Closed someone-somenet-org closed 3 months ago
You're reading wrongly IMO. Even if it's not fully documented, it states:
"Group admins are granted administrative privileges"
By "administrative privileges", it means username, password, email, quotas.
"and can add and remove users from their groups"
Please note the "and".
Thanks for your report, but the docs match the behavior. If you think the documentation could be clearer in some way about this topic, feel free to click Edit on GitHub in the upper right hand corner of the documentation to propose a possible change.
"which sounds like a huge oversight and security issue to me."
For future reference, there is a banner at the top of our bug reporting template that says this:
🚨 SECURITY INFO
If you are reporting a security concern, please report it via our HackerOne page instead and review our security policy. This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime. It also may qualify your report for a bug bounty reward. Thank you for helping make Nextcloud more secure!
Clarification pending in: nextcloud/documentation#11956
⚠️ This issue respects the following points: ⚠️
Bug description
The docs state:
But it seems like group admins can do more, like modify the username, password, email addresses or storage quotas of users in their groups, which sounds like a huge oversight and security issue to me.
Steps to reproduce
Expected behavior
Group admins being allowed to do exactly what the docs state: add and remove users from their groups and that's it.
Installation method
Community Manual installation with Archive
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
No response
List of activated Apps
No response
Nextcloud Signing status
Nextcloud Logs
No response
Additional info
No response