However, when I do that, users with said permissions can only open files in the folder in read-only mode. Even more confusing, they can still do everything else like save under a different name, create a file, delete a file... so in a way, they can still edit a file (by saving it under name "file2", deleting "file1", then renaming "file2" to "file1"), but it's a huge pain.