[Bug]: User can overwrite profile visibility settings via API

[miaulalala]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

PUT /ocs/v2.php/cloud/users/<user_id>
Content-Type: application/json

{
  "key": "websiteScope",
  "value": "v2-published"
}

The API request allows a user to set visibility values that may not be supported on the frontend.

Steps to reproduce

1. Log in to a Nextcloud instance as a regular user.
2. Navigate to: Settings → Personal Info → Profile visibility
3. Observe that the "Published" visibility option is disabled (greyed out) for certain fields (e.g., website).
4. Intercept the request when modifying a profile field using a proxy tool (e.g., Burp Suite).
5. Modify the request

Expected behavior

The API is in sync with the frontend UI

Nextcloud Server version

33

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

No response

[joshtrichards]

Quick look: the provisioning backend doesn't do a check against isLookupServerUploadEnabled():

server/apps/federatedfilesharing/lib/FederatedShareProvider.php

Lines 959 to 971 in ca245b4

	/**
	* Check if it is allowed to publish user specific data to the lookup server
	*/
	public function isLookupServerUploadEnabled(): bool {
	// in a global scale setup the admin is responsible to keep the lookup server up-to-date
	if ($this->gsConfig->isGlobalScaleEnabled()) {
	return false;
	}
	$result = $this->config->getAppValue('files_sharing', 'lookupServerUploadEnabled', 'no') === 'yes';
	// TODO: Reenable if lookup server is used again
	// return $result;
	return false;
	}

It only appears to query it for capabilities output:

server/apps/provisioning_api/lib/Capabilities.php

Line 42 in ca245b4

$publishedScopeEnabled = $shareProvider->isLookupServerUploadEnabled();

The profile backend appears to check/use it explicitly:

server/apps/settings/lib/Settings/Personal/PersonalInfo.php

Line 60 in ca245b4

$lookupServerUploadEnabled = $shareProvider->isLookupServerUploadEnabled();

Externally it's probably still prevented from being published (though that should be confirmed for certain), but - yeah - should be prevented via provisioning api.

Disclaimer: I'm semi-speculating based a really quick look and on memory from the visibility/scope docs update I did recently: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/profile_configuration.html#