User Profile should be usable without public visibility

[kolewu]

How to use GitHub

• Please use the 👍 reaction to show that you are interested into the same feature.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe.
The new user profile feature is a valuable addition to every cloud, but it's sad that it always is publicly visible. The most private clouds are just that: private. And so no information should be visible to the public.

The current profile is a choice between "make some information visible to the public" or "don't use profiles". But profiles are useful for private use inside the cloud, too.

Describe the solution you'd like
The user profile as a whole should at least get an option "only visible to logged in users". Even better, the administrator should be able to configure the visibility for all accounts.

So I request:

• a user option to make the profile invisible to the public
• administrator options
  • make no profile visible to the public and the user could not change this
  • make no profile visible to the public by default and the user can change it afterwords
• for updates make all profiles not visible to the public and the user could change this

Describe alternatives you've considered

Additional context

[eibex]

This would also help to ensure that potential usernames can't be checked by malicious users using cloud.example.com/u/{username}

[szaimen]

cc @jancborchardt @nimishavijay

[szaimen]

see #31623

[nimishavijay]

You can control the information that it displayed on your profile using the Profile visibility settings in the bottom of your personal settings page, and these settings allow you to configure if your information is shown to nobody, only logged in users of the instance or to the public. Would this solve the issue?

It could be useful to make the default visibility of all the information on your Profile to just users of the instance @jancborchardt

[eibex]

If everything is set not to public it would be better if when you tried to load a user profile while not logged in it would redirect you to the login page (as id the username you entered in the URL did not exist)

[kolewu]

You can control the information that it displayed on your profile using the Profile visibility settings in the bottom of your personal settings page, and these settings allow you to configure if your information is shown to nobody, only logged in users of the instance or to the public. Would this solve the issue?

It's not my own profile that I'm concerned of. As an admin It's all profiles of my instance. Until this change every information from the settings page, was restricted to members of the cloud and no one outside. With this update, some of the information is per default visible and this is and this is both extremely unexpected and totally undesirable in most if not all cases.
I know that there are people out there who believe that privacy is a thing of the past, but I strongly believe that the default setting, at least for an upgrade and existing accounts, must never be the way it is now: the username and some details like full name and user picture are visible to the whole world. This is completely irresponsible!

Translated with www.DeepL.com/Translator (free version)

It could be useful to make the default visibility of all the information on your Profile to just users of the instance @jancborchardt

And it could not only be useful, but this MUST be the default setting at least for upgrades!

[cherti]

Is there any update on this? in severely harms the usability of Nextcloud profiles if I can't disable that the username is even acknowledged in the first place. I would like to have a setting that just says "disable everything profile-related for everyone on the outside, including the fact that this profile page/user exists in the first place. The idea of profiles is pretty nice, but it feels very unpolished given I can only use it with exposing user-data to the outside.

[SergioArbarviro]

I fully agree with the statements above. The personal data of the users should remain private, which in my views means that, by default:

• no publicly visible information should be made available on the very existence of a user account - and even less so on the details in it;
• the "Full name", the avatar and the profile text are visible to other users of the same instance, but all the rest (and in particular the e-mail address) fshould remain hidden rom the other users of the same platform.

[mkarnebeek]

Any practical way to disable https://nexcloud.yourdomain/u/username being publically accessable for now? It shows my name and profile picture.

I've got my profile visibily set to "Federated" and have not added any trusted servers. Any way for example to change the default profile visibility for new accounts?

I would have expected Nexcloud to keep this private by default, and only make it public after explicitly telling to

[cherti]

Part of this could be remedied by #47170. it would not make profiles invisible at all, but at least it would change the defaults of all the fields to not be publicly visible by default. Not solving the fundamental concern that this allows username checking, but at least it reduces the information leaked a little.

[jancborchardt]

Any practical way to disable https://nexcloud.yourdomain/u/username being publically accessable for now? It shows my name and profile picture.

Yes, there is a switch for exactly that right in the personal settings:

[jancborchardt]

And as to how we should go ahead with this, copying my comment from @cherti’s pull request:

So we would like to promote people using the profile, possibly having it useful as some sort of federated address book. If the default is changed like this, people will likely never enable it.

@cherti your use-case of course is reasonable, and to achieve that I would rather say there should be an admin setting (or config.php setting). @AndyScherzinger @sorbaugh

[cherti]

But that admin setting is currently not there. So you would say keeping it the way it is, enabling the profile will expose parts of the profile to the outside? That strikes me to be quite at odds with Nextcloud publicly advertising as a privacy-conscious alternative to the existing players, don't you think so?

[jancborchardt]

But that admin setting is currently not there.

@cherti yep, so what I’m saying is it needs to be implemented. :) Then an admin can just decide instance-wide about default privacy for the profiles, or to shut it off completely (depending on what we make the setting do).

[cherti]

So for now you decide to leave the default configuration to be world-exposed until that is eventually implemented at some point? Or are you gonna merge this as a temporary fix for the current issue?

[jancborchardt]

So for now you decide to leave the default configuration to be world-exposed until that is eventually implemented at some point?

Yes. Because anyway the next release is happening tomorrow, and the next version in 3 months, so either way we wouldn’t have the temporary fix live soon.

[cherti]

Oh, so you will have implemented this feature for the next release already? I love to hear that!

[jancborchardt]

Oh, so you will have implemented this feature for the next release already? I love to hear that!

I can not make any promises of course. As Nextcloud is an open community, if anyone with more deep PHP knowledge wants to have a go at it, please go ahead.
But I would stop discussing here since it is just making the thread longer and anyone who possibly would work on this more confused.

For reference → What we should go with: #32086 (comment)