BUG? GDPR compliance issue? private email addresses are being shown!

Hi, I am not sure if it is a bug or an expected behaviour but I think it is a problem for GDPR compliance. That info might be also accesible from other apps.

This issue has been reported by a user in our nextcloud instance. That instance, which has an A+ in Nextcloud Security Scan. The instance also has all email privacy scope set to “Private” by default.

The issue has been tested in other instances hosted in different servers.

To replicate the isuue:

While wrintg an email in rainloop app, even if a user has no contacts in his account, rainloop proposes the emails of all the instance users.

Well, if it is not a bug, is there any way to avoid it?

i guess you should ask this at official rainloop -github as this app is just a package from it…

Maybe, but the leak of information is in Nextcloud Server app, not in Rainloop which is just a client. Anyway, I will write it also in Rainloop’s github.
Thank you!!!

https://github.com/pierre-alain-b/rainloop-nextcloud/issues would be the repository.

Here the report in rainloop-nextcloud github.

The issue has been merged with other thread, here the link: