"invitations" leak all usernames #881

Closed
meaz opened this issue Apr 3, 2020 · 5 comments · Fixed by #1307

meaz commented Apr 3, 2020

What is going wrong?

As a user, I can find all usernames in my instance by using the "Invitations" feature.

To Reproduce

  1. As an admin, "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered" is disabled
  2. Create a poll as user
  3. Go to Details, then Shares
  4. Start typing something in the box under " Invited users will get informed immediately via eMail!"

Expected behavior
As a user, I should not be able to see all usernames existing on the instance.
I should be able to add a user for an invitation only if I know his/her username fully, not by guessing it by writing some letters only.

Information about your polls installation

1.30
Fresh installation
Appstore

Information about your Instance of Nextcloud/ownCloud

Nextcloud 18

dartcafe (Collaborator) commented Apr 4, 2020

Interesting, I thought this is handled by the core when using the user API. We will have to check this.


oafgip commented Jun 9, 2020

Hello,
Aren't invitations supposed to be limited to groups?
When a user of a group tries to share a poll, the list of other groups is proposed. Is there any trick to restrict to the group of the user?
Regards.

dartcafe (Collaborator) commented

> Aren't invitations supposed to be limited to groups?

No. There is no limitation.

dartcafe (Collaborator) commented

#1307 uses another search which respects the autocomplete limitations of the share settings (users and groups).

dartcafe added this to the 1.7 milestone Dec 21, 2020
dartcafe added a commit that referenced this issue Dec 28, 2020
fix #881 - respect autocompletion restrictions from share settings
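
The behaviour requested in this issue, as an added example that is not part of the thread and not code from Polls or Nextcloud: a server-side invitee search that discloses partial matches only when the share settings allow autocompletion, with a regression check that types single letters the way the reproduction steps do. `SharePolicy`, `search_invitees`, `leaked_by_typing` and the sample directory are hypothetical, and allowing an exact match across group boundaries is an assumption of this model.

```python
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    uid: str
    email: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class SharePolicy:
    # Hypothetical field names modelling the admin share settings from the issue.
    allow_autocomplete: bool
    restrict_to_own_groups: bool = False

# Constructed sample directory, not data from any real instance.
DIRECTORY = (
    User("alice", "alice@example.org", frozenset({"staff"})),
    User("alina", "alina@example.org", frozenset({"staff"})),
    User("albert", "albert@example.org", frozenset({"external"})),
    User("bob", "bob@example.org", frozenset({"external"})),
)

def search_invitees(requester, query, policy, directory=DIRECTORY):
    """Return the uids the server may disclose to `requester` for `query`."""
    q = query.strip().lower()
    if not q:
        return []
    hits = []
    for user in directory:
        if user.uid == requester.uid:
            continue
        names = (user.uid.lower(), user.email.lower())
        exact = q in names  # full username or e-mail address was entered
        partial = any(n.startswith(q) for n in names)
        # Partial matches are disclosed only when autocompletion is on and,
        # if group restriction is set, only for users sharing a group.
        may_complete = policy.allow_autocomplete and (
            not policy.restrict_to_own_groups
            or bool(user.groups & requester.groups))
        if exact or (partial and may_complete):
            hits.append(user.uid)
    return sorted(hits)

def leaked_by_typing(requester, policy, directory=DIRECTORY):
    """Regression check: uids revealed by one-character queries."""
    found = set()
    for ch in string.ascii_lowercase:
        found.update(search_invitees(requester, ch, policy, directory))
    return found
```

The decision is made in the search handler itself, so a client that skips the share dialog and calls the endpoint directly gets the same filtered result.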

github-actions bot commented Jun 6, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot locked as resolved and limited conversation to collaborators Jun 6, 2024