Allow to set email address to private independent of sharing settings

[Somebodyisnobody]

Steps to reproduce

1. Disable "Allow users to publish their data to a global and public address book" under /Settings/Share
2. Goto "Personal info" and look for the option to handle email address as "private" or share with local "contacts"
3. Enable "Allow users to publish their data to a global and public address book" under /Settings/Share
4. Goto "Personal info" and look again

Expected behaviour

The option for Private/Contacts should appear always

Actual behaviour

The option disappears while the "Public"-option disappears. The problem is that users can see the email address of other users in the contacts menu.

Video for lazy guys: privacysettings.zip Reference: help.nextcloud.com

Server configuration

Nextcloud version: 13.0.2

Updated from an older Nextcloud/ownCloud or fresh install: demo.nextcloud.com=N/A; own Nextcloud=updated

Where did you install Nextcloud from: tar

Signing status:

Signing status

``` Login as admin user into your Nextcloud and access http://example.com/index.php/settings/integrity/failed paste the results here. ``` No integrity collision

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: FF 60.0.1

Operating system: Win10.1709

Logs

Web server error log

Web server error log

No log on demo.nextcloud.com

[nextcloud-bot]

Hey, this issue has been closed because the label stale is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

[Somebodyisnobody]

No one was looking on this issue but the bot closed it. That's also a way to keep the issue list small... Very disappointed 👎

[MorrisJobke]

@Somebodyisnobody Sorry for this - we are just in the transition and thus it caused sometimes the wrong closings.

Let me label it and ask some people.

[MorrisJobke]

The option disappears while the "Public"-option disappears. The problem is that users can see the email address of other users in the contacts menu.

cc @schiessle @ChristophWurst

[yasuoiwakura]

Hi, NC14 went by and the problem is still there. I was using OC9 and switch to NC15 and i am shocked to see such a privacy leak being here since 2 major releaes and almost 1 year...

All users publish their mail adress per default and i don't see a way to change this default setting.

At the current rate, to comply with GDPR, i have to tell users "you will share your contact information with everyone else using this cloud. Go to the settings menu To change that". Or i will just cancel switching to NC and just stay with OC.

Is there really no intention of fixing this? Or did we just terribly understand how to set up Nextcloud?

Greetings

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity and it seems to be missing some essential informations. It will be closed if no further activity occurs. Thank you for your contributions.

[Somebodyisnobody]

There are no essential informations missing and @MorrisJobke and co. should work on this one year after reporting. I have doubts about the balance between profit and support. @stale is an insult to my efforts!

[skjnldsv]

@Somebodyisnobody please keep it polite. I don't like the tone this thread have. I will ask you to read our code of conduct https://nextcloud.com/code-of-conduct/

We're a team that work on a lot of sections of nextcloud and this is a collaborative project. Your will to have a feature to be implemented is not the same to others.

[skjnldsv]

@schiessle @ChristophWurst @blizzz what shall we do? When disabling the Allow users to publish their data to a global and public address book, I'm guessing we stop sharing all the data by default?

Or do we still comply to the old setting a user had?

[blizzz]

Unchecking "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered" would prevent unknown users/mail addresses to be shown. Otherwise there is no specific switch to disable only display of the mail address. I don't think extending the mentioned switch to the local instance as well would be a good idea, because in organisations it's rather normal that email addresses are known and should be displayed, but perhaps not exposed to the outside.

[skjnldsv]

So what do you reckon? Closing this?

[yasuoiwakura]

Unchecking "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered" would prevent unknown users/mail addresses to be shown. Otherwise there is no specific switch to disable only display of the mail address. I don't think extending the mentioned switch to the local instance as well would be a good idea, because in organisations it's rather normal that email addresses are known and should be displayed, but perhaps not exposed to the outside.

Hi there, thanks for replying again! imho:

• auto-completion is a must-have (most users may not know other peoples usernames)
• seeing all users external mail adresses is a no-go (most users may not want to share there email)

i think, nextcloud shall enable seamless teamwork while protecting the users data without trade-off, especially since nectcloud seems to be dedicated to communities.

i would not want to share my email adress to all github-users, do you? ofc i want to interact with other github users, i guess same on your side?

noone would srsly say "you need to share you mail adress with all github users or you cannot interact with them".

Greetings :-)

[Somebodyisnobody]

Okay but think about a setting (maybe in a local club) where users should not see other e-mail addresses. I am not sure but by default it's not set to "private".

Why I have the possibility to change the privacy setting when "Allow users to publish their data to a global and public address book" is active but when it's disabled I don't have this possibility? The value "Allow users to publish [...]" means to give the possibility to publish their data. If it's unchecked, it's published anyway...

