Honor avatar visibility settings by rullzer · Pull Request #17715 · nextcloud/server

rullzer · 2019-10-28T12:50:26Z

Fixes #5456
Only when an avatar is set to public should we show it to the public.
For now this has an open question as to how to solve federated avatars.
But I assume a dedicated paramter or endpooint would make sense there.

Todo:

Fix tests (most likely)
Think about federated avatars

Fixes #5456 Only when an avatar is set to public should we show it to the public. For now this has an open question as to how to solve federated avatars. But I assume a dedicated paramter or endpooint would make sense there. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

…atar_privacy

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

rullzer · 2019-11-13T19:44:08Z

For federated avatars we need a new endpoint anyways to verify their token etc. Lets leave that till later.

rullzer · 2019-11-13T19:45:18Z

To test. Set your avatar level in the personal settings.
And request the avatar. Depending how it is set you should see it or get a 404.

skjnldsv

Works!

ChristophWurst

Code looks good!

rullzer · 2019-11-14T09:23:26Z

@nickvergessen you first wanted to test something right?

nickvergessen · 2019-12-04T08:28:28Z

The Contacts level does not work. Should we just remove it? Since we don't send any referrers, we can not know if the image was requested by a remote instance in the allowed space. Or are avatars uploaded to the lookup server?

skjnldsv · 2019-12-04T08:32:12Z

I have no clue what that means Joas!
I'll follow you to what you think is best

rullzer · 2019-12-04T08:46:59Z

The Contacts level does not work. Should we just remove it? Since we don't send any referrers, we can not know if the image was requested by a remote instance in the allowed space. Or are avatars uploaded to the lookup server?

We should fix it. I'd leave it for now. And see if we can come up with and endpoint to request remote avatars where you send your share token for example.

nickvergessen · 2019-12-04T09:28:30Z

Okay, then lets merge

tobiasKaminsky · 2019-12-04T09:41:14Z

Damn, I saw this too late.
@rullzer this will break our clients as they assume that we get an image back.
Returning something else was previously also the case (then you got the userId back).

Can we adjust this to show the generic colored round avatar with first char in it?

rullzer · 2019-12-04T10:28:04Z

@tobiasKaminsky no it won't. As long as you send your credentials you should get back the image.

tobiasKaminsky · 2019-12-04T10:41:49Z

Clients also use https:///nextcloud/index.php/avatar/USER/ this to get avatars from other users (on the same instance [currently no federation]) when we do a search, or show it in file list if file was shared by an user.

rullzer · 2019-12-04T10:48:04Z

Clients also use https:///nextcloud/index.php/avatar/USER/ this to get avatars from other users (on the same instance [currently no federation]) when we do a search, or show it in file list if file was shared by an user.

yes I know. But read the code.

https://github.com/nextcloud/server/pull/17715/files#diff-17d17c6a954f29c12717db921f235531R134-R137

If the avatar is not public. And you do an anonymous request we return the 404.
So as long as you authenticated request your avatars all is fine.

tobiasKaminsky · 2019-12-04T10:51:21Z

True, stupid from me, I read only have of the code :-(
Sorry for the noise

rullzer added bug 2. developing Work in progress labels Oct 28, 2019

rullzer added this to the Nextcloud 18 milestone Oct 28, 2019

rullzer added 2 commits November 13, 2019 20:30

Merge remote-tracking branch 'origin/master' into fix/5456/respect_av…

4fcba8a

…atar_privacy

Update tests

54eb27d

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

rullzer added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Nov 13, 2019

rullzer requested review from ChristophWurst, juliusknorr, nickvergessen and skjnldsv November 13, 2019 19:44

skjnldsv approved these changes Nov 14, 2019

View reviewed changes

ChristophWurst approved these changes Nov 14, 2019

View reviewed changes

skjnldsv added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Nov 14, 2019

rullzer added 3. to review Waiting for reviews and removed 4. to release Ready to be released and/or waiting for tests to finish labels Nov 14, 2019

nickvergessen merged commit 738e6bf into master Dec 4, 2019

nickvergessen deleted the fix/5456/respect_avatar_privacy branch December 4, 2019 09:28

Zocker1999NET mentioned this pull request Jun 6, 2021

Privacy: Avatar public available #5456

Closed

Uh oh!

Conversation

rullzer commented Oct 28, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rullzer commented Nov 13, 2019

Uh oh!

rullzer commented Nov 13, 2019

Uh oh!

skjnldsv left a comment

Choose a reason for hiding this comment

Uh oh!

ChristophWurst left a comment

Choose a reason for hiding this comment

Uh oh!

rullzer commented Nov 14, 2019

Uh oh!

nickvergessen commented Dec 4, 2019

Uh oh!

skjnldsv commented Dec 4, 2019

Uh oh!

rullzer commented Dec 4, 2019

Uh oh!

nickvergessen commented Dec 4, 2019

Uh oh!

tobiasKaminsky commented Dec 4, 2019

Uh oh!

rullzer commented Dec 4, 2019

Uh oh!

tobiasKaminsky commented Dec 4, 2019

Uh oh!

rullzer commented Dec 4, 2019

Uh oh!

tobiasKaminsky commented Dec 4, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

rullzer commented Oct 28, 2019 •

edited

Loading