Inconsistent user management of the Nextcloud app
I have noticed something odd trying to configure user management of the nextcloud app.
I first install nextcloud allowing all Cloudron users. On first login as Nextcloud admin I noticed all Cloudron users where added (all normal so far). Then I wanted to restrict the app to a particular user group through the app user management on Cloudron. When login back in Nextcloud all users where still there (which might be normal as perhaps this is to do with how Nextcloud handles LDAP) and all users could still login (at least all cloudron admin, I could not test with non admin) which was more problematic.
So then I uninstalled the app and reinstalled it allowing only that user group right up on install. On first login I noticed that all Cloudron user admin where added, and not only the user from that group (though the non admin users which are not part of the group were not added). And again all admin could login into Nextcloud, even if not part of the allowed user group.
This is a little inconsistent and misleading compared to other apps like Rocket.chat which seem to only create users as allowed by Cloudron user management settings. I understand that this may be because of how Nextcloud handles LDAP, and not something in the hands of Cloudron but it feels it should be made obvious to the users that this is the case, otherwise one might think that by only allowing a particular group in the Cloudron app settings, this will prevent all users not part of that group to login.
In practice, to prevent those other users to login, than the Nextcloud admin can "disable" (though apparently cannot deleted) users from the Nextcloud users interfaces, but this somehow undermines one important function of the Cloudron user management.
Sorry if I missed something obvious but I looked in the docs and in other places (the update LDAP command in the Cloudron doc doesn't work).
On Cloudron admins can login to all apps always, I guess this is nowhere really mentioned as such.
Regarding the user listing in nextcloud, this is indeed a nextcloud issue, since it creates local users from LDAP and does not do a two-way sync.
Non admins should not be able to login if they have their access removed from the nextcloud instance, even if they are still listed within nextcloud.
Ok many thanks for looking into this. I didn't realised that was the default on all apps (it wasn't obvious in say rocket.chat where admin users which are not part of the restricted group don't appear at first, but indeed it turns out they can actually login and then they appear).
Yes it feels it might be worth noting somewhere that Cloudron admins not only can see and modify all apps and settings but can actually login in all apps irrespectively of user management settings.
Thanks for the quick response and all the work! Cloudron is awesome!
@avatar1024 Thanks, I have put a note in our doc for now. We will try to put a note in the UI as well for next release - https://cloudron.io/documentation/user-management/#administrator
Also, users appearing in the app itself relies on LDAP sync which the app may or may not support. (This is why, just for consistency, we simply tell people to make sure users login to the app first.)