Suspended users shouldn't be allowed to change avatar

[matteocontrini]

Suspended users are currently allowed to change the avatar, potentially as a workaround for spreading spam or something else.

Suspended users shouldn't be allowed to do that.

[clarkwinkelmann]

The problem is here

https://github.com/flarum/core/blob/b87c7189cc526cfc28e6eb207c8d19a2d8d14c06/src/User/Command/UploadAvatarHandler.php#L67-L69

We should create a new method on the user policy for editAvatar and move that logic there so it can be affected by other extensions.

That's actually very similar to the changes I recently made to the bio extension. It was previously hard-coded in the controller and I moved it to a policy FriendsOfFlarum/user-bio@1a2655d#diff-dfca4adbcf6b2db93354567377bf9d41

We will still need an additional ->can() call in there because that's where a suspend would actually return false. Just moving the current code to a policy isn't enough but would be best practice. We could introduce a new permission to decide which users are allowed to have an avatar or just query another permission any user should have.

[clarkwinkelmann]

This might be something to solve while we split the permissions for flarum/framework#1965

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum.
In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!

[PeopleInside]

not stale

[PeopleInside]

Will be nice if this can be fixed in Beta 16

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum.
In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!

[PeopleInside]

Not stale nice stale bot :)

[hxri]

I would Like to work on this.

[askvortsov1]

I would Like to work on this.

Great to hear! Would you also be interested in some aspects of the linked issue by any chance? Feel free to jump into that discussion 😁

[askvortsov1]

@hxri If you still want to work on this, https://github.com/flarum/core/issues/3033#issuecomment-906090910 might be a good and simple approach (pending discussion, might want to give it a few days unless there are other ideas / objections).

[hxri]

@hxri If you still want to work on this, #3033 (comment) might be a good and simple approach (pending discussion, might want to give it a few days unless there are other ideas / objections).

Sure! I will work on #3033 (comment) first.

[askvortsov1]

@hxri If you still want to work on this, #3033 (comment) might be a good and simple approach (pending discussion, might want to give it a few days unless there are other ideas / objections).

Sure! I will work on #3033 (comment) first.

Thanks! Since the current suspend implementation adds users to the "guest" group, if we don't allow guests to change their avatar, that should be enough to close that issue.

[SychO9]

flarum/framework#3890