  1. Moodle
  2. MDL-82532

Profile: Capability to allow/prevent view of profile images


    • MOODLE_405_STABLE
    • MOODLE_405_STABLE
    • MDL-82532-main

      Note: It may be easier to carry out these test steps using two different browsers (or similar) so that you can keep one logged in as 'admin' and use the other to log into user accounts.

      1. Go to site administration and search 'forcelogin'. There should be 3 results.
      2. Change the settings if necessary to match the defaults - forceloginforprofiles should be turned on, the other two should be off. If anything changed, press Save changes.
      3. You will need two test accounts that you can log into, so create two new accounts via Site administration / Users / Accounts / Add a new user:
        • Set the username to pictest1 (the first user) or pictest2.
        • Set the password to anything suitable so you can log in later.
        • Set the first name to Pic test and the last name to either 1 or 2.
        • Set the email address to something suitable, e.g. pictest1@email.invalid.
        • Drag and drop an image (different for each user) to the New picture file area underneath the User picture heading.
        • Press Create user.
      4. Create a new role using Site administration / Users / Permissions / Define roles screen:
        • Click Add a new role button.
        • Leave archetype at No role and click Continue.
        • In the form, set short name and full name to dangerous.
        • In the Context types where this role may be assigned setting, tick the box for System context type.
        • Press Show advanced if necessary to see the 'Prohibit' options.
        • Find the moodle/user:viewprofilepictures capability and set this to Prohibit.
        • Press Create this role button.
      5. Assign the role to pictest2 using Site administration / Users / Permissions / Assign system roles screen:
        • Choose the dangerous role.
        • Type pictest2 in the right-hand search box, select the user when they appear in the right-hand box, and click Add.
      6. Go to a test course and enrol both users as students.
      7. Create a forum on the test course.
      8. Log in as pictest1 and post a discussion in the forum.
      9. Log in as pictest2 and post a discussion in the forum.
        • EXPECTED: User pictest2 can see the two different user pictures against their own discussion and against user pictest1's discussion.
      10. By right-clicking and choosing Copy image link or similar (name varies slightly depending on browser), copy the URL of pictest1's user picture. Open a new browser tab, paste in the URL and check it loads correctly. Keep the tab open for later.
      11. Back as admin, go into Site administration and search forcelogin again. This time, enable the forceloginforprofileimage setting and press Save changes.
      12. Back as pictest2, reload the forum page.
        • EXPECTED: You should see pictest2's profile image next to their discussion, but pictest1's profile image should now display as the default picture.
      13. Still as pictest2, go to the tab with pictest1's user image. Copy the URL and paste it into a new tab (this is so you still have the original URL in the other tab). Hit return to load the picture. If it still shows the user image, hold down Shift (to skip browser cache) and press Reload.
        • EXPECTED: The image now redirects to the default picture.
      14. Back as admin, turn off forceloginforprofileimage setting and turn on forcelogin, then press Save changes.
      15. Repeat the above tests 12 and 13. Results should be the same (except that it won't have the image in cache so you won't need to reload on step 13).
      16. Now log in as pictest1 (who doesn't have the 'dangerous' role) and therefore gets default behaviour.
      17. Go to the forum page.
        • EXPECTED: Both profile pictures display.

      This improvement proposes a new system-level capability

      moodle/user:viewprofilepics

      By default the capability is granted to the user archetype, so everyone logged in has it.

      If you don't have this capability then anywhere user profile pictures are displayed, the system will behave as if the user has not set a profile picture (usually, showing the default person icon). Additionally, you will not be able to download the profile picture if you use the direct pluginfile.php URL.

      The reason we would like this capability is that we wish to prevent prisoners (i.e. students who are serving a prison sentence) from seeing pictures of the other students and staff. We already apply lots of restrictions to prisoners, this would be an additional one. The theory is that if a student uploads their picture, it's reasonable for them to expect that we will show it to other students, but maybe not if that other student is 'Knuckles' McGinty.

      Similar situations might occasionally arise at other institutions.

      Technical detail

      The capability is checked at system level. It would be nice to check it at user level but our use case doesn't require it and that has a big performance cost because pages which show lots of user images would have to load the context for each user. It would be complicated to make a way to add this to existing queries to avoid a performance cost (not to mention that we can't do that within third-party plugin code). This could be changed in another MDL if later required.

      The capability only works if either $CFG->forcelogin (forces login for everything including profile pics) or $CFG->forceloginforprofileimage (forces login just for profile pics) are turned on. If not, it does nothing. The reason for this is that there is no point preventing access to profile images if you can see them just by logging out, and I didn't want the system to mislead people that it was working because they don't appear in the UI for a test user when they are still downloadable by that user if the user logs out.

      Note the way forcelogin / forceloginforprofileimage work seems insane but is a big can of worms, see MDL-48245, so I don't want to change it.

      Current logic

      These are the current rules for if a user is allowed to view a profile image:

      Force login Logged in as user Logged in as guest Not logged in
      None
      forcelogin only
      forceloginforprofileimage only
      both

      New logic

      The 'cap' is moodle/user:viewprofilepics, which by default is present on user and guest role (so default behaviour is same as above)

      Force login Logged in as user Logged in as guest Not logged in
      None
      forcelogin only Requires cap Requires cap
      forceloginforprofileimage only Requires cap
      both Requires cap

      Viewing your own picture

      In the 'Requires cap' cells of the table above, you are allowed to view your own user picture even if you don't have the capability. (The rationale is that if users can upload a picture they should be able to see it, and it helps show if you're logged in.)
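      The rules described above, as an added Python model for checking a site configuration against the test steps; it is not Moodle's code and is not part of the original issue. It covers logged-in, non-guest viewers only, uses the capability name from the test steps, and the `role_permissions` mapping and all function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Capability name as written in the test steps on this page.
CAP = "moodle/user:viewprofilepictures"

@dataclass(frozen=True)
class SiteConfig:
    forcelogin: bool = False
    forceloginforprofileimage: bool = False

    @property
    def cap_enforced(self):
        # The capability is only honoured when one of the two settings is on.
        return self.forcelogin or self.forceloginforprofileimage

def can_view_picture(cfg, viewer, owner, has_cap):
    """Decision for a logged-in, non-guest viewer (guest/anonymous not modelled)."""
    if not cfg.cap_enforced:
        return True   # picture is reachable by logging out, so the cap does nothing
    if viewer == owner:
        return True   # your own picture is always shown
    return has_cap    # system-level capability decides

def audit(cfg, role_permissions):
    """Warn about roles whose Prohibit on CAP has no effect under this config.

    role_permissions maps a role short name to its permission for CAP
    (constructed structure, e.g. {"dangerous": "prohibit"}).
    """
    if cfg.cap_enforced:
        return []
    return [
        f"role '{role}' prohibits {CAP} but neither forcelogin nor "
        "forceloginforprofileimage is on: pictures stay visible"
        for role, perm in sorted(role_permissions.items())
        if perm == "prohibit"
    ]

def run_test_plan():
    """Replay viewer/owner pairs from the test steps (pictest2 holds Prohibit)."""
    defaults = SiteConfig()
    img_only = SiteConfig(forceloginforprofileimage=True)
    login_only = SiteConfig(forcelogin=True)
    return {
        "step9_defaults_p2_sees_p1": can_view_picture(defaults, "pictest2", "pictest1", False),
        "step12_imgonly_p2_sees_p1": can_view_picture(img_only, "pictest2", "pictest1", False),
        "step12_imgonly_p2_sees_self": can_view_picture(img_only, "pictest2", "pictest2", False),
        "step15_forcelogin_p2_sees_p1": can_view_picture(login_only, "pictest2", "pictest1", False),
        "step17_forcelogin_p1_sees_p2": can_view_picture(login_only, "pictest1", "pictest2", True),
    }
```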

            quen Sam Marshall
            quen Sam Marshall
            Katie Ransom Katie Ransom
            Jun Pataleta Jun Pataleta
            Ron Carl Alfon Yu Ron Carl Alfon Yu