Administrator has access to your data in the privacy setting

Hello,

I would just like to report the information under “Who has access to your data” in the privacy settings of a user account. It says Administrator, even though I as admin do not have access to it. I am using server-side encryption, which means I should not have access to the data of the users. This information confuses the users; therefore, I would like to ask if it is possible to correct this.

Thanks!

An administrator “always” has access to the data. He might not be able to see “all” data, but as a matter of fact, data does not only mean file data :wink: An administrator can, e.g., use the impersonate app to act as a different user.

@j-ed Thanks for the answer, that makes very much sense, but still the content cannot be seen, so the phrase which gets displayed to the user is not precise enough.

I haven’t personally checked it, but I would expect that an administrator is able to see a user’s content if he fires up the impersonate app.

Yes, he can. Using the impersonate app is like logging in as that user, so you see the user’s files, app arrangement, favorites and so on and so on.

@CamZie What does the folder structure on the filesystem actually look like when server-side encryption is enabled? Do you see, for example:
…/ncdata/User1/files/Documents

Are filenames readable and is the file content not readable via command shell (ssh)?

@Schmu

I have tried the impersonate app on two different users and saw that it can access images and txt files but not PDF files. In the server log I received the following error message when accessing a PDF.

2020/02/18 11:35:17 [error] 20154#20154: *317510 FastCGI sent in stderr: “PHP message: [owncloud][webdav][4] {“Exception”:“Sabre\DAV\Exception\ServiceUnavailable”,“Message”:“Encryption not ready: multikeydecrypt with share key failed:error:0909006C:PEM routines:get_name:no start line”,“Code”:0,“Trace”:[{“file”:”/var/www/nextcloud/apps/dav/lib/Connector/Sabre/File.php",“line”:404,“function”:“convertToSabreException”,“class”:“OCA\DAV\Connector\Sabre\File”,“type”:“->”,“args”:[{“class”:“OCA\Encryption\Exceptions\MultiKeyDecryptException”}]},{“file”:“/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php”,“line”:85,“function”:“get”,“class”:“OCA\DAV\Connector\Sabre\File”,“type”:“->”,“args”:},{“function”:“httpGet”,“class”:“Sabre\DAV\CorePlugin”,“type”:“->”,“args”:[{“absoluteUrl”:“https://REMOVED/remote.php/webdav/Terms_of_service.pdf”,“class”:“Sabre\HTTP\Request”},{“class”:“Sabre\HTTP\Response”}]},{“file”:“/var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php”,“line”:105,“function”:“call_user_” while reading response header from upstream, client: REMOVED, server: REMOVED, request: “GET /remote.php/webdav/Terms_of_service.pdf HTTP/2.0”, upstream: “fastcgi://unix:/var/run/php-fpm.sock:”, host: “REMOVED”

I’m guessing that maybe the reason why images and txt files could be accessed is because they are cached.

Regarding the folder structure on the server: Yes, the filenames are readable like the example you gave, but the contents are not readable and are encrypted.
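The on-disk check discussed above (readable filenames, encrypted contents) can be scripted. This is an added example, not part of the original thread or of Nextcloud's code: it assumes the default encryption module's file layout, where an encrypted file begins with an `HBEGIN:…:HEND` header padded to 8192 bytes, and it runs against a constructed sample tree rather than a real data directory.

```python
import os
import tempfile

HEADER_SIZE = 8192  # assumption: default module pads its header block to 8192 bytes

def parse_header(first_block):
    """Return the header fields as a dict, or None when no encryption header is present."""
    if not first_block.startswith(b"HBEGIN:"):
        return None
    end = first_block.find(b":HEND")
    if end == -1:
        return None  # truncated or damaged header: treat as not verifiably encrypted
    parts = first_block[len(b"HBEGIN:"):end].decode("ascii", "replace").split(":")
    return dict(zip(parts[0::2], parts[1::2]))

def audit(data_dir):
    """Map every file under <data_dir>/<user>/files to its header (None = plaintext on disk)."""
    report = {}
    for user in sorted(os.listdir(data_dir)):
        files_root = os.path.join(data_dir, user, "files")
        for dirpath, _dirs, names in os.walk(files_root):
            for name in names:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    header = parse_header(fh.read(HEADER_SIZE))
                report[os.path.relpath(path, data_dir)] = header
    return report

def build_sample(data_dir):
    """Constructed sample tree: one file with an encryption header, one left in plaintext."""
    docs = os.path.join(data_dir, "User1", "files", "Documents")
    os.makedirs(docs)
    header = b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:HEND"
    with open(os.path.join(docs, "Terms_of_service.pdf"), "wb") as fh:
        fh.write(header.ljust(HEADER_SIZE, b"-") + os.urandom(64))
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"this file is stored unencrypted\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit(tmp)

if __name__ == "__main__":
    for rel_path, header in sorted(demo().items()):
        state = "encrypted (%s)" % header.get("cipher", "?") if header else "PLAINTEXT on disk"
        print("%-45s %s" % (rel_path, state))
```

To check a real installation, call `audit()` with the path of the data directory from a shell account that can read it; the script only reads the first block of each file.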

does it really confuse the user? why? because it tells him about a given fact valid for ALL software on the net? like: usually admins can see everything (even if they aren’t allowed to take a look)
so i think NC is just playing with open cards here. being a homeuser (as this is the homeuser-forum) it even means that he has hardware control over your files.

it just makes clear… you are trusting your cloudprovider… and so you should trust him as well in this case.

to get rid of that message i think you’d need to completely disable the privacy app within your nc. and i do as well think that it just disables this one setting only and not all privacy settings…
