Users' avatars shouldn't be fetched from third-party URLs #68
Reference: root/threadr.lostcave.ddnss.de#68
In our current implementation, we fetch users' avatars by setting a direct URL for the image.
You should already know, but that's a really bad practice, and a security risk itself.
Let's uhhh, fix that.
As suggested by @BodgeMaster:
<img src="/file_endpoint?id=1337" alt="Username's Avatar">
I do think that storing pfps as blobs on the database itself is also a viable option.
re: storing files in a database: That would work for pfps because they’re relatively small but I was thinking a few steps ahead.
Generally, databases are not that great for file storage. ThreadR will need infra for file storage one way or the other to support attachments, so that system might as well serve as a backbone for pfps.
I see. Makes sense.
Fixed on 7b0528ef36. Still a very rough implementation, but should work.
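A sketch of the id-based file endpoint suggested in this thread, added here as an example; it is not part of the original discussion and is not ThreadR's code or the implementation in the commit above. The language, the in-memory `FILES` store, the function names `serve_file` and `avatar_tag`, the image-type allowlist and the response headers are all assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample store standing in for the file-storage backend:
# id -> (content type recorded at upload time, file bytes).
FILES = {
    1337: ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    1338: ("text/html", b"<script>1</script>"),  # stored file that is not an image
}
# Assumption: avatars are limited to these raster image types.
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
ID_RE = re.compile(r"[0-9]{1,18}")  # ASCII digits only


def serve_file(query_string, files=FILES):
    """Return (status, headers, body) for GET /file_endpoint?<query_string>."""
    params = parse_qs(query_string, keep_blank_values=True)
    ids = params.get("id", [])
    # Exactly one numeric id is accepted: no URLs, paths or repeated parameters.
    if len(ids) != 1 or not ID_RE.fullmatch(ids[0]):
        return 400, {}, b"bad id"
    entry = files.get(int(ids[0]))
    # Unknown ids and non-image files get the same answer.
    if entry is None or entry[0] not in ALLOWED_TYPES:
        return 404, {}, b"not found"
    ctype, body = entry
    headers = {
        "Content-Type": ctype,  # taken from the stored record, not from the request
        "Content-Length": str(len(body)),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return 200, headers, body


def avatar_tag(file_id, username):
    """Build the <img> markup from a server-side id, never from a user-supplied URL."""
    return '<img src="/file_endpoint?id=%d" alt="%s\'s Avatar">' % (
        int(file_id), html.escape(username, quote=True))
```

With this shape the page markup only ever points at the application's own origin, so a viewer's browser never contacts a host chosen by another user.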