[Building Sakai] Permission to see official photos in Roster2

Steve Swinsburg steve.swinsburg at gmail.com
Sun Aug 4 07:12:37 PDT 2013


OK, so the fix here is that the siteid is passed to the profile image provider, and if it's for an official image, then the requesting user has their permissions checked in the supplied site before releasing the official image.

Profile2 already caters for siteid being passed in, so we can extend it to this capability. Roster2 then needs to send the siteid but that is a simple fix.

I thought we had discussed something along these lines already. Not near a computer to check though.

Cheers,
Steve

Sent from my iPad
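The check Steve describes, as an added illustration for this thread rather than code from Profile2 or Roster2: the image provider is handed a site id and, before it releases an official image, confirms that the requester holds roster.viewofficialphoto in that site. The PermissionLookup and MembershipLookup interfaces, the URL maps, the default image path and the sample site and users are all assumptions made for the example; the real Sakai services and tables differ. Requiring the target user to also be a member of the supplied site is an extra check not discussed in the thread, added so a requester cannot name an unrelated site where they happen to hold the permission.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Illustrative gate for releasing "official" profile images. The lookups are
 * stand-ins for whatever Profile2/Roster2 actually call; they are NOT Sakai API.
 */
public class OfficialImageGate {

    /** Permission name as written in the thread. */
    static final String VIEW_OFFICIAL_PHOTO = "roster.viewofficialphoto";

    /** Assumed interface: "may user X exercise permission P in site S?" */
    interface PermissionLookup {
        boolean isAllowed(String userId, String permission, String siteId);
    }

    /** Assumed interface: "is user X a member of site S?" */
    interface MembershipLookup {
        boolean isMember(String userId, String siteId);
    }

    private final PermissionLookup permissions;
    private final MembershipLookup membership;
    private final Map<String, String> officialUrls;   // userId -> official (ID card) image URL
    private final Map<String, String> preferredUrls;  // userId -> image the user picked themselves

    OfficialImageGate(PermissionLookup permissions, MembershipLookup membership,
                      Map<String, String> officialUrls, Map<String, String> preferredUrls) {
        this.permissions = permissions;
        this.membership = membership;
        this.officialUrls = officialUrls;
        this.preferredUrls = preferredUrls;
    }

    /**
     * Official image is released only when (1) a site id was supplied, (2) both
     * requester and target are members of that site, and (3) the requester holds
     * roster.viewofficialphoto there. Anything else falls through to the user's
     * own preference, so a missing site id never leaks the official photo.
     */
    Optional<String> officialImageUrl(String requesterId, String targetUserId, String siteId) {
        if (siteId == null || siteId.isEmpty()) {
            return Optional.empty(); // no site context: no role-aware decision is possible
        }
        if (!membership.isMember(requesterId, siteId) || !membership.isMember(targetUserId, siteId)) {
            return Optional.empty(); // extra check: both parties must share the supplied site
        }
        if (!permissions.isAllowed(requesterId, VIEW_OFFICIAL_PHOTO, siteId)) {
            return Optional.empty(); // role in this site does not allow official photos
        }
        return Optional.ofNullable(officialUrls.get(targetUserId));
    }

    /** What the roster would render: official image if permitted, else the user's own choice. */
    String imageUrlFor(String requesterId, String targetUserId, String siteId) {
        return officialImageUrl(requesterId, targetUserId, siteId)
                .orElse(preferredUrls.getOrDefault(targetUserId, "/profile2/images/default.png"));
    }

    public static void main(String[] args) {
        // Constructed sample data: one course site; only "teacher" holds the permission there.
        Map<String, Set<String>> members = new HashMap<>();
        members.put("course-101", new HashSet<>(Arrays.asList("teacher", "student", "alice")));
        Set<String> grants = new HashSet<>(Arrays.asList("teacher|course-101"));

        MembershipLookup membership = (u, s) -> members.getOrDefault(s, new HashSet<>()).contains(u);
        PermissionLookup perms = (u, p, s) -> VIEW_OFFICIAL_PHOTO.equals(p) && grants.contains(u + "|" + s);

        Map<String, String> official = new HashMap<>();
        official.put("alice", "https://idcards.example.edu/photos/alice.jpg");
        Map<String, String> preferred = new HashMap<>();
        preferred.put("alice", "/profile2/images/alice-avatar.png");

        OfficialImageGate gate = new OfficialImageGate(perms, membership, official, preferred);

        System.out.println("teacher in course-101: " + gate.imageUrlFor("teacher", "alice", "course-101"));
        System.out.println("student in course-101: " + gate.imageUrlFor("student", "alice", "course-101"));
        System.out.println("teacher, no site id:   " + gate.imageUrlFor("teacher", "alice", null));
    }
}
```

Only the first call returns the official URL; the student and the site-less request both get Alice's own avatar. One caveat worth keeping in mind against Daniel's scenario: the decision is taken in the site the requester names, so a user who creates their own site and adds the target as a member will be judged by whatever their role there grants. Whether that closes the hole depends on which roles the realm assigns roster.viewofficialphoto to, not on the code path above.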

On 04/08/2013, at 19:39, daniel.merino at unavarra.es wrote:

> Sorry, I mean that this was implemented at
> https://jira.sakaiproject.org/browse/RSTR-46
> 
> On Sun, 4 August 2013, 11:37, daniel.merino at unavarra.es wrote:
>> Hi, Steve.
>> 
>> I think that a fairly common use case is bypassing users' preferences to
>> show all the official photos in Roster to teachers.
>> 
>> This was implemented at https://jira.sakaiproject.org/browse/RSTR-58 but
>> IMHO it is incomplete (and it has serious privacy issues, at least under
>> Spanish law) while it is not role aware. Any user can see everyone's official
>> photo just by adding that user to their site.
>> 
>> I don't know if RSTR-58 has been added to any branch, but I would revert it if
>> this issue cannot be fixed in the short/medium term.
>> 
>> I took a look at the Roster2 code and I saw that the roster.viewofficialphoto
>> permission is not included in the list of permissions retrieved by the JSON
>> call. I don't know too much about JSON. Could it be added?
>> 
>> Thanks.
>> Best regards.
>> 
>> On Sun, 4 August 2013, 1:22, Steve Swinsburg wrote:
>>> Hi Daniel,
>>> 
>>> Profile2 will show whatever image the user has configured or the
>>> preferences dictate.
>>> 
>>> If a user has an official image, who can currently see it?
>>> 
>>> The permissions in profile2 don't support site or role based restrictions
>>> to images. There may be some work to do in this area if that was to be
>>> supported or required, probably not too tricky though.
>>> 
>>> Cheers,
>>> S
>>> 
>>> Sent from my iPad
>>> 
>>> On 03/08/2013, at 19:23, daniel.merino at unavarra.es wrote:
>>> 
>>>> Hi Steve,
>>>> 
>>>> I am not at work right now, but I think that we have mostly the default
>>>> settings for Profile2.
>>>> 
>>>> Do you know if there is some combination of settings in Profile2 that
>>>> hides official photos for everybody but teachers?
>>>> 
>>>> Thanks.
>>>> Best regards.
>>>> 
>>>> On Sat, 3 August 2013, 0:34, Steve Swinsburg wrote:
>>>>> Hi Daniel,
>>>>> 
>>>>> Roster2 delegates permissions for images over to Profile2, so check
>>>>> what settings you have there.
>>>>> 
>>>>> Cheers,
>>>>> Steve
>>>>> 
>>>>> Sent from my iPad
>>>>> 
>>>>> On 02/08/2013, at 22:26, Daniel Merino <daniel.merino at unavarra.es> wrote:
>>>>> 
>>>>>> Hi everybody.
>>>>>> 
>>>>>> As it seems that the Roster tool does not support official photos from
>>>>>> the Profile2 API and it is not on its agenda either, we have tested the
>>>>>> Roster2 tool to use official photos as it was implemented in RSTR-46 (1).
>>>>>> Finally, we use the URL approach, and storing URLs in
>>>>>> PROFILE_IMAGES_OFFICIAL_T works fine.
>>>>>> 
>>>>>> However, we have discovered that Roster2 does not support the old
>>>>>> roster.viewofficialphotos permission, so it is not possible AFAIK to
>>>>>> allow seeing official photos only to the Teacher role. As a consequence,
>>>>>> any user could add other users to their site and see their
>>>>>> official photos. We think that this is a big privacy issue.
>>>>>> 
>>>>>> I have documented this in RSTR-58 (2) but we are in a hurry because we
>>>>>> are going to 2.9 next week and I wonder if somebody has done this
>>>>>> anywhere and could share their work with us.
>>>>>> 
>>>>>> Also, if somebody is using the Roster tool with official photos loaded
>>>>>> from URL and there is a patch somewhere, using Roster could also be a
>>>>>> valid option for us.
>>>>>> 
>>>>>> I would be really grateful if somebody could help me with this.
>>>>>> 
>>>>>> Thanks in advance.
>>>>>> Best regards.
>>>>>> 
>>>>>> (1) https://jira.sakaiproject.org/browse/RSTR-46
>>>>>> (2) https://jira.sakaiproject.org/browse/RSTR-58
>>>>>> --
>>>>>> Daniel Merino Echeverría
>>>>>> daniel.merino at unavarra.es
>>>>>> Distance-learning manager - Centro Superior de Innovación
>>>>>> Educativa.
>>>>>> Tel.: 948-168489 - Universidad Pública de Navarra.
>>>>>> _______________________________________________
>>>>>> sakai-dev mailing list
>>>>>> sakai-dev at collab.sakaiproject.org
>>>>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>>>>> 
>>>>>> TO UNSUBSCRIBE: send email to
>>>>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>>>>>> "unsubscribe"
>> 
>> 
