Allow to set email address to private independent of sharing settings

[Somebodyisnobody]

Steps to reproduce

1. Disable "Allow users to publish their data to a global and public address book" under /Settings/Share
2. Goto "Personal info" and look for the option to handle email address as "private" or share with local "contacts"
3. Enable "Allow users to publish their data to a global and public address book" under /Settings/Share
4. Goto "Personal info" and look again

Expected behaviour

The option for Private/Contacts should appear always

Actual behaviour

The option disappears while the "Public"-option disappears.
The problem is that users can see the email address of other users in the contacts menu.

Video for lazy guys:
privacysettings.zip
Reference:
help.nextcloud.com

Server configuration

Nextcloud version: 13.0.2

Updated from an older Nextcloud/ownCloud or fresh install: demo.nextcloud.com=N/A; own Nextcloud=updated

Where did you install Nextcloud from: tar

Signing status:

Signing status

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

No integrity collision

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: FF 60.0.1

Operating system: Win10.1709

Logs

Web server error log

Web server error log

No log on demo.nextcloud.com

[nextcloud-bot]

Hey, this issue has been closed because the label stale is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

[MorrisJobke]

The option disappears while the "Public"-option disappears.
The problem is that users can see the email address of other users in the contacts menu.

cc @schiessle @ChristophWurst

[yasuoiwakura]

Hi, NC14 went by and the problem is still there.
I was using OC9 and switch to NC15 and i am shocked to see such a privacy leak being here since 2 major releaes and almost 1 year...

All users publish their mail adress per default and i don't see a way to change this default setting.

At the current rate, to comply with GDPR, i have to tell users "you will share your contact information with everyone else using this cloud. Go to the settings menu To change that".
Or i will just cancel switching to NC and just stay with OC.

Is there really no intention of fixing this? Or did we just terribly understand how to set up Nextcloud?

Greetings

[skjnldsv]

@schiessle @ChristophWurst @blizzz what shall we do?
When disabling the Allow users to publish their data to a global and public address book, I'm guessing we stop sharing all the data by default?

Or do we still comply to the old setting a user had?

[blizzz]

Unchecking "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered" would prevent unknown users/mail addresses to be shown. Otherwise there is no specific switch to disable only display of the mail address. I don't think extending the mentioned switch to the local instance as well would be a good idea, because in organisations it's rather normal that email addresses are known and should be displayed, but perhaps not exposed to the outside.

[skjnldsv]

So what do you reckon? Closing this?

[yasuoiwakura]

Unchecking "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered" would prevent unknown users/mail addresses to be shown. Otherwise there is no specific switch to disable only display of the mail address. I don't think extending the mentioned switch to the local instance as well would be a good idea, because in organisations it's rather normal that email addresses are known and should be displayed, but perhaps not exposed to the outside.

Hi there, thanks for replying again!
imho:

• auto-completion is a must-have (most users may not know other peoples usernames)
• seeing all users external mail adresses is a no-go (most users may not want to share there email)

i think, nextcloud shall enable seamless teamwork while protecting the users data without trade-off, especially since nectcloud seems to be dedicated to communities.

i would not want to share my email adress to all github-users, do you?
ofc i want to interact with other github users, i guess same on your side?

noone would srsly say "you need to share you mail adress with all github users or you cannot interact with them".

Greetings :-)

[Somebodyisnobody]

Okay but think about a setting (maybe in a local club) where users should not see other e-mail addresses.
I am not sure but by default it's not set to "private".

Why I have the possibility to change the privacy setting when "Allow users to publish their data to a global and public address book" is active but when it's disabled I don't have this possibility? The value "Allow users to publish [...]" means to give the possibility to publish their data. If it's unchecked, it's published anyway...

In my opinion the user needs to have the possibility to hide his email address.

[jamasi]

I think it could make sense, to allow people to set for example the email address to private and hide it from all other users.

This would be a future/enhancement of our current privacy settings.

I think that's not only a nice to have feature, but actually a mandatory thing if you want to run nextcloud in any environment where not all users are using email addresses that the cloud provider is providing as well.

Right now the only option to have Nextcloud working for a group with private email addresses is to disable the autocomplete function. While all it would take would be to have a setting to only allow searching (and display) of the username.

[yasuoiwakura]

future/enhancement of our current privacy settings
"Don't call it a bug - call it a feature!"

[frankzimper]

THIS POST IS OLD. DON'T USE THIS SCRIPT ANYMORE!
IT WON'T WORK AS IT USED TO

I helped myself by running this script after creating new users:
https://gist.github.com/frankzimper/87b15de916f2de3769dbe52cfabdd5da

This way, the email addresses of the users are not even shown on the same instance. It basically does the same as the users can do for themselves by setting their email address to private.

