10.9.1: Group admin can see all groups, even the ones that he is not admin of

Steps to reproduce

  1. Make a user admin of a group
  2. Log in as that user
  3. Try to change a user's group: the group admin can see all groups, although he is only admin of one group. But fortunately the group admin gets an “authorization error” when assigning users to a group without admin privileges for that group

Expected behaviour

Group admin can only see the group he is admin of (like in all versions below 10.9)

Actual behaviour

Group admin can see all groups

Server configuration

Operating system: Debian Bullseye

Web server: Apache2

Database: MySQL

PHP version: 7.4

ownCloud version: 10.9.1

Updated from an older ownCloud or fresh install: Updated

Where did you install ownCloud from: tar.gz

Signing status (ownCloud 9.0 and above): OK

List of activated apps:
Enabled:

  • activity:
    • Version: 2.7.0
    • Path: /var/www/owncloud/apps/activity
  • comments:
    • Version: 0.3.0
    • Path: /var/www/owncloud/apps/comments
  • configreport:
    • Version: 0.2.0
    • Path: /var/www/owncloud/apps/configreport
  • dav:
    • Version: 0.7.0
    • Path: /var/www/owncloud/apps/dav
  • federatedfilesharing:
    • Version: 0.5.0
    • Path: /var/www/owncloud/apps/federatedfilesharing
  • federation:
    • Version: 0.1.0
    • Path: /var/www/owncloud/apps/federation
  • files:
    • Version: 1.5.2
    • Path: /var/www/owncloud/apps/files
  • files_external:
    • Version: 0.8.0
    • Path: /var/www/owncloud/apps/files_external
  • files_mediaviewer:
    • Version: 1.0.5
    • Path: /var/www/owncloud/apps/files_mediaviewer
  • files_pdfviewer:
    • Version: 1.0.1
    • Path: /var/www/owncloud/apps/files_pdfviewer
  • files_sharing:
    • Version: 0.14.0
    • Path: /var/www/owncloud/apps/files_sharing
  • files_texteditor:
    • Version: 2.4.1
    • Path: /var/www/owncloud/apps/files_texteditor
  • files_trashbin:
    • Version: 0.9.1
    • Path: /var/www/owncloud/apps/files_trashbin
  • files_versions:
    • Version: 1.3.0
    • Path: /var/www/owncloud/apps/files_versions
  • firstrunwizard:
    • Version: 1.2.0
    • Path: /var/www/owncloud/apps/firstrunwizard
  • gallery:
    • Version: 16.1.2
    • Path: /var/www/owncloud/apps/gallery
  • market:
    • Version: 0.6.2
    • Path: /var/www/owncloud/apps/market
  • notifications:
    • Version: 0.5.4
    • Path: /var/www/owncloud/apps/notifications
  • provisioning_api:
    • Version: 0.5.0
    • Path: /var/www/owncloud/apps/provisioning_api
  • templateeditor:
    • Version: 0.4.0
    • Path: /var/www/owncloud/apps/templateeditor
  • twofactor_totp:
    • Version: 0.7.4
    • Path: /var/www/owncloud/apps/twofactor_totp
  • updatenotification:
    • Version: 0.2.1
    • Path: /var/www/owncloud/apps/updatenotification

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Chrome

Operating system: Windows 11

Logged in user is admin of one group, but can see all groups in dropdown menu:

Thanks for reporting this. I was able to verify the issue and reported it to the development team.

In this case it might have already made sense for you to open a Github ticket. You are more than welcome to open a topic about a Github ticket, but in general most discussion happens in Github.

We should link the Github ticket here, once it has been created.


Github Issue: https://github.com/owncloud/core/issues/39756


You can create a patch installable in a current system (oC 10.9.1) like so:
https://patch-diff.githubusercontent.com/raw/owncloud/core/pull/39752.patch

(Github will auto forward you to the second link if you concatenate .patch at the end of the first)

cd /var/www/owncloud
# or wherever your ownCloud is installed
wget https://patch-diff.githubusercontent.com/raw/owncloud/core/pull/39752.patch
patch -p 1 < 39752.patch
rm 39752.patch
# so the file doesn't show up in the file integrity check

I tested the patch and it resolves the issue.

