strukturag / nextcloud-spreedme

Spreed.ME Nextcloud app
https://www.spreed.me
GNU Affero General Public License v3.0

Generate Temporary Password without group-admin #110

Closed blitzdesigner closed 6 years ago

blitzdesigner commented 6 years ago

Hello there, it is quite a security and privacy concern in my eyes that users have to be group admins of the spreed.me group to be able to generate TPs. They can easily mess around with other user data.

Wouldn't it be possible and more secure to allow users in the spreed.me group to generate TPs without being group admin? Or maybe create another regular group to control which users are allowed to generate TPs.

Thanks a lot!

Greetings

leonklingele-work commented 6 years ago

Hi @blitzdesigner,

> They can easily mess around with other user data.

What makes you think so? Spreed.ME group admins are not Nextcloud admins and can't harm your instance in any way (except if you manually granted them more permissions).

> Wouldn't it be possible and more secure to allow users in the spreed.me group to generate TPs without being group admin?

Yes, that would certainly be possible, though I don't really understand what benefits it would give.

blitzdesigner commented 6 years ago

Hi @leonklingele-work,

> What makes you think so? Spreed.ME group admins are not Nextcloud admins and can't harm your instance in any way (except if you manually granted them more permissions).

I thought a group admin can also alter the password, full name and email address of the group members?

> Yes, that would certainly be possible, though I don't really understand what benefits it would give.

Well, I think of that from the perspective of "fewer possibilities, fewer potential problems".

leonklingele-work commented 6 years ago

> I thought a group admin can also alter the password, full name and email address of the group members?

No, that would be quite a privacy and security issue. Even though as a group admin you see the options to delete, disable or modify a user account, you'll receive an 'Authentication error' if you actually try to conduct the changes. It's a UI bug which should be reported to the Nextcloud server repository.

Do you agree that in this case it doesn't really matter whether we allow Spreed.ME group admins or Spreed.ME group members to generate Temporary Passwords?

blitzdesigner commented 6 years ago

> No, that would be quite a privacy and security issue. Even though as a group admin you see the options to delete, disable or modify a user account, you'll receive an 'Authentication error' if you actually try to conduct the changes. It's a UI bug which should be reported to the Nextcloud server repository.

Well, then it's "just" a privacy thing. I will report that bug to Nextcloud, if it hasn't already been done.

> Do you agree that in this case it doesn't really matter whether we allow Spreed.ME group admins or Spreed.ME group members to generate Temporary Passwords?

In this case, I totally agree :-)

Thanks!