[assodefis]

Would it be possible to have an option in nextcloud settings that do the same as
modify /var/www/nextcloud/lib/private/Contacts/ContactsMenu/ContactsStore.php on line 268
$entry->addEMailAddress($email);
to
// $entry->addEMailAddress($email);
andd keep it like that after updates?

[assodefis]

and one that put email address as private by default to new users. They are free to set it to public or not...

[Lumrenion]

As a non-profit organization, all our members have an account on our nextcloud. But per german law, we must not share their private email addresses with other members. That is why there must be an option to stop it from showing up in the nextcloud frontend.
I noticed their private email address to be shown on two places:

When you search for a user on the top right, the email address is visible when hovering ofer the icon:

In the participant list of a nextcloud talk chat, the email address is visible as well:

The first one could be hidden with custom CSS, but the elements are lacking a proper ID attribute and honestly that is just a hack than a real solution. For Talk, there just is no possible CSS selector to target the email container.

#contactsmenu-contacts .contact .second-action {
    display: none;
}

[Lumrenion]

I just noticed, it might be a duplicate of this issue: #14959

There already is a pull request that addresses that issue, set for Nextcloud 22: #20667

[Moini]

I just saw the update info for the current releases and couldn't believe that the developers actually did the opposite of what's requested here and legally required - namely, they made the email address show up in the contacts menu not only in the hover title text, but print it out right next to the user name.

But why? ... This is pretty disappointing.

Did I overlook any new settings to disable it that come along with this update? The MR that was supposed to fix this has just been closed, and the fix branch was deleted.

[jamasi]

Yes, it's really insane that there is still no simple setting to turn off that data leakage. Right now the best way is patching
/var/www/nextcloud/lib/private/Contacts/ContactsMenu/ContactsStore.php to read like this:

                if (isset($contact['EMAIL'])) {
                        foreach ($contact['EMAIL'] as $email) {
                                //$entry->addEMailAddress($email);
                        }
                }

additionally in /var/www/nextcloud/lib/private/Profile/ProfileManager.php this line should be commented, so the email address is not leaked from the profile page:

        /**
         * Array of account property actions
         */
        private const ACCOUNT_PROPERTY_ACTIONS = [
                //EmailAction::class,  <--- this one
                PhoneAction::class,
                WebsiteAction::class,
                TwitterAction::class,
        ];

[b90g]

@schiessle imagine having an organization with a a lot of volunteers and their respective private email-addresses, it would be desired to not "publish" their email addresses to one another. Yet they should have the chance to get notifications, and event invitations..

[satonotdead]

That stills without dirty workaround?

We use open-source to make a really collaborative space not a closed one like Exchange or wathever.

Yes, we respect our privacy doing that way.

[jamasi]

FYI: 23.0.12 still needs the patch or rather dirty hack I posted a few posts back to not violate the DSGVO.

[rootsystem-github]

I helped myself by running this script after creating new users: https://gist.github.com/frankzimper/87b15de916f2de3769dbe52cfabdd5da

This way, the email addresses of the users are not even shown on the same instance. It basically does the same as the users can do for themselves by setting their email address to private.

we are on NC 25.0.6 and have this annoying problem since years. I am editing 6 files by hand after each update to hide email adresses. So i was hoping your script makes this easer for us after an update. But it has no effect. In oc_accounts there is the entry "scope":"v2-local". Your script sets this to "private" but it has no effect, the email is still showing up in share dialogs etc. You say "does the same as the users can do " - in NC 25.0.6 i find no way for a user to make the email private, only the options "Only visible to people on this instance and guests" or "Only synchronize to trusted servers". Did i miss something or is this feature to set it private gone since you wrote this post?

[frankzimper]

Well, yes. Things have changed since then. I am running two instances which are on version 26.0.01.
Here, logged in users can change the visibility settings of their profile on the /settings/user page. This is no longer stored in oc_accounts but in oc_profile_config.

It seems that my script should be changed so that it changes this entry. Unfortunately this record is not created when a user is created but rather later on demand. I'd have to figure out when it gets created.

What would be even better is, if we could configure that similar to the default_property_scope as documented in here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/profile_configuration.html#property-scopes

[rootsystem-github]

i made a clone and updated to 26.0.1. But the situation is exactly the same. What you wrote in your reply affects only the profile page. But e.g. in sharing dialogs, when you search for a user it still displays the email address, even if is set it to "Hide" in "Profile visibility".