In my opinion the user needs to have the possibility to hide his email address.

[ghost]

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

[Somebodyisnobody]

Okay that's how issues marked as bugs are handled.

seems to be missing some essential information.

The issue was closed the second time (by bot) without discussing the arguments by @yasuoiwakura and me. A bit like "Just don't answer if you run out of arguments." 😢

I'm out; that was the last time I wasted time here.

[yasuoiwakura]

my only workaround is to <!--comment out --> the adress book in the upper right corner to make this security leak not too obvious to the users while looking for a safe cloud solution.

[skjnldsv]

@yasuoiwakura so, what would be the best solution for you? How do you think it should look like?

[yasuoiwakura]

thanks for replying @skjnldsv !

The userlist is transfered to the browser when a clients opens the adress book or uses the share-feature. This is also needed for a smooth workflow and totally okay imho. But i think the server should not include the email information whe sending the userlist to the browser unless there is

• a server setting or
• a profile setting wich would allow to transfer such data.

imho users should be able to see each others usernames and also share files without knowing each others mail adress. That's common practice for most B2C and community platforms since 20 years or so. There was always a checkbox [ ] i want to share my email with other users. And it was always unchecked. (Thats why that checkboy disappeared - no one wants to share their email)

greetings

[skjnldsv]

So if I properly understand, you have the "Allow users to publish their data to a global and public address book" option checked on your sharing settings, right?

I think everything should be private then yes. Otherwise it doesn't make sense. @schiessle you're our federation master, we need you :)

[yasuoiwakura]

So if I properly understand, you have the "Allow users to publish their data to a global and public address book" option checked on your sharing settings, right?

Yes it is activated. Grammy does not know that the username of Mister Walton is "WaltonF" so she needs autocomplete.

[schiessle]

the privacy settings on your profile page are at the moment only related to other Nextcloud servers (federation). The setting was introduced when we introduced the trusted server concept and the lookup server, back then the people menu didn't exist at all . We never had user on the same server in mind while implementing it. Until now there is no option to say "i don't want that other people on the same server can see my email address".

I think it could make sense, to allow people to set for example the email address to private and hide it from all other users.

This would be a future/enhancement of our current privacy settings.

[jamasi]

I think it could make sense, to allow people to set for example the email address to private and hide it from all other users.

This would be a future/enhancement of our current privacy settings.

I think that's not only a nice to have feature, but actually a mandatory thing if you want to run nextcloud in any environment where not all users are using email addresses that the cloud provider is providing as well.

Right now the only option to have Nextcloud working for a group with private email addresses is to disable the autocomplete function. While all it would take would be to have a setting to only allow searching (and display) of the username.

[yasuoiwakura]

future/enhancement of our current privacy settings "Don't call it a bug - call it a feature!"

[frankzimper]

THIS POST IS OLD. DON'T USE THIS SCRIPT ANYMORE! IT WON'T WORK AS IT USED TO

I helped myself by running this script after creating new users: https://gist.github.com/frankzimper/87b15de916f2de3769dbe52cfabdd5da

This way, the email addresses of the users are not even shown on the same instance. It basically does the same as the users can do for themselves by setting their email address to private.

[assodefis]

Would it be possible to have an option in nextcloud settings that do the same as modify /var/www/nextcloud/lib/private/Contacts/ContactsMenu/ContactsStore.php on line 268 $entry->addEMailAddress($email); to // $entry->addEMailAddress($email); andd keep it like that after updates?

[assodefis]

and one that put email address as private by default to new users. They are free to set it to public or not...

[Lumrenion]

As a non-profit organization, all our members have an account on our nextcloud. But per german law, we must not share their private email addresses with other members. That is why there must be an option to stop it from showing up in the nextcloud frontend. I noticed their private email address to be shown on two places:

When you search for a user on the top right, the email address is visible when hovering ofer the icon:

In the participant list of a nextcloud talk chat, the email address is visible as well:

The first one could be hidden with custom CSS, but the elements are lacking a proper ID attribute and honestly that is just a hack than a real solution. For Talk, there just is no possible CSS selector to target the email container.

#contactsmenu-contacts .contact .second-action {
    display: none;
}

[Lumrenion]

I just noticed, it might be a duplicate of this issue: #14959

There already is a pull request that addresses that issue, set for Nextcloud 22: #20667

[Moini]

