[Bug]: Different user's CardDAV contacts appear in address book

[wilhelmy]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

I made a second account for someone else on my nextcloud instance, now they have my contacts in their address book. This was never explicitly enabled. I tried upgrading my nextcloud instance to the latest stable release but the problem persists.

Steps to reproduce

1. Create two accounts
2. Put contacts in one account
3. Watch them appear in the other account's address book

Expected behavior

I would expect that other users cannot see my contacts without explicitly enabling access rights for them.

Nextcloud Server version

31

Operating system

Other

PHP engine version

PHP 8.3

Web server

Nginx

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.barfooze.de",
            "regenwetter.phaer.org"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.2.1",
        "overwrite.cli.url": "https:\/\/nextcloud.barfooze.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "htaccess.RewriteBase": "\/",
        "maintenance": false,
        "loglevel": 0,
        "mysql.utf8mb4": true,
        "theme": "",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "app_install_overwrite": [
            "calendar",
            "social"
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable",
        "has_rebuilt_cache": true,
        "encryption.legacy_format_support": false,
        "encryption.key_storage_migrated": false
    }
}

List of activated Apps

Enabled:                                                                                                                                                                                                                  [3/693]
  - activity: 4.0.0             
  - app_api: 5.0.2   
  - audioplayer: 3.4.1                      
  - bruteforcesettings: 4.0.0                  
  - calendar: 5.2.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.0.4
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notes: 4.11.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - spreed: 21.0.1
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - carnet: 0.25.6 (installed 0.25.6)
  - encryption: 2.19.0 (installed 2.2.0)
  - files_markdown: 2.4.1 (installed 2.4.1)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - music: 2.1.1 (installed 2.1.1)
  - socialsharing_email: 3.3.0 (installed 3.3.0)
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - user_ldap: 1.22.0
  - video_converter: 1.0.6 (installed 1.0.6)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

Additional info

No response

[kesselb]

Thanks for reaching out.

Could you please clarify whether this is about a contact you manually created in your address book or about the automatically generated contacts for each user on the instance (system address book)?

[wilhelmy]

This is about my private contacts. The system address book also showed up, but disappeared again after my update. I hoped that my private contacts would disappear too, but they're still there, so that must be a different issue.

[kesselb]

I recall similar reports where too aggressive caching could lead to such a state.

[SebastianKrupinski]

@wilhelmy I tested this on my dev system, but could not reproduce your issue.

If you use two different browsers and log in to both accounts, one on each browser does this still happen?

[wilhelmy]

I recall similar reports where too aggressive caching could lead to such a state.

What kind of caching would that be? I have a standard setup with nginx as httpd and php-fpm. I don't recall changing any caching settings.

[kesselb]

What kind of caching would that be?

For example #40863

The addressbooks are stored in oc_addressbooks and the contacts in oc_cards. I suggest to check if those are really the same contacts or a copy of it to narrow down the problem. Shares for addressbooks are stored in oc_dav_shares (type = addressbook, resourceid = the id from oc_addressbooks).