mirror of
https://github.com/nextcloud/server.git
synced 2026-02-27 03:50:37 -05:00
af00399893
So far, the functions to find user statuses listed didn't respect user enumeration settings (`shareapi_allow_share_dialog_user_enumeration` and `shareapi_restrict_user_enumeration_to_group` core app settings). Fix this privacy issue by returning an empty list in case `shareapi_allow_share_dialog_user_enumeration` is unset or `shareapi_restrict_user_enumeration_to_group` is set. In the long run, we might want to return users from common groups if `shareapi_restrict_user_enumeration_to_group` is set. It's complicated to implement this in a way that scales, though. See the discussion at https://github.com/nextcloud/server/pull/27879#pullrequestreview-753655308 for details. Also, don't register the user_status dashboard widget at all if `shareapi_allow_share_dialog_user_enumeration` is unset or `shareapi_restrict_user_enumeration_to_group` is set. Fixes: #27122 Signed-off-by: Jonas Meurer <jonas@freesources.org> |
||
|---|---|---|
| .. | ||
| AppInfo | ||
| BackgroundJob | ||
| Connector | ||
| Controller | ||
| Dashboard | ||
| Db | ||
| Exception | ||
| Listener | ||
| Migration | ||
| Service | ||
| Capabilities.php | ||