Tweak the default scopes for Accounts #6582

Closed
tcitworld opened this issue Sep 20, 2017 · 14 comments · Fixed by #31623

@tcitworld
Member

Currently the following default scopes for new accounts are defined inside AccountManager. We should let the server admin define them through the administration panel or config.php.
This is especially important on instances where users don't know each other.

```php
self::PROPERTY_DISPLAYNAME =>
    [
        'value' => $user->getDisplayName(),
        'scope' => self::VISIBILITY_CONTACTS_ONLY,
        'verified' => self::NOT_VERIFIED,
    ],
self::PROPERTY_ADDRESS =>
    [
        'value' => '',
        'scope' => self::VISIBILITY_PRIVATE,
        'verified' => self::NOT_VERIFIED,
    ],
self::PROPERTY_WEBSITE =>
    [
        'value' => '',
        'scope' => self::VISIBILITY_PRIVATE,
        'verified' => self::NOT_VERIFIED,
    ],
self::PROPERTY_EMAIL =>
    [
        'value' => $user->getEMailAddress(),
        'scope' => self::VISIBILITY_CONTACTS_ONLY,
        'verified' => self::NOT_VERIFIED,
    ],
self::PROPERTY_AVATAR =>
    [
        'scope' => self::VISIBILITY_CONTACTS_ONLY
    ],
self::PROPERTY_PHONE =>
    [
        'value' => '',
        'scope' => self::VISIBILITY_PRIVATE,
        'verified' => self::NOT_VERIFIED,
    ],
self::PROPERTY_TWITTER =>
    [
        'value' => '',
        'scope' => self::VISIBILITY_PRIVATE,
        'verified' => self::NOT_VERIFIED,
    ],
```

@tcitworld tcitworld added 1. to develop Accepted and waiting to be taken care of feature: users and groups labels Sep 20, 2017
@tcitworld tcitworld self-assigned this Sep 20, 2017
@tcitworld
Member Author

Probably a duplicate of #6578.

@MorrisJobke
Member

cc @nextcloud/sharing

@MorrisJobke
Member

@nextcloud/designers

@schiessle
Member

That was chosen on purpose because this was the default even before we introduced the setting. So we kept it as default in order not to break known behavior.

@jancborchardt
Member

What are you exactly suggesting we tweak from the current state? Which default visibility should be changed to what?

@tcitworld
Member Author

I didn't ask to change the default ones, I asked for the possibility for the admin to change them. In my case, email would also be VISIBILITY_PRIVATE.

@jancborchardt
Member

Ok, seems to make sense security-wise. We could have it as a setting in the config file, but not necessary in the interface.

@schiessle?

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@codeshell

codeshell commented Sep 25, 2018

Any update on this issue? Seems pretty important to me as this yet unchangeable default probably renders a lot of installations non-compliant in terms of data protection regulations.

Think of a Nextcloud instance that allows users to create profiles / login via social accounts. The admin cannot prevent the e-mail address of new users from being automatically exposed to existing users. As most users won't be aware of this default setting and keep it, this means that the e-mail addresses of most existing users are immediately exposed / available to a new user. He/she doesn't even have to belong to a group. That's most certainly even worse than how social networks deal with social data.

Not meant as a rant but a friendly request to review the priority of this issue.

Doesn't need the social login example to become relevant but it makes it even more obvious.

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Sep 25, 2018
@simon511000

Up ?

@stefandesu

I arrived at this issue now as well and I don't understand how this has not been fixed yet. I'm using LDAP for authentication which means that Nextcloud shows the email addresses of all users, even if they haven't logged into Nextcloud yet (so they didn't even have the chance to disable email sharing). I will probably change this in code even though it might get overridden by an update because this seems super important to me.

@kesselb
Contributor

kesselb commented Feb 8, 2020

If someone wants to pick this up:

```php
protected function buildDefaultUserRecord(IUser $user) {
```

This method is called if no configuration for a user account is found. For reading a system configuration value at this place the constructor must be changed and IConfig injected as dependency and stored as class member. Next step is to read a value from config.php with getSystemValue and merge it with the default values. Probably not bad to check if the provided values are valid (e.g. it's an array with value, scope and verified). Please don't forget to update the tests. To change the existing configuration probably some command would be necessary.

Happy hacking 😎
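
The merge-and-validate step described in the comment above, as an added example (not part of the comment and not Nextcloud's own code). The config key, the string values of the constants and property keys, and the fallback to the private scope on an invalid value are assumptions of this example.

```php
<?php
// Stand-ins for the AccountManager constants quoted in the issue; the string
// values here are assumptions of this example.
const VISIBILITY_PRIVATE = 'private';
const VISIBILITY_CONTACTS_ONLY = 'contacts';
const VISIBILITY_PUBLIC = 'public';

// Hypothetical config.php key, used only for this example.
const SCOPE_CONFIG_KEY = 'example.default_property_scope';

/** Built-in default scopes, as listed in the issue (property keys assumed). */
function builtInScopes(): array {
    return [
        'displayname' => VISIBILITY_CONTACTS_ONLY,
        'address' => VISIBILITY_PRIVATE,
        'website' => VISIBILITY_PRIVATE,
        'email' => VISIBILITY_CONTACTS_ONLY,
        'avatar' => VISIBILITY_CONTACTS_ONLY,
        'phone' => VISIBILITY_PRIVATE,
        'twitter' => VISIBILITY_PRIVATE,
    ];
}

/**
 * Merge admin overrides over the built-in defaults. $systemConfig stands in
 * for what IConfig::getSystemValue() would read from config.php. Unknown
 * properties are ignored; an unrecognised scope for a known property falls
 * back to private, so a typo never widens visibility.
 */
function resolveDefaultScopes(array $systemConfig): array {
    $allowed = [VISIBILITY_PRIVATE, VISIBILITY_CONTACTS_ONLY, VISIBILITY_PUBLIC];
    $scopes = builtInScopes();
    $overrides = $systemConfig[SCOPE_CONFIG_KEY] ?? [];
    if (!is_array($overrides)) {
        return $scopes; // malformed setting: keep the built-in defaults
    }
    foreach ($overrides as $property => $scope) {
        if (!isset($scopes[$property])) {
            continue; // not a known account property
        }
        $scopes[$property] = in_array($scope, $allowed, true) ? $scope : VISIBILITY_PRIVATE;
    }
    return $scopes;
}

// Constructed sample: email made private, a mistyped scope, an unknown property.
$sample = [SCOPE_CONFIG_KEY => ['email' => 'private', 'avatar' => 'everyone', 'fax' => 'public']];
print_r(resolveDefaultScopes($sample));
```

With the constructed sample, `email` and `avatar` both resolve to the private scope and the unknown `fax` entry is dropped.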


tcitworld added a commit that referenced this issue Apr 26, 2020
tcitworld added a commit that referenced this issue Apr 27, 2020
@MohammedNoureldin

Can this be configured also for LDAP users? The email of LDAP users is by default hidden, but I want it to be visible. How can it be done? Though the code looks like this in AccountManager.php:

image

tcitworld added a commit that referenced this issue Mar 18, 2022
tcitworld added a commit that referenced this issue Apr 29, 2022
tcitworld added a commit that referenced this issue May 12, 2022
tcitworld added a commit that referenced this issue May 16, 2022
backportbot-nextcloud bot pushed a commit that referenced this issue May 17, 2022