Nextcloud version: 23.0.0
Operating system and version: FreeBSD 13.0-RELEASE
Apache version: 2.4.52
PHP version: 7.4.27
Issue summary:
Nextcloud shows private user information on domain.tld/index.php/u/<username> by default. This seems to be hard coded. I’m looking for a maintainable (i.e. without having to edit php files with every update) method to disable this anti-feature or to limit all personal data from this page to nothing.
Info that is exposed by default:
About
Full name
Headline
Organisation
Profile picture
Role
Twitter
Website
Steps to replicate:
Install a fresh Nextcloud instance, create a user and browse to domain.tld/index.php/u/<username> in another/private browser.
Context:
I’m a day job privacy and security officer/DPO who is using his free time to set up a few Nextcloud instances for two privacy-conscious non-profit organizations that are in need of a cheap (because of money constraints) privacy-friendly collaboration tool. Nextcloud is a logical choice: open source, well maintained and also user-friendly.
Unless I’m completely blind and missed a setting in the GUI, there is just one big problem. In the context of the GDPR and privacy by design the exposure of personal data by default is an anti-feature. You are only allowed to show this publicly when 1) there is a defined purpose for exposing this data and 2) when you have a lawful basis. We don’t have a purpose and legal basis for showing this information, on the contrary even: we have a purpose for not showing this information. This also means it’s automatically unlawful to expose this information to the outside world. But even if the GDPR wasn’t implemented and its national predecessor (Netherlands) didn’t exist, we find privacy to be important and thus don’t want to expose this information to the public anyway.
I’m not going to lie, I feel like I’m missing some completely obvious setting here. I can’t think of a good reason why this is set to these defaults (which for sure isn’t privacy by design) and why these settings aren’t configurable from the GUI. It doesn’t make sense in a post-GDPR world.
Possible solutions:
What I’m hoping for is some maintainable/robust way to disable the availability of /u/ completely. If I missed some setting in the GUI/config.php for this, please show me.
Disabling it might be done by editing a php file, but this won’t be robust since it requires manual php edits with every update (and shows a warning about file integrity that loses its purpose when it becomes a default error).
Another method may be to set the default settings for all users to “Hide” or “Show to logged in users only”. But it seems these are hard coded as well and thus have the same drawback of needing manual php edits with every update. Also this might not change the current settings for already created users.
And thirdly I can think of a solution (which feels more like a hack) where an Apache rewrite rule or htaccess directive makes sure people can’t access the user profile pages.
Question:
Any thoughts on this from some more experienced Nextcloud users? Did I miss something obvious? How would you go about this?
Thanks in advance.
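The web-server approach mentioned as the third option, written out as an added example that is not part of the original post: an Apache 2.4 fragment for the Nextcloud virtual host that denies the profile pages on both URL forms Nextcloud serves them under. The hostname and DocumentRoot are placeholders, and it assumes the standard Apache 2.4 module set (mod_authz_core) that Nextcloud already needs.

```apache
# Added example, not from the original post. Put this in the Nextcloud
# VirtualHost of the Apache configuration (on FreeBSD typically below
# /usr/local/etc/apache24/), not in the webroot .htaccess: Nextcloud
# updates rewrite that file, the vhost config they leave alone.
<VirtualHost *:443>
    # Placeholders: use your own hostname and install path.
    ServerName cloud.example.org
    DocumentRoot /usr/local/www/nextcloud

    # Deny the profile pages on both routes:
    #   /index.php/u/<username>   default routing
    #   /u/<username>             "pretty URL" routing via mod_rewrite
    # The optional trailing group also covers a bare /u or /u/ request,
    # while /u<anything-else> (e.g. /uploads) is left untouched.
    # Location sections are merged after Directory sections, so this
    # denial wins over the "Require all granted" in the Nextcloud
    # Directory block.
    <LocationMatch "^/(index\.php/)?u(/.*)?$">
        Require all denied
    </LocationMatch>

    # The rest of the usual Nextcloud vhost (TLS, Directory block with
    # AllowOverride All, logging) stays as it is.
</VirtualHost>
```

After reloading Apache, check both `https://<host>/u/<user>` and `https://<host>/index.php/u/<user>` with `curl -I`; each should return 403, while the rest of the instance keeps working.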