-
Notifications
You must be signed in to change notification settings - Fork 637
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow existing assets for user photo #12160
base: 5.x
Are you sure you want to change the base?
Conversation
Just skimming over this, it seems like there might be some security implications. A bad actor could assign any arbitrary photo asset as their photo ID. Once they've taken ownership of the photo asset, they can delete that asset with the The extreme example here is that a ne'er-do-well could iterate over all elements, attempt to set them as a profile photo, and then delete the asset when they succeed. Eventually, they could delete all website imagery. Here's another example - I could set my user photo to an asset ID used on the homepage and then replace my photo (without deleting) with a photo of my cat. Now the site homepage features a photo of my cat. Sorry if I missed something that prevents this, but I felt like I should say something just in case! |
@Mosnar What a buzzkill! Going to flip the PR to draft for now.
I'm pretty sure this is already somewhat possible prior to this PR. Once the photo is saved to the user, it's just an asset in the "User Photo Location" volume, so there's nothing preventing another field from selecting that asset, and then replacing it from the user, assets index, or the field.
For further restriction, we could:
Apart from the replaceability issue that already exists, it seems like these additional restrictions would nullify any bad-actor concerns, I think? Anything I'm missing? |
This is currently possible, but only if you configure Craft improperly by allowing content authors to select from volumes designated for untrusted user uploads. This PR would remove the opportunity to prevent it via configuration since it doesn't check which volume the user can select an asset from. Personally, I don't like the idea of users being able to establish a relationship with existing assets, as it creates a lot of opportunities for problems. I think you'd want these restrictions:
This is why I don't get invited to parties... |
Those sound reasonable! FWIW – this change was to support a frontend where the user profile form is a more traditional "changes don't save until you click save" form, which becomes awkward when the photo field applies immediately, so I'm up for anything that achieves that. |
Description
With the current controller, the only way to update a user photo is with an upload.
This allows you to set it with an existing asset via the
photoId
body param.