FEATURE: managed auth can override avatars #34123

Status: Open. Wants to merge 1 commit into base: main
FEATURE: managed auth can override avatars
This is mostly just a duplication of the equivalent DiscourseConnect
feature, but applies to managed authenticators instead.
lewisakura committed Aug 6, 2025
commit cf3e8f965251cc3e18bf6370b7f2aaa5f87377a6
Expand Up @@ -27,7 +27,8 @@ export default RouteTemplate(
<UsernamePreference @user={{@controller.model}} />
</div>

{{#unless @controller.siteSettings.discourse_connect_overrides_avatar}}
{{#unless @controller.siteSettings.discourse_connect_overrides_avatar ||
@controller.siteSettings.auth_overrides_avatar}}
<div class="control-group pref-avatar" data-setting-name="user-avatar">
<label class="control-label" id="profile-picture">{{i18n
"user.avatar.title"
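Review bot: `||` is not an operator in Handlebars syntax, so confirm the template compiler used for this route template accepts it inside the `{{#unless}}` argument; the conventional Ember spelling is the `or` helper, e.g. `{{#unless (or @controller.siteSettings.discourse_connect_overrides_avatar @controller.siteSettings.auth_overrides_avatar)}}`. Note also that this only hides the control group; the 422s added in UploadsController#create and UsersController#pick_avatar are what actually enforce the setting for a client that bypasses the UI.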
1 change: 1 addition & 0 deletions app/controllers/uploads_controller.rb
Expand Up @@ -51,6 +51,7 @@ def create
if type == "avatar" &&
(
SiteSetting.discourse_connect_overrides_avatar ||
SiteSetting.auth_overrides_avatar ||
!me.in_any_groups?(SiteSetting.uploaded_avatars_allowed_groups_map)
)
return render json: failed_json, status: 422
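Review bot: the new `SiteSetting.auth_overrides_avatar ||` branch rejects every avatar upload site-wide, including for accounts that never logged in through a managed authenticator (local password users, admins), because unlike DiscourseConnect a managed authenticator is not necessarily the only login path. If that is intended it should be spelled out in the setting description; otherwise scope the check to users who actually have an associated external account. The bare `failed_json` 422 also tells the client nothing about why the upload was refused, so an explicit error message would help.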
4 changes: 3 additions & 1 deletion app/controllers/users_controller.rb
Expand Up @@ -1323,7 +1323,9 @@ def pick_avatar
user = fetch_user_from_params
guardian.ensure_can_edit!(user)

return render json: failed_json, status: 422 if SiteSetting.discourse_connect_overrides_avatar
if SiteSetting.discourse_connect_overrides_avatar || SiteSetting.auth_overrides_avatar
return render json: failed_json, status: 422
end

type = params[:type]

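Review bot: the guard runs before `type = params[:type]`, so with `auth_overrides_avatar` on every pick is rejected, including `system` and `gravatar`, which mirrors the DiscourseConnect behaviour; confirm that is wanted, because `retrieve_avatar` enqueues the download with `override_gravatar: false`, so it is worth checking that a user who is currently showing a gravatar actually ends up on the external image rather than being left with no way to change it.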
1 change: 1 addition & 0 deletions config/locales/server.en.yml
Expand Up @@ -1978,6 +1978,7 @@ en:
auth_overrides_email: "Overrides local email with external site email on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to normalization of local emails)"
auth_overrides_username: "Overrides local username with external site username on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to differences in username length/requirements)"
auth_overrides_name: "Overrides local full name with external site full name on every login, and prevent local changes. Applies to all authentication providers."
auth_overrides_avatar: "Overrides local avatar with external site avatar on every login, and prevent local changes. Applies to all authentication providers."
discourse_connect_overrides_avatar: "Overrides user avatar with value from DiscourseConnect payload. If enabled, users will not be allowed to upload avatars on Discourse."
discourse_connect_overrides_location: "Overrides user location with value from DiscourseConnect payload and prevent local changes."
discourse_connect_overrides_website: "Overrides user website with value from DiscourseConnect payload and prevent local changes."
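Review bot: the new description says "Applies to all authentication providers", but DiscourseConnect keeps its own `discourse_connect_overrides_avatar` and the only code path in this diff that honours the new setting is `ManagedAuthenticator#retrieve_avatar`, so it applies to managed authenticators only and the text should say so. It should also warn admins that users will no longer be able to upload or pick avatars, as the `discourse_connect_overrides_avatar` string does. Minor: "and prevent local changes" should read "and prevents local changes" (the sibling strings carry the same slip).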
1 change: 1 addition & 0 deletions config/site_settings.yml
Expand Up @@ -704,6 +704,7 @@ login:
client: true
auth_overrides_username: false
auth_overrides_name: false
auth_overrides_avatar: false
auth_require_interaction: true
enable_discourse_connect:
client: true
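Review bot: `auth_overrides_avatar` is read from `@controller.siteSettings` in the account preferences template, but here it is added as a bare `false` with no `client: true` (compare `enable_discourse_connect` directly below), so the client will never see the setting and the avatar control group will keep rendering even when the override is on. Either add `client: true` under `auth_overrides_avatar`, or gate the template on a user attribute serialized from the server instead.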
2 changes: 1 addition & 1 deletion lib/auth/managed_authenticator.rb
Expand Up @@ -140,7 +140,7 @@ def find_user_by_username(auth_token)

def retrieve_avatar(user, url)
return unless user && url.present?
return if user.user_avatar.try(:custom_upload_id).present?
return if user.user_avatar.try(:custom_upload_id).present? && !SiteSetting.auth_overrides_avatar
Jobs.enqueue(:download_avatar_from_url, url: url, user_id: user.id, override_gravatar: false)
end

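Review bot: with `auth_overrides_avatar` enabled the early return is skipped and a `download_avatar_from_url` job is enqueued on every login whether or not `url` changed, so a busy site will re-download the same image for the same user repeatedly; consider skipping the enqueue when the provider URL matches what was last fetched. The override also silently does nothing when the provider sends no `url` (the `url.present?` return fires first), leaving the user's own upload in place, which is at odds with the "overrides local avatar ... on every login" description. Finally, `override_gravatar: false` is worth re-checking for the override case, since the stated intent is that the external image wins.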
11 changes: 11 additions & 0 deletions spec/lib/auth/managed_authenticator_spec.rb
Expand Up @@ -242,6 +242,17 @@ def match_by_email
hash.deep_merge(info: { image: "https://some.domain/image.jpg" }),
)
}.not_to change { Jobs::DownloadAvatarFromUrl.jobs.count }

# User already has profile picture and settings dictate we must override it, schedule
SiteSettings.auth_overrides_avatar = true
user.user_avatar = Fabricate(:user_avatar, custom_upload: Fabricate(:upload))
user.save!
expect {
result =
authenticator.after_authenticate(
hash.deep_merge(info: { image: "https://some.domain/image.jpg" }),
)
}.to change { Jobs::DownloadAvatarFromUrl.jobs.count }.by(1)
end
end

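Review bot: `SiteSettings.auth_overrides_avatar = true` on the new line uses a plural constant; everywhere else in this diff it is `SiteSetting`, so this raises NameError and the example cannot pass as written. `result =` is assigned but never read and can be dropped.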
6 changes: 6 additions & 0 deletions spec/requests/uploads_controller_spec.rb
Expand Up @@ -199,6 +199,12 @@
expect(response.status).to eq(422)
end

it "ensures auth_overrides_avatar is not enabled when uploading an avatar" do
SiteSetting.auth_overrides_avatar = true
post "/uploads.json", params: { file: logo, upload_type: "avatar" }
expect(response.status).to eq(422)
end

it "allows staff to upload any file in PM" do
SiteSetting.authorized_extensions = "jpg"
SiteSetting.allow_staff_to_upload_any_file_in_pm = true
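Review bot: the example name "ensures auth_overrides_avatar is not enabled when uploading an avatar" describes the opposite of what the body does (it enables the setting and expects a 422); something like "rejects avatar uploads when auth_overrides_avatar is enabled" reads correctly in the spec output.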
13 changes: 12 additions & 1 deletion spec/requests/users_controller_spec.rb
Expand Up @@ -3635,7 +3635,7 @@ def enabled?
expect(response).to be_forbidden
end

it "raises an error when discourse_connect_overrides_avatar is disabled" do
it "raises an error when discourse_connect_overrides_avatar is enabled" do
SiteSetting.discourse_connect_overrides_avatar = true
put "/u/#{user1.username}/preferences/avatar/pick.json",
params: {
Expand All @@ -3646,6 +3646,17 @@ def enabled?
expect(response.status).to eq(422)
end

it "raises an error when auth_overrides_avatar is enabled" do
SiteSetting.auth_overrides_avatar = true
put "/u/#{user1.username}/preferences/avatar/pick.json",
params: {
upload_id: upload.id,
type: "custom",
}

expect(response.status).to eq(422)
end

it "raises an error when trying to pick Gravatar when gravatars are not enabled" do
SiteSetting.gravatar_enabled = false
put "/u/#{user1.username}/preferences/avatar/pick.json",
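Review bot: the new example only exercises `type: "custom"`; since the guard in `pick_avatar` sits before the `type` branch, it is worth adding a case for `type: "gravatar"` (or `"system"`) so the spec pins down that every pick is rejected while `auth_overrides_avatar` is on, rather than only custom uploads.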