Profile pictures #662

Open
CHTJonas opened this issue May 20, 2019 · 6 comments

@CHTJonas (Member) commented May 20, 2019

I had this idea today and thought I'd open an issue for discussion. If someone has linked their user account with their public 'person' profile and their user account has a profile picture URL then that image could be displayed on their public page. This could be logically extended so that the user could customise this field with any URL from an external website (currently it is only set when they log in with certain OAuth providers), and further extended to allow people to upload pictures to Camdram (although this may result in storage issues).

This would involve a pretty big change in the privacy policy as I don't think you could reasonably expect users to know their profile picture would get published. There are only 13 users who would be affected by this so it would be easy enough to contact them if we decide to move forwards with this.

SELECT * FROM acts_users WHERE person_id IS NOT NULL AND profile_picture_url IS NOT NULL;

Related tickets: #323 #660

@GKFX (Member) commented May 20, 2019

I'm not convinced about allowing all URLs: hotlinking has a number of downsides. Most links eventually rot and so in a few years' time there would be a number of broken images. It would also expose all users to potential tracking by the hotlinked site, which would be difficult to justify in the privacy policy; for this reason images from random URLs are currently blocked by CSP. As you say if a significant proportion of people end up displaying a profile picture that would eat into our storage significantly: there are about 15000 people on Camdram!

Database-wise, I would put the images in the people table rather than the users table if that was where we intended to make the most use of them.

@philosophicles (Member) commented Jun 1, 2019

I quite like this idea, provided we handle the privacy policy changes / notifications properly; and to be honest we should probably make it a specific opt-in feature anyway, not on-by-default if there's a person<-->user link established.

I think we should only support profile pics served by one of the OAuth providers, not random URLs or uploads direct to Camdram. That prevents a lot of potential abuse angles. We could maybe add support for Gravatar I guess, as one extra image source.

At the moment, if somebody uses multiple OAuth providers, I think we don't offer any way for them to choose which provider's profile pic is used for their Camdram user account. If adding this Person usage, we should probably offer that choice - e.g. someone has a very informal Facebook profile pic, and a professional headshot on their Twitter that they'd want to use.

@philosophicles (Member) commented Jun 1, 2019

Storage wise, so long as we can spare a bit of disk space, I wouldn't worry too much. We should appropriately downscale images before storing, if applicable. We might have 15k people, but not quite 4800 users, so that's the lower bound that matters more. Even if all of them had a 20 kB image in our database, that's under 100MB.

@CHTJonas (Member, Author) commented Jun 5, 2019

Okay let's stick to known sites then; that way we can avoid uploads and manage CSP. At a glance it looks like Facebook and (the now defunct) Google+ are the only OAuth providers that are storing profile picture URLs in the database. Gravatar should be easy enough to support but worth checking to see if Twitter has a similar picture feature.

@philosophicles (Member) commented Jun 15, 2019

☝️ have raised a new ticket for implementing retrieval of profile picture (URLs) from Twitter, since that's a rather different (and less controversial?) thing to this suggested feature.
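
An added example, not part of the thread and not Camdram's code: one way to enforce the "known sites only" approach discussed above, using a single host allowlist both to validate stored picture URLs and to build the CSP `img-src` directive. The host list and the `show_picture` opt-in flag are assumptions; `person_id` and `profile_picture_url` are the columns from the query in the issue.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of provider image hosts (illustrative, not Camdram's real config).
ALLOWED_IMAGE_HOSTS = ("graph.facebook.com", "www.gravatar.com")


def is_allowed_picture_url(url: str) -> bool:
    """Accept only https URLs on the default port whose exact host is allowlisted."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # rejects https://www.gravatar.com@other.example/ tricks
    return parts.hostname in ALLOWED_IMAGE_HOSTS


def img_src_directive() -> str:
    """Build the CSP img-src directive from the same allowlist the validator uses."""
    return " ".join(["img-src", "'self'"] + [f"https://{h}" for h in ALLOWED_IMAGE_HOSTS])


def picture_for_person(user: dict) -> Optional[str]:
    """Return the URL to render on the public person page, or None.

    person_id and profile_picture_url are the columns from the query in the
    issue; show_picture is a hypothetical opt-in flag.
    """
    url = user.get("profile_picture_url")
    if user.get("person_id") is None or not user.get("show_picture") or not url:
        return None
    return url if is_allowed_picture_url(url) else None


# Constructed sample rows, not real data.
SAMPLE_USERS = [
    {"person_id": 1, "show_picture": True,
     "profile_picture_url": "https://www.gravatar.com/avatar/0123456789abcdef?s=80"},
    {"person_id": 2, "show_picture": True,
     "profile_picture_url": "https://tracker.example/pixel.png"},
    {"person_id": 3, "show_picture": False,
     "profile_picture_url": "https://graph.facebook.com/0000/picture"},
]

if __name__ == "__main__":
    print(img_src_directive())
    for u in SAMPLE_USERS:
        print(u["person_id"], picture_for_person(u))
```

CSP is also enforced on redirect targets, so a provider endpoint that redirects to a separate CDN host needs that host on the list as well.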
