feat(accounts): add admin-configurable per-property scope ceiling

Admins can now set a maximum allowed visibility scope per account
property via the system config key `account_manager.max_property_scope`
(array of property name => max scope, e.g.
`['email' => 'v2-local', 'website' => 'v2-local']`).

Backend (`AccountManager::testPropertyScope`) rejects any scope that
exceeds the configured ceiling, returning `Invalid scope` via the API.
The frontend (`FederationControl.vue`) also filters out disallowed
scope options so users only see choices their admin permits.
`PersonalInfo.php` sanitises and passes the config to the frontend
via initial state.

`IAccountManager` adds `PROPERTY_SCOPE_ORDER` documenting the
visibility ordering used for ceiling comparisons.

Also fixes a latent mutation bug in `FederationControl.vue` where
`supportedScopes` was calling `.push()` on the inner arrays of the
`Object.freeze`d `PROPERTY_READABLE_SUPPORTED_SCOPES_ENUM` constant,
causing duplicate entries to accumulate across re-renders.

Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: miaulalala

apps/settings/lib/Settings/Personal/PersonalInfo.php

@@ -115,12 +115,19 @@ public function getForm(): TemplateResponse {
 			'pronouns' => $this->getProperty($account, IAccountManager::PROPERTY_PRONOUNS),
 		];
 
+		$maxPropertyScopes = array_filter(
+			$this->config->getSystemValue('account_manager.max_property_scope', []),
+			static fn (string $scope, string $property): bool => in_array($property, IAccountManager::ALLOWED_PROPERTIES, true) && in_array($scope, IAccountManager::ALLOWED_SCOPES, true),
+			ARRAY_FILTER_USE_BOTH,
+		);
+
 		$accountParameters = [
 			'avatarChangeSupported' => $user->canChangeAvatar(),
 			'displayNameChangeSupported' => $user->canChangeDisplayName(),
 			'emailChangeSupported' => $user->canChangeEmail(),
 			'federationEnabled' => $federationEnabled,
 			'lookupServerUploadEnabled' => $lookupServerUploadEnabled,
+			'maxPropertyScopes' => $maxPropertyScopes,
 		];
 
 		$profileParameters = [

apps/settings/src/components/PersonalInfo/shared/FederationControl.vue

@@ -52,6 +52,7 @@ import { handleError } from '../../../utils/handlers.ts'
 const {
 	federationEnabled,
 	lookupServerUploadEnabled,
+	maxPropertyScopes,
 } = loadState('settings', 'accountParameters', {})
 
 export default {
@@ -123,18 +124,24 @@ export default {
 		},
 
 		supportedScopes() {
-			const scopes = PROPERTY_READABLE_SUPPORTED_SCOPES_ENUM[this.readable]
-
-			if (UNPUBLISHED_READABLE_PROPERTIES.includes(this.readable)) {
-				return scopes
-			}
-
-			if (federationEnabled) {
-				scopes.push(SCOPE_ENUM.FEDERATED)
+			const scopes = [...PROPERTY_READABLE_SUPPORTED_SCOPES_ENUM[this.readable]]
+
+			if (!UNPUBLISHED_READABLE_PROPERTIES.includes(this.readable)) {
+				if (federationEnabled) {
+					scopes.push(SCOPE_ENUM.FEDERATED)
+				}
+				if (lookupServerUploadEnabled) {
+					scopes.push(SCOPE_ENUM.PUBLISHED)
+				}
 			}
 
-			if (lookupServerUploadEnabled) {
-				scopes.push(SCOPE_ENUM.PUBLISHED)
+			// Apply admin-configured scope ceiling for this property.
+			const propertyKey = PROPERTY_READABLE_KEYS_ENUM[this.readable]
+			const maxScope = propertyKey && maxPropertyScopes?.[propertyKey]
+			if (maxScope) {
+				const order = [SCOPE_ENUM.PRIVATE, SCOPE_ENUM.LOCAL, SCOPE_ENUM.FEDERATED, SCOPE_ENUM.PUBLISHED]
+				const maxIndex = order.indexOf(maxScope)
+				return scopes.filter((scope) => order.indexOf(scope) <= maxIndex)
 			}
 
 			return scopes

config/config.sample.php

@@ -2886,6 +2886,29 @@
 	 */
 	'account_manager.default_property_scope' => [],
 
+	/**
+	 * Set a maximum allowed visibility scope for individual account properties.
+	 * Users cannot set a property to a scope more visible than the configured
+	 * ceiling, neither through the UI nor the API.
+	 *
+	 * Valid property names and scope values are defined in
+	 * ``OCP\Accounts\IAccountManager``.
+	 *
+	 * Example: Prevent users from making their email or website visible beyond
+	 * the local instance:
+	 * ``[
+	 *     \OCP\Accounts\IAccountManager::PROPERTY_EMAIL   => \OCP\Accounts\IAccountManager::SCOPE_LOCAL,
+	 *     \OCP\Accounts\IAccountManager::PROPERTY_WEBSITE => \OCP\Accounts\IAccountManager::SCOPE_LOCAL,
+	 * ]``
+	 *
+	 * WARNING: Restricting the scope of properties that are required for
+	 * federation (``displayname``, ``email``, ``avatar``, ``pronouns``) below
+	 * ``SCOPE_FEDERATED`` will break federated sharing and other cross-instance
+	 * features that depend on those fields being visible to trusted remote
+	 * servers.
+	 */
+	'account_manager.max_property_scope' => [],
+
 	/**
 	 * Enable the deprecated Projects feature, superseded by Related Resources since
 	 * Nextcloud 25.

