mirror of
https://github.com/nextcloud/server.git
synced 2026-05-20 09:12:51 -04:00
50a25748c0
So far, the functions to find user statuses listed didn't respect user enumeration settings (`shareapi_allow_share_dialog_user_enumeration` and `shareapi_restrict_user_enumeration_to_group` core app settings). Fix this privacy issue by returning an empty list in case `shareapi_allow_share_dialog_user_enumeration` is unset or `shareapi_restrict_user_enumeration_to_group` is set. In the long run, we might want to return users from common groups if `shareapi_restrict_user_enumeration_to_group` is set. It's complicated to implement this in a way that scales, though. See the discussion at https://github.com/nextcloud/server/pull/27879#pullrequestreview-753655308 for details. Also, don't register the user_status dashboard widget at all if `shareapi_allow_share_dialog_user_enumeration` is unset or `shareapi_restrict_user_enumeration_to_group` is set. Fixes: #27122 Signed-off-by: Jonas Meurer <jonas@freesources.org> |
||
|---|---|---|
| .. | ||
| accessibility | ||
| admin_audit | ||
| cloud_federation_api | ||
| comments | ||
| contactsinteraction | ||
| dashboard | ||
| dav | ||
| encryption | ||
| federatedfilesharing | ||
| federation | ||
| files | ||
| files_external | ||
| files_sharing | ||
| files_trashbin | ||
| files_versions | ||
| lookup_server_connector | ||
| oauth2 | ||
| provisioning_api | ||
| settings | ||
| sharebymail | ||
| systemtags | ||
| testing | ||
| theming | ||
| twofactor_backupcodes | ||
| updatenotification | ||
| user_ldap | ||
| user_status | ||
| weather_status | ||
| workflowengine | ||