I show you one of the places in sourcecode i edit after each update as an example. Here it is lib/private/Collaboration/Collaborators/UserPlugin.php line 196

$result['exact'][] = [
  'label' => $userDisplayName,
  'subline' => $status['message'] ?? '',
  'icon' => 'icon-user',
  'value' => [
    'shareType' => IShare::TYPE_USER,
    'shareWith' => $uid,
  ],
  'shareWithDisplayNameUnique' => !empty($userEmail) ? $userEmail : $uid,
  'status' => $status,
];

I always change the line 'shareWithDisplayNameUnique' => !empty($userEmail) ? $userEmail : $uid, to 'shareWithDisplayNameUnique' => ''.
It does not ask for any flags like "hideEmail" or something similar, it just displays the email address, no matter what.
Here a list of the files i modify after each update:

lib/private/Contacts/ContactsMenu/Providers/EMailProvider.php,
lib/private/Share20/Manager.php,
apps/files_sharing/lib/Controller/ShareAPIController.php,
lib/private/Collaboration/Collaborators/MailPlugin.php,
lib/private/Collaboration/Collaborators/RemotePlugin.php,
lib/private/Collaboration/Collaborators/UserPlugin.php,
apps/polls/lib/Model/UserBase.php,
apps/bbb/lib/BigBlueButton/API.php,

[theCalcaholic]

In Nextcloud 27, the option was added to prevent access to the system address book but still allow exact matching of names or emails. This finally allows usage of NC in situations where you cannot leak email addresses between all users without patches.
This would be the desired configuration (in Administration Settings -> Sharing):

Compare https://docs.nextcloud.com/server/latest/admin_manual/groupware/contacts.html#system-address-book

[EWPrivat]

I helped myself by running this script after creating new users: https://gist.github.com/frankzimper/87b15de916f2de3769dbe52cfabdd5da
This way, the email addresses of the users are not even shown on the same instance. It basically does the same as the users can do for themselves by setting their email address to private.

we are on NC 25.0.6 and have this annoying problem since years. I am editing 6 files by hand after each update to hide email adresses. So i was hoping your script makes this easer for us after an update. But it has no effect. In oc_accounts there is the entry "scope":"v2-local". Your script sets this to "private" but it has no effect, the email is still showing up in share dialogs etc. You say "does the same as the users can do " - in NC 25.0.6 i find no way for a user to make the email private, only the options "Only visible to people on this instance and guests" or "Only synchronize to trusted servers". Did i miss something or is this feature to set it private gone since you wrote this post?

What files do you editing? I have the same issue on my school.

[rootsystem-github]

see my post above, there i listed the files:

Here a list of the files i modify after each update:

lib/private/Contacts/ContactsMenu/Providers/EMailProvider.php,
lib/private/Share20/Manager.php,
apps/files_sharing/lib/Controller/ShareAPIController.php,
lib/private/Collaboration/Collaborators/MailPlugin.php,
lib/private/Collaboration/Collaborators/RemotePlugin.php,
lib/private/Collaboration/Collaborators/UserPlugin.php,
apps/polls/lib/Model/UserBase.php,
apps/bbb/lib/BigBlueButton/API.php,

[EWPrivat]

see my post above, there i listed the files:

Here a list of the files i modify after each update:

lib/private/Contacts/ContactsMenu/Providers/EMailProvider.php,
lib/private/Share20/Manager.php,
apps/files_sharing/lib/Controller/ShareAPIController.php,
lib/private/Collaboration/Collaborators/MailPlugin.php,
lib/private/Collaboration/Collaborators/RemotePlugin.php,
lib/private/Collaboration/Collaborators/UserPlugin.php,
apps/polls/lib/Model/UserBase.php,
apps/bbb/lib/BigBlueButton/API.php,

Thank you very much! I have removed almost all places where email addresses are visible. They only appear when “sharing” a file.
Can you give me a tip on how I can remove that? I hate DSGVO...

