Allow Sharing Only with Confirmed E-Mail Address #15

Closed
mritzmann opened this issue May 7, 2020 · 4 comments · Fixed by #17
Labels
enhancement New feature or request

Comments

@mritzmann

We rarely have problems with the public Nextcloud installation being used for propaganda purposes (e.g. ISIS videos) or for distributing viruses. The procedure is always the same:

  1. The user registers with a fake email address
  2. Uploads the malicious file and shares it publicly

This also causes many abuse messages, justifiably. After all: Since the e-mail address has not been confirmed, the account is automatically deactivated and the public share disappears. At least that's better than nothing. (This works since this issue was fixed: nextcloud/server#16302 Thanks!)

So my suggestion is this:

  • Only allow sharing once the email address has been confirmed. Sure, even so the installation can still be abused, but the effort is greater.

Not sure if this functionality can be covered by an app at all. But it would be a great option.

Or maybe there are other providers who have already solved the problem differently?

@MorrisJobke
Member

cc @skjnldsv

@skjnldsv
Member

Hey, I added a new feature.
Can you test #17?

With that you can then add the unconfirmed group(s) to the list of excluded groups from sharing (in the sharing settings).

@skjnldsv skjnldsv added the enhancement New feature or request label May 11, 2020
@mritzmann
Author

mritzmann commented May 12, 2020

Just installed the preferred_providers app with the patch on a test installation.

git clone https://github.com/nextcloud/preferred_providers.git ~/www/apps/preferred_providers
cd ~/www/apps/preferred_providers
git checkout enhancement/allow-groups-confirmed-unconfirmed
php ~/www/occ app:enable preferred_providers

But because the signup page makes an API request to https://nextcloud.com/wp-json/signup/account with a token, I'm not sure how to test this. I would not like to test it directly on the productive installation. Is there a simple curl command to play through a registration?

Otherwise, based on the setting page, it looks like the Pull Request does exactly what I need. :-)

@mritzmann
Author

I tested it today and it works, thanks! 🙇
