Restrict poll functions to user's group.

[joe-average-user]

What is going wrong?

As far as I can see there is no option at all (for global administrator) to restrict polls created by users to their own group.

Expected behavior
A general config option to restrict polls to their creating user group.

Information about your polls installation

0.10.4

Fresh installation or update from a prior version (from which one)?
fresh

How did you install this version?(Appstore or describe installation)
appstore

Information about your Instance of Nextcloud/ownCloud

Nextcloud 14.0.14

[dartcafe]

Not at the moment. Restriction to polls for invited groups will be possible after the 1.0 release.

[joe-average-user]

Thank you for answering. Good to hear this point is in mind. I'd like to add that an option for the global administrator would be handy that polls do not leave the creating users group. The user itself should not be able to select the group(s) because the group names alone can be a security issue.Think of a setup where groups represent user domains.

[dartcafe]

because the group names alone can be a security issue

Why are group names a security risk? Can you clarify?

With 1.0 a creator of a poll is able to invite groups and restrict the access to this group, if he wants. It is not intended to restrict the creators of a poll to create polls restricted to their groups.

Please have in mind, that a user can be member of unlimited groups.

What is developed: Poll owners will have the possibility to create hidden or visible polls with invitations and public links for site users, groups and external users. External users will create their own share link after providing their user name.

[joe-average-user]

We are hosting several domains. All users are members of their respective domain represented as a group named like the domain. We try to isolate the groups from each other as good as we can. It makes no sense in our environment that a member of domain A can invite a member of Domain B. If an account in one domain gets hacked it would be dead simple to find all hosted domains if there is some function where all the groups are shown. This opens up the possibility to find new to-be-hacked accounts.
Without having read the code I think it should be not too complicated to prevent this group interaction as an option for the global administrator.

[dartcafe]

As we have no global admin settings for polls right now, this is something to implement first. And there are a couple of checks to be added and to test, so it is not that trivial. So don't expect this feature very soon.

[NicoP-S]

We also have trouble with this behavior.
There is a general setting under share -> Restrict users to share to their own groups

I think other apps like the forms app using this setting to prevent this behavior.
Maybe this would be a solution without the need of an settings section

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.