[Building Sakai] Permission to see official photos in Roster2

Adrian Fish adrian.r.fish at gmail.com
Sun Aug 4 12:56:45 PDT 2013


I'll sort this when back off my hols in a week. As Steve says, it seems an
easy fix.

Cheers,
Adrian.


On 4 August 2013 15:12, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:

> Ok so the fix here is that the siteid is passed to the profile image
> provider, and if it's for an official image, then the requesting user has
> their permissions checked in the supplied site before releasing the
> official image.
>
> Profile2 already caters for siteid being passed in, so we can extend it to
> this capability. Roster2 then needs to send the siteid but that is a simple
> fix.
>
> I thought we had discussed something along these lines already. Not near a
> computer to check though.
>
> Cheers,
> Steve
>
> Sent from my iPad
>
> On 04/08/2013, at 19:39, daniel.merino at unavarra.es wrote:
>
> > Sorry, I mean that this was implemented at
> > https://jira.sakaiproject.org/browse/RSTR-46
> >
> > On Sun, 4 August 2013, 11:37, daniel.merino at unavarra.es wrote:
> >> Hi, Steve.
> >>
> >> I think that a fairly common use case is bypassing user's preferences to
> >> show all the official photos in Roster to teachers.
> >>
> >> This was implemented at https://jira.sakaiproject.org/browse/RSTR-58 but
> >> IMHO is incomplete (and it has serious privacy issues, at least under
> >> Spanish laws) while it is not role aware. Any user can see everyone's
> >> official photo just by adding that user to their site.
> >>
> >> I don't know if RSTR-58 is added to any branch, but I would revert it if
> >> this issue can not be fixed in a short/middle term.
> >>
> >> I took a look at the Roster2 code and I saw that roster.viewofficialphoto
> >> permission is not included in the list of permissions retrieved by JSON
> >> call. I don't know too much about JSON. Could it be added?
> >>
> >> Thanks.
> >> Best regards.
> >>
> >> On Sun, 4 August 2013, 1:22, Steve Swinsburg wrote:
> >>> Hi Daniel,
> >>>
> >>> Profile2 will show whatever image the user has configured or the
> >>> preferences dictate.
> >>>
> >>> If a user has an official image, who can currently see it?
> >>>
> >>> The permissions in profile2 don't support site or role based
> >>> restrictions
> >>> to images. There may be some work to do in this area if that was to be
> >>> supported or required, probably not too tricky though.
> >>>
> >>> Cheers,
> >>> S
> >>>
> >>> Sent from my iPad
> >>>
> >>> On 03/08/2013, at 19:23, daniel.merino at unavarra.es wrote:
> >>>
> >>>> Hi Steve,
> >>>>
> >>>> I am not at work right now, but I think that we have mostly the
> >>>> default settings for Profile2.
> >>>>
> >>>> Do you know if there is some combination of settings in Profile2 that
> >>>> hides official photos for everybody but teachers?
> >>>>
> >>>> Thanks.
> >>>> Best regards.
> >>>>
> >>>> On Sat, 3 August 2013, 0:34, Steve Swinsburg wrote:
> >>>>> Hi Daniel,
> >>>>>
> >>>>> Roster2 delegates permissions for images over to Profile2, so check
> >>>>> what
> >>>>> settings you have there.
> >>>>>
> >>>>> Cheers,
> >>>>> Steve
> >>>>>
> >>>>> Sent from my iPad
> >>>>>
> >>>>> On 02/08/2013, at 22:26, Daniel Merino <daniel.merino at unavarra.es>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi everybody.
> >>>>>>
> >>>>>> As it seems that Roster tool does not support official photos from
> >>>>>> Profile2 API and is not in its agenda either, we have tested Roster 2
> >>>>>> tool to use official photos as it was implemented in RSTR-46 (1).
> >>>>>> Finally we use the URL approach and storing URLs in
> >>>>>> PROFILE_IMAGES_OFFICIAL_T works fine.
> >>>>>>
> >>>>>> However, we have discovered that Roster2 does not support old
> >>>>>> roster.viewofficialphotos permission, so it is not possible AFAIK to
> >>>>>> allow seeing official photos only to Teacher role. As a consequence,
> >>>>>> any user could add other users to their site and could see their
> >>>>>> official photos. We think that this is a big privacy issue.
> >>>>>>
> >>>>>> I have documented this in RSTR-58 (2) but we are in a hurry because
> >>>>>> we
> >>>>>> are going to 2.9 next week and I wonder if somebody has done this
> >>>>>> anywhere and could share their work with us.
> >>>>>>
> >>>>>> Also, if somebody is using Roster tool with official photos loaded
> >>>>>> from
> >>>>>> URL and there is a patch somewhere, using Roster could be also a
> >>>>>> valid
> >>>>>> option for us.
> >>>>>>
> >>>>>> I would be really grateful if somebody could help me with this.
> >>>>>>
> >>>>>> Thanks in advance.
> >>>>>> Best regards.
> >>>>>>
> >>>>>> (1) https://jira.sakaiproject.org/browse/RSTR-46
> >>>>>> (2) https://jira.sakaiproject.org/browse/RSTR-58
> >>>>>> --
> >>>>>> Daniel Merino Echeverría
> >>>>>> daniel.merino at unavarra.es
> >>>>>> E-learning manager - Centro Superior de Innovación Educativa.
> >>>>>> Phone: 948-168489 - Universidad Pública de Navarra.
> >>>>>> _______________________________________________
> >>>>>> sakai-dev mailing list
> >>>>>> sakai-dev at collab.sakaiproject.org
> >>>>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> >>>>>>
> >>>>>> TO UNSUBSCRIBE: send email to
> >>>>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
> >>>>>> "unsubscribe"
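The check Steve describes in this thread (the site id is passed to the image provider, and the requesting user's permission is checked in that site before an official image is released), sketched as an added example that is not Sakai, Profile2 or Roster2 code. The class, method, site and user names are hypothetical, and the grants are constructed sample data.

```java
import java.util.Map;
import java.util.Set;

// Added illustration only: hypothetical names, not Sakai / Profile2 / Roster2 API.
public class OfficialPhotoGate {
    enum ImageType { OFFICIAL, UPLOADED }

    // Permission name as written in the thread.
    static final String VIEW_OFFICIAL = "roster.viewofficialphoto";

    // siteId -> userId -> permissions the user's role grants in that site.
    private final Map<String, Map<String, Set<String>>> grants;

    OfficialPhotoGate(Map<String, Map<String, Set<String>>> grants) {
        this.grants = grants;
    }

    boolean hasPermission(String userId, String siteId, String permission) {
        Map<String, Set<String>> site = grants.getOrDefault(siteId, Map.of());
        return site.getOrDefault(userId, Set.of()).contains(permission);
    }

    // Decide whether an image of the given type may be released to the requester.
    boolean mayRelease(String requesterId, String siteId, ImageType type) {
        if (type != ImageType.OFFICIAL) {
            return true; // assumption: other image types follow the owner's preferences, not modelled here
        }
        if (siteId == null || siteId.isEmpty()) {
            return false; // no site context supplied: fail closed
        }
        return hasPermission(requesterId, siteId, VIEW_OFFICIAL);
    }

    static void expect(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        // Constructed sample data: only teacher1 holds the permission, and only in course-101.
        OfficialPhotoGate gate = new OfficialPhotoGate(
            Map.of("course-101", Map.of("teacher1", Set.of(VIEW_OFFICIAL))));
        expect(gate.mayRelease("teacher1", "course-101", ImageType.OFFICIAL), "teacher in course site");
        // student1 adds other users to a site of their own, but holds no permission there.
        expect(!gate.mayRelease("student1", "project-x", ImageType.OFFICIAL), "student in own site denied");
        expect(!gate.mayRelease("teacher1", null, ImageType.OFFICIAL), "missing site id denied");
        expect(!gate.mayRelease("teacher1", "project-x", ImageType.OFFICIAL), "permission does not carry across sites");
    }
}
```

The outcome depends on which roles are granted the permission in each site, so the check is only as strict as that mapping.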