Key: MDL-7094
Type: Bug
Status: Open
Priority: Major
Assignee: Martin Dougiamas
Reporter: Timothy Takemoto
Votes: 2
Watchers: 1
Moodle

Force login for images as config or detailed setting please

Created: 19/Oct/06 01:24 PM   Updated: 13/Mar/07 12:50 PM
Component/s: General
Affects Version/s: 1.6.2
Fix Version/s: None

Database: Any
Participants: Martin Dougiamas, Mitsuhiro Yoshida, Petr Skoda and Timothy Takemoto
Security Level: None
Affected Branches: MOODLE_16_STABLE


Description
It has been noted for some time that it is possible to see user pix even when not logged in.
http://moodle.org/mod/forum/discuss.php?d=18587
I thought that this was a security hole but apparently it is deliberate (see above thread).

However in some countries, at least Japan, people own the rights to their own image, and the freedom of information act proscribes the distribution of any information which allows the identification of the individual. The fact that a person looking like this
http://moodle.org/user/pix.php/1/f1.jpg
for instance is at a particular institution, learning xyz, is in Japan a breach of legal rights, I believe.

Photos are considered as private and personal as name or profiles so the image equivalent of
$CFG->forceloginforprofiles
perhaps
$CFG->forceloginforimages
would be greatly appreciated.

Please see also this thread in Japanese
http://moodle.org/mod/forum/discuss.php?d=56692


Comments
Petr Skoda added a comment - 19/Oct/06 04:49 PM
The problem is that a simple require_login() cannot be used in user/pix.php because it does not use cookies. This means that it cannot be controlled from config.php without breaking the client-side caching.

IMHO people should not be putting their images into avatars if they do not want them "distributed" - this is usually handled by site policy or you can disable avatars completely - $CFG->disableuserimages = true.

If you want to patch your site, remove $nomoodlecookie = true;
and add require_login(); after require_once('../config.php');

I am proposing to close this as will not be fixed.


Mitsuhiro Yoshida added a comment - 19/Oct/06 07:15 PM
Petr,

Thank you for a really good suggestion!


Timothy Takemoto added a comment - 19/Oct/06 07:29 PM
Thanks again for your rapid and kind response.

The guy that posted the bug on the Japanese forums patched his Moodle as you suggested.

If it is only a question of making things a bit slower requiring the downloading of profile images each time, then I guess a configuration variable might still be nice.

Alternatively perhaps one might give images a random URL like mixi
http://img.mixi.jp/photo/member/29/73/502973_1362135142.jpg
images so at least they can't be guessed -
http://moodle.org/user/pix.php/1/f1.jpg
http://moodle.org/user/pix.php/2/f1.jpg
http://moodle.org/user/pix.php/3/f1.jpg
http://moodle.org/user/pix.php/14/f1.jpg
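
The "random URL" idea from the last comment, sketched as an added example that is not part of the thread and is not Moodle code: the picture path carries an HMAC token bound to the user id, so sequential ids can no longer be walked, and the check needs no session cookie, so client-side caching keeps working. The function names, the secret, the revision counter and the URL layout are all assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical names throughout, not Moodle's API.

// Server-side secret (constructed value; a real site would generate one and keep it in its config).
const PIX_URL_SECRET = 'constructed-demo-secret';

// Derive the unguessable path component for one user's picture.
// $revision is bumped whenever the picture is replaced, which retires old URLs.
function pix_token(int $userid, int $revision): string {
    $mac = hash_hmac('sha256', "pix:$userid:$revision", PIX_URL_SECRET);
    return substr($mac, 0, 32); // first 128 bits of the MAC, hex-encoded
}

// URL that pages rendered for logged-in users would embed.
function pix_url(string $wwwroot, int $userid, int $revision): string {
    return sprintf('%s/user/pix.php/%d/%d/%s/f1.jpg',
                   $wwwroot, $userid, $revision, pix_token($userid, $revision));
}

// Validate the path info of a request. Returns the user id, or null to refuse.
function pix_check(string $pathinfo, int $currentrevision): ?int {
    if (!preg_match('#^/(\d+)/(\d+)/([0-9a-f]{32})/f1\.jpg$#', $pathinfo, $m)) {
        return null; // guessable /<id>/f1.jpg paths and malformed paths are refused
    }
    [$userid, $revision, $token] = [(int)$m[1], (int)$m[2], $m[3]];
    if ($revision !== $currentrevision) {
        return null; // URL points at a picture that has since been replaced
    }
    // Constant-time comparison of the expected and supplied token.
    return hash_equals(pix_token($userid, $revision), $token) ? $userid : null;
}

// Constructed sample requests.
$path = parse_url(pix_url('http://moodle.example', 14, 3), PHP_URL_PATH);
$good = substr($path, strlen('/user/pix.php'));      // "/14/3/<token>/f1.jpg"

var_dump(pix_check($good, 3));                       // valid token for user 14
var_dump(pix_check('/14/f1.jpg', 3));                // old sequential form
var_dump(pix_check('/15' . substr($good, 3), 3));    // user 14's token reused for user 15
var_dump(pix_check($good, 4));                       // picture replaced since the URL was issued
```

A URL of this kind works as a bearer capability: anyone who is shown or forwarded the link can still fetch the image, so it stops enumeration but is not a substitute for the require_login() patch described above.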