nextcloud-server/apps/user_status/lib
Jonas Meurer 02ce5c8f7d
Respect user enumeration settings in user status lists
So far, the functions to find user statuses listed didn't respect user
enumeration settings (`shareapi_allow_share_dialog_user_enumeration`
and `shareapi_restrict_user_enumeration_to_group` core app settings).

Fix this privacy issue by returning an empty list in case
`shareapi_allow_share_dialog_user_enumeration` is unset or
`shareapi_restrict_user_enumeration_to_group` is set.

In the long run, we might want to return users from common groups if
`shareapi_restrict_user_enumeration_to_group` is set. It's complicated
to implement this in a way that scales, though. See the discussion at
https://github.com/nextcloud/server/pull/27879#pullrequestreview-753655308
for details.

Also, don't register the user_status dashboard widget at all if
`shareapi_allow_share_dialog_user_enumeration` is unset or
`shareapi_restrict_user_enumeration_to_group` is set.

Fixes: #27122

Signed-off-by: Jonas Meurer <jonas@freesources.org>
2021-10-25 10:05:33 +07:00
AppInfo Respect user enumeration settings in user status lists 2021-10-25 10:05:33 +07:00
BackgroundJob Better cleanup routine for statuses 2020-09-07 09:22:38 +07:00
Connector Always use IUserStatus consts 2020-09-07 11:30:18 +07:00
Controller UserStatus: no message means clear status message. This fixes #23332 2020-11-02 17:59:44 +07:00
Dashboard Always use IUserStatus consts 2020-09-07 11:30:18 +07:00
Db Don't update statuses to offline again and again 2021-06-07 10:14:35 +07:00
Exception
Listener Only load user status script when needed 2020-09-24 20:00:21 +07:00
Migration Migrate internal classes to the OCP db col types 2021-01-12 14:09:13 +07:00
Service Respect user enumeration settings in user status lists 2021-10-25 10:05:33 +07:00
Capabilities.php