Sharing dropdown leaks email addresses of users in other groups

[danxuliu]

When a user has an email address set in her profile users in other groups can see her full name and email address through the sharing dropdown of the details view of the Files app even if "Restrict users to only share with users in their groups" is enabled in the "Sharing" section of the administration settings.

It seems that getEmail in apps/files_sharing/lib/Controller/ShareesAPIController.php does not honour the shareapi_only_share_with_group_members configuration value.

Steps to reproduce

1. Log in as the admin and enable "Restrict users to only share with users in their groups" in the "Sharing" section of the administration settings
2. Create a user group1-user1 belonging to group group1
3. Create a user group2-user2 belonging to group group2
4. Log in as user group1-user1, open the "Personal info" section of the settings, and set the full name to group1-fullname1 and the email address to [email protected]
5. Log in as user group2-user2 and open the "Sharing" tab of the details view of the Files app
6. In the sharing input field, type full or mail

Expected behaviour

No result appears in the sharing dropdown (like what happens after #5585 if full or mail is typed in the contacts menu instead).

Actual behaviour

In both cases, "group1-fullname1 ([email protected])" appears in the dropdown, although that user belongs to a different group than the current user.

[BornToBeRoot]

Will this be fixed in NC12 ?

[danxuliu]

Will this be fixed in NC12 ?

Yes, once fixed for Nextcloud 13 it should be backported to Nextcloud 12.

[LEDfan]

This is the same bug which caused #7428 and is fixed in Nextcloud 12.0.5 and NC 13 beta 4.

[muppeth]

Sorry for reopening, but I just noticed that the dropdown still leaks data on nextcloud 12.05 It still autocompletes usernames (LDAP) even though autocompletion has been disabled in sharing settings.