nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Group admins have more privileges than what the docs state #46253

Closed someone-somenet-org closed 3 months ago

someone-somenet-org commented 3 months ago


Bug description

The docs state:

Group Admin
Group admins are granted administrative privileges on specific groups, and can add and remove users from their groups.

But it seems like group admins can do more like modify the username, password, email addresses or storage quotas of users in their groups, which sounds like a huge oversight and security issue to me.

Steps to reproduce

  1. Create group
  2. Add userA to group
  3. Add userB to group and make userB group admin
  4. Log in as userB and go to user management
  5. Change userA's email address, quota or username

Expected behavior

Group admins being allowed to do exactly what the docs state: add and remove users from their groups, and that's it.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

solracsf commented 3 months ago

You're reading wrongly IMO. Even if it's not fully documented, it states:

Group admins are granted administrative privileges

By "administrative privileges", it means username, password, email, quotas.

and can add and remove users from their groups

Please note the "and".

joshtrichards commented 3 months ago

Thanks for your report, but the docs match the behavior. If you think the documentation could be clearer in some way about this topic, feel free to click "Edit on GitHub" in the upper right-hand corner of the documentation to propose a possible change.

which sounds like a huge oversight and security issue to me.

For future reference, there is a banner at the top of our bug reporting template that says this:

🚨 SECURITY INFO

If you are reporting a security concern, please report it via our HackerOne page instead and review our security policy. This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime. It also may qualify your report for a bug bounty reward. Thank you for helping make Nextcloud more secure!

joshtrichards commented 3 months ago

Clarification pending in: nextcloud/documentation#11956