  1. Confluence Cloud
  2. CONFCLOUD-73528

User profile picture visibility settings not respected in Connect Apps for Confluence


Details

    Description

      Status Update

      Based on further investigation we have concluded that this is not a privacy issue.

      We are not leaking any photos of other users. Their privacy settings are being properly respected.

      The difference between Confluence and Jira lies in how we return URLs for the photos. Confluence returns a URL back to the user within our own system, which then gets called to fetch the photo. Behind the scenes, we then call the avatar management service to get the user's photo and return this URL to the browser for it to be rendered. Jira directly returns this URL for the avatar management service.

      The difference is then in the fact that Jira hardcodes these URLs into the response, and since to GET the user data it was the APP making the request, the profile photo is also assumed to be the APP calling it, and thus the APP shouldn't have access.

      In Confluence, we return a URL that then gets evaluated in our system and turned into a redirect. The difference is that this URL in our system gets called at page display time from the BROWSER itself (as the logged-in user).

      Issue Summary

      According to the Profile Visibility documentation page for app developers:

      •  Avatar shows a masked avatar (the user's initials) rather than the profile picture, if it is restricted.

       
      This is working as documented in Connect apps for Jira Cloud, while the user profile picture is always displayed in Confluence Cloud Connect apps, even when this is actually restricted in the profile visibility settings for the user.

      Steps to Reproduce

      1. Update your Profile Visibility settings so that the profile picture is only visible to you (or only to you and the organization)
      2. Install Whiteboards for Jira: team collaboration
      3. Create a new board, in the upper right corner see that your initials are displayed as the user avatar instead of the Profile Picture:
      4. Now repeat the same test using the Confluence app Whiteboards: collaborative flows and diagrams in Confluence 

      Expected Results

      As in Jira, your initials are displayed as the user avatar instead of the Profile Picture

      Actual Results

      The profile picture is displayed:

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
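
The two flows described in the Status Update can be modelled as follows. This is an added example, not Atlassian code: it is a simplified model in which every name, URL and field (`avatarUrl`, `/avatar-redirect/...`, the `avatars.example` hosts) is a hypothetical assumption. It shows that the visibility check gives the same answer for the same requester in both products, and that only the identity of the requester differs.

```python
# Simplified model of the two avatar flows; all names are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    id: str
    org: Optional[str] = None  # an app belongs to no organization
    is_app: bool = False

@dataclass(frozen=True)
class Profile:
    owner: Principal
    visibility: str  # "only_me" | "organization" | "anyone"
    photo_url: str = "https://avatars.example/photo/alice"        # constructed
    initials_url: str = "https://avatars.example/initials/alice"  # constructed

def avatar_service_url(profile: Profile, requester: Principal) -> str:
    """Apply the owner's visibility setting to whoever is asking."""
    same_org = (not requester.is_app and requester.org is not None
                and requester.org == profile.owner.org)
    allowed = (profile.visibility == "anyone"
               or requester.id == profile.owner.id
               or (profile.visibility == "organization" and same_org))
    return profile.photo_url if allowed else profile.initials_url

def jira_style_response(profile: Profile, app: Principal) -> dict:
    # Final avatar URL is resolved while answering the app's request,
    # so the app is the requester and a restricted photo is masked.
    return {"avatarUrl": avatar_service_url(profile, app)}

def confluence_style_response(profile: Profile, app: Principal) -> dict:
    # Only an indirection URL is returned; no visibility decision yet.
    return {"avatarUrl": f"/avatar-redirect/{profile.owner.id}"}

def browser_resolves(profile: Profile, logged_in_user: Principal) -> str:
    # At page display time the browser calls the indirection URL with the
    # logged-in user's session; the redirect target depends on that user.
    return avatar_service_url(profile, logged_in_user)

# Constructed sample principals and a restricted profile.
ALICE = Principal("alice", org="acme")
BOB = Principal("bob", org="acme")
CAROL = Principal("carol", org="other")
APP = Principal("whiteboard-app", is_app=True)
RESTRICTED = Profile(owner=ALICE, visibility="only_me")
```

In this model the owner viewing a board resolves to the real photo while any other viewer resolves to the initials avatar, so a check of the visibility setting has to be made from a second account rather than from the profile owner's own session.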

            People

              Unassigned Unassigned
              dbonotto Dario B