Privacy enhancements for contacts menu #5107

Closed
3 of 4 tasks
MariusBluem opened this issue May 25, 2017 · 36 comments

@MariusBluem (Member) commented May 25, 2017

Follow up of #4656:

  • possibility to disable contacts menu from config.php? 🤔

  • If username-autocompletion is disabled, the contacts-menu should never ever show local users:

[Screenshot 2017-05-05 10:04:08]

  • Groups which are excluded from sharing should not see local users at all:

[Screenshot 2017-05-05 10:04:16]

  • If sharing is restricted to a user's own groups, they should only see contacts from their groups:

[Screenshot 2017-05-05 10:04:38]

We may also want to rethink the federation lookup settings, since they could also be used for the contacts menu on the user side: 🤔 @schiessle
[Screenshot 2017-05-05 10:08:29]

@ChristophWurst

@LEDfan (Member) commented Jul 2, 2017

Hi. In the JSXC app there are also requests for such restrictions (e.g. jsxc/jsxc#306). For the best UX I think it's very important that the implementation is the same.

How should this be implemented in the Chat app?

  • "Groups, which are excluded from sharing should not see local users at all": so does this also mean they can't chat?
  • "If sharing is restricted to users own groups, he should only see contacts from his groups": so these users can only chat with users in their own group.

(Note that this is still important even if the contacts menu and roster will be merged (nextcloud/jsxc.nextcloud#21), because otherwise users could manually start a conversation.)

@zeigerpuppy

This is really essential to address. Users should be able to look up and autocomplete users in their groups and their groups ONLY.
At the moment, autocomplete really makes a big security hole, revealing users (and their email addresses!) to each other.

@ebogaard commented Aug 9, 2017

As all group-/autocomplete-related issues are pointing to this issue, I'll add my findings when using 12.0.1 here in relation to the admin-option: "Allow username autocompletion in share dialog. If this is disabled the full username needs to be entered."

  1. This option seems to have an effect on both searching in the contacts menu and when sharing files. When disabling this option:
    1. The contacts menu doesn't show anyone (this is unexpected)
    2. You can only share with another user if you type the full username (this is expected)
  2. As coined in other comments, when enabled, the autocomplete should be limited to users you're in a group (any group) with:
    1. when sharing for the contacts menu
    2. but also in the contacts menu

Quick update: PR 5107 @ #5585 seems to fix part 2.ii, but not 2.i or either of the issues under 1.

@heinrichmartin

@ebogaard, there is another aspect:
1.iii. The user pop-up menu (e.g. in the Activity app) doesn't show the email-to action (this is unexpected)

1.i and 1.iii should come in separate settings (separate from username autocompletion). Actually, my use case is not about exposing usernames but email addresses only.

I just learned that users can hide their email address from others, but this is not the default. I.e. when an admin creates a user with his email address (to send the welcome message), then this email address is exposed immediately until the user logs in and changes the privacy setting. Shall I open another ticket for this issue?

@LEDfan (Member) commented Aug 16, 2017

@ebogaard

> 1. This option seems to have an effect on both searching in the contacts menu and when sharing files. When disabling this option:
>   1. The contacts menu doesn't show anyone (this is unexpected)

Why is this unexpected? As I see it the Contacts menu is meant as the start-point for Collaboration (Sharing, E-mailing, Chatting ... ) and we want the options to limit and control sharing to have the same effects on the other forms of collaboration. I agree the options should be renamed then a bit. See e.g. #4656 (comment)
cc @MariusBluem @jancborchardt @ChristophWurst this POV is correct, right?

@LEDfan (Member) commented Aug 16, 2017

Another issue I was facing: shouldn't the "Groups, which are excluded from sharing should not see local users at all" option also make sure the excluded users don't show up in the Contacts menu? Since these users can't share/collaborate, it wouldn't be ideal to show them in the Contacts menu, since a non-excluded user could then share/collaborate with them.

@ebogaard

@LEDfan

> Why is this unexpected?

This is unexpected for two reasons:

  1. When autocomplete is enabled, you get a list of contacts before you even start typing in the contacts menu. If you disable this option, no contacts are shown. If that's correct (which I think it is), the configuration option should then also read something like: "don't show/suggest any contacts in the contacts menu". But then a better description ;-)
  2. If you disable this option, no contact is shown, even when you type in the full name. This differs from the way it works when sharing files/folders: there you get to see the user if you type the full name.

If I think of it: if you only look at the contacts menu, the disable autocomplete-option should actually read "Disable contacts menu".

@jancborchardt (Member)

> This is really essential to address. Users should be able to look up and autocomplete users in their groups and their groups ONLY.

@schiessle @blizzz @LukasReschke can you look at this? All the cases noted here should be integrated in the existing options.

@blizzz (Member) commented Aug 29, 2017

> > This is really essential to address. Users should be able to look up and autocomplete users in their groups and their groups ONLY.
>
> @schiessle @blizzz @LukasReschke can you look at this? All the cases noted here should be integrated in the existing options.

Depending on the sharing options. There you can limit it to groups only. I would not restrict it to this by default, since a group structure is not necessary and the default experience would appear broken ("I cannot interact with anyone!").

@jimbowarrior

Even if you limit sharing to a group, you can see all contacts.

@ChristophWurst ChristophWurst self-assigned this Aug 31, 2017
@BornToBeRoot

Will this be backported to NC12?

Unless this feature is disabled or at least restricted to groups, I cannot upgrade to version 12.

@rotanid commented Aug 31, 2017

@BornToBeRoot it is not even in the code yet; that would be the first step.
I backported it manually as this is really a deal-breaker...

@LEDfan (Member) commented Aug 31, 2017

I bumped my PR for some love 😜 To all the people in this thread: can you please test the PR and see if it has the desired result for you?

@BornToBeRoot my PR will be backported to 12 and IMO other improvements should be too.

@jimbowarrior

What do you mean by PR? Personal repo? Pre-release? How can I test? I'm using the stable branch, NC 12.0.2, but I can upload some code to my test server.

@Moimemeici

I agree with this option!

@jimbowarrior

@MorrisJobke: should this be implemented in the 12.0.3 version?

@BornToBeRoot

@jimbowarrior 12.0.3 is already released (RC2).

Please implement in 12.0.4! So I can finally migrate from 11 to 12.

@LukasReschke (Member)

Backport at #6554

@ixmann99 commented Sep 27, 2017

[Screenshot: contacts]

Please see #5606 - someone has referenced that issue and said it is a duplicate of this, while it is not.

While this share-and-see-users-outside-group bug is solved (I have confirmed it) in today's build, the Contact main link (header menu - present on all pages - see attachment) is still leaking data from other groups. Very important to get that bug solved.

For reference, OwnCloud also suggested years back (google it) that groups be used to completely isolate businesses. It would be strange to do something completely different here.

Another thing is that it doesn't do anything (if this is by intent and the developer really wants users to search outside their group). You can search in contacts, but when you click them, nothing happens. So it is only a showstopper and no one has any use for just searching usernames? I would just disable this Contact-menu option in this case (where you have opted to not share outside groups). It will not kill any known functionality.

@rotanid commented Sep 28, 2017

Maybe there is a problem with the backport to the stable branch?
@ixmann99 I assume you tried the stable branch only?

@ixmann99 commented Oct 2, 2017

@rotanid No, this is a daily build. I activated daily and ran update in hope that it was fixed. But it wasn't (12.0.3 Build:2017-09-27T01:01:16+00:00)

@ixmann99 commented Oct 4, 2017

This is a little too important to wait for the next version, I think....

@LEDfan (Member) commented Oct 4, 2017

Hi @ixmann99 I just tested stable12 and can confirm this is solved.

But you have to disable this listing of Contacts outside of your groups. To do this:

  1. click the gear icon
  2. click admin
  3. go to sharing in the left bar
  4. click Restrict users to only share with users in their groups
  5. click Exclude groups from sharing and fill in any groups you don't want to show up in the Contacts menu
  6. done

[Screenshot 2017-10-04 08:26:00]

> For reference is also OwnCloud suggesting years back (google it) that groups is suggested to be used to completely isolate business. It would be strange to do something completely different here.

There are two main use cases for groups: to enable collaboration and to completely isolate businesses; there is no good default for this IMO.

> Another thing is that it doesn't do anything (if this is by intent and developer really wants users to search outside your goup). You can search in contact, but when you click them, nothing happens.

That's because you don't have an app enabled which uses this feature (Email, chat etc).
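The six clicks above set a handful of core app-config values. As an added example, not code from this thread or from Nextcloud itself, the following Python script audits those values from the JSON that `php occ config:list core --output=json` prints and reports which settings still leave user enumeration open, together with the `occ config:app:set` commands that would close them. The four key names (`shareapi_allow_share_dialog_user_enumeration`, `shareapi_only_share_with_group_members`, `shareapi_exclude_groups`, `shareapi_exclude_groups_list`) are assumed from the Nextcloud admin Sharing settings and are not quoted anywhere on this page; both embedded config samples are constructed. Autocompletion is flagged separately from the group restriction because later comments in this thread report that the share dialog still autocompletes users from other groups in 12.0.4 even with the restriction enabled.

```python
"""Audit Nextcloud core sharing settings for user-enumeration exposure.

Input is the JSON printed by `php occ config:list core --output=json`
(shape: {"system": {...}, "apps": {"core": {...}}}).  Added example; the
appconfig key names below are assumed from the Nextcloud admin Sharing
settings and are not taken from the issue thread.
"""
import json

# Core appconfig keys behind the Admin > Sharing checkboxes named in the thread (assumed names).
KEY_ENUMERATION = "shareapi_allow_share_dialog_user_enumeration"  # "Allow username autocompletion in share dialog"
KEY_GROUP_ONLY = "shareapi_only_share_with_group_members"        # "Restrict users to only share with users in their groups"
KEY_EXCLUDE = "shareapi_exclude_groups"                          # "Exclude groups from sharing"
KEY_EXCLUDE_LIST = "shareapi_exclude_groups_list"                # JSON array of excluded group names

# Values Nextcloud assumes for keys that were never written (such keys are absent from config:list).
DEFAULTS = {KEY_ENUMERATION: "yes", KEY_GROUP_ONLY: "no", KEY_EXCLUDE: "no", KEY_EXCLUDE_LIST: "[]"}

# Constructed sample: a fresh install where nothing has been changed yet.
PERMISSIVE_SAMPLE = json.dumps({"system": {}, "apps": {"core": {}}})

# Constructed sample: the settings after following the steps in the comment above.
RESTRICTED_SAMPLE = json.dumps({"system": {}, "apps": {"core": {
    KEY_ENUMERATION: "no",
    KEY_GROUP_ONLY: "yes",
    KEY_EXCLUDE: "yes",
    KEY_EXCLUDE_LIST: json.dumps(["external-clients"]),
}}})


def core_settings(config_list_json):
    """Return the core appconfig as a dict, with defaults filled in for unset keys."""
    data = json.loads(config_list_json)
    core = data.get("apps", {}).get("core", {})
    return {key: core.get(key, default) for key, default in DEFAULTS.items()}


def excluded_groups(settings):
    """Decode the excluded-group list; a malformed or non-list value counts as empty."""
    try:
        groups = json.loads(settings[KEY_EXCLUDE_LIST])
    except ValueError:
        return []
    if not isinstance(groups, list):
        return []
    return [g for g in groups if isinstance(g, str)]


def audit(config_list_json):
    """Return (key, message) findings for each setting that still permits enumeration.

    An empty list means every restriction discussed in the thread is in place."""
    settings = core_settings(config_list_json)
    findings = []
    if settings[KEY_ENUMERATION] == "yes":
        findings.append((KEY_ENUMERATION,
                         "share dialog autocompletes user names from a typed prefix"))
    if settings[KEY_GROUP_ONLY] != "yes":
        findings.append((KEY_GROUP_ONLY,
                         "sharing is not limited to group members, so the contacts menu lists every local user"))
    if settings[KEY_EXCLUDE] == "yes" and not excluded_groups(settings):
        findings.append((KEY_EXCLUDE_LIST,
                         "group exclusion is switched on but the exclusion list is empty, so it does nothing"))
    return findings


def remediation_commands(config_list_json):
    """occ commands that would move each flagged yes/no setting to its restrictive value."""
    fixes = {KEY_ENUMERATION: "no", KEY_GROUP_ONLY: "yes"}
    return [f"php occ config:app:set core {key} --value={fixes[key]}"
            for key, _ in audit(config_list_json) if key in fixes]


if __name__ == "__main__":
    for label, sample in (("permissive", PERMISSIVE_SAMPLE), ("restricted", RESTRICTED_SAMPLE)):
        print(f"{label}:")
        for key, message in audit(sample) or [("-", "no enumeration paths open")]:
            print(f"  {key}: {message}")
        for cmd in remediation_commands(sample):
            print(f"  fix: {cmd}")
```

Against a live instance, pipe the output of `php occ config:list core --output=json` into `audit()` instead of the constructed samples; the exclusion-list check matters because an exclusion that is enabled with an empty list looks configured in the UI but restricts nobody.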

@ixmann99 commented Oct 10, 2017

Hi @LEDfan

Number 4. is already checked in my installs. This is so important to me that I have tested v12 both in a Softaculous one-click install and through a full-blown mysql install/setup on two dedicated boxes (Centos). The contact menu (with non-clickable names and groups outside your group) still appears, unless you meant to say you have re-packed v12 stable in the last days with the fix. If that is the case, I haven't tested it yet.

Number 5. destroys crucial functionality so that no users can share anything - not even with their own group. Hardly a solution or even a workaround. See picture below; it demonstrates that 4. is still showing and that 5. is destroying the share function both for groups and people in the same group.

BTW: The users displayed in the Contact menu belong to other groups, not the group of the current user I'm logged in as.

[Screenshot: screen2]

@lamixer commented Oct 23, 2017

Hello:

I just realised today that any user on my server can see the name and email address of any other user! Wow, that is a major problem for me. I use my server to share files with clients and it is not appropriate for clients to see a list of my other clients --- AND THEIR EMAIL ADDRESSES!

I'm not sure when this started, NC12 I guess. I'm on 12.0.3 (I think) and I have the Contacts app disabled. Is there a fix coming for this? Did I miss a setting somewhere that will stop it? Can I modify a file to fix it?

At present it seems the only solution is to assign fake names to everyone and delete the email addresses!

@ghost commented Oct 23, 2017

> I have the Contacts app disabled.

The contacts menu is not part of the Contacts app. ;-)

@andrimont commented Oct 25, 2017

You can manage in the settings (admin) to hide ALL the contacts.
[Screenshot 2017-10-25 08:36:56]

But every time that you want to share a link, you have to type the exact user name.

[Screenshot 2017-10-25 08:41:01]
[Screenshot 2017-10-25 08:41:47]

Also, ThomasMarx suggested hiding the dangerous menu with CSS:
https://help.nextcloud.com/t/why-any-user-can-view-all-the-contacts-belonging-to-other-groups/22642/4

@xshadow commented Nov 16, 2017

The Circles app does not honour the "Allow username autocompletion in share dialog ..." setting! If Circles is enabled and you add a new circle and click on add a member, it will propose usernames to you.

@blizzz (Member) commented Nov 17, 2017

@xshadow please open a bug at the circles app https://github.com/nextcloud/circles

@xshadow commented Nov 17, 2017

I already did: nextcloud/circles#152 :)

@BornToBeRoot

The sharing dialog still leaks data in 12.0.4 / daily.

When I type in a single letter, I get a list of people with whom I'm not in a group.

[Screenshot]

My settings...

[Screenshot]

Users with whom I am in a group are shown first, but the others are also displayed.

@jimbowarrior

Same issue!!!

@xshadow commented Dec 6, 2017

Did you uncheck the option in the Sharing tab?

"Allow username autocompletion in share dialog. If this is disabled the full username needs to be entered."

@BornToBeRoot

If I disable the option, I think it works correctly.

But it should work even if the option is enabled...

@blizzz (Member) commented Dec 7, 2017

Please open a new issue. I lock conversations here, because the original issue is dealt with. Any new issue needs a new report.

@nextcloud nextcloud locked and limited conversation to collaborators Dec 7, 2017
@jospoortvliet (Member) commented Dec 13, 2017

Just mentioning #7428 as the follow-up from @BornToBeRoot
