don't reveal users mail adress by default

[yasuoiwakura]

Steps to reproduce

1. register as a new user
2. after some months, explore the menu
3. discover that your mail adress was public to ALL the other cloud users on the same server

Expected behaviour

Private data should not be revealed by default

Make public data available, protect private data.
Source:

• hacker ethics
• gdpr

Actual behaviour

Users mail adress is revealed to other users by default

Server configuration

LAMP, Ubuntu 18.04

Nextcloud version: 15.0.5
fresh installl since upgrade from OC failed

Where did you install Nextcloud from: Webclient

List of activated apps:
deactivated ALL Apps - same behavior

Nextcloud configuration:

Config report

If you have access to your command line run e.g.:

```{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.REMOVED.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "15.0.5.3",
        "overwrite.cli.url": "https:\/\/cloud.REMOVED.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "pipe",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "CUSTOMSETTINGSMATTHIAS": "ab hier!!!",
        "default_language": "de",
        "default_locale": "de",
        "force_language": "de",
        "force_locale": "de",
        "mail_smtpsecure": "ssl",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}```

### Client configuration
**Browser:**
IE, FF, Chrome
**Operating system:**

[violoncelloCH]

what do you think @nextcloud/server-triage ?

[nickvergessen]

Actually the default is contacts only:
https://github.com/nextcloud/server/blob/master/lib/private/Accounts/AccountManager.php#L308

[violoncelloCH]

yes, but contacts means all other users on the same server plus trusted federation servers, doesn't it? I think that's the point of @yasuoiwakura...

[yasuoiwakura]

Yes, i see no reason to assume my users would want their mail adress revealed to each other.
I mean, I cannot see any of the github user's email (not even those who wrote in the same topic) and i guess there is a good reason it is private by default

[yasuoiwakura]

Any idea how to temporary fix or disable this leak? it is a real privacy problem for my users...

[yasuoiwakura]

Updated to NC16, still same problem.

btw. this information is false, since it claims that only administrators have access to my data:

https://cloud.domain.tld/index.php/settings/user/privacy

[nickvergessen]

Datas in this term are your files. The email address is also checked for sharing, so this is more of a general issue with a bigger impact on how all the things are handled and needs some more planing then a quick change on a setting

[nickvergessen]

Okay I just checked again and I was wrong.
If the email is set to private, you can not find users by their email address.

So I guess it boils down to the fact, that you registered (on a public instance) where "everyone on the cloud knows each other" is not a good sensitive default.
Maybe we should add an option for that, so admins can configure this.

[nickvergessen]

cc @rullzer @MorrisJobke what do you think about this?

[yasuoiwakura]

hm my current workaround is to <!--hide--> the contact list in the upper right corner.

imho, users should indeed be able to share files with other users/groups (should be defined by admin) without seeing their email.