Improvement
Resolution: Fixed
Minor
4.5
MOODLE_405_STABLE
MOODLE_405_STABLE
MDL-82532-main
This improvement proposes a new system-level capability, moodle/user:viewprofilepics.
By default the capability is granted to the user archetype, so everyone logged in has it.
If you don't have this capability then anywhere user profile pictures are displayed, the system will behave as if the user has not set a profile picture (usually, showing the default person icon). Additionally, you will not be able to download the profile picture if you use the direct pluginfile.php URL.
The reason we would like this capability is that we wish to prevent prisoners (i.e. students who are serving a prison sentence) from seeing pictures of the other students and staff. We already apply lots of restrictions to prisoners; this would be an additional one. The theory is that if a student uploads their picture, it's reasonable for them to expect that we will show it to other students, but maybe not if that other student is 'Knuckles' McGinty.
Similar situations might occasionally arise at other institutions.
Technical detail
The capability is checked at system level. It would be nice to check it at user level but our use case doesn't require it and that has a big performance cost because pages which show lots of user images would have to load the context for each user. It would be complicated to make a way to add this to existing queries to avoid a performance cost (not to mention that we can't do that within third-party plugin code). This could be changed in another MDL if later required.
The capability only works if either $CFG->forcelogin (forces login for everything including profile pics) or $CFG->forceloginforprofileimage (forces login just for profile pics) is turned on. If not, it does nothing. The reason for this is that there is no point preventing access to profile images if you can see them just by logging out, and I didn't want the system to mislead people that it was working because they don't appear in the UI for a test user when they are still downloadable by that user if the user logs out.
Note the way forcelogin / forceloginforprofileimage work seems insane but is a big can of worms, see MDL-48245, so I don't want to change it.
Current logic
These are the current rules for whether a user is allowed to view a profile image:
Force login | Logged in as user | Logged in as guest | Not logged in |
---|---|---|---|
None | | | |
forcelogin only | | | |
forceloginforprofileimage only | | | |
both | | | |
New logic
The 'cap' is moodle/user:viewprofilepics, which by default is present on the user and guest roles (so the default behaviour is the same as above).
Force login | Logged in as user | Logged in as guest | Not logged in |
---|---|---|---|
None | | | |
forcelogin only | Requires cap | Requires cap | |
forceloginforprofileimage only | Requires cap | | |
both | Requires cap | | |
Viewing your own picture
In the 'Requires cap' cells of the table above, you are allowed to view your own user picture even if you don't have the capability. (The rationale is that if users can upload a picture they should be able to see it, and it helps show if you're logged in.)
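The 'New logic' table and the own-picture exception can be modelled as a single decision function, which is handy for enumerating test cases for a restricted role. This is an added illustration, not Moodle's code or the patch for this issue: the names are hypothetical, and the cells that are not 'Requires cap' are filled in on the assumption that either forced-login setting denies anonymous requests and that forceloginforprofileimage also denies the guest account.

```python
from enum import Enum


class Viewer(Enum):
    USER = "logged in as user"
    GUEST = "logged in as guest"
    ANONYMOUS = "not logged in"


# (row label, forcelogin, forceloginforprofileimage), in the table's row order.
SETTINGS = [
    ("None", False, False),
    ("forcelogin only", True, False),
    ("forceloginforprofileimage only", False, True),
    ("both", True, True),
]


def can_view_profile_pic(viewer, *, forcelogin, forceloginforprofileimage,
                         has_cap, own_picture=False):
    """True if the real picture is served, False if the default icon is shown."""
    # Neither setting on: the capability does nothing, because anyone could
    # fetch the picture simply by logging out.
    if not (forcelogin or forceloginforprofileimage):
        return True
    # Assumption: either setting forces login, so anonymous requests are denied.
    if viewer is Viewer.ANONYMOUS:
        return False
    # Assumption: forceloginforprofileimage also shuts out the guest account.
    if viewer is Viewer.GUEST and forceloginforprofileimage:
        return False
    # What remains are the 'Requires cap' cells; your own picture is exempt.
    return has_cap or own_picture


def matrix(has_cap):
    """Decision per table row, columns in Viewer order (user, guest, anonymous)."""
    return {
        label: [can_view_profile_pic(v, forcelogin=fl,
                                     forceloginforprofileimage=flpi,
                                     has_cap=has_cap) for v in Viewer]
        for label, fl, flpi in SETTINGS
    }


if __name__ == "__main__":
    # A role with the capability removed (the restricted-student case).
    for label, row in matrix(has_cap=False).items():
        print(f"{label:32}", row)
```

The first row of the output for a role without the capability is all True, which is the misconfiguration the description warns about: removing the capability has no effect until one of the two settings is enabled.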