fix(accounts): default property scopes to local instead of federated#58759
fix(accounts): default property scopes to local instead of federated#58759boris324 wants to merge 3 commits intonextcloud:masterfrom
Conversation
Add name="default_view" to the NcRadioGroup component so the underlying radio buttons are properly grouped. This enables keyboard navigation between radio options using arrow keys, improving accessibility. Fixes nextcloud#58729 Signed-off-by: boris324 <boris324@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
AWS allows bucket names up to 63 characters per their naming rules, but the bucket_name column in oc_preview_locations was varchar(40). This updates the initial migration to use length 63 for fresh installs and adds a new migration to alter the column for existing installs. Fixes: nextcloud#58755 Signed-off-by: boris324 <boris324@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…to local New users were created with displayname, email, avatar, and pronouns set to federated scope by default, exposing personal information to federated servers without explicit user consent. This changes all default property scopes to local, so user data stays private until the user explicitly opts into federation. Includes a repair step to migrate existing users who still have the old federated defaults on the affected properties. Fixes: nextcloud#58646 Signed-off-by: boris324 <boris324@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
boris324
requested review from
artonge,
icewind1991,
leftybournes,
salmart-dev and
szaimen
and removed request for
a team
There was a problem hiding this comment.
Pull request overview
Updates Nextcloud’s account-property privacy defaults to avoid unintentionally exposing user profile data via federation, and adds an upgrade/repair path for existing accounts.
Changes:
- Switch default scopes for
displayname,email,avatar, andpronounsfromSCOPE_FEDERATEDtoSCOPE_LOCAL. - Add a new repair step (
FixDefaultAccountScopesToLocal) and DB test coverage to migrate existing accounts away from the old federated defaults. - Includes additional unrelated changes (preview_locations migration + Files settings UI tweak) that should be split out or documented.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
lib/private/Accounts/AccountManager.php |
Changes default scopes for key account properties to local. |
lib/private/Repair/NC33/FixDefaultAccountScopesToLocal.php |
New repair step to rewrite affected properties from federated to local. |
lib/private/Repair.php |
Registers the new repair step in the default repair steps list. |
tests/lib/Accounts/AccountManagerTest.php |
Updates expected default scopes in unit tests. |
tests/lib/Repair/NC33/FixDefaultAccountScopesToLocalTest.php |
Adds DB tests for the new repair step. |
core/Migrations/Version33000Date20260306120000.php |
Adds a migration for preview_locations.bucket_name length (unrelated to account scopes). |
core/Migrations/Version33000Date20250819110529.php |
Adjusts initial schema for preview_locations.bucket_name length (unrelated). |
apps/files/src/components/FilesAppSettings/FilesAppSettingsGeneral.vue |
Adds a name attribute to a radio group (unrelated). |
lib/composer/composer/autoload_static.php |
Composer autoload update for the new repair step class. |
lib/composer/composer/autoload_classmap.php |
Composer classmap update for the new repair step class. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Server::get(AddCleanupDeletedUsersBackgroundJob::class), | ||
| Server::get(SanitizeAccountProperties::class), | ||
| Server::get(AddMovePreviewJob::class), | ||
| Server::get(ConfigKeyMigration::class), | ||
| Server::get(FixDefaultAccountScopesToLocal::class), | ||
| ]; |
There was a problem hiding this comment.
FixDefaultAccountScopesToLocal is added to the default repair steps list, which runs automatically on upgrade. Given the implementation currently scans the entire accounts table, consider moving it to getExpensiveRepairSteps() or refactoring it to queue a background job to avoid long upgrade runtimes on large installations.
| <NcRadioGroup | ||
| v-model="store.userConfig.default_view" | ||
| name="default_view" | ||
| :label="t('files', 'Default view')" |
There was a problem hiding this comment.
This UI change (adding a name attribute to the Files app settings radio group) is unrelated to the PR’s stated scope (account property privacy defaults). Please split it into a separate PR or update the PR description so the change is reviewed and tested in the right context.
| public function testDoesNotChangePublishedScope(): void { | ||
| $uid = 'test-fix-scope-published'; | ||
| $data = [ | ||
| IAccountManager::PROPERTY_DISPLAYNAME => [ | ||
| 'value' => 'Public User', |
There was a problem hiding this comment.
