How to make all profiles visible ONLY to logged-in users?

Nextcloud version: 24.0.7
Operating system and version: Ubuntu 20.04

The issue you are facing:

I really like the profiles you get at site.com/u/username - but I am surprised that I cannot seem to find any way to completely hide these user accounts from not-logged-in visibility.

For instance, even when I set every single field on a test profile to “Show to logged in users only” - sure, Login | HSTS Redirection Community shows very little information, like “username has not added any info yet, The headline and about sections will show up here” but even so, this still means anyone on the internet now can tell that this username exists, because this URL can be scraped and is valid, versus testing with a user account that does not exist: site.com/u/fakeuser shows something better - “Profile not found, The profile does not exist.”

I don’t want to stop using profiles, but I also want any not-logged-in user who tries to view any user accounts, to simply be shown either “profile not found” or, even better, just redirected to the login page.

How can I make anything involving userprofiles require logon to be visible?

I can confirm this behavior on my instance (Nextcloud Server 24.0.8) too.

As Nextcloud aims for privacy, this looks like a bug to me.

there is a “profile visibility” setting where a user (admin) can control visibility of specific attributes

image1115×531 14.5 KB

having it set as above results in %username% has not added any info yet. It is still possible to harvest user names but other profile details could be hidden.

Good to know. However - these settings are user-dependant.

Made me looking for a system-wide setting and I found following:

grafik495×580 21.1 KB

This disables the profile-page system-wide (for all users). Afterwards site.com/u/username shows “Profile not found” all the time.

It’s also described here
https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/profile_configuration.html