• Resolved Nathan

    (@nathan1776)


    Hi

    Is it not dangerous to let people upload files to your server?

    I wonder if this is safe to use.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author pepe

    (@pputzer)

    Hi @nathan1776, sorry for the late reply.

    Avatar Privacy uses standard WordPress functions and permissions for uploading data, so only users who are allowed to upload images are allowed to upload avatar pictures.

    Thread Starter Nathan

    (@nathan1776)

    Got it

    I am concerned because I do have thousands of users since it’s an ecommerce site. Any concerns?

    Plugin Author pepe

    (@pputzer)

    Unless you have given them upload capabilities, they will not be able to upload files. (I’m assuming those users have something similar to subscriber role, i.e. rather limited permissions.)

    While I can offer no guarantees of any kind, there should not be any issues with the avatar caching functionality. However, I’d advise you to test the plugin in your staging environment first.

    Thread Starter Nathan

    (@nathan1776)

    Anyone can create an account if they place an order. Even if small.

    Is there any way a user could use the upload functionality to upload a malicious file?

    Plugin Author pepe

    (@pputzer)

    As I said, that depends on how you have set up your site (i.e., on what user role those accounts get and what capabilities you give them). If they can upload things in Avatar Privacy, it is because your site explicitly allows them to upload files (i.e. the user has the upload_files capability).

    Now if your users (all of them, including admins) should not be able to upload custom profile pictures, there is a filter hook to disable this functionality completely. Adding this line to your functions.php should do the trick:

    add_filter('avatar_privacy_profile_picture_upload_disabled', '__return_true');
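
Editor's added example, not written by the plugin author and not part of Avatar Privacy: one way to check which roles on a site actually hold the upload_files capability mentioned in the reply above, and to apply the quoted filter only when an unexpected role has it. The helper name, the constant and the list of expected roles are assumptions to adjust per site; it also assumes the filter's return value is read as a boolean, as the `__return_true` usage suggests.

```php
<?php
// Added example (not Avatar Privacy code). Place in a small must-use plugin
// or in the theme's functions.php.

// Assumption: the roles that are supposed to upload files on this site.
const EXAMPLE_EXPECTED_UPLOAD_ROLES = array( 'administrator', 'editor', 'author' );

/**
 * Hypothetical helper: slugs of all roles that hold upload_files.
 */
function example_roles_with_upload_files(): array {
    $slugs = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( $role->has_cap( 'upload_files' ) ) {
            $slugs[] = $slug;
        }
    }
    return $slugs;
}

/**
 * Hypothetical helper: roles that can upload but are not on the expected list.
 */
function example_unexpected_upload_roles(): array {
    return array_values(
        array_diff( example_roles_with_upload_files(), EXAMPLE_EXPECTED_UPLOAD_ROLES )
    );
}

// Show administrators a warning when role configuration has drifted.
add_action( 'admin_notices', function () {
    $unexpected = example_unexpected_upload_roles();
    if ( ! current_user_can( 'manage_options' ) || empty( $unexpected ) ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( 'Roles with upload_files beyond the expected set: ' . implode( ', ', $unexpected ) )
    );
} );

// Fail closed: switch profile picture uploads off (using the filter quoted
// in the reply above) for as long as an unexpected role can upload files.
add_filter( 'avatar_privacy_profile_picture_upload_disabled', function () {
    return ! empty( example_unexpected_upload_roles() );
} );
```
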

    Plugin Author pepe

    (@pputzer)

    Anything else I can help you with, @nathan1776, or can we close this topic as resolved?


The topic ‘Security Concerns’ is closed to new replies.