New users are unexpected added to all groups

[apuester]

Steps to reproduce

1. login as "admin"
2. create user "user1"
3. create groups "group1" and "group2"
4. add "user1" as group admin to "group1" and "group2"
5. login as "user1"
6. create user "user2" and select no groups

Expected behaviour

There should be a error like "no groups selected", because a user without groups would be invisible for "user1".

Actual behaviour

The "user2" is an all groups where "user1" is group admin of (in this case "group1" and "group2"). This unexpected behavior is a potential security issue.

Server configuration

Operating system:
Debian 8.6

Web server:
Apache/2.4.10

Database:
mysql: 5.5.53

PHP version:
5.6.27

Nextcloud version:
Nextcloud 10.0.3 (stable) and Nextcloud 11.0.1 (stable)

Updated from an older Nextcloud/ownCloud or fresh install:
Updated, bug is existing in both versions

Where did you install Nextcloud from:
Web installer

Are you using external storage
no

Are you using encryption
yes

Are you using an external user-backend, if yes which one:
no

Client configuration

Browser:
Chrome 55.0.2883.87

Operating system:
Ubuntu 16.04 LTS (64 Bit)

[nickvergessen]

I think this is the intended behaviour. User1 can still adjust the groups later on?

[apuester]

Yes, user1 can adjust the groups later on.

But i think that a user should only be a member of a group if i select the associated checkbox. If i don't check a checkbox i expect that the user is not added to any groups. If i am group admin only there should come a error, because the new user would be invisible for me.

If i am a "real" admin, the error does not occur. If i don't select a checkbox the user is not added to any groups.

Input:

Result:

[nickvergessen]

Okay yeah, so let's do an error instead.