dist/ActivityCommentAction-4Z_gsB_Z.chunk.mjs

@@ -0,0 +1,2 @@
+import{a as t}from"./index-C1xmmKTZ-BdqLiU2K.chunk.mjs";import{t as e}from"./translation-DoG5ZELJ-CPJIGC2H.chunk.mjs";import{C as m,a}from"./CommentView-bIFQcpqr.chunk.mjs";import{l as p}from"./activity-CS_yDSTQ.chunk.mjs";import{b as i,r as s,o as n,c,m as u}from"./preload-helper-CX9gtE7n.chunk.mjs";import{_ as l}from"./public-C1mLBHT3.chunk.mjs";import"./index-C6zIcU-d.chunk.mjs";import"./NcModal-kyWZ3UFC-CV6Hvf6d.chunk.mjs";import"./ArrowRight-JDdFcric.chunk.mjs";import"./Web-lLWc6zap.chunk.mjs";import"./index-CziSTDUD.chunk.mjs";import"./TrashCanOutline-B-GxU5E3.chunk.mjs";import"./mdi-BjKyjJ9m.chunk.mjs";import"./pinia-Bx2CoJV6.chunk.mjs";import"./PencilOutline-Bexowggr.chunk.mjs";/* empty css                                          */import"./NcAvatar-ruClKRzS-DbbQH8Qz.chunk.mjs";import"./index-BpWtOFbq.chunk.mjs";import"./util-BUyb4W9M.chunk.mjs";import"./colors-BfjxNgsx-CknPG731.chunk.mjs";import"./NcUserStatusIcon-JWiuiAXe-FPvdKWWr.chunk.mjs";import"./NcDateTime.vue_vue_type_script_setup_true_lang-B4upiZjL-CDStkW4e.chunk.mjs";import"./NcUserBubble-BE6yD-R0-BI6ZwX-N.chunk.mjs";import"./GetComments-B2KQKdVF.chunk.mjs";import"./index-COu4RIcm.chunk.mjs";const d=i({components:{Comment:a},mixins:[m],props:{reloadCallback:{type:Function,required:!0}},methods:{onNewComment(){try{this.reloadCallback()}catch(o){t(e("comments","Could not reload comments")),p.error("Could not reload comments",{error:o})}}}});function C(o,f,y,w,D,N){const r=s("Comment");return n(),c(r,u(o.editorData,{autoComplete:o.autoComplete,resourceType:o.resourceType,editor:!0,userData:o.userData,resourceId:o.resourceId,class:"comments-action",onNew:o.onNewComment}),null,16,["autoComplete","resourceType","userData","resourceId","onNew"])}const R=l(d,[["render",C],["__scopeId","data-v-29a1e244"]]);export{R as default};
+//# sourceMappingURL=ActivityCommentAction-CaBMEWuf.chunk.mjs.map

dist/ActivityCommentAction-CaBMEWuf.chunk.mjs

@@ -0,0 +1,2 @@
+import{t as s}from"./translation-DoG5ZELJ-CPJIGC2H.chunk.mjs";import{C as p,a}from"./CommentView-bIFQcpqr.chunk.mjs";import{_ as i}from"./public-C1mLBHT3.chunk.mjs";import{r as n,o as c,c as u,m as l}from"./preload-helper-CX9gtE7n.chunk.mjs";import"./index-CziSTDUD.chunk.mjs";import"./pinia-Bx2CoJV6.chunk.mjs";import"./PencilOutline-Bexowggr.chunk.mjs";import"./ArrowRight-JDdFcric.chunk.mjs";import"./Web-lLWc6zap.chunk.mjs";import"./NcModal-kyWZ3UFC-CV6Hvf6d.chunk.mjs";/* empty css                                          */import"./NcAvatar-ruClKRzS-DbbQH8Qz.chunk.mjs";import"./index-BpWtOFbq.chunk.mjs";import"./util-BUyb4W9M.chunk.mjs";import"./colors-BfjxNgsx-CknPG731.chunk.mjs";import"./NcUserStatusIcon-JWiuiAXe-FPvdKWWr.chunk.mjs";import"./NcDateTime.vue_vue_type_script_setup_true_lang-B4upiZjL-CDStkW4e.chunk.mjs";import"./TrashCanOutline-B-GxU5E3.chunk.mjs";import"./NcUserBubble-BE6yD-R0-BI6ZwX-N.chunk.mjs";import"./index-C1xmmKTZ-BdqLiU2K.chunk.mjs";import"./index-C6zIcU-d.chunk.mjs";import"./mdi-BjKyjJ9m.chunk.mjs";import"./activity-CS_yDSTQ.chunk.mjs";import"./GetComments-B2KQKdVF.chunk.mjs";import"./index-COu4RIcm.chunk.mjs";const d={name:"ActivityCommentEntry",components:{Comment:a},mixins:[p],props:{comment:{type:Object,required:!0},reloadCallback:{type:Function,required:!0}},data(){return{commentMessage:""}},watch:{comment(){this.commentMessage=this.comment.props.message}},mounted(){this.commentMessage=this.comment.props.message},methods:{t:s}};function g(t,o,e,f,m,C){const r=n("Comment");return c(),u(r,l({ref:"comment",tag:"li"},e.comment.props,{autoComplete:t.autoComplete,resourceType:t.resourceType,message:m.commentMessage,resourceId:t.resourceId,userData:t.genMentionsData(e.comment.props.mentions),class:"comments-activity",onDelete:o[0]||(o[0]=y=>e.reloadCallback())}),null,16,["autoComplete","resourceType","message","resourceId","userData"])}const P=i(d,[["render",g],["__scopeId","data-v-afc310f1"]]);export{P as default};
+//# sourceMappingURL=ActivityCommentEntry-B_giHO2y.chunk.mjs.map