The PR test plan mentions ensuring v2-private scopes aren’t modified, but the tests in this file currently cover only SCOPE_PUBLISHED and SCOPE_LOCAL. Please add a dedicated SCOPE_PRIVATE test case to prevent accidental future broadening of the migration condition.
| /** | ||
| * Increase bucket_name column length to 63 to match AWS bucket naming rules | ||
| */ | ||
| #[ModifyColumn(table: 'preview_locations', name: 'bucket_name', description: 'Increase column length to 63 to match AWS bucket naming rules')] | ||
| class Version33000Date20260306120000 extends SimpleMigrationStep { |
There was a problem hiding this comment.
This migration changes preview_locations.bucket_name length (and adds a new migration) but the PR title/description is about account property scopes. Please either split these schema changes into a separate PR or update the PR description and linked issue context so reviewers can validate the intended impact and release notes.
| $changed = false; | ||
| foreach (self::AFFECTED_PROPERTIES as $property) { | ||
| if (isset($data[$property]['scope']) | ||
| && $data[$property]['scope'] === IAccountManager::SCOPE_FEDERATED | ||
| ) { | ||
| $data[$property]['scope'] = IAccountManager::SCOPE_LOCAL; | ||
| $changed = true; | ||
| } |
There was a problem hiding this comment.
The repair logic changes any affected property that currently has SCOPE_FEDERATED to SCOPE_LOCAL. This also affects users/admins who intentionally set these properties to federated (and it ignores the account_manager.default_property_scope override used elsewhere for defaults). If the intent is to only revert the historic default, consider reading the system override and skipping properties that are configured to remain federated, or otherwise narrowing the migration criteria; otherwise the PR description should be adjusted to reflect the broader behavior.
| $select = $this->connection->getQueryBuilder(); | ||
| $select->select('uid', 'data') | ||
| ->from('accounts'); | ||
|
|
||
| $update = $this->connection->getQueryBuilder(); | ||
| $update->update('accounts') | ||
| ->set('data', $update->createParameter('data')) | ||
| ->where($update->expr()->eq('uid', $update->createParameter('uid'))); | ||
|
|
||
| $result = $select->executeQuery(); | ||
| while ($row = $result->fetch()) { | ||
| $processed++; | ||
| $data = json_decode($row['data'], true); | ||
| if (!is_array($data)) { |
There was a problem hiding this comment.
This repair step performs a full table scan of accounts and potentially issues one UPDATE per matching row. Because it is registered as a default (non-expensive) repair step, this can make upgrades/repairs slow or time out on large instances. Consider reducing work (e.g., add a coarse SQL filter on data, process in chunks with progress output, or queue a background job as done by other heavy account repairs).
|
@nextcloud/designers can you give your opinion on that one? |
| </NcFormBox> | ||
| <NcRadioGroup | ||
| v-model="store.userConfig.default_view" | ||
| name="default_view" |
artonge
added
3. to review
Summary
SCOPE_FEDERATEDtoSCOPE_LOCALfor all properties (displayname, email, avatar, pronouns were previously federated by default)FixDefaultAccountScopesToLocal) that migrates existing users who still have the old federated defaults on the affected properties back to local scopeBackground
New users were created with
displayname,email,avatar, andpronounsset tov2-federatedscope by default. This exposed personal information to federated servers without explicit user consent. The privacy-respecting default should bev2-local, keeping user data visible only to users on the same instance.Administrators who want to restore the old behavior can use the
account_manager.default_property_scopesystem config option to override individual property scopes.Fixes: #58646
Test plan
v2-localscope in theoc_accountstableocc maintenance:repairand verify the repair step updates existing accounts fromv2-federatedtov2-localfor the affected propertiesv2-publishedorv2-privatescopes are not modified by the repair stepaccount_manager.default_property_scopeconfig override still works to set federated scope if desired🤖 Generated with Claude Code