Opened 10 years ago

Closed 8 years ago

Last modified 5 years ago

#65 closed bug (fixed)

Hide non-public usernames and photos from public availability (route avatar pics through a rox application)

Reported by: steinwinde Owned by: micha
Priority: critical Milestone: Legacy Resolved
Component: BW General Keywords: security photo profile data username symlink
Cc:

Description

Profile data as usernames and member photos should only be available for non-logged in users, if the member explicitly wished this. Right now, both are available to everybody. The existence of usernames can be checked by

http://www.bewelcome.org/myphotos.php?PictForMember=steinwinde

The URL for the photo from the private profile is returned. Eg.

http://www.bewelcome.org/memberphotos/steinwinde_1180302455.jpg

Change History (29)

comment:1 Changed 10 years ago by matrixpoint

  • Owner set to matrixpoint

comment:2 Changed 10 years ago by matrixpoint

  • Resolution set to fixed
  • Status changed from new to closed

http://www.bewelcome.org/myphotos.php?PictForMember=steinwinde

will no longer return a photo link if the public profile preference is 'no'.

The backup behavior is to return a photo belonging to 'admin', unless 'admin' also has the public profile preference set to 'no'. Then only the hostname is returned.

comment:3 Changed 10 years ago by tobixen

  • follow_up set to none
  • Milestone changed from 0.1-outreach-release to 0.1.1-outreach-bugfixing
  • Priority changed from critical to minor
  • Resolution fixed deleted
  • Status changed from closed to reopened

http://www.bewelcome.org/memberphotos/steinwinde_1180302455.jpg is still available for the public. I don't think that's optimal.

comment:4 Changed 10 years ago by matrixpoint

  • Owner matrixpoint deleted
  • Status changed from reopened to new

comment:5 Changed 10 years ago by steinwinde

  • Keywords symlink added
  • Priority changed from minor to major

Ticket #210 was closed, because (according to Philipp) #65 has to include a fix for #210 too. I don't know why all this. But if the person in charge for #65 doesn't fix #210, she/he has to reopen this ticket.

comment:6 Changed 10 years ago by micha

  • Milestone changed from 0.1.1-outreach-bugfixing to 0.1.2 - more improvements & bugfixing

I would strongly vote to create a function in TB fast that handles user-pictures and only makes them available in case the image-requesting user is logged in.

comment:7 Changed 10 years ago by lemon-head

  • follow_up changed from none to test

[3950], [3951], [3952] - MOD_layoutbits now does the job on test.bw for avatars (still need to check for the bw part and gallery)

comment:8 Changed 10 years ago by fake51

  • freq_reported set to 1
  • show_on_bw set to 0

The point raised by Felix is still valid - you can access everything in the images folders with a direct url, logged in or not. This goes for avatars and gallery alike. The image directories should probably be off-limits to the general public or at the very least we should have some redirecting in place, to deny direct urls to images.

comment:9 Changed 10 years ago by lemon-head

In fact TB does already have a possibility to return images on a request, without using direct urls.

Currently this happens in the application "User", and will look for avatar images in the TB folders. So in the current state the mechanic is useless for us, because the member pics are stored somewhere else.

I would prefer to have a separate application "images" or "image", that would return avatars and gallery pictures. I began some work in this direction, but then moved to other things.

comment:10 Changed 10 years ago by philipp

  • Milestone changed from 0.1.4 - improving userinterface for members and volunteers and start work on big 0.2 tasks to 0.1.5 - short - xxx

comment:11 Changed 9 years ago by philipp

  • Milestone changed from 0.1.5 - short - xxx to 0.2 - community

Milestone 0.1.5 - short - xxx deleted

comment:12 Changed 9 years ago by lemon-head

  • Summary changed from Hide non-public usernames and photos from public availability to Hide non-public usernames and photos from public availability (route avatar pics through a rox application)

comment:13 Changed 9 years ago by midsch

What's to be tested here? In alpha and production non-public pictures are still visible if you know the url, at test it can't be tested, because there are no pics (and none can be uploaded).

comment:14 Changed 9 years ago by micha

Hi midsch,

pictures can be uploaded on test: test.bewelcome.org/gallery/upload

I don't know much more about this ticket though.
Micha

comment:15 Changed 9 years ago by midsch

We're talking about member pictures, the ones on your profile. They can't be uploaded via gallery. Uploading of profile pictures doesn't work on test for me.

comment:16 Changed 9 years ago by midsch

  • follow_up changed from test to review code

comment:18 Changed 9 years ago by midsch

  • freq_reported changed from 1 to 2

On test there is still nothing to test as upload fails with error message "failed to copy /tmp/phpP34OLl to /var/www/upload/images/wukk_1222715870.jpg"

comment:19 Changed 9 years ago by micha

  • follow_up changed from review code to test
  • Owner set to micha

I did a rough first version and routed the member pictures through the members application. Avatars can now be accessed (for public profiles or while being logged in) at members/avatar/[username or ID].

Could you test again if pictures can't be accessed from the 'outside' ? If it's all fine we could go for a site-wide change of the way to access member pictures.

comment:20 Changed 9 years ago by midsch

As said in my last comment: it's not possible to test it on test as there is no picture upload (on alpha/live the pics are still accessible).

comment:21 Changed 8 years ago by midsch

  • freq_reported changed from 2 to 3

The pics are still available in the live system, here http://www.arvutifoorum.ee/viewtopic.php?tid=7564&page=2 is someone using a direct link to my bw-pichttps://www.bewelcome.org/bw/memberphotos/thumbs/midsch_1185229035.square.100x100.jpg as his own avatar. NOTE: he's not downloading the picture for his own use, he uses it on the bw-server.

comment:22 Changed 8 years ago by midsch

A blank is missing here, sorry:

bw-pic https://www.bewelcome.org/bw/memberphotos/thumbs/midsch_1185229035.square.100x100.jpg

In a few days I'll try to delete the pic on bw or replace it with something really nasty.

comment:23 Changed 8 years ago by fake51

  • Priority changed from major to critical

I'll bump the priority level up to critical and try to fix the remaining problems before this bug can be wiped out. Sorry for the delay on it.

comment:24 follow-up: Changed 8 years ago by midsch

I wanted to stop the abuse of my pic by deleting it. The problem seems to be worse: on my profile the picture is deleted (and replaced by a "new" one; I used the same pic but got a different id for it). Nevertheless the deleted pic is still accessible.

So "delete" means hide at BW but not delete? Shall I open a new bug for deletion of pics?

comment:25 Changed 8 years ago by fake51

Please do - it's pretty bad that members cannot delete their pictures.

I hope to have the external linking problem fixed by tonight - I'll update this ticket when.

comment:26 Changed 8 years ago by midsch

done: http://www.bevolunteer.org/trac/ticket/1158

BTW: Isn't it possible to avoid deeplinking to bw-pics from other servers by .htaccess?

comment:27 in reply to: ↑ 24 Changed 8 years ago by fake51

  • Resolution set to fixed
  • Status changed from new to closed

Member photos should no longer be directly accessible, please check.

Also, member photos should only be available for non-public profiles when a member is logged in. This has the brilliant side effect that non-public members that send their picture along with BW messages just send the "empty profile" avatar. They'll probably figure that out at some point - though, chances are they won't be sending their image along the messages anyway.
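The approach described in comments 8, 19 and 27 (stop serving the image directory directly, route avatar requests through an application that checks the viewer's session and the member's public-profile preference) as an added PHP example; this is not BeWelcome's own code. It assumes the photos live in a directory the web server does not serve, a constructed `$profiles` array standing in for the members table, a session key `member_id` set at login, and a rewrite from `/members/avatar/<username>` to this script with `?member=<username>`. It also closes the username-existence oracle from the ticket description by returning the same "empty profile" image for unknown and non-public members alike.

```php
<?php
// Added example, not BeWelcome's code. Assumes the photo directory is outside
// the web root (or blocked by the web server), so this script is the only way
// to fetch an avatar.
declare(strict_types=1);

// Constructed sample data standing in for the members table.
$profiles = [
    'alice' => ['public' => true,  'file' => 'alice_1180302455.jpg'],
    'bob'   => ['public' => false, 'file' => 'bob_1185229035.jpg'],
];

function avatarPath(string $photoRoot, string $member, bool $viewerLoggedIn, array $profiles): string
{
    $fallback = $photoRoot . '/empty_profile.png';
    // Accept a plain username only; rejects "../" and "thumbs/x" style values.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $member)) {
        return $fallback;
    }
    $row = $profiles[$member] ?? null;
    // Unknown member and non-public member viewed by an anonymous visitor get
    // the same image, so the response does not reveal whether the username exists.
    if ($row === null || (!$row['public'] && !$viewerLoggedIn)) {
        return $fallback;
    }
    // basename() strips any directory part a stored file name might carry.
    $path = $photoRoot . '/' . basename($row['file']);
    return is_file($path) ? $path : $fallback;
}

function sendImage(string $path): void
{
    $type = mime_content_type($path);
    header('Content-Type: ' . ($type !== false ? $type : 'application/octet-stream'));
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Entry point: /members/avatar/<username> is rewritten to this script.
session_start();
$member = (string) ($_GET['member'] ?? '');
$viewerLoggedIn = isset($_SESSION['member_id']);
$path = avatarPath(__DIR__ . '/../memberphotos_private', $member, $viewerLoggedIn, $profiles);
sendImage($path);
```

A logged-in viewer requesting `bob` gets his photo; an anonymous visitor requesting `bob`, a nonexistent name, or `../etc/passwd` all receive the same placeholder, and the old `memberphotos/<user>_<id>.jpg` URLs stop working once the directory is no longer web-served.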

comment:28 Changed 8 years ago by midsch

  • follow_up changed from test to none

Seems to work now. (You can still prove the existence of pics/usernames, but if you make at least one post or join a group it's somehow obvious anyway.)

comment:29 Changed 5 years ago by TimLoal

  • Milestone changed from unassigned to Legacy Resolved