nextcloud-server/apps
Jonas Meurer 3fe267b772
Respect user enumeration settings in user status lists
So far, the functions to find user statuses listed didn't respect user
enumeration settings (`shareapi_allow_share_dialog_user_enumeration`
and `shareapi_restrict_user_enumeration_to_group` core app settings).

Fix this privacy issue by returning an empty list in case
`shareapi_allow_share_dialog_user_enumeration` is unset or
`shareapi_restrict_user_enumeration_to_group` is set.

In the long run, we might want to return users from common groups if
`shareapi_restrict_user_enumeration_to_group` is set. It's complicated
to implement this in a way that scales, though. See the discussion at
https://github.com/nextcloud/server/pull/27879#pullrequestreview-753655308
for details.

Also, don't register the user_status dashboard widget at all if
`shareapi_allow_share_dialog_user_enumeration` is unset or
`shareapi_restrict_user_enumeration_to_group` is set.

Fixes: #27122

Signed-off-by: Jonas Meurer <jonas@freesources.org>
2021-10-20 11:33:23 +02:00
accessibility Bump core-js from 3.18.2 to 3.18.3 2021-10-17 16:25:41 +02:00
admin_audit
cloud_federation_api
comments Bump core-js from 3.18.2 to 3.18.3 2021-10-17 16:25:41 +02:00
contactsinteraction
dashboard Bump core-js from 3.18.2 to 3.18.3 2021-10-17 16:25:41 +02:00
dav [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
encryption [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
federatedfilesharing
federation
files [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
files_external [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
files_sharing [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
files_trashbin
files_versions
lookup_server_connector
oauth2 Bump core-js from 3.18.2 to 3.18.3 2021-10-17 16:25:41 +02:00
provisioning_api [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
settings [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
sharebymail [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00
systemtags
testing
theming Profile frontend 2021-10-19 04:59:36 +00:00
twofactor_backupcodes Bump core-js from 3.18.2 to 3.18.3 2021-10-17 16:25:41 +02:00
updatenotification Bump core-js from 3.18.2 to 3.18.3 2021-10-17 16:25:41 +02:00
user_ldap
user_status Respect user enumeration settings in user status lists 2021-10-20 11:33:23 +02:00
weather_status Bump core-js from 3.18.2 to 3.18.3 2021-10-17 16:25:41 +02:00
workflowengine [tx-robot] updated from transifex 2021-10-20 02:23:10 +00:00