rainlab/user-plugin

GDPR: why is the avatar image public and not protected?

Closed this issue · 4 comments

Hello, the attached avatar image is stored in public storage.
To be GDPR compliant, could it be stored in a protected directory?
When storing a blob image with:
$user->avatar = Input::file('avatar');
I can't change the attribute is_public. Thanks

The RainLab.User plugin is for frontend users, and protected files are locked to being viewed by backend users only. Thus this request makes no sense, and saying that it would need to be protected files "for GDPR compliance" also makes no sense.

Luke, I missed that protected files can only be viewed by backend users.
But when I connect to /storage/app/uploads/public/, I can browse all avatars.

@Incremental92 that's the fault of your server configuration then, you shouldn't be allowing automatic directory listings.

You're right. I'm developing on local and the Nginx default conf was set to autoindex on;
Thanks, you can delete or close this post.
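
The misconfiguration identified in this thread can be checked for before deployment. The following is an added example, not part of the original thread or the RainLab.User plugin: a small Python audit that resolves the effective `autoindex` value for every block in an Nginx config, including values inherited from a parent block. The sample config, its paths other than `/storage/app/uploads/public/`, and the function names are constructed for illustration; the parser assumes no braces or semicolons inside quoted strings or regex locations.

```python
import re

# Constructed sample: autoindex is enabled at server level, so every
# location inherits it unless it sets the directive itself.
SAMPLE_CONF = """
server {
    listen 80;
    root /var/www/october;            # constructed path
    autoindex on;
    location / {
        try_files $uri /index.php$is_args$args;
    }
    location /storage/app/uploads/public/ { }
    location /storage/app/media/ {
        autoindex off;
    }
}
"""

def effective_autoindex(conf_text):
    """Return [(block_header, 'on'|'off')] in file order, applying Nginx
    inheritance: a block without its own autoindex uses its parent's."""
    text = re.sub(r"#[^\n]*", "", conf_text)           # strip comments
    root = {"name": "main", "own": None, "parent": None}
    blocks, current = [], root
    for m in re.finditer(r"([^{};]*)([{};])", text):
        head, sep = m.group(1).split(), m.group(2)
        if sep == "{":                                   # open a nested block
            current = {"name": " ".join(head), "own": None, "parent": current}
            blocks.append(current)
        elif sep == "}":                                 # close it
            current = current["parent"] or root
        elif len(head) == 2 and head[0] == "autoindex":  # directive seen
            current["own"] = head[1]

    def resolve(block):
        # Walk up to the nearest ancestor that sets the directive;
        # resolving after parsing makes directive order irrelevant.
        while block is not None:
            if block["own"] is not None:
                return block["own"]
            block = block["parent"]
        return "off"                                     # Nginx default
    return [(b["name"], resolve(b)) for b in blocks]

def listing_enabled(conf_text):
    """Headers of all blocks where directory listing is effectively on."""
    return [n for n, v in effective_autoindex(conf_text) if v == "on"]

if __name__ == "__main__":
    for name in listing_enabled(SAMPLE_CONF):
        print("directory listing enabled in:", name)
```
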