Any user can modify or delete other users

Support intro

Any user can modify or delete other users

Nextcloud version (eg, 20.0.5): Next cloud 20.0.5
Operating system and version (eg, Ubuntu 20.04): Debian 9
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.25
PHP version (eg, 7.4): PHP 7.3.33

The issue you are facing:

As the main admin, I have created a new user and made him part of a group, this user is not an admin.

This new user can now login and from menu users==>everyone can see some of the users and for some of these users, he can deleted them or wipe their data while.

(“Some of the users” means, he can see users that are part of a group (any group), but he cannot see users that have no group.)

It look like, as long as a non admin user is part of a group he has the possibility to delete or update other users as long as they are part of a group.

This is a “dangerous” possibility, how can I correct this behavior?
Thank you

I test it for you. My user test in group test has got no access to users in settings.
But i use Nextcloud 22.2.3 .
Please post details e.g. screenshots.

Thank you devnull for your answer.

Here is a screen shot:

-First line the actual user
-Second line, me the adminstrator
-Third line, another user to which the logged user (first line) can delete or modify the account

First and third user are in a group but in a different group


I do not like spaces in usernames or groups. There is also a bug with the Android App and usernames.

Can you delete the group and create a new group without a space. Perhaps it is a bug with groupnames.

I did delete the group with space in the name and recreate a new one, replacing spaces with _ but it is almost the same.
The only difference is that the first user (the logged one) is not in the list anymore.

I also noticed that this logged user has access to other group (but not his own group that is not listed).


I have open a bug report