
Profile image accessibility should be configured only via forceloginforprofileimage


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.7.3, 2.8.1
    • Fix Version/s: None
    • Component/s: Files API
    • Labels:
    • Testing Instructions:
      Background:
      1. Login as a user
      2. Set a profile image for your user
      3. View your profile
      4. Copy the link to the profile image and open it in a new browser tab
      5. Open developer tools and disable caching in that tab
      The test
      1. For each line in the test matrix, configure the security policies.
      2. Paste in the link to the profile image (don't just refresh, because when you are denied access you are redirected and would then be requesting the wrong image).
      3. Confirm whether the image you set or the stock image was displayed, and that the result matches the expected result in the test matrix.
      4. Confirm whether the caching matches the expected cache-control in the matrix.
      5. Repeat the view check for each of: logged in, logged in as guest, and logged out.
      The test matrix
      forceloginforprofileimage / forcelogin | Logged in as a user | Logged in as Guest | Logged out | Cache-control: Public is present in the request header
      No / No                                |                     |                    |            |
      No / Yes                               |                     |                    |            |
      Yes / No                               |                     |                    |            |
      Yes / Yes                              |                     |                    |            |
      Default / No                           |                     |                    |            |
      Default / Yes                          |                     |                    |            |
    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_28_STABLE
    • Pull Master Branch:
      MDL-48245-master

      Description

      While working on MDL-48023 it was discovered that the profile image is served to the user subject to the two constraints below:

      1. $CFG->forcelogin
      2. $CFG->forceloginforprofileimage

      The current code and the descriptions of the above settings do not match the expected behaviour, which is that only $CFG->forceloginforprofileimage should prevent public access to the user icon.

      This is a bug with respect to those descriptions and, moreover, the current code makes it impossible to give profile images "public" access, for the reasons already given in MDL-48023 and in https://moodle.org/mod/forum/discuss.php?d=274619#p1180502.

      People

      Assignee: Unassigned
      Reporter: Matteo Scaramuccia
      Component watchers: Matteo Scaramuccia, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
      Votes: 6
      Watchers: 11