Why can any user view all the contacts belonging to other groups?

Hello,
I noticed that any user can view all the contacts from all the groups present on the server.
Is this normal behaviour? A mistake in the settings on the server side? A bug?
My concern is to hide all the contacts from groups that the user doesn’t belong to.

You can see in the screenshot that the user can see many contacts that are not in the contact list (empty in this case).

Thanks for your help answering this question (or issue).

2 Likes

Every week the same question. :roll_eyes: Please use the search function of the forum!

BTW, the contacts menu is not part of the contacts app!

Hi Thomas, thank you.
You are right, I probably made too quick a search for this issue.
I probably focused more on the issue [user can see contacts] rather than the solution [privacy enhancement]…
Andrimont

I don’t like this menu and made it hidden with CSS as long as Nextcloud has no option to do it in the settings or the config.php file.

Hello Thomas,
could you explain the code? Is it to add or to remove, and where is the CSS file located?
Thanks.

Andrimont

#contactsmenu {
  display: none;
}

I’ve added the code through a third-party app, so I don’t know the CSS file to modify. It should be /core/css/styles.scss.

There is the app “Custom CSS”: https://apps.nextcloud.com/apps/theming_customcss
When installed, you’ll find it under the menu "Administration > Customization",
and there you can add ThomasMarx’s CSS code:

#contactsmenu {
  display: none;
}

@kourmond That’s all in the topic I linked above. No reason to repeat everything.

Sorry about that.
Your comment was not clear to me, so I had to search for a “CSS app”.
Then I wrote it this way to save time for other people.

I have noticed that modifying the CSS this way only hides the menu for yourself, not other users…
So it seems that this solution is useless :frowning_face:

Neither an additional app nor an edited CSS file is a proper solution for this problem. The admin should be able to decide to display the contacts menu or not.

4 Likes

I also found this problem. Is there a better solution to it now? @anon99252149

Honestly, I don’t see the problem… Isn’t it easiest to see all users at an instance?

Hm, I would argue that one customer shouldn’t see all the users of another customer.
If all users know each other (one company only) there is no problem, but when it comes to customers or other users’ private data (name, email address, probably telephone number), they must be secured.

That doesn’t surprise me at all.

Come on @anon99252149, that’s totally unnecessary.

Can I ask you if you have 'integrity.check.disabled' => true, in your config.php?
If yes, I can provide a quick and dirty solution that we have implemented on our cloud infrastructure.

Ah, so you’re talking about an enterprise installation… Sure, I agree, there it makes no sense. But this forum is for and about home users - if you have this problem in a large installation, contact the Nextcloud support team and if you have no support contract - realize you are using software without support -> never a good idea.

Yeah this example (that would hit my company) refers to an enterprise installation. I thought it would be the strongest argument here :wink:

I have to point out that the initially reported issue is solved with 12.0.4 just like other privacy related issues or some will be solved in 13.0 in the next weeks. So I can’t complain and just wanted to explain.

However I would like to explain why it affected me on a personal server as well.

I have a server primarily for my family (8 people). With the server far oversized for the current workload I allowed all these family members to invite their friends to the server (and create user accounts for them).
Each family member is now a group admin for their personal groups.

With the mentioned (now solved) issues, friends of family member “A” could see all the friends of every other family member. That was too much leakage of personal data.

For me the only issue that needs to be fixed is that the chat app ojsxc still shows all users on the server. It’s already worked on here, but still needs to be finished:

Hope that explains it a bit. But as said: no complaints. Most privacy issues are solved and I’m very much looking forward to updating to NC13 as soon as it’s released.

1 Like

Yeah, that’s an interesting scenario for sure. And of course the enterprise argument is relevant - but that is a more complicated point, for simple reasons of motivation. Can I rant about that for a minute?

Our team, we, we care about privacy. Humans need privacy, it’s needed for freedom, democracy. We all started to do this to give people a way to take control over their data, because we’re unhappy about surveillance and so on. So we care about home users, a lot. As much as we can afford - it is why we keep Nextcloud super easy to install and use. Remember Spreed, the Go app? Home users don’t have time to figure out how to install that, so we rewrote it in PHP. Companies wouldn’t care anywhere near as much… They have people paid to spend time on this, after all.

For companies there is no ‘privacy’, privacy is a human thing. Of course companies need security and have to protect the privacy of users by law - but they make money and should be transparent otherwise, not have privacy.

It doesn’t mean we don’t care about enterprises: for Nextcloud to succeed, we need to make it better. We can do that in our free time, but it obviously goes faster if we can pay people. That is why we started the company in the first place, as a tool to make Nextcloud better, faster. Bring privacy to everybody. So we care about customers: they pay the bills to improve Nextcloud. We couldn’t do any of this without them.

And we want to hire more community members (we just hired Julius, the author of Deck, a few days ago, yay, btw). But companies that use Nextcloud, save or earn money with it, but don’t contribute - they are a lost opportunity to improve Nextcloud. If we spend time on them, they have less reason to become customers and we effectively make Nextcloud worse :frowning:

Sorry for the long answer. And on a personal note: we’re all happy with EVERY Nextcloud user, also companies. But we’re also every day asking our finance guy if we can hire that community guy and that documentation writer and that great coder and if we can organize more events and support more students to come to FOSDEM and so on. We have a lot of good résumés of people (many on this forum, and on GitHub) who we’d LOVE to hire. And we can only do that with more customers…

EDIT: this was NOT meant to make anyone feel bad, really. We write open source code, and with that come rights for users. Including, of course, not paying us! We choose that for a reason, we believe in it, and we love all of you :heart: paying or not. It is just money… :money_with_wings: But we want to change the world, :world_map: bring privacy to everybody - that ambition sometimes makes me post a bit more aggressive than I mean to :smiley: Hope you can forgive me! :hugs:

6 Likes