I just saw the update info for the current releases and couldn't believe that the developers actually did the opposite of what's requested here and legally required - namely, they made the email address show up in the contacts menu not only in the hover title text, but print it out right next to the user name.

But why? ... This is pretty disappointing.

Did I overlook any new settings to disable it that come along with this update? The MR that was supposed to fix this has just been closed, and the fix branch was deleted.

[Somebodyisnobody]

What shall I tell you? I don't open issues anymore just because of this environment. I wish to have a better communication, a dead stale-bot and so on...

[jamasi]

Yes, it's really insane that there is still no simple setting to turn off that data leakage. Right now the best way is patching /var/www/nextcloud/lib/private/Contacts/ContactsMenu/ContactsStore.php to read like this:

                if (isset($contact['EMAIL'])) {
                        foreach ($contact['EMAIL'] as $email) {
                                //$entry->addEMailAddress($email);
                        }
                }

additionally in /var/www/nextcloud/lib/private/Profile/ProfileManager.php this line should be commented, so the email address is not leaked from the profile page:

        /**
         * Array of account property actions
         */
        private const ACCOUNT_PROPERTY_ACTIONS = [
                //EmailAction::class,  <--- this one
                PhoneAction::class,
                WebsiteAction::class,
                TwitterAction::class,
        ];

[b90g]

@schiessle imagine having an organization with a a lot of volunteers and their respective private email-addresses, it would be desired to not "publish" their email addresses to one another. Yet they should have the chance to get notifications, and event invitations..

[satoshinotdead]

That stills without dirty workaround?

We use open-source to make a really collaborative space not a closed one like Exchange or wathever.

Yes, we respect our privacy doing that way.

[jamasi]

FYI: 23.0.12 still needs the patch or rather dirty hack I posted a few posts back to not violate the DSGVO.

[rootsystem-github]

I helped myself by running this script after creating new users: https://gist.github.com/frankzimper/87b15de916f2de3769dbe52cfabdd5da

This way, the email addresses of the users are not even shown on the same instance. It basically does the same as the users can do for themselves by setting their email address to private.

we are on NC 25.0.6 and have this annoying problem since years. I am editing 6 files by hand after each update to hide email adresses. So i was hoping your script makes this easer for us after an update. But it has no effect. In oc_accounts there is the entry "scope":"v2-local". Your script sets this to "private" but it has no effect, the email is still showing up in share dialogs etc. You say "does the same as the users can do " - in NC 25.0.6 i find no way for a user to make the email private, only the options "Only visible to people on this instance and guests" or "Only synchronize to trusted servers". Did i miss something or is this feature to set it private gone since you wrote this post?

[frankzimper]

Well, yes. Things have changed since then. I am running two instances which are on version 26.0.01.
Here, logged in users can change the visibility settings of their profile on the /settings/user page. This is no longer stored in oc_accounts but in oc_profile_config.

It seems that my script should be changed so that it changes this entry. Unfortunately this record is not created when a user is created but rather later on demand. I'd have to figure out when it gets created.

What would be even better is, if we could configure that similar to the default_property_scope as documented in here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/profile_configuration.html#property-scopes

[rootsystem-github]

i made a clone and updated to 26.0.1. But the situation is exactly the same. What you wrote in your reply affects only the profile page. But e.g. in sharing dialogs, when you search for a user it still displays the email address, even if is set it to "Hide" in "Profile visibility".

I show you one of the places in sourcecode i edit after each update as an example. Here it is lib/private/Collaboration/Collaborators/UserPlugin.php line 196

$result['exact'][] = [
  'label' => $userDisplayName,
  'subline' => $status['message'] ?? '',
  'icon' => 'icon-user',
  'value' => [
    'shareType' => IShare::TYPE_USER,
    'shareWith' => $uid,
  ],
  'shareWithDisplayNameUnique' => !empty($userEmail) ? $userEmail : $uid,
  'status' => $status,
];

I always change the line 'shareWithDisplayNameUnique' => !empty($userEmail) ? $userEmail : $uid, to 'shareWithDisplayNameUnique' => ''. It does not ask for any flags like "hideEmail" or something similar, it just displays the email address, no matter what. Here a list of the files i modify after each update:

lib/private/Contacts/ContactsMenu/Providers/EMailProvider.php,
lib/private/Share20/Manager.php,
apps/files_sharing/lib/Controller/ShareAPIController.php,
lib/private/Collaboration/Collaborators/MailPlugin.php,
lib/private/Collaboration/Collaborators/RemotePlugin.php,
lib/private/Collaboration/Collaborators/UserPlugin.php,
apps/polls/lib/Model/UserBase.php,
apps/bbb/lib/BigBlueButton/API.php,

[theCalcaholic]

In Nextcloud 27, the option was added to prevent access to the system address book but still allow exact matching of names or emails. This finally allows usage of NC in situations where you cannot leak email addresses between all users without patches. This would be the desired configuration (in Administration Settings -> Sharing):

Compare https://docs.nextcloud.com/server/latest/admin_manual/groupware/contacts.html#system-address-book