User cannot add e.g. alt text to a picture in his profile

I have installed a fresh Kirby starterkit 3.3.5.

Then I have added the blueprint site\blueprints\users\editor.yml:

# site\blueprints\users\editor.yml
title: Editor
permissions:
  access:
    panel: true
    site: true
    settings: false
    users: false
  files:
    create: true
    changeName: true
    delete: true
    replace: true
    update: TRUE
  site:
    update: false
  pages:
    create: true
    changeTemplate: true
    changeTitle: true
    changeSlug: true
    delete: false
    hide: true
    sort: true
    update: true
  user:
    create: false # how can a user create **himself** ???
    changeName: TRUE
    changeEmail: TRUE
    changeLanguage: FALSE
    changePassword: false
    changeRole: false
    delete: false
    update: TRUE

sections:
  meta:
    type: fields
    fields:
      phone:
        label: Telefon
        type: tel
        width: 1/3
        placeholder: +49 000 00000000-000
      mobile:
        label: mobile Phone
        type: tel
        width: 1/3
        placeholder: +49 000 00000000
      website:
        label: Website
        type: url
        width: 1/3

  documents:
    type: files
    empty: "No documents yet"
    headline: My files
    layout: cards
    size: small
    template: image

Then as admin I have added a new user Editor with this role Editor.

Then I have logged in using another browser as this user Editor.
He added a picture in his profile in the area “My files” of the panel.
If he clicks on this new picture he gets the error:

[Image: editor_files_error_EN]

and the panel redirects to the site's root.

As admin I can double-click that picture of the user and e.g. add the “alt text”. But not as Editor himself.

Something is wrong.

The problem is that the files are accessible under the panel/users/... URL. So if you set

permissions:
  access:
    users: false

your user cannot access files. It’s a bit unfortunate, because this way users will still be able to see the user list, unless you create your own users view (which is still not really possible but will hopefully be fixed soon).

But then I must add

  users:
    create: false
    changeEmail: false
    changeLanguage: false
    changeName: false
    changePassword: false
    changeRole: false
    delete: false
    update: false

Yes, I hope so too.

I suggest that there should be additional permissions for the files in the user and users profiles.

Now the Editor can see all fields and their content of all other users.

Data protection according to DSGVO/GDPR is therefore not possible with the latest Kirby version 3.3.5, if we need such fields…

You can probably solve this with some workarounds like a before hook and some conditional style sheets to hide stuff away.

The place to post ideas is here: https://github.com/getkirby/ideas/

(And yes, I know you don’t have an account).

I wouldn’t call this a data protection problem, your use case is just not supported at the moment. If you don’t want to allow access to users, don’t use files with meta data in the user profiles.

The tone of your post is not what we want to have here on the forum. This is a nice and friendly place, and we want to keep it this way.

@texnixe:

Thank you very much for the issue at Github: Expose user files via the account route #2580.
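
The permission trade-off discussed in this thread can be checked mechanically before a role goes live. The following is an added example, not part of any post and not Kirby's own code: a small Python lint over an already-parsed role blueprint. The function names and finding labels are hypothetical, the sample blueprints are constructed from the ones quoted above, and it assumes that any permission not explicitly set to false is granted, as the need to list every `users` action in the thread suggests.

```python
# Added example (not Kirby code): lint a parsed role blueprint for the
# access.users / user-files trade-off discussed in this thread.
USERS_ACTIONS = ("create", "changeEmail", "changeLanguage", "changeName",
                 "changePassword", "changeRole", "delete", "update")


def allowed(permissions, group, action):
    # Assumption: anything not explicitly set to false is granted, which is
    # why the thread lists every users.* action with "false".
    return (permissions.get(group) or {}).get(action, True) is not False


def lint_role(blueprint):
    """Return a list of findings for one role blueprint (dict from YAML)."""
    perms = blueprint.get("permissions") or {}
    sections = blueprint.get("sections") or {}
    has_files = any(s.get("type") == "files" for s in sections.values())
    findings = []
    if not allowed(perms, "access", "users"):
        # The profile's files live under panel/users/..., so they are cut off.
        if has_files:
            findings.append("files-unreachable: files section is served under "
                            "panel/users/..., blocked by access.users: false")
        return findings
    # With access.users granted, the role sees the user list and profiles.
    findings.append("users-visible: role can open the user list and read "
                    "other users' profile fields")
    for action in USERS_ACTIONS:
        if allowed(perms, "users", action):
            findings.append(f"users.{action}: not explicitly false")
    return findings


# Constructed samples modelled on the blueprints quoted in the thread.
SECTIONS = {"meta": {"type": "fields"}, "documents": {"type": "files"}}
ORIGINAL = {"permissions": {"access": {"panel": True, "users": False}},
            "sections": SECTIONS}
OPENED = {"permissions": {"access": {"panel": True, "users": True}},
          "sections": SECTIONS}
LOCKED = {"permissions": {"access": {"panel": True, "users": True},
                          "users": {a: False for a in USERS_ACTIONS}},
          "sections": SECTIONS}

if __name__ == "__main__":
    for name, bp in (("original", ORIGINAL), ("opened", OPENED),
                     ("locked", LOCKED)):
        print(name, lint_role(bp))
```

Even the fully locked-down variant still reports `users-visible`, which matches the remaining exposure described in the thread.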