How to block using impersonate? about impersonate HOT 18 CLOSED

@aproposnix with E2E it doesn't matter because you can't open the files on the server. In other words the admin can impersonate you but without your mnemonic key they still can't access your E2E files.

from impersonate.

Could you clarify the situation: "the app admins shouldn't see any of users files". so then don't grant them permission to use impersonate, e.g. having two groups sysadmin+appadmin and only sysadmin is allowed to use impersonate?

or do you want to prevent sysadmins to impersonate as appadmins?

from impersonate.

@KB7777 with 1.0.4 you can configure group memberships (Admin → Additional settings). The people who should be able to impersonate must be groupadmins within (and can only impersonate users in that group). Perhaps that's already sufficient?

from impersonate.

I think a user should be notified when an admin impersonates them. This app presents a trust issue with hosted Nextcloud instances.

What's the point of E2E encryption when an admin can just open your account and go through your files?

from impersonate.

Sorry for the delayed respons...

@ManOki @blizzz
I want to prevent appadmins to impersonate any of the user from Nextcloud, but appadmins has to get all rights to manage the Nextcloud instance from web app (not only access to manage the users, but manage settings, apps, etc.).

Regards.

from impersonate.

@KB7777 places all persons who are allowed to impersonate into one group and configure this as according to #41 (comment)

from impersonate.

@blizzz
But my appadmins have to be in "admin" group as well to manage all Nextcloud instance.
So they could impersonate any of the user.

from impersonate.

@KB7777 nope, iirc, you can confiugre an "impersonator" group and assign the people accordingly.

from impersonate.

@blizzz

This is not working :)
If I place my appadmins to "impersonator" group only they can't edit setting of Nextcloud instance.
Thay have to be in "admin" group to be the admin of all settings.

from impersonate.

@KB7777 they can be in both admins and impersonators, but you need to limit impersonating to the impersonators group

from impersonate.

But the user from "admins" group can change his group and add himself to "impersonator" group.

from impersonate.

true, that's a dilemma. but since they are admin anyway, they basically can do anything.

from impersonate.

Well, it's all about that -- How to block using impersonate? :)
Maybe option at config.php?

from impersonate.

don't bother for admins, they'll always find a way. If you don't trust them, take away the admin role.

from impersonate.

But the my appadmins can't access to the OS.

from impersonate.

@KB7777 they could write a malicious app, put it to the app store and install it. Would give them at least permissions of the web user.

from impersonate.

So, there is no point to restrict my appadmins group, because they could do anything in Nextcloud instance anyway? Hm...
Maybe information to the user if admin using impersonate app is not wrong idea.

from impersonate.

It's being logged in the nextcloud.log so far. User information could be interesting, though i guess there are pro and cons against that. You may open a feature request, though up front: i won't have resources to work on it any time soon.

from impersonate.