You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If you set up a poll with hidden results ("Never show results" is selected), your users will not see who voted in the poll and how they voted. Even the header line does not show the count of votes received.
However, if any user checks "Receive notification email on activity", a notification is sent for each vote cast, including the name of the voter.
Expected behaviour
"Receive notification email on activity" for polls with "Never show results" should not inform normal users about other user's votings.
The "activity" that causes notifications should be limited to those changes that are visible to the user, like new comments.
Actual behaviour
A notification is sent for each vote cast, including the name of the voter, thus leaking information about who voted and when.
Server configuration detail
Operating system: Linux 4.15.0 #1 SMP Mon Dec 9 19:36:21 MSK 2019 x86_64
Steps to reproduce
If you set up a poll with hidden results ("Never show results" is selected), your users will not see who voted in the poll and how they voted. Even the header line does not show the count of votes received.
However, if any user checks "Receive notification email on activity", a notification is sent for each vote cast, including the name of the voter.
Expected behaviour
"Receive notification email on activity" for polls with "Never show results" should not inform normal users about other user's votings.
The "activity" that causes notifications should be limited to those changes that are visible to the user, like new comments.
Actual behaviour
A notification is sent for each vote cast, including the name of the voter, thus leaking information about who voted and when.
Server configuration detail
Operating system: Linux 4.15.0 #1 SMP Mon Dec 9 19:36:21 MSK 2019 x86_64
Webserver: Apache (fpm-fcgi)
Database: mysql 10.1.44
PHP version:
7.2.31
Modules loaded: Core, date, libxml, openssl, pcre, zlib, bz2, calendar, ctype, hash, filter, ftp, gettext, gmp, SPL, iconv, Reflection, session, standard, SimpleXML, sockets, mbstring, tokenizer, xml, cgi-fcgi, mysqlnd, apcu, bcmath, curl, dba, dom, enchant, fileinfo, gd, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, odbc, PDO, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, redis, soap, sodium, sqlite3, sysvmsg, sysvsem, sysvshm, tidy, xmlreader, xmlrpc, xmlwriter, xsl, zip, ionCube Loader, Zend OPcache
Nextcloud version: 18.0.6 - 18.0.6.0
Updated from an older Nextcloud/ownCloud or fresh install: installed 1.5 years ago
Where did you install Nextcloud from: unknown
Signing status
Array
(
)
List of activated apps
Configuration (config/config.php)
Are you using external storage, if yes which one:
Are you using encryption:
Are you using an external user-backend, if yes which one:
Client configuration
Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Safari/537.36
Operating system: Ubuntu Linux
Logs
Web server error log
Nextcloud log
Browser log
nothing relevant
The text was updated successfully, but these errors were encountered: