
Profile image accessibility should be configured only via forceloginforprofileimage


Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects versions: 2.7.3, 2.8.1
    • Fix version: None
    • Component: Files API
    • Affected branches: MOODLE_27_STABLE, MOODLE_28_STABLE
    • Pull branch: MDL-48245-master
    • Testing instructions:
      Background:
      1. Log in as a user
      2. Set a profile image for your user
      3. View your profile
      4. Copy the link to the profile image and open it in a new browser tab
      5. Open developer tools and disable caching in that tab

      The test
      1. For each line in the testing matrix, configure the security policies
      2. Paste in the link to the profile image (don't just refresh, because when you are denied access you are redirected and would be requesting the wrong image)
      3. Confirm whether the image you set or the stock image was displayed, and that the result matches the expected result in the testing matrix
      4. Confirm whether the caching matches the expected Cache-Control in the matrix
      5. Repeat the view check for each of Logged in, Logged in as guest, and Logged out

      The test matrix (rows are forceloginforprofileimage / forcelogin)
      Setting       | Logged in as a user | Logged in as Guest | Logged out | Cache-control: Public is present in the request header
      No / No       |                     |                    |            |
      No / Yes      |                     |                    |            |
      Yes / No      |                     |                    |            |
      Yes / Yes     |                     |                    |            |
      Default / No  |                     |                    |            |
      Default / Yes |                     |                    |            |

    Description

      While working on MDL-48023 it was discovered that the profile image is served to the user subject to the two constraints below:

      1. $CFG->forcelogin
      2. $CFG->forceloginforprofileimage

      The current code and the descriptions of the above settings do not match the expected behaviour, which is that only $CFG->forceloginforprofileimage should prevent public access to the user icon.

      This is a bug with respect to those descriptions and, moreover, the current code makes it impossible to give profile images "public" access, for the reasons already given in MDL-48023 and in https://moodle.org/mod/forum/discuss.php?d=274619#p1180502.
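      The two constraints and their caching consequence, modelled as an added example that is not Moodle's code: `decoupled=False` reproduces the reported behaviour (both settings gate the picture), `decoupled=True` the requested one. The viewer labels, the treatment of guest sessions, the `decoupled` switch and the value taken for the matrix's "Default" rows are assumptions of the model.

```python
"""Model of the profile-image gating discussed in MDL-48245. Added illustration,
not Moodle code: decoupled=False reproduces the reported behaviour (both
$CFG->forcelogin and $CFG->forceloginforprofileimage hide the picture),
decoupled=True the requested one (only forceloginforprofileimage does)."""
from dataclasses import dataclass

DEFAULT_FORCELOGINFORPROFILEIMAGE = False  # assumption for the matrix's 'Default' rows
VIEWERS = ("logged_in", "guest", "logged_out")
# Rows as in the issue's matrix: forceloginforprofileimage / forcelogin.
MATRIX_ROWS = [("No", "No"), ("No", "Yes"), ("Yes", "No"), ("Yes", "Yes"),
               ("Default", "No"), ("Default", "Yes")]


@dataclass(frozen=True)
class Decision:
    image: str          # "user" = uploaded picture, "stock" = default icon
    cache_public: bool  # may the response carry Cache-Control: public?


def serve(viewer, forcelogin, forceloginforprofileimage, decoupled):
    """Decide what a viewer receives and whether a shared cache may keep it.

    The response is only safe to mark public when every viewer, anonymous ones
    included, would receive the same bytes; otherwise a shared cache could hand
    the real picture to someone who should get the stock icon. Assumption: a
    guest session satisfies forcelogin but not forceloginforprofileimage.
    """
    gated = forceloginforprofileimage or (forcelogin and not decoupled)
    if forceloginforprofileimage:
        hidden = viewer != "logged_in"
    else:
        hidden = gated and viewer == "logged_out"
    return Decision("stock" if hidden else "user", cache_public=not gated)


def _flag(cell):
    return DEFAULT_FORCELOGINFORPROFILEIMAGE if cell == "Default" else cell == "Yes"


def run_matrix(decoupled):
    """Fill the test matrix: row -> {viewer: Decision}."""
    return {row: {v: serve(v, _flag(row[1]), _flag(row[0]), decoupled) for v in VIEWERS}
            for row in MATRIX_ROWS}


def rows_changed_by_fix():
    """Rows whose outcome differs between the current and the requested behaviour."""
    current, wanted = run_matrix(False), run_matrix(True)
    return [row for row in MATRIX_ROWS if current[row] != wanted[row]]
```

      Only the rows with forcelogin set and forceloginforprofileimage off change: there the anonymous viewer regains the real picture and the response can again be marked public.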

      People

        Assignee: Unassigned
        Reporter: Matteo Scaramuccia
        Participants: Matteo Scaramuccia, David Woloszyn, Huong Nguyen, Jake Dallimore, Michael Hawkins, Stevani Andolo
        Votes: 9
        Watchers: 14