Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

System Addressbook does not respect "Restrict users to only share with users in their groups" sharing option #42797

Open
thomas-mc-work opened this issue Jan 15, 2024 · 2 comments
Open

System Addressbook does not respect "Restrict users to only share with users in their groups" sharing option #42797

thomas-mc-work opened this issue Jan 15, 2024 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 27-feedback bug feature: carddav Related to CardDAV internals feature: contacts feature: sharing needs review Needs review to determine if still applicable

Comments

@thomas-mc-work
Copy link

thomas-mc-work commented Jan 15, 2024
edited
Loading

Describe the bug

Hello team,
it's probably not considered a bug. But to operators like me, a serious issue.

I've just noticed that a system address book has been introduced some versions ago. Generally, I appreciate this feature. There is just one thing that annoys me on it: It doesn't respect the setting "Restrict users to only share with users in their groups.". This option has also limited the visibility of users that aren't within the same groups. This is a serious privacy setting on some of the instances that I manage. It's the only way to isolate core members from guests. Now with the system address book, it's suddenly possible to discover all other users again.

Steps to reproduce

Have two groups of users and the setting "Restrict users to only share with users in their groups." enabled.

Expected behavior

From my point of view, there should be one of these two options. The system address book …

  • … can be disabled globally
  • … respects the aforementioned setting

Actual behavior

Every user on the instance is visible in the address book.

Contact version

5.5.1

Operating system

27.1.3

PHP engine version

None

Web server

Apache (supported)

Database

MariaDB

Additional info

No response
@thomas-mc-work thomas-mc-work added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug feature: contacts labels Jan 15, 2024
@joshtrichards joshtrichards transferred this issue from nextcloud/contacts Jan 15, 2024
@thomas-mc-work
Copy link
Author

I just found this command in the documentation to disable the system address book:

occ config:app:set dav system_addressbook_exposed --value="no"

@joshtrichards joshtrichards changed the title System Addressbook: Privacy issue System Addressbook does not respect "Restrict users to only share with users in their groups" sharing option Sep 22, 2024
@joshtrichards
Copy link
Member

I think the end result of #42501 + #46830 may be helpful here.

@joshtrichards joshtrichards added the needs review Needs review to determine if still applicable label Sep 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 27-feedback bug feature: carddav Related to CardDAV internals feature: contacts feature: sharing needs review Needs review to determine if still applicable
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joshtrichards @thomas-mc-work