Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 1.6.2
Fix Version/s: None
Component/s: General
Labels: None
Database: Any
Affected Branches: MOODLE_16_STABLE
Description
It has been noted for some time that it is possible to see user pix even when not logged in.
http://moodle.org/mod/forum/discuss.php?d=18587
I thought that this was a security hole but apparently it is deliberate (see above thread).
However in some countries, at least Japan, people own the rights to their own image, and the freedom of information act proscribes the distribution of any information which allows the identification of the individual. The fact that a person looking like this
http://moodle.org/user/pix.php/1/f1.jpg
for instance is at a particular institution, learning xyz, is in Japan a breach of legal rights, I believe.
Photos are considered as private and personal as name or profiles so the image equivalent of
$CFG->forceloginforprofiles
perhaps
$CFG->forceloginforimages
would be greatly appreciated.
Please see also this thread in Japanese
http://moodle.org/mod/forum/discuss.php?d=56692
The problem is that a simple require_login() cannot be used in user/pix.php because it does not use cookies. This means that it cannot be controlled from config.php without breaking client-side caching.
IMHO people should not be putting their images into avatars if they do not want them "distributed" - this is usually handled by site policy or you can disable avatars completely - $CFG->disableuserimages = true.
If you want to patch your site, remove $nomoodlecookie = true;
and add require_login(); after require_once('../config.php');
I am proposing to close this as will not be fixed.
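
A check a site administrator could run after applying the patch described above, as an added example (not part of the tracker discussion and not Moodle code): it requests a picture URL without cookies, does not follow redirects, and reports whether an image still comes back. The function names, the `moodle.example` host and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request

JPEG_MAGIC = b"\xff\xd8\xff"  # leading bytes of every JPEG file


def classify(status, content_type, body_prefix):
    """Return 'image-served' if the response carries an image, else 'not-served'.

    A placeholder avatar also counts as 'image-served'; compare bytes with the
    real picture if that distinction matters on your site.
    """
    is_image_type = content_type.lower().startswith("image/")
    is_jpeg = body_prefix.startswith(JPEG_MAGIC)
    if status == 200 and (is_image_type or is_jpeg):
        return "image-served"
    return "not-served"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first response so a redirect to a login page stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def probe(url, timeout=10):
    """Fetch url with no cookies (urllib sends none by default) and classify it."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return classify(resp.status, ctype, resp.read(16))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""), b"")


# Constructed sample responses: (status, Content-Type, first body bytes)
SAMPLES = {
    "unpatched": (200, "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    "redirect-to-login": (303, "text/html", b""),
    "login-page-as-200": (200, "text/html; charset=utf-8", b"<!DOCTYPE html>"),
}


def classify_samples():
    return {name: classify(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    print(classify_samples())
    # On your own site: probe("https://moodle.example/user/pix.php/1/f1.jpg")
```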