source.dussan.org Git - nextcloud-server.git/commit
Respect user enumeration settings in user status lists
author Jonas Meurer <jonas@freesources.org>
Thu, 8 Jul 2021 16:26:27 +0000 (18:26 +0200)
committer Jonas Meurer <jonas@freesources.org>
Wed, 20 Oct 2021 09:33:23 +0000 (11:33 +0200)
commit 3fe267b77279a44dcd9f4ccf75cd2f7ac8321c7b
tree 84568b792a7112523427c7726d1ed0e92d60fc99
parent 2083e1ede253a6ea76f67d37c382cd851620ad99

So far, the functions to find user statuses listed didn't respect user
enumeration settings (`shareapi_allow_share_dialog_user_enumeration`
and `shareapi_restrict_user_enumeration_to_group` core app settings).

Fix this privacy issue by returning an empty list in case
`shareapi_allow_share_dialog_user_enumeration` is unset or
`shareapi_restrict_user_enumeration_to_group` is set.

In the long run, we might want to return users from common groups if
`shareapi_restrict_user_enumeration_to_group` is set. It's complicated
to implement this in a way that scales, though. See the discussion at
https://github.com/nextcloud/server/pull/27879#pullrequestreview-753655308
for details.

Also, don't register the user_status dashboard widget at all if
`shareapi_allow_share_dialog_user_enumeration` is unset or
`shareapi_restrict_user_enumeration_to_group` is set.

Fixes: #27122
Signed-off-by: Jonas Meurer <jonas@freesources.org>
apps/user_status/lib/AppInfo/Application.php
apps/user_status/lib/Service/StatusService.php
apps/user_status/tests/Unit/Service/StatusServiceTest.php