user_status "last statuses" widget leaks account names #27122
Comments
Oh wow, I just stumbled upon this bug and realized that it's possible to get a full list of users using the I already looked into a fix, but I'm unsure what's the best approach. We probably should check for the But to be honest, I'm not sure whether it's a good idea to provide an API endpoint that lists all users at once at all, even without So my suggested fix would be twofold:
Let me know what you think and I could prepare a patch.
…27122) The functions to find statuses from other users listed other users even if with disabled enumeration (`shareapi_allow_share_dialog_user_enumeration` setting in core app settings). Now the functions respect `shareapi_allow_share_dialog_user_enumeration` and return empty lists if it is not set to `yes`. Fixes: #27122 Signed-off-by: Jonas Meurer <[email protected]>
I opened a PR to fix this issue: #27879
The functions to find user statuses listed didn't respect user enumeration settings (`shareapi_allow_share_dialog_user_enumeration` and `shareapi_restrict_user_enumeration_to_group` core app settings). Fixes: #27122 Signed-off-by: Jonas Meurer <[email protected]>
So far, the functions to find user statuses listed didn't respect user enumeration settings (`shareapi_allow_share_dialog_user_enumeration` and `shareapi_restrict_user_enumeration_to_group` core app settings). Fixes: #27122 Signed-off-by: Jonas Meurer <[email protected]>
So far, the functions to find user statuses listed didn't respect user enumeration settings (`shareapi_allow_share_dialog_user_enumeration` and `shareapi_restrict_user_enumeration_to_group` core app settings). Fix this privacy issue by returning an empty list in case `shareapi_allow_share_dialog_user_enumeration` is unset or `shareapi_restrict_user_enumeration_to_group` is set. In the long run, we might want to return users from common groups if `shareapi_restrict_user_enumeration_to_group` is set. It's complicated to implement this in a way that scales, though. See the discussion at #27879 (review) for details. Also, don't register the user_status dashboard widget at all if `shareapi_allow_share_dialog_user_enumeration` is unset or `shareapi_restrict_user_enumeration_to_group` is set. Fixes: #27122 Signed-off-by: Jonas Meurer <[email protected]>
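The enumeration gate the commit message above describes, as an added Python model rather than Nextcloud's own PHP code: it reads the two core settings (assumed defaults `yes` and `no`, as in Nextcloud), returns nothing when enumeration is disabled, skips the dashboard widget in the same cases, and for the group-restricted case also carries through the common-groups variant the message defers. Users, groups, statuses and the settings store are constructed in memory.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the two core app settings the fix reads.
# Assumption: defaults match Nextcloud's ('yes' = enumeration allowed,
# 'no' = not restricted to common groups).
DEFAULTS = {
    "shareapi_allow_share_dialog_user_enumeration": "yes",
    "shareapi_restrict_user_enumeration_to_group": "no",
}


def _get(settings, key):
    return settings.get(key, DEFAULTS[key])


def enumeration_allowed(settings):
    """Gate from the commit message: other users' statuses may be listed
    only when enumeration is allowed and not restricted to groups."""
    return (_get(settings, "shareapi_allow_share_dialog_user_enumeration") == "yes"
            and _get(settings, "shareapi_restrict_user_enumeration_to_group") != "yes")


@dataclass
class Directory:
    """In-memory users, groups and statuses (constructed sample data)."""
    statuses: dict                      # user id -> status message
    groups: dict                        # group id -> set of user ids
    settings: dict = field(default_factory=dict)

    def groups_of(self, uid):
        return {g for g, members in self.groups.items() if uid in members}

    def find_statuses(self, requester):
        """Statuses `requester` may see. The merged fix returns {} whenever
        enumeration_allowed() is false; the group branch is the deferred
        common-groups variant, shown here as a generalisation."""
        if enumeration_allowed(self.settings):
            return dict(self.statuses)
        if _get(self.settings, "shareapi_allow_share_dialog_user_enumeration") != "yes":
            return {}  # enumeration off: leak nothing
        # Restricted to groups: only members of a group shared with the requester.
        visible = set().union(*(self.groups[g] for g in self.groups_of(requester)))
        return {u: s for u, s in self.statuses.items() if u in visible}

    def register_widget(self):
        """The "last statuses" dashboard widget is registered only when listing is allowed."""
        return enumeration_allowed(self.settings)


SAMPLE = Directory(
    statuses={"alice": "in a meeting", "bob": "away", "carol": "online"},
    groups={"sales": {"alice", "bob"}, "dev": {"carol"}},
)
```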
There should be an option to globally disable the "Last statuses" widget. It leaks account names, which might be the desired behaviour, but might as well not be.

On "semi-public" Nextcloud instances you usually don't want to expose other users to each other, which is also why e.g. `shareapi_allow_share_dialog_user_enumeration` can be disabled. Currently it's only possible to disable user_status altogether. It would be nice if there was the option to keep user_status enabled but disable the "Last statuses" widget.