Group admin can delete users outside his group

[9662]

### Steps to reproduce 1. Create groups `Management`, `Engineering` 2. Create a user, let's call her `Ana` 3. Make `Ana` a member of `Engineering` 4. Make `Ana` a group admin for `Engineering` (do **not** make her a super admin!) 5. Create another user, `Bertrand` 6. Make `Bertrand` a member of `Management` and `Engineering` 7. Log in as `Ana` 8. As user `Ana`, delete user `Bertrand` ### Expected behaviour Either: * `Ana` should not have the option to delete user `Bertrand`, or * `Ana`'s "deletion" action should only remove `Bertrand` from the groups `Ana` is an admin of, instead of deleting the user. ### Actual behaviour `Ana` deletes `Bertrand` (without so much as a confirmation message!) ### Server configuration **Operating system**: openSUSE Leap 42.1 (x86_64) **Web server:** nginx 1.11.9-69.1 **Database:** sqlite **PHP version:** PHP 5.6.30 **Nextcloud version:** 11.0.1.2 **Updated from an older Nextcloud/ownCloud or fresh install:** updated from 10 or so **Where did you install Nextcloud from:** Nextcloud website **Signing status:**

Signing status

``` Integrity checker has been disabled. Integrity cannot be verified. ```

**List of activated apps:**

App list

``` Enabled: - activity: 2.4.1 - admin_audit: 1.1.0 - calendar: 1.5.0 - comments: 1.1.0 - contacts: 1.5.3 - dav: 1.1.1 - deck: 0.1.1 - direct_menu: 0.10.0 - federatedfilesharing: 1.1.1 - federation: 1.1.1 - files: 1.6.1 - files_accesscontrol: 1.1.2 - files_automatedtagging: 1.1.1 - files_external: 1.1.2 - files_pdfviewer: 1.0.1 - files_retention: 1.0.1 - files_sharing: 1.1.1 - files_texteditor: 2.2 - files_trashbin: 1.1.0 - files_versions: 1.4.0 - files_videoplayer: 1.0.0 - firstrunwizard: 2.0 - gallery: 16.0.0 - logreader: 2.0.0 - lookup_server_connector: 1.0.0 - nextcloud_announcements: 1.0 - notifications: 1.0.1 - password_policy: 1.1.0 - provisioning_api: 1.1.0 - serverinfo: 1.1.1 - sharebymail: 1.0.1 - survey_client: 0.1.5 - systemtags: 1.1.3 - tasks: 0.9.4 - theming: 1.1.1 - twofactor_backupcodes: 1.0.0 - updatenotification: 1.1.1 - user_external: 0.4 - workflowengine: 1.1.1 Disabled: - documents - encryption - external - templateeditor - user_ldap - user_saml ```

**The content of config/config.php:**

Config report

``` N/A ```

**Are you using external storage, if yes which one:** No **Are you using encryption:** No **Are you using an external user-backend, if yes which one:** None ### Client configuration **Browser:** **Operating system:** ### Logs #### Web server error log

Web server error log

``` Insert your webserver log here ```

#### Nextcloud log (data/nextcloud.log)

Nextcloud log

``` Insert your Nextcloud log here ```

#### Browser log

Browser log

``` Insert your browser log here, this could for example include: a) The javascript console log b) The network log c) ... ```

[9662]

@jospoortvliet

Keep in mind, everyone, that we're NOT paid to do what YOU want unless you're a customer

I'm not paid at all to report bugs and contribute to discussions in whichever way I can. This issue does not affect me personally, but clearly is a problem for a number of users, at least one of which claims is stopping them from becoming a paid subscriber, so your little rant is wholly inappropriate (and by the way, many of us use multiple online identities).

Renaming the 'group admin' to 'sub admin' will probably take care of most of the confusion here and we'll do that.

That's agreed. Closer integration of Circles might well be the solution. This is however the first explicit endorsement of that approach by a core contributor, the previous absence of which I believe might have caused some anxiety amongst some of the affected users.

Please note that just ranting isn't one of the options that gets either you or us any closer to a solution.

As a developer myself I wholly agree, but if directed at my earlier comment this is entirely out of place and I would expect an apology.

@skjnldsv

That is not how I'm used to collaborate with people. Please keep it civil or we'll lock this thread.

Ah, the "you've hurt my feelings and now I'm going to wield my power on you" argument. :roll_eyes: A great way to work with people and get things done.

I won't implement this feature as this is not my priority nor my will at the moment.

My request is that you provide evidence of an assertion that you previously made and that, if it can be quantified, has material relevance to the discussion at hand. If you are not able to provide that evidence, kindly withdraw your assertion in the interest of clarity.

More generally, to my knowledge nobody has asked you to implement anything (nor to take a role in this project in the first place, for that matter) and almost all you have done in this specific issue is contribute negativity and antagonism. Why don't you just unsubscribe from this issue and let other people who are willing to contribute constructively take care of it?

[skjnldsv]

Why don't you just unsubscribe from this issue and let other people who are willing to contribute constructively take care of it?

Fun fact: I did until you mentioned me 🙃

Ah, the "you've hurt my feelings and now I'm going to wield my power on you" argument. A great way to work with people and get things done.

Interesting way of putting this. I would definitely say that is indeed what is going to happen. Nothing related to power, please read https://nextcloud.com/code-of-conduct/ You come here and lack manners and then ask me not to be offended by the way you answer? I feel like this is clearly inappropriate. So, indeed, if you cannot find a way to communicate with me or others here, we will definitely take some actions to make sure this doesn't happens again.

We do not tolerate personal attacks, racism, sexism or any other form of discrimination. Disagreement is inevitable, from time to time, but respect for the views of others will go a long way to winning respect for your own view. Respecting other people, their work, their contributions and assuming well-meaning motivation will make community members feel comfortable and safe and will result in motivation and productivity.

As a user, your feedback is important, as is its form. Poorly thought out comments can cause pain and the demotivation of other community members, but considerate discussion of problems can bring positive results. An encouraging word works wonders.

[nickvergessen]

STOP!

[szaimen]

As this sounds like a nice feature, currently there are no plans to implement such a feature. Thus I will close this ticket for now. This does not mean we don't want this feature, but it is simply not on our roadmap for the near future. If somebody wants to implement this feature nevertheless we are happy to assist and help out.

If you wish to have this feature implemented by the Nextcloud GmbH there is the option for consulting work on top of your Nextcloud Enterprise subscription to get your features implemented.