Suspended user, not verified user are able to change image avatar

peopleinside

I'm using the latest Flarum version.

If an user is registered but need to confirm his email address, should be not able to upload or change his avatar. Actualy is so this is not good.
If an user is suspended is able to change avatar, this should be not happen.

clarkwinkelmann

That feature is unfortunately not protected by a permission at the moment, it's just a hard-coded check whether the actor is the same as the target user.

My readonly extension hooks into it but it disables the feature completely rather than fixing the missing permission https://discuss.flarum.org/d/30633-readonly-profile

A PR on core to replace the hard-coded check with a gated permission would be nice. It could be a good idea to introduce a named permission to go with it in the admin panel, but it's not absolutely necessary.

Currently I think Flarum only uses gated permissions when a permission actually exists in the admin panel for it. Other features that don't have a permission in the admin panel are hard-coded. But we should replace those with named gated permissions even if they don't exist in the admin panel so extensions can hook into them via the gate.

peopleinside

clarkwinkelmann this extension allow to disable a single user profile or all profiles?
I cannot see how this extension looks as there is no screenshots.

My readonly extension hooks into it but it disables the feature completely

For all user or allow to do it for a single user? Will be a control in the user profile to disable a specific user?

That feature is unfortunately not protected by a permission at the moment, it's just a hard-coded check whether the actor is the same as the target user.

A PR on core to replace the hard-coded check with a gated permission would be nice. It could be a good idea to introduce a named permission to go with it in the admin panel, but it's not absolutely necessary.

The bad is that any spam profile can register than upload illegal pictures.
Admin cannot do nothing because if the profile is deleted is not yet banned.
If is suspended user still be able to upload illegal pictures.

This is very bad to not have control of users.

peopleinside

We are on 2023 and still have the issue that suspended user can upload image profile also covered by copyright or porno images.

Today I installed the extension Profile Cover and discovered that extension respect the suspended user state that will be not able to remove or upload a cover.

The issue will still be present in the Flarum user avatar that can be always be edited by the user.
There is a GitHub issue about this problem?
Where I can track the progression of this? I hope this will be fixed.

https://discuss.flarum.org/d/32505-flag-user-profile

SychO

I remember this being already logged in the issue archive, so we'll get to it when we can get to it.

Nearata

ref:

flarum/issue-archive214
flarum/issue-archive48