|Topic:||No way easy to remove pictures of deleted users|
|Versions affected:||< 1.9.4, < 1.8.8|
|Reported by:||Juan Segarra Montesinos|
|Solution:||update to latest weeklies or replace /user/pix.php workaround is to disable upload of avatars and remove all current images ; fix was not backported into 1.7.x and 1.6.x branches
User avatars did not have any login protection at all - intentionally. Login is now required if you enable $CFG->forcelogin (login required for all pages, disabled by default).
Exploit described in tracker. Please do not confuse this setting with $CFG->forceloginforprofiles.