User presented with Upload Avatar option when no file ext whitelisted


(Sam Houston) #1

We’ve recently decided to disable file uploads, which was accomplished by removing all file types from our upload whitelist. Luckily this removed the option to upload images to posts, but it did not remove the option to upload an avatar. Users have the option to upload an avatar but no file will be allowed.

This has caused a lot of confusion for our users.


(Jeff Atwood) #2

Why? You are forcing users to upload screenshots or images with third party services. I don’t see this as a supported scenario.


(Sam Houston) #3

I’m not sure what you’re asking me.

I got the idea to not whitelist any extensions from a post of yours, where someone asked how to disable file uploads and you suggested deleting all extensions. So I did that, and figured that allowing Gravatar was a way to (relatively) safely allow people to upload images without uploading them directly to our server.

So that’s why I did what I did with our setup.


(Jeff Atwood) #4

Seems like kind of a user hostile set of decisions to me, because images and screenshots are so fundamental to modern discussion… much less support.

But I suppose you are right, if all image upload file types are disabled then custom avatar should not be presented to the user as an option in the UI. Can you add that to your list @zogstrip? More of a fail safe check, if none of the common image formats are allowed, don’t allow the user to select custom avatar.

Not sure what happens when gravatar is disabled and all image file types are removed too, but I guess that is a “hey doctor it hurts when I do this” scenario…


(Régis Hanol) #5

It’s now fixed :dog2:

https://github.com/discourse/discourse/commit/bdbcd21687d4c81634fc6a21e4f84ccbfe18fa7a


(Régis Hanol) #6