I was looking through the documentation and forum posts, but could not find a reference to the user profile picture upload. Is it possible to deactivate the upload option?
I can confirm that there's no way to prevent users from uploading their profile pictures. The way it works is that admins can change any user's profile picture and anyone can change his/her own picture.
Could you explain why you'd like to disable it?
Hi @Andrey and thanks for the reply.
Our University's GDPR person sees an issue with it if we store profile pictures, even if it is optional and students upload them on their own. So we would have to create a form for students to sign where they allow us to store a profile picture if they upload a profile picture in order to use DSS in class.
Is there an option to add a kind of agreement message after the first login that they have to confirm?
No, DSS doesn't support the customization of a login form in that way.
Since it's not supported out of the box I think there could be several solutions:
1. Considering that profile pictures are stored in DATADIR/config/user-pictures and DATADIR/caches/user-pictures, you can safely delete their contents. I'm not very familiar with GDPR rules, but if they allow very short time storage you could regularly clear those directories using a CRON job.
2. I haven't tried it myself, but it seems that NullFS could do the job if you mounted it and created symlinks between the 2 directories in the answer #1 and the mounted directory.
3. (More complex) You could probably put DSS behind a proxy that would either show a consent message or redirect to DSS depending on a certain cookie.
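Option 1 from the reply above written out as a script. This is an added example, not Dataiku's code and not part of the original post: it clears the two directories named in the post and then checks that no picture files remain. The function names, the `config/` sanity check, and the cron schedule and paths in the comment are assumptions.

```shell
#!/bin/sh
# Added example: purge DSS user profile pictures (option 1 in the post above).
# The directory names come from the thread; everything else is an assumption.

# The two picture directories, relative to the DSS data directory.
PICTURE_SUBDIRS="config/user-pictures caches/user-pictures"

# count_user_pictures DATADIR -> prints the number of stored picture files.
count_user_pictures() {
    cnt_total=0
    for cnt_sub in $PICTURE_SUBDIRS; do
        cnt_dir="$1/$cnt_sub"
        [ -d "$cnt_dir" ] && [ ! -L "$cnt_dir" ] || continue
        cnt_n=$(find "$cnt_dir" -type f | wc -l)
        cnt_total=$((cnt_total + cnt_n))
    done
    echo "$cnt_total"
}

# purge_user_pictures DATADIR -> deletes picture files, keeps the directories.
# Returns 2 on a bad DATADIR, 1 if any file could not be removed.
purge_user_pictures() {
    case "$1" in
        /*) ;;                                   # absolute paths only
        *)  echo "DATADIR must be an absolute path" >&2; return 2 ;;
    esac
    [ -d "$1/config" ] || { echo "no config/ under $1" >&2; return 2; }
    for prg_sub in $PICTURE_SUBDIRS; do
        prg_dir="$1/$prg_sub"
        [ -d "$prg_dir" ] || continue            # nothing uploaded yet
        if [ -L "$prg_dir" ]; then               # never delete through a symlink
            echo "skipping symlink $prg_dir" >&2
            continue
        fi
        find "$prg_dir" -xdev -type f -exec rm -f -- {} + || return 1
    done
    [ "$(count_user_pictures "$1")" -eq 0 ]      # verify nothing is left
}

# Run from cron as the DSS service user, for example (constructed paths):
#   */15 * * * * /usr/local/bin/purge-dss-pictures.sh /data/dss
if [ "$#" -gt 0 ]; then
    purge_user_pictures "$1"
fi
```

A non-zero exit status from the cron run means pictures may still be stored, so it is worth alerting on.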
Thanks for the solutions, 1 and 2 sound good to me. I shall forward those to our GDPR and I will see what I get back.
What would happen if I restrict the writing privileges to the folders you mentioned in (1)?
OK, I just locked the directories for user images using "chattr +i *" and this prohibits upload of profile pictures. DSS does not crash, but the turning icon keeps turning. So, together with a warning not to upload a profile picture this works well enough as a workaround for now.
Yes, you could try making those directories read only, it'll make profile picture requests fail, but the rest should work fine.
Also be aware that project pictures may also be uploaded by users if that's regulated by GDPR as well.