[rootsystem-github]

i wrote a script in php to go through all files. Here are the numbers:

	1 => "lib/private/Contacts/ContactsMenu/Providers/EMailProvider.php",
	2 => "apps/mail/lib/Service/AutoCompletion/AutoCompleteService.php",
	3 => "apps/files_sharing/lib/Controller/ShareAPIController.php",
	4 => "lib/private/Collaboration/Collaborators/MailPlugin.php",
	5 => "lib/private/Collaboration/Collaborators/RemotePlugin.php",
	6 => "lib/private/Collaboration/Collaborators/UserPlugin.php",
	7 => "apps/polls/lib/Model/UserBase.php",

and here are the replace routines:

switch ($key) {
		case 1:
			$cntMatch = 1;
			$search = '$entry->addAction($action);';
			$replace = '// DSGVO-Patched: $entry->addAction($action);';
			list($success, $linesProcessed) = replaceString($search, $replace, $lines, $cntMatch);
			break;
		case 2:
			$cntMatch = 1;
			$search = 'return array_merge($recipientsFromContacts, $recipientsFromCollector, $recipientGroups);';
			$replace = '// DSGVO-Patched: return array_merge($recipientsFromContacts, $recipientsFromCollector, $recipientGroups);' . "\n" . '		return array_merge($recipientGroups); // DSGVO-Patched';
			list($success, $linesProcessed) = replaceString($search, $replace, $lines, $cntMatch);
			break;
		case 3:
			$cntMatch = 1;
			$search = "\$result['mail_send'] = \$share->getMailSend() ? 1 : 0;";
			$replace = "// DSGVO-Patched: \$result['mail_send'] = \$share->getMailSend() ? 1 : 0;\n		\$result['mail_send'] = 0; // DSGVO-Patched";
			list($success, $linesProcessed) = replaceString($search, $replace, $lines, $cntMatch);
			if($success) {
				$cntMatch = 2;
				$search = '$share->setNote($note);';
				$replace = '// DSGVO-Patched: $share->setNote($note);';
				list($successSecondCall, $linesProcessed) = replaceString($search, $replace, $linesProcessed, $cntMatch);
				$success = $success && $successSecondCall;
			}
			break;
		case 4:
			$cntMatch = 2;
			$search = "'shareWithDisplayNameUnique' =>";
			$replace = "'shareWithDisplayNameUnique' => '' // DSGVO-Patched: ";
			list($success, $linesProcessed) = replaceString($search, $replace, $lines, $cntMatch);
			break;
		case 5:
			$cntMatch = 1;
			$search = "'shareWithDisplayNameUnique' =>";
			$replace = "'shareWithDisplayNameUnique' => '', // DSGVO-Patched: ";
			list($success, $linesProcessed) = replaceString($search, $replace, $lines, $cntMatch);
			break;
		case 6:
			$cntMatch = 3;
			$search = "'shareWithDisplayNameUnique' =>";
			$replace = "'shareWithDisplayNameUnique' => '', // DSGVO-Patched: ";
			list($success, $linesProcessed) = replaceString($search, $replace, $lines, $cntMatch);
			break;
		case 7:
			$cntMatch = 2;
			$search = "\$items[] = new User(\$item['value']['shareWith']);";
			$replace = "// DSGVO-Patched: \$items[] = new User(\$item['value']['shareWith']);\n			\$user = new User(\$item['value']['shareWith']); // DSGVO-Patched\n			\$user->setEmailAddress(''); // DSGVO-Patched\n			\$items[] = \$user; // DSGVO-Patched";
			list($success, $linesProcessed) = replaceString($search, $replace, $lines, $cntMatch);
			break;
	}

And:

/**
 * replaceString
 *
 * @param string $search
 * @param string $replace
 * @param array $lines
 * @param int $cntMatch
 * @return array
 */
function replaceString($search, $replace, $lines, $cntMatch) {
	$cnt = 0;
	$linesProcessed = [];
	$lineCnt = count($lines);
	for ($i = 0; $i < $lineCnt; $i++) {
		if(strpos($lines[$i], $search) !== false) {
			$linesProcessed[] = str_replace($search, $replace, $lines[$i]);
			$cnt++;
		} else {
			$linesProcessed[] = $lines[$i];
		}
	}
	if($cnt == $cntMatch) {
		return [true, $linesProcessed];
	} else {
		return [false, []];
	}
}

good luck goin DSGVO conform with nextcloud!

[rootsystem-github]

but this is now for NC 30

[satonotdead]

I removed Nextcloud because of this. It's against their own core principles.

[EWPrivat]

I removed Nextcloud because of this. It's against their own core principles.

Do you have an another solution? Owncloud?

[satonotdead]

Do you have an another solution? Owncloud?

I'm hosting File Browser, Mattermost and webmail from the provider. I miss Nextcloud but privacy matters and that's a very big red flag to me.

[yasuoiwakura]

Do you have an another solution? Owncloud?

I'm hosting File Browser, Mattermost and webmail from the provider. I miss Nextcloud but privacy matters and that's a very big red flag to me.

its a 2018 issue, switched back to owncloud years ago because noone really cares about theese issues.