Moodle

Force login for images as config or detailed setting please

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: 1.6.2
  • Fix Version/s: None
  • Component/s: General
  • Labels: None
  • Database: Any
  • Affected Branches: MOODLE_16_STABLE

Description

It has been noted for some time that it is possible to see user pix even when not logged in.
http://moodle.org/mod/forum/discuss.php?d=18587
I thought that this was a security hole but apparently it is deliberate (see above thread).

However in some countries, at least Japan, people own the rights to their own image, and the freedom of information act proscribes the distribution of any information which allows the identification of the individual. The fact that a person looking like this
http://moodle.org/user/pix.php/1/f1.jpg
for instance is at a particular institution, learning xyz, is in Japan a breach of legal rights, I believe.

Photos are considered as private and personal as name or profiles so the image equivalent of
$CFG->forceloginforprofiles
perhaps
$CFG->forceloginforimages
would be greatly appreciated.

Please see also this thread in Japanese
http://moodle.org/mod/forum/discuss.php?d=56692

Activity

Petr Škoda (skodak) added a comment -

The problem is that a simple require_login() cannot be used in user/pix.php because it does not use cookies. This means that it cannot be controlled from config.php without breaking the client-side caching.

IMHO people should not be putting their images into avatars if they do not want them "distributed" - this is usually handled by site policy or you can disable avatars completely - $CFG->disableuserimages = true.

If you want to patch your site, remove $nomoodlecookie = true;
and add require_login(); after require_once('../config.php');

I am proposing to close this as will not be fixed.

Mitsuhiro Yoshida added a comment -

Petr,

Thank you for a really good suggestion!

Timothy Takemoto added a comment -

Thanks again for your rapid and kind response.

The guy that posted the bug on the Japanese forums patched his moodle as you suggested.

If it is only a question of making things a bit slower requiring the downloading of profile images each time, then I guess a configuration variable might still be nice.

Alternatively perhaps one might give images a random URL like mixi
http://img.mixi.jp/photo/member/29/73/502973_1362135142.jpg
images so at least they can't be guessed -
http://moodle.org/user/pix.php/1/f1.jpg
http://moodle.org/user/pix.php/2/f1.jpg
http://moodle.org/user/pix.php/3/f1.jpg
http://moodle.org/user/pix.php/14/f1.jpg
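
The unguessable-URL idea from the comment above, sketched as an added example (not Moodle code and not written by any commenter): the path carries an HMAC of the user id, so sequential URLs such as `/user/pix.php/14/f1.jpg` stop resolving. The function names, the URL layout with a token segment, and the secret are all assumptions. This only stops enumeration; anyone who holds a valid link can still fetch the image without logging in.

```php
<?php
// Added illustration only. Every name here is hypothetical, not a Moodle API.

// Constructed sample secret. A real site would generate one with
// random_bytes(32) and keep it outside the web root.
const IMAGE_URL_SECRET = 'constructed-example-secret-do-not-reuse';

// Derive the unguessable path segment for one user's picture.
function image_token(int $userid, string $secret = IMAGE_URL_SECRET): string {
    // The HMAC binds the token to the user id, so a token copied from one
    // user's URL is useless for another id. 32 hex chars = 128 bits.
    return substr(hash_hmac('sha256', 'userpix:' . $userid, $secret), 0, 32);
}

// Build /user/pix.php/<id>/<token>/f1.jpg (assumed layout).
function image_url(int $userid): string {
    return sprintf('/user/pix.php/%d/%s/f1.jpg', $userid, image_token($userid));
}

// Return the user id if the path carries a valid token, otherwise null.
function authorize_image_path(string $path): ?int {
    $pattern = '#^/user/pix\.php/(\d{1,10})/([0-9a-f]{32})/f1\.jpg$#';
    if (!preg_match($pattern, $path, $m)) {
        return null; // old-style sequential URLs have no token segment
    }
    $userid = (int) $m[1];
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed token were right.
    return hash_equals(image_token($userid), $m[2]) ? $userid : null;
}

// Demonstration on constructed paths.
$valid  = image_url(14);
$legacy = '/user/pix.php/14/f1.jpg';
// Token for user 13 placed under user 14's id: must be rejected.
$mixed  = '/user/pix.php/14/' . image_token(13) . '/f1.jpg';

foreach ([$valid, $legacy, $mixed] as $path) {
    $result = authorize_image_path($path);
    echo $path, ' => ', $result === null ? 'rejected' : "serve user $result", "\n";
}
```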

Michael de Raadt added a comment -

Thanks for reporting this issue.

We have detected that this issue has been inactive for over a year and has been recorded as affecting versions that are no longer supported.

If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.

Michael d;

Michael de Raadt added a comment -

I'm closing this issue as it has become inactive and does not appear to affect a current supported version. If you are encountering this problem or one similar, please launch a new issue.
