0006092: Subscribing to shared address books can leak private data. - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0006092	SOGo	Web Address Book	public	2025-02-14 08:58	2025-02-14 08:58

Reporter	kippels	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	new	Resolution	open
Product Version	5.8.0

Summary	0006092: Subscribing to shared address books can leak private data.
Description	I have two SOGoUserSources defined: The first has no filter, canAuthenitcate=YES and isAddressBook = NO the second one has a filter, canAuthenticate = NO and isAddressBook = YES When I add a shared address book it is possible to leak all private mail addresses from the first defined SOGoUserSource. Imo the isAddressBook-Setting should be respected here. When I only have the first SOGoUserSource defined this behaviour also occurs.
Steps To Reproduce	Click "Address Book" -> "Subscriptions (+)" -> Start typing
Additional Information	I have attached two screenshots that illustrate this problem. The first one is a search in the global address book, the second one is a search in the add subscription box
Tags	No tags attached.

Date Modified	Username	Field
2025-02-14 08:58	kippels	New Issue
2025-02-14 08:58	kippels	File Added: 2025-02-14-09-38-33.png
2025-02-14 08:58	kippels	File Added: 2025-02-14-09-39-08.png

kippels 2025-02-14 08:58 reporter	2025-02-14-09-38-33.png (39,165 bytes) 2025-02-14-09-38-33.png (39,165 bytes) 2025-02-14-09-39-08.png (50,776 bytes) 2025-02-14-09-39-08.png (50,776 bytes)