very dangerous group admin bug #8244
Comments
That's actually the expected behaviour but I think this is nevertheless worth discussing. Summoning @karlitschek and @jancborchhardt - what do you think?
I'm more than happy to discuss this, but it should be obvious: the way it is right now makes it possible to wipe data unintentionally. No matter what, this cannot be the correct behavior. That's almost the same as giving every user admin rights with the ability to lock out the admin and delete all data. This doesn't seem right.
From the perspective of someone who's recently set up multitenant ownCloud hosting for a few of our customers (and internally, and at home, love it) this is absolutely non-intuitive. I can see some of the reasoning behind the functionality but it's totally not something that I expected - I thought (OK, yes, without reading the manual) that a Group Admin would be able to admin the group (i.e. assign/unassign users) only. I don't like it.
Just as a remark: every few days there is somebody in our IRC chat who misunderstood the option too. I believe we should do something here.
@LukasReschke Not quite sure how somebody could misunderstand the concept of a group admin. It's a user who can administer a group.
I hope I don't give the impression that I'm bad-mouthing the product. I love ownCloud and it's a great product. But this is really dangerous and unless this is fixed, people should not use group admins.
Be sure that this is not intended. It just isn’t done yet. This issue is a duplicate of #1212 – let’s continue there.
ownCloud 6.0.2 (all other info irrelevant)
The cloud admin creates 2 users:
Behold: User A is able to delete user B from the system!
User B is also a group admin and manages other users. All of a sudden his user and his data (which he most likely shared with his own group) are gone. Gone forever.
Even if B were not a group admin, it can't be that user A deletes a user from the system (unless that user was created by A).
User A should only be able to
This is a high risk bug, unless this behavior is intentional.
If this were really the case, nobody could ever use group admins (unless the admin doesn't care about his users' data), which in turn renders the concept of group admins useless.