[Building Sakai] Permission to see official photos in Roster2
Daniel Merino
daniel.merino at unavarra.es
Wed Aug 7 03:56:16 PDT 2013
Hi Steve,
I have also applied a piece of Texas State University's code to serve
Profile2 image URLs as binary streams so image URLs are not exposed to
users.
This feature was included in the PRFL-789 general patch for adding official
photos to Roster, but even if using Roster2 or no Roster at all, I think
that it is invaluable for privacy and security reasons.
I have attached a patch only for this in
https://jira.sakaiproject.org/browse/PRFL-790
If you think that the code is technically correct, I encourage you to
add it to Profile2 trunk.
Thanks.
Best regards.
On 07/08/2013 12:41, Steve Swinsburg wrote:
> Great news!
>
> cheers,
> Steve
>
>
> On Wed, Aug 7, 2013 at 5:52 PM, Daniel Merino
> <daniel.merino at unavarra.es> wrote:
>
> Hi Steve,
>
> I have applied both fixes and they work nicely. So it seems that we
> are in time to start with this.
>
> A thousand thanks for your help.
> Best regards.
>
> On 06/08/2013 15:41, Steve Swinsburg wrote:
>> Hi Daniel,
>>
>> You are in luck - I just wrote the fixes for both Profile2 and
>> Roster2.
>>
>> https://jira.sakaiproject.org/browse/PRFL-839
>> https://jira.sakaiproject.org/browse/RSTR-59
>>
>> With this, to see the official image, you need the
>> roster.viewofficialphoto permission.
>>
>> cheers,
>> Steve
>>
>>
>> On Tue, Aug 6, 2013 at 10:59 PM, Daniel Merino
>> <daniel.merino at unavarra.es> wrote:
>>
>> Hi Steve.
>>
>> I don't really mind using one or another Roster, but as I
>> have a patch for Roster I'm trying to make it work because I
>> would be really happy if we get this running before we jump
>> to 2.9.
>>
>> This is my fault for not having detected this issue before.
>>
>> I'm afraid I'm not skilled enough to develop your solution,
>> but I will be glad to apply it and test it when it's done.
>>
>> Thanks.
>> Best regards.
>>
>> On 06/08/2013 14:34, Steve Swinsburg wrote:
>>> Hi Daniel,
>>>
>>> I think you are better off using Roster2 and we can resolve
>>> the issues there. What did you think of the solution I
>>> posted the other day?
>>>
>>> thanks,
>>> Steve
>>>
>>>
>>> On Tue, Aug 6, 2013 at 10:26 PM, Daniel Merino
>>> <daniel.merino at unavarra.es> wrote:
>>>
>>> Hello again.
>>>
>>> I am not able to make this patch work because I have a local error.
>>> There is a Profile2 preference that is always true in Roster, no matter
>>> the real value that is stored in the database for that preference.
>>>
>>> In Roster tool, in pictures.jsp, there are several conditions to allow
>>> showing official images:
>>>
>>> rendered="#{
>>> (
>>> ! pictures.officialPhotosAvailableToCurrentUser &&
>>> participant.profilePhotoPublic &&
>>> ! empty participant.profile.pictureUrl &&
>>> ! participant.officialPhotoPublicAndPreferred
>>> ) ||
>>> (
>>> pictures.officialPhotosAvailableToCurrentUser &&
>>> prefs.displayProfilePhotos &&
>>> ! participant.officialPhotoPreferred &&
>>> ! empty participant.profile.pictureUrl
>>> )
>>> }"
>>>
>>> I don't know the reason but participant.officialPhotoPreferred and
>>> participant.officialPhotoPublicAndPreferred are always true for every
>>> user. They are not getting the values in the
>>> PROFILE_PREFERENCES_T.USE_OFFICIAL_IMAGE field, which are mostly false.
>>>
>>> I have searched in the code and I have not found any place where this
>>> value could be set to true accidentally.
>>>
>>> I am using Profile2 1.5.2 and Roster 2.9.2, without changes except this
>>> patch.
>>>
>>> I am really stuck with this. Could somebody give me any idea?
>>>
>>> Thanks.
>>>
>>> On 05/08/2013 18:36, Qu, Yuanhua wrote:
>>> > Hi Daniel
>>> >
>>> > You might want to make some changes according to your local requirement. I
>>> > hereby reply to you under each of your comments below.
>>> > -Qu
>>> >
>>> > On 8/5/13 6:32 AM, "Daniel Merino" <daniel.merino at unavarra.es> wrote:
>>> >
>>> >> Hi, Qu.
>>> >>
>>> >> I have applied your patch over our 2.9.2 and as you said, official
>>> >> images can be viewed now by teachers when viewofficialphotos is
>>> >> configured.
>>> >>
>>> >> However, I think that this patch lacks some additional change over
>>> >> Roster tool, as it doesn't work as I expected:
>>> >>
>>> >> - If user has not viewofficialphotos permission, user can see
>>> >> profile uploaded pictures of other users.
>>> > If user has not viewofficialphotos permission, they won't be able to have
>>> > "Pictures" link to click to see the photos. If they have
>>> > viewofficialphotos and also roster.viewallmembers, they will be able to
>>> > have "Pictures" link and see photos of others too.
>>> >
>>> >> - But if user has viewofficialphotos permission, user sees always
>>> >> official photos, no matter what radio button (profile or official
>>> >> photos) has been chosen.
>>> > In Texas state, instructors like to see only official photos to identify
>>> > students easily. Therefore, we have local changes for the logic of showing
>>> > photos: We want to show only official photos to instructors if user has
>>> > an official photo; otherwise, profile photo will be seen instead if
>>> > official photo is not available for that user.
>>> >
>>> > We basically removed the show profile option in roster tool due to local
>>> > requirement.
>>> >
>>> >> I think that the key could be in
>>> >> roster/roster-app/src/webapp/roster/pictures.jsp . Please, could you
>>> >> tell me if you changed also Roster to make this work?
>>> >>
>>> >> Many thanks.
>>> >> Best regards.
>>> >>
>>> >> On 02/08/2013 18:03, Qu, Yuanhua wrote:
>>> >>> Hi Daniel
>>> >>>
>>> >>> We, Texas State University, also use profile2 tool and roster tool to
>>> >>> show official photos in roster tool with official photos loaded from URL.
>>> >>>
>>> >>> It has been working for our sakai 282 and also 292 instance. Here is
>>> >>> the patch I put in the JIRA you might want to look and apply to profile2 to
>>> >>> support this feature in old roster tool.
>>> >>>
>>> >>> https://jira.sakaiproject.org/browse/PRFL-789
>>> >>>
>>> >>>
>>> >>> Hope it works for you. Good luck.
>>> >>>
>>> >>> -Qu
>>> >>>
>>> >>>
>>> >>> On 8/2/13 7:26 AM, "Daniel Merino" <daniel.merino at unavarra.es> wrote:
>>> >>>
>>> >>>> Hi everybody.
>>> >>>>
>>> >>>> As it seems that Roster tool does not support official photos from
>>> >>>> Profile2 API and is not in its agenda either, we have tested Roster 2
>>> >>>> tool to use official photos as it was implemented in RSTR-46 (1).
>>> >>>> Finally we use the URL approach and storing URLs in
>>> >>>> PROFILE_IMAGES_OFFICIAL_T works fine.
>>> >>>>
>>> >>>> However, we have discovered that Roster2 does not support old
>>> >>>> roster.viewofficialphotos permission, so it is not possible AFAIK to
>>> >>>> allow seeing official photos only to Teacher role. As a consequence,
>>> >>>> any user could add other users to their site and could see their
>>> >>>> official photos. We think that this is a big privacy issue.
>>> >>>>
>>> >>>> I have documented this in RSTR-58 (2) but we are in a hurry because we
>>> >>>> are going to 2.9 next week and I wonder if somebody has done this
>>> >>>> anywhere and could share their work with us.
>>> >>>>
>>> >>>> Also, if somebody is using Roster tool with official photos loaded from
>>> >>>> URL and there is a patch somewhere, using Roster could be also a valid
>>> >>>> option for us.
>>> >>>>
>>> >>>> I would be really grateful if somebody could help me with this.
>>> >>>>
>>> >>>> Thanks in advance.
>>> >>>> Best regards.
>>> >>>>
>>> >>>> (1) https://jira.sakaiproject.org/browse/RSTR-46
>>> >>>> (2) https://jira.sakaiproject.org/browse/RSTR-58
>>> >>>> --
>>> >>>> Daniel Merino Echeverría
>>> >>>> daniel.merino at unavarra.es
>>> >>>> E-learning manager - Centro Superior de Innovación Educativa.
>>> >>>> Tel: 948-168489 - Universidad Pública de Navarra.
>>> >> --
>>> >> Daniel Merino Echeverría
>>> >> daniel.merino at unavarra.es
>>> >> E-learning manager - Centro Superior de Innovación Educativa.
>>> >> Tel: 948-168489 - Universidad Pública de Navarra.
>>> >> --
>>> >> Legalizing marijuana would have prevented many misfortunes. For
>>> >> example, after smoking a joint, who still feels like invading
>>> >> Poland? (Darío Adanti)
>>> >
>>>
>>> --
>>> Daniel Merino Echeverría
>>> daniel.merino at unavarra.es
>>> E-learning manager - Centro Superior de Innovación Educativa.
>>> Tel: 948-168489 - Universidad Pública de Navarra.
>>>
>>>
>>
>> --
>> Daniel Merino Echeverría
>> daniel.merino at unavarra.es
>> E-learning manager - Centro Superior de Innovación Educativa.
>> Tel: 948-168489 - Universidad Pública de Navarra.
>> --
>> The louder he talked of his honor, the faster we counted
>> our spoons. (Ralph W. Emerson)
>>
>>
>
> --
> Daniel Merino Echeverría
> daniel.merino at unavarra.es
> E-learning manager - Centro Superior de Innovación Educativa.
> Tel: 948-168489 - Universidad Pública de Navarra.
> --
> The competent IT person is invisible. Users only remember you
> when the service is bad. Get over it. (Anonymous)
>
>
--
Daniel Merino Echeverría
daniel.merino at unavarra.es
E-learning manager - Centro Superior de Innovación Educativa.
Tel: 948-168489 - Universidad Pública de Navarra.
--
The three phrases that will help you in life are: Don't say it was me. Oh,
good idea, boss! It was like that when I got here. (Homer Simpson)
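
The approach discussed in this thread (stream the official photo through the server after a roster.viewofficialphoto check, so the stored URL never reaches the browser), as an added example that is not part of the original messages or of the PRFL-790 patch. `PermissionChecker`, `OfficialImageStore` and `ImageFetcher` are hypothetical interfaces, not Sakai APIs, and the sample users and URL are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Optional;

// Added example. The three interfaces are hypothetical stand-ins, not Sakai APIs.
public class OfficialPhotoStreamer {
    static final String VIEW_OFFICIAL = "roster.viewofficialphoto"; // name as given in the thread

    interface PermissionChecker { boolean isAllowed(String viewerId, String permission, String siteId); }
    interface OfficialImageStore { Optional<String> urlFor(String userId); } // e.g. PROFILE_IMAGES_OFFICIAL_T
    interface ImageFetcher { InputStream open(String url) throws IOException; }

    enum Result { STREAMED, FORBIDDEN, NOT_FOUND }

    private final PermissionChecker perms;
    private final OfficialImageStore store;
    private final ImageFetcher fetcher;

    OfficialPhotoStreamer(PermissionChecker p, OfficialImageStore s, ImageFetcher f) {
        perms = p; store = s; fetcher = f;
    }

    /** Writes the image bytes to out; the stored URL is never handed back to the caller. */
    Result stream(String viewerId, String siteId, String subjectId, OutputStream out) throws IOException {
        // Checked on every image request, not only when the roster page is rendered,
        // and before the lookup so a refusal does not reveal whether a photo exists.
        if (!perms.isAllowed(viewerId, VIEW_OFFICIAL, siteId)) return Result.FORBIDDEN;
        Optional<String> url = store.urlFor(subjectId);
        if (!url.isPresent()) return Result.NOT_FOUND;
        try (InputStream in = fetcher.open(url.get())) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        }
        return Result.STREAMED;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: only "teacher1" holds the permission.
        OfficialPhotoStreamer s = new OfficialPhotoStreamer(
            (viewer, perm, site) -> viewer.equals("teacher1") && perm.equals(VIEW_OFFICIAL),
            user -> user.equals("student1")
                ? Optional.of("https://photos.example.invalid/s1.jpg") : Optional.<String>empty(),
            url -> new ByteArrayInputStream(new byte[] {(byte) 0xFF, (byte) 0xD8}));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        System.out.println(s.stream("student2", "site1", "student1", out) + " bytes=" + out.size());
        System.out.println(s.stream("teacher1", "site1", "student1", out) + " bytes=" + out.size());
        System.out.println(s.stream("teacher1", "site1", "nobody", out));
    }
}
```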