Security problem / sharing options / autocompletion Nextcloud 12.0.4

Security problem / sharing options

In my opinion. I am not a software developer, but admin and user.

When combining the options
"Restrict users to share only with users in their group"
"Allow username autocompletion in share dialog." If this is disabled
the full username or email address needs to be entered "

If I enter the name with autocomplete when sharing, all hits for all users are displayed. Also the users of groups with whom I may not share. With it I can find out all users (with email) about all groups.

I would expect autocomplete to show only the users allowed to share.

Is this a security bug or how can I prevent it?

It is a privacy design issue, yes. Recommend to check server issues as I think this is already open.

1 Like

You can find further info here: