Make duplicate sharee autocomplete results easier to distinguish

[PVince81]

Steps

1. Create three users "user1", "user2" and "user3"
2. Set the display name of all three to "hallo"
3. Go to the files view
4. Open the sharing panel
5. Type "hal" in the autocomplete

Expected result

Three distinguishabe entries.

Actual result

All three entries say "hallo".
With no avatars set, there is no visual way for distinction.
The tooltip shows the user id but might not be suitable in the case of LDAP uuids.

Version

ownCloud 10.0.3RC1

See also owncloud/guests#142 (comment)

@pmaier1 @tomneedham

[PVince81]

The quickest solution would be to detect duplicates in the frontend side and when duplicates exist, display the contents of the tooltip inline: "hallo (user1)", "hallo (user2)", etc.

Email address would also be a solution but it might not always be available. Also in the case of LDAP, there might be multiple email addresses. I'd assume that there is a main email address (@tomneedham might know)

Note that whatever logic we decide to use here we might also need to apply to other app's autocomplete like the customgroups members autocomplete.

[PVince81]

Preventing duplicate display names is not a good idea considering that display names can come from LDAP or any custom user backend. I'd rather not explore that route as it could become complex.

[PVince81]

Let's try with the main email address. If not set, fallback to the user id.
And only display the additional part if there is a duplicate.
Make user id and email still visible in the tooltip.

[PVince81]

privacy concern: this would too easily reveal email addresses in contexts where it might not be desirable to let people know each other's emails

[tomneedham]

I'd assume that there is a main email address

right now there is always a primary mail address yes

[tomneedham]

There was a ticket about this somewhere - where someone was adding the email to the hover over alt text instead of the UUID which was deemed to be revealing too much for LDAP users

[PVince81]

Looks like for the guests app we'd like to have an additional indicator behind users ? @pmaier1

See owncloud/guests#149.

I'd have hoped that the email address would be enough.

[pmaier1]

I think we are going the right way with #28979 (comment). If there's more to be discussed, please approach me. This is a release blocker for 10.0.4. Adjusting priority.

[pmaier1]

Regarding #28979 (comment):
Yes, indicating guests is also needed. Not sure about the UI solution for this, though. Double parentheses will not be nice, I guess. For this it could be important to keep in mind that guests will at some point need to be migratable to the DB/LDAP. So guest status needs to be determined by a condition that changes when the user is migrated in the future.

[PVince81]

Need to first resolve privacy concern: #28979 (comment). Exposing email addresses feel wrong. Anyone could just type each letter "a", then "b" and harvest email addresses from the results. (they could script that)

[PVince81]

One idea would be to have a list of fields that can be used: "id", "email" and in the future potentially LDAP "search_terms" attributes. The admin could decide to allow displaying the email address there instead of the id, as an opt-in solution.

For now the field could be a simple dropdown in the admin sharing sections with two choices:

• user information to display in autocomplete: [dropdown here]
  • choice 1: user id
  • choice 2: primary email address
  • future choice X: LDAP field XYZ

Thoughts ?

[felixboehm]

@butonic @pmaier1 please provide your thoughts on this

[pmaier1]

Display name output format settings

• Admin settings section: User display name output format dropdown (needs a good wording!)
  • only display name
  • display name + user id
  • display name + e-mail address
  • (future: display name + LDAP field)
• Apply to all user name displays (sharing autocomplete, sharee list, comments, etc.)
• Drop tooltip (only use it when names are ellipsised)
• Custom groups!

[pmaier1]

Open

• Where to put the settings
• Wording
• UI

[PVince81]

To scope this specific ticket I'd like to limit the application of the user display names to only the share autocomplete and the list of user shares in the sidebar panel.

We can then evaluate further locations like author comments, custom groups, and extend the usage of the format there.

Considering that we want this reusable, we could even have a new method on IUser->getFormattedName() which would prepare the requested format and return it to the clients. Then it's mostly a matter of replacing the relevant code from IUser->getDisplayName() to IUser->getFormattedName().

Thoughts or objections ? @butonic @DeepDiver1975 @jvillafanez

[butonic]

As a user I typically look at the Avatar, the displayname and the email address, in that order. If a user has no email set we could fall back on the owncloud internal username. Falling back on the login can be considered a security issue because you can then look up logins. On the other hand, same goes for email.

The userid might be cryptic and confusing to users, IMO it should only be visible for admins (in the user list).

Even more problematic: db users can set their avatar and displayname at will, easily impersonating other users. For emails we send a verification mail, so it might be safe enough to rely on that ... if it is set.

an IUser->getFormattedName() may not be enough, because in the UI we typically want to show the Avatar, maybe the Displayname in Bold and the email in darkgray. Desktop and Mobile Clients might do completely different things to render a user. Maybe we want to add eg the last logintime in the future or the federated sharing id or whatever ... a simple string does not cut it. The secondDisplayname hack in the ldap app is already the wrong approach IMO. We need a user object and the UI is responsible for rendering it.

[PVince81]

@butonic are you talking about login or user id ? Note that user id is already visible in the tooltip currently.

You're right about getFormattedName(), then we need another approach to expose the format to the UI and some helper functions to format/render a usable display name + additions, including avatars. This could be done using a handlebars template (with conditions in it based on selected format). I'd welcome that as we'd avoid repeating the same rendering code all over the place like we do now.

[pmaier1]

If a user has no email set we could fall back on the owncloud internal username. Falling back on the login can be considered a security issue because you can then look up logins

oC already shows the "Username"/Login name in the mouse-over tooltip.

in the UI we typically want to show the Avatar, maybe the Displayname in Bold and the email in darkgray

Sounds nice!

Another thing that came to my mind: If the admin sets "only display name", then duplicates which are not distinguishable can still occur. Didn't think about that when we were talking. Actually we need to find a way that this can't happen in general or we add a hint to the option. Hmhm, not that satisfying.

The userid might be cryptic and confusing to users, IMO it should only be visible for admins (in the user list).

Essentially agreed. Is userid the same as "Username" in the user list? Wouldn't it be possible to provide another solution when user names are cryptic (mainly with LDAP, right?) and still rely on user name for basic cases?
Then we could have the "display name + user name" as default:

• Indistinguishable results can't happen anymore as user names and mail addresses are unique
• Admin can choose what to expose (user name / mail address)
• For the cryptic case you can either choose mail addresses or define an LDAP field
• We could still leave the "display name only" option for the security-aware people and add a hint that indistinguishable user information can be a consequence)

[butonic]

login would make at least sense to show in the ui. userid is cryptic and hes no value to end users. admins may use it with occ. but currently we dont store the login (ldap can even have multiple login attributes, eg samaccountname and userprincipalname)

[tomneedham]

oC already shows the "Username"/Login name in the mouse-over tooltip.

Note this is already considered to be too much information released for some customers - who want to hide the LDAP GUID for example

[pmaier1]

Note this is already considered to be too much information released for some customers - who want to hide the LDAP GUID for example

They could then use "display name only" which would make them happy as we drop the tooltip and really only display names would be accessible for users. The drawback of potential indistinguishability would be given as a hint in the settings.

[PVince81]

PR here, please try it out: #29334

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.