| Topic: | No way easy to remove pictures of deleted users |
| Severity: | Minor |
| Versions affected: | < 1.9.4, < 1.8.8 |
| Reported by: | Juan Segarra Montesinos |
| Issue no.: | MDL-17027 |
| Solution: | update to latest weeklies or replace /user/pix.php workaround is to disable upload of avatars and remove all current images ; fix was not backported into 1.7.x and 1.6.x branches |
Description:
User avatars did not have any login protection at all - intentionally. Login is now required if you enable $CFG->forcelogin (login required for all pages, disabled by default).
Note:
Exploit described in tracker. Please do not confuse this setting with $CFG->forceloginforprofiles.