Hide eMail addresses from participant suggestions (data protection)

[LukasFreeze]

Is your feature request related to a problem? Please describe.

In our organization, we have external contractors who we share a Nextcloud with. It is vital from a data protection perspective that those people only see each other under pseudonyms (nicknames, e.g. "FirstL") and no further personal information is visible to the others.

Problem: we can not use the calendar in its current form as no matter where we try to reduce eMail address visibility (or prohibit auto-completion in the "File Sharing" settings), we either get no suggested results at all or suggestions of user names with an eMail address in the next line:

Describe the solution you'd like

It would be great if users would be suggested as participants without showing their eMail address in the frontend! This kind of behavior works fine in "Deck", for example, and as far as I can tell anywhere you can mention users with "@"

The app still needs access to the eMail address of course, but in our case the majority of users does not need to see this at all and even administrators (who could legally be allowed to see the full information) are fine with only seeing names.

Describe alternatives you've considered

• Disable user profiles by default: no impact on eMail as it is required for certain functions

• completely disable Allow username autocompletion in share dialog and allow access to the system address book under "File Sharing" settings: only allows calendar invitations to be sent if entire eMail address is typed in by hand - too tedious to actually use

  • enabling Allow autocompletion when entering the full name or email address (ignoring missing phonebook match and being in the same group) is not really a solution as the name is visible in several places, so anyone could look up the eMail address via that name

Additional context

using Managed Nextcloud by IONOS

[miaulalala]

Can I clarify - this is just about the auto- suggestion and not about the actual event invitation, yes? Because the attendees will receive an ics that contains all emails from other invitees as well.

If so, I'd say this is a duplicate or related issue of https://github.com/nextcloud/calendar/issues/5615

[LukasFreeze]

Hi @miaulalala just about the auto-correction, yes - although the ics containing all other emails could be problematic as well (in our use case, we could avoid it).

You are probably right that this is a related issue to #5615, but not a duplicate: instead of better suggestions, I am asking for a single-line suggestion showing just the user name without the email. Besides, the bug described in #5615 does not occur in our instance - if anything, one could say the autocomplete is working too well ;-)

[miaulalala]

I still think this is possibly a bug with the autocompletion - can you post a screenshot of your autocomplete settings?

OTOH I still think it's a good idea to allow the invitation dialogue to hide emails. But what about duplicate contacts etc? It's a hard one. @jancborchardt can you weight in?

[LukasFreeze]

These are our settings:

Unfortunately I can't seem to change our locale to English, so here's a "translation" picture from the docs as well (ignore the checked options, the order is still the same):

I have tried other combinations of settings, but the only one with an effect on the calendar was unchecking all except the last option ("Allow autocompletion when entering the full name or email address...").

[miaulalala]

These are our settings:

Unfortunately I can't seem to change our locale to English, so here's a "translation" picture from the docs as well (ignore the checked options, the order is still the same):

I have tried other combinations of settings, but the only one with an effect on the calendar was unchecking all except the last option ("Allow autocompletion when entering the full name or email address...").

The last option for the settings ("Allow autocompletion when entering the full name or email address...") is what should help in your case, but that is indeed not working as intended for the calendar at the moment.

I'm a bit torn on this feature request, since the same goal (not showing arbitrary contacts to all users) can be achieved via the sharing settings and group management. Are you managing your external users via Groups somehow? Are they user accounts (possibly guest accounts) or address book contacts?

Since the sharing backend is the same for all autocompletion dialogues, can you try and see if the files sharing limits the contacts in a way that is acceptable to you?

[LukasFreeze]

We are using groups and every contact is a user account. I have tried every file sharing setting twice now and unfortunately can't achieve the desired behavior:

I think the problem is that even within a group, users should not be able to see each other's email addresses but only the assigned user names (pseudonyms).

The autocomplete dialogue in "Deck" is the best example of what I am aiming for: it only shows names and even entering the entire email adress gives "no results", so there is no chance of exposing an address:

search for name

search for email

I can also confirm that the sharing backend seems to be responsible, not just the calender app as I originally thought: The autocompletion dialogue in "Files" acts exactly like the calendar - this would also not work for our organization, but here we could simply disable sharing for the external users so they can not access the dialogue anymore. This is not possible in "Calendar", is it? Even with restricted access in the shared calendar we intend to use, every user can go and create events in their personal calendar which can then access the other users' data in the "participants" field.

The option "Exclude groups from sharing" is what I would expect to give the desired result, but it has no effect on the calendar as far as I can tell.

Thanks a lot for keeping up with me, I am sorry it has all been "nopes" from my end so far but I really appreciate all these suggestions!

[LukasFreeze]

Our instance has been updated from Nextcloud Enterprise 27.x to 28.0.7.5 in the meantime, but unfortunately nothing has changed about this behavior or ways to limit sharing permissions.

Any new thoughts here?