
+
+## Permission details (Folder Access UI behavior)
+
+These notes describe what the **Folder Access** screen enforces today.
+
+### Quick rules
+
+- **Manage (Owner)** is the umbrella grant. It auto-enables View (all), file-level actions, and Share, and is required for subfolders and moves.
+- **Create File / Upload / Edit / Rename / Copy / Delete / Extract** are individual file actions. The UI gates each one on its own toggle.
+- **Write** is a shortcut checkbox: it toggles the file-level actions as a group. If any file action is on, Write shows as checked. It does **not** grant extra capabilities beyond those toggles in the UI.
+- **Share File** auto-enables View (own). **Share Folder** auto-enables Manage + View (all) and won’t stay on without them.
+
+### Action map (UI gating)
+
+| UI action | Requires | Notes |
+|-----------|----------|-------|
+| View (all) | View (all) | View (own) is disabled when full view is on. |
+| View (own) | View (own) | Upload also auto-enables this if no view is set. |
+| Create file | Create File or Manage | If Create File is off, the New button is disabled. |
+| Upload file | Upload or Manage | |
+| Edit file | Edit or Manage | |
+| Rename file | Rename or Manage | |
+| Copy file | Copy or Manage | |
+| Delete file | Delete or Manage | |
+| Extract archive | Extract or Manage | |
+| Create folder | Manage | Subfolders require Manage/Owner. |
+| Move (files/folders) | Manage | Owner on an ancestor also qualifies. |
+| Share file | Share File | Also sets Share (server side). |
+| Share folder | Share Folder + Manage + View (all) | UI enforces this combination. |
+
+Notes:
+
+- Account-level flags (Read-only / Disable upload / Folder-only) and source read-only still apply even if ACLs allow an action.
+
+---
+
+## WebDAV behavior
+
+WebDAV uses the same ACLs as the UI. If a user cannot perform an action in the UI, the same action is blocked over WebDAV.
+
+---
+
+## Shares and encrypted folders
+
+- Share links respect ACLs.
+- Encrypted-at-rest folders disable WebDAV, sharing, ZIP create/extract, and ONLYOFFICE by design.
+
+---
+
+## Pro groups
+
+In Pro, user groups can be granted folder ACLs. Group permissions are additive and do not reduce existing user access.
+
+If OIDC group mapping is enabled, group membership can be synced automatically from your IdP.
+
+---
+
+## Tips
+
+- Start with a narrow ACL set and add capabilities as needed.
+- For help debugging access, confirm folder inheritance and any user flags first.

docs/wiki/ACL-and-Permissions.md

@@ -0,0 +1,30 @@
+# Admin gotchas
+
+Common points of confusion for admins.
+
+## Pro not showing up
+
+- Confirm your license is saved in Admin -> FileRise Pro.
+- Confirm the Pro bundle is installed and readable.
+- Ensure your core version matches the Pro bundle version.
+
+## Updates expired
+
+- Pro keeps working on your current bundle.
+- Renew only if you want newer Pro bundles.
+
+## Upload problems
+
+- Check PHP upload size and post limits.
+- Verify the web server user can write to `uploads/` and `users/`.
+
+## Instance IDs
+
+- 12-month updates plans require Instance IDs at checkout.
+- Business licenses can add Instance IDs at /pro/instances.php.
+- Personal licenses require support to change Instance IDs.
+
+## Related
+
+- /docs/?page=pro-license-activation
+- /docs/?page=instance-ids

docs/wiki/Admin-Gotchas.md

@@ -0,0 +1,95 @@
+# Admin Panel
+
+The Admin Panel is where you manage users, folder access, authentication, integrations, and system settings. Only admin accounts can open it.
+
+## Access
+
+- Open the **Admin Panel** from the top-right menu in the FileRise UI.
+- Some controls are locked when an environment variable or config.php constant is set.
+- Pro-only sections show a "Pro" badge when the bundle is not active.
+- Use the Search button in the Admin Panel header to reveal the settings search box, then filter sections and settings.
+
+## Sections and options
+
+### Users & Access
+
+- **Manage users**: add users, remove users, reset passwords.
+- **Account-level flags** (apply across all folders):
+  - **Read-only**: view/download only.
+  - **Disable upload**: blocks uploads.
+  - **Can share**: allow share links (still subject to ACLs).
+  - **Bypass ownership**: relax owner-only restrictions for the user.
+- **Folder Access**: per-folder ACLs (view, view own, create file, upload, edit, rename, copy, move, delete, extract, share, manage).
+- **Pro**: User Groups and Client Portals are managed here when Pro is active.
+
+### Appearance & UI
+
+- **Header title** and **default language**.
+- **Pro branding**: logo upload, header colors, footer text.
+- **Display tuning**: hover preview size limits and file list summary depth.
+- **FFmpeg path**: optional override (locked by `FR_FFMPEG_PATH` if set).
+
+### Auth & WebDAV (OIDC/TOTP)
+
+- Enable/disable **Login form**, **HTTP Basic**, and **OIDC** login.
+- **Proxy-only login**: trust a reverse-proxy auth header and disable built-in logins.
+- **Auth header name** for proxy-only mode.
+- **WebDAV** enable/disable toggle.
+- **OIDC settings**: provider URL, redirect URI, client ID/secret (replace to update), public client toggle, debug logging, allow-demote, global OTPAuth URL, and a test button.
+
+### Uploads & Antivirus
+
+- **Resumable chunk size (MB)**: applies to file picker uploads (Resumable.js). Lower it if a reverse proxy limits request size (for example, Cloudflare Tunnels 100 MB).
+- **ClamAV** upload scanning toggle (locked by `VIRUS_SCAN_ENABLED` when set).
+- **Run self-test** button.
+- **Pro**: Virus detection log (read-only preview in Core).
+
+### Sharing & Links
+
+- **Shared max upload size** (bytes) for share uploads.
+- View and delete active file and folder share links.
+
+### Network & Proxy
+
+- **Published URL** override for share links and redirects (locked by `FR_PUBLISHED_URL` when set).
+- Effective **base path** and **share URL** display (read-only).
+
+### Encryption at rest
+
+- Status, master key source, and key file controls.
+- Generate or clear the key file (blocked when locked by env).
+- See [Encryption at Rest](https://github.com/error311/FileRise/wiki/Encryption-at-Rest) for details.
+
+### ONLYOFFICE
+
+- Enable ONLYOFFICE integration.
+- Document Server origin and JWT secret (replace to update).
+- Built-in CSP helper and connection tests.
+- Locked when ONLYOFFICE_* constants are set in `config.php`.
+
+### Storage / Disk Usage
+
+- Storage summary and disk-usage insights (scan-backed).
+
+### Sources
+
+- Enable Sources, add/edit/test connections, and set source read-only.
+- See [Pro Sources](https://github.com/error311/FileRise/wiki/Pro-Sources) for details.
+
+### Pro Features
+
+- **Search Everywhere**: enable/disable and default limit (env-locked when set).
+- **Audit logs**: enable, level, and size caps.
+
+### FileRise Pro
+
+- Pro license status, plan info, bundle install/update, and instance ID.
+
+### Thanks / Sponsor / Donations
+
+- Sponsorship links and support info.
+
+## Notes
+
+- Changes apply immediately after **Save**; some UI changes (header/branding) update instantly.
+- Source read-only and account-level flags still override per-folder ACLs.