server icon indicating copy to clipboard operation
server copied to clipboard

Published 20 hours ago verified publisher icon nextcloud

User Profile should be usable without public visibility

Open kolewu opened this issue 3 years ago • 10 comments

How to use GitHub

  • Please use the 👍 reaction to show that you are interested into the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe. The new user profile feature is a valuable addition to every cloud, but it's sad that it always is publicly visible. The most private clouds are just that: private. And so no information should be visible to the public.

The current profile is a choice between "make some information visible to the public" or "don't use profiles". But profiles are useful for private use inside the cloud, too.

Describe the solution you'd like The user profile as a whole should at least get an option "only visible to logged in users". Even better, the administrator should be able to configure the visibility for all accounts.

So I request:

  • a user option to make the profile invisible to the public
  • administrator options
    • make no profile visible to the public and the user could not change this
    • make no profile visible to the public by default and the user can change it afterwords
  • for updates make all profiles not visible to the public and the user could change this

Describe alternatives you've considered

Additional context

kolewu avatar Apr 22 '22 16:04 kolewu

This would also help to ensure that potential usernames can't be checked by malicious users using cloud.example.com/u/{username}

eibex avatar Apr 22 '22 17:04 eibex

cc @jancborchardt @nimishavijay

szaimen avatar Apr 22 '22 17:04 szaimen

see https://github.com/nextcloud/server/pull/31623

szaimen avatar Apr 28 '22 12:04 szaimen

You can control the information that it displayed on your profile using the Profile visibility settings in the bottom of your personal settings page, and these settings allow you to configure if your information is shown to nobody, only logged in users of the instance or to the public. Would this solve the issue?

It could be useful to make the default visibility of all the information on your Profile to just users of the instance @jancborchardt

nimishavijay avatar Apr 28 '22 14:04 nimishavijay

If everything is set not to public it would be better if when you tried to load a user profile while not logged in it would redirect you to the login page (as id the username you entered in the URL did not exist)

eibex avatar Apr 28 '22 19:04 eibex

You can control the information that it displayed on your profile using the Profile visibility settings in the bottom of your personal settings page, and these settings allow you to configure if your information is shown to nobody, only logged in users of the instance or to the public. Would this solve the issue?

It's not my own profile that I'm concerned of. As an admin It's all profiles of my instance. Until this change every information from the settings page, was restricted to members of the cloud and no one outside. With this update, some of the information is per default visible and this is and this is both extremely unexpected and totally undesirable in most if not all cases. I know that there are people out there who believe that privacy is a thing of the past, but I strongly believe that the default setting, at least for an upgrade and existing accounts, must never be the way it is now: the username and some details like full name and user picture are visible to the whole world. This is completely irresponsible!

Translated with www.DeepL.com/Translator (free version)

It could be useful to make the default visibility of all the information on your Profile to just users of the instance @jancborchardt

And it could not only be useful, but this MUST be the default setting at least for upgrades!

kolewu avatar May 05 '22 22:05 kolewu

Is there any update on this? in severely harms the usability of Nextcloud profiles if I can't disable that the username is even acknowledged in the first place. I would like to have a setting that just says "disable everything profile-related for everyone on the outside, including the fact that this profile page/user exists in the first place. The idea of profiles is pretty nice, but it feels very unpolished given I can only use it with exposing user-data to the outside.

cherti avatar Oct 14 '22 02:10 cherti

I fully agree with the statements above. The personal data of the users should remain private, which in my views means that, by default:

  • no publicly visible information should be made available on the very existence of a user account - and even less so on the details in it;
  • the "Full name", the avatar and the profile text are visible to other users of the same instance, but all the rest (and in particular the e-mail address) fshould remain hidden rom the other users of the same platform.

SergioArbarviro avatar Oct 09 '23 19:10 SergioArbarviro

Any practical way to disable https://nexcloud.yourdomain/u/username being publically accessable for now? It shows my name and profile picture.

I've got my profile visibily set to "Federated" and have not added any trusted servers. Any way for example to change the default profile visibility for new accounts?

I would have expected Nexcloud to keep this private by default, and only make it public after explicitly telling to

mkarnebeek avatar Jul 01 '24 08:07 mkarnebeek

Part of this could be remedied by https://github.com/nextcloud/server/pull/47170. it would not make profiles invisible at all, but at least it would change the defaults of all the fields to not be publicly visible by default. Not solving the fundamental concern that this allows username checking, but at least it reduces the information leaked a little.

cherti avatar Aug 27 '24 20:08 cherti

Any practical way to disable https://nexcloud.yourdomain/u/username being publically accessable for now? It shows my name and profile picture.

Yes, there is a switch for exactly that right in the personal settings:

image

jancborchardt avatar Sep 12 '24 12:09 jancborchardt

And as to how we should go ahead with this, copying my comment from @cherti’s pull request:

So we would like to promote people using the profile, possibly having it useful as some sort of federated address book. If the default is changed like this, people will likely never enable it.

@cherti your use-case of course is reasonable, and to achieve that I would rather say there should be an admin setting (or config.php setting). @AndyScherzinger @sorbaugh

jancborchardt avatar Sep 12 '24 12:09 jancborchardt

But that admin setting is currently not there. So you would say keeping it the way it is, enabling the profile will expose parts of the profile to the outside? That strikes me to be quite at odds with Nextcloud publicly advertising as a privacy-conscious alternative to the existing players, don't you think so?

cherti avatar Sep 12 '24 13:09 cherti

But that admin setting is currently not there.

@cherti yep, so what I’m saying is it needs to be implemented. :) Then an admin can just decide instance-wide about default privacy for the profiles, or to shut it off completely (depending on what we make the setting do).

jancborchardt avatar Sep 12 '24 18:09 jancborchardt

So for now you decide to leave the default configuration to be world-exposed until that is eventually implemented at some point? Or are you gonna merge this as a temporary fix for the current issue?

cherti avatar Sep 13 '24 08:09 cherti

So for now you decide to leave the default configuration to be world-exposed until that is eventually implemented at some point?

Yes. Because anyway the next release is happening tomorrow, and the next version in 3 months, so either way we wouldn’t have the temporary fix live soon.

jancborchardt avatar Sep 13 '24 10:09 jancborchardt

Oh, so you will have implemented this feature for the next release already? I love to hear that!

cherti avatar Sep 13 '24 10:09 cherti

Oh, so you will have implemented this feature for the next release already? I love to hear that!

I can not make any promises of course. As Nextcloud is an open community, if anyone with more deep PHP knowledge wants to have a go at it, please go ahead. But I would stop discussing here since it is just making the thread longer and anyone who possibly would work on this more confused.

For reference → What we should go with: https://github.com/nextcloud/server/issues/32086#issuecomment-2346157744

jancborchardt avatar Sep 13 '24 10:09 jancborchardt

Disclaimer: I am not a PHP person, but I very much want this issues resolved.

In the following file and line, https://github.com/nextcloud/server/blob/8cf585cd5b2a2d79373bcfd67221b301411eedec/apps/profile/lib/Controller/ProfilePageController.php#L50

Does this #[PublicPage] currently control whether the /u/ URLs are resolved publicly? What about this would need to change?

I imagine we'd need to remove this line (or not?), and add some functionality to enable public/notpublic conditionally? How is that done for any other routes? IS it done for any other routes, or does this functionality not exist in the codebase? Put another way, are there any routes, anywhere, whose access scope can be changed conditioned on an admin setting, that we could use as a model?

lux-u-tenebris avatar Oct 03 '25 00:10 lux-u-tenebris