
Ticket #65 (new bug)

Opened 11 months ago

Last modified 3 weeks ago

Hide non-public usernames and photos from public availability (route avatar pics through a rox application)

Reported by: steinwinde
Assigned to:
Priority: major
Milestone: unassigned
Component: BW General
Version: all
Keywords: security photo profile data username symlink
Cc:
Follow up needed: test
Frequently reported: 1
Announce on BW: 0

Description

Profile data such as usernames and member photos should only be available to non-logged-in users if the member has explicitly wished this. Right now, both are available to everybody. The existence of usernames can be checked by

http://www.bewelcome.org/myphotos.php?PictForMember=steinwinde

The URL for the photo from the private profile is returned. E.g.

http://www.bewelcome.org/memberphotos/steinwinde_1180302455.jpg

Change History

10/07/07 19:10:33 changed by matrixpoint

  • owner set to matrixpoint.

10/07/07 19:13:48 changed by matrixpoint

  • status changed from new to closed.
  • resolution set to fixed.

http://www.bewelcome.org/myphotos.php?PictForMember=steinwinde

will no longer return a photo link if the public profile preference is 'no'.

The backup behavior is to return a photo belonging to 'admin', unless 'admin' also has the public profile preference set to 'no'. Then only the hostname is returned.

12/07/07 02:08:53 changed by tobixen

  • follow_up set to none.
  • priority changed from critical to minor.
  • status changed from closed to reopened.
  • resolution deleted.
  • milestone changed from 0.1-outreach-release to 0.1.1-outreach-bugfixing.

http://www.bewelcome.org/memberphotos/steinwinde_1180302455.jpg is still available for the public. I don't think that's optimal.

12/09/07 18:00:51 changed by matrixpoint

  • owner deleted.
  • status changed from reopened to new.

01/06/08 00:30:20 changed by steinwinde

  • keywords changed from security photo profile data username to security photo profile data username symlink.
  • priority changed from minor to major.

Ticket #210 was closed, because (according to Philipp) #65 has to include a fix for #210 too. I don't know why all this. But if the person in charge for #65 doesn't fix #210, she/he has to reopen this ticket.

01/07/08 14:03:25 changed by micha

  • milestone changed from 0.1.1-outreach-bugfixing to 0.1.2 - more improvements & bugfixing.

I would strongly vote to create a function in TB fast that handles user-pictures and only makes them available in case the image-requesting user is logged in.

02/04/08 01:01:56 changed by lemon-head

  • follow_up changed from none to test.

[3950], [3951], [3952] - MOD_layoutbits now does the job on test.bw for avatars (still need to check for the bw part and gallery)

02/16/08 23:03:58 changed by fake51

  • freq_reported set to 1.
  • show_on_bw changed.

The point raised by Felix is still valid - you can access everything in the images folders with a direct URL, logged in or not. This goes for avatars and gallery alike. The image directories should probably be off-limits to the general public, or at the very least we should have some redirecting in place to deny direct URLs to images.

02/17/08 00:59:40 changed by lemon-head

In fact, TB already has the possibility to return images on request, without using direct URLs.

Currently this happens in the application "User", which looks for avatar images in the TB folders. So in the current state the mechanic is useless for us, because the member pics are stored somewhere else.

I would prefer to have a separate application "images" or "image", that would return avatars and gallery pictures. I began some work in this direction, but then moved to other things.
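
The "image application" lemon-head describes, as an added example that is not BeWelcome/rox code: a PHP endpoint that is the only route to the photo files and refuses anonymous requests for members who have not opted into a public profile. PHOTO_DIR, is_logged_in() and owner_allows_public_profile() are assumed names; the file-name shape follows the URL quoted in the ticket.

```php
<?php
// Added example, not BeWelcome/rox code. PHOTO_DIR, is_logged_in() and
// owner_allows_public_profile() are assumed hooks; the file name shape
// "<username>_<digits>.jpg" follows the URL quoted in the ticket.
declare(strict_types=1);

// Photos live outside the document root, so the web server cannot hand them out by
// direct URL; only this script can read them. (The path itself is an assumption.)
const PHOTO_DIR = '/var/www/private/memberphotos';

function is_logged_in(): bool
{
    return !empty($_SESSION['member_id']);           // hypothetical session key
}

function owner_allows_public_profile(string $username): bool
{
    return false;                                    // hypothetical: read the member's preference
}

// Pure decision function: 200 = serve, 403 = hidden from anonymous visitors, 404 = bad name.
function photo_access_decision(string $owner, string $file, bool $loggedIn, bool $ownerPublic): int
{
    // Strict name pattern: no slashes or "..", so the name cannot escape PHOTO_DIR,
    // and the prefix must be the member whose photo is being requested.
    if (!preg_match('/^([A-Za-z0-9_-]+)_\d+\.(jpg|jpeg|png|gif)$/', $file, $m) || $m[1] !== $owner) {
        return 404;
    }
    if (!$loggedIn && !$ownerPublic) {
        return 403;                                  // member opted out of a public profile
    }
    return 200;
}
function serve_member_photo(string $owner, string $file): void
{
    $status = photo_access_decision($owner, $file, is_logged_in(), owner_allows_public_profile($owner));
    $real = $status === 200 ? realpath(PHOTO_DIR . '/' . $file) : false;
    if ($real === false || !is_file($real) || strncmp($real, PHOTO_DIR . '/', strlen(PHOTO_DIR) + 1) !== 0) {
        http_response_code($status === 200 ? 404 : $status);
        exit;
    }
    $types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    header('Content-Type: ' . $types[pathinfo($real, PATHINFO_EXTENSION)]);
    header('Content-Length: ' . filesize($real));
    header('Cache-Control: private, no-store');      // shared caches must not keep a private photo
    readfile($real);
}
session_start();
serve_member_photo((string) ($_GET['member'] ?? ''), (string) ($_GET['file'] ?? ''));
```

The direct URLs quoted in the ticket stay open until the memberphotos directory is actually moved out of the web root (or denied in the server configuration); the script alone does not close them.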

02/27/08 14:18:47 changed by philipp

  • milestone changed from 0.1.4 - improving userinterface for members and volunteers and start work on big 0.2 tasks to 0.1.5 - short - xxx.

04/23/08 11:49:12 changed by philipp

  • milestone changed from 0.1.5 - short - xxx to 0.2 - community.

Milestone 0.1.5 - short - xxx deleted

07/17/08 14:29:43 changed by lemon-head

  • summary changed from Hide non-public usernames and photos from public availability to Hide non-public usernames and photos from public availability (route avatar pics through a rox application).

08/07/08 18:54:14 changed by midsch

What's to be tested here? In alpha and production, non-public pictures are still visible if you know the URL; on test it can't be tested, because there are no pics (and none can be uploaded).

08/08/08 08:18:54 changed by micha

Hi midsch,

pictures can be uploaded on test: test.bewelcome.org/gallery/upload

I don't know much more about this ticket though. Micha

08/08/08 10:50:26 changed by midsch

We're talking about member pictures, the ones on your profile. They can't be uploaded via gallery. Uploading of profile pictures doesn't work on test for me.
