Merge pull request #105 from barbuza/master

`EXPOSE_USERNAMES` prevents sensitive information leakage

avatar/conf.py

@@ -20,11 +20,16 @@ class AvatarConf(AppConf):
     THUMB_QUALITY = 85
     HASH_FILENAMES = False
     HASH_USERDIRNAMES = False
+    EXPOSE_USERNAMES = True
     ALLOWED_FILE_EXTS = None
     CACHE_TIMEOUT = 60 * 60
     STORAGE = settings.DEFAULT_FILE_STORAGE
     CLEANUP_DELETED = False
     AUTO_GENERATE_SIZES = (DEFAULT_SIZE,)
+    FACEBOOK_BACKUP = False
+    FACEBOOK_GET_ID = None
+    DISABLE_CACHE = False
+    RANDOMIZE_HASHES = False
 
     def configure_auto_generate_avatar_sizes(self, value):
         return value or getattr(settings, 'AVATAR_AUTO_GENERATE_SIZES',

avatar/models.py

@@ -1,3 +1,4 @@
+import binascii
 import datetime
 import os
 import hashlib
@@ -9,6 +10,7 @@ from django.core.files.base import ContentFile
 from django.core.files.storage import get_storage_class
 from django.utils.module_loading import import_string
 from django.utils.translation import ugettext as _
+from django.utils.encoding import force_text
 from django.utils import six
 from django.db.models import signals
 
@@ -26,10 +28,12 @@ avatar_storage = get_storage_class(settings.AVATAR_STORAGE)()
 def avatar_path_handler(instance=None, filename=None, size=None, ext=None):
     tmppath = [settings.AVATAR_STORAGE_DIR]
     if settings.AVATAR_HASH_USERDIRNAMES:
-        tmp = hashlib.md5(get_username(instance.user)).hexdigest()
-        tmppath.extend([tmp[0], tmp[1], get_username(instance.user)])
-    else:
+        tmp = hashlib.md5(force_bytes(get_username(instance.user))).hexdigest()
+        tmppath.extend(tmp[0:2])
+    if settings.AVATAR_EXPOSE_USERNAMES:
         tmppath.append(get_username(instance.user))
+    else:
+        tmppath.append(force_text(instance.user.pk))
     if not filename:
         # Filename already stored in database
         filename = instance.avatar.name
@@ -44,7 +48,10 @@ def avatar_path_handler(instance=None, filename=None, size=None, ext=None):
         # File doesn't exist yet
         if settings.AVATAR_HASH_FILENAMES:
             (root, ext) = os.path.splitext(filename)
-            filename = hashlib.md5(force_bytes(filename)).hexdigest()
+            if settings.AVATAR_RANDOMIZE_HASHES:
+                filename = binascii.hexlify(os.urandom(16)).decode('ascii')
+            else:
+                filename = hashlib.md5(force_bytes(filename)).hexdigest()
             filename = filename + ext
     if size:
         tmppath.extend(['resized', str(size)])

avatar/templatetags/avatar_tags.py

@@ -11,6 +11,7 @@ from django.core.urlresolvers import reverse
 from django.template.loader import render_to_string
 from django.utils import six
 from django.utils.translation import ugettext as _
+from django.utils.module_loading import import_string
 
 from avatar.conf import settings
 from avatar.util import (get_primary_avatar, get_default_avatar_url,
@@ -19,6 +20,14 @@ from avatar.models import Avatar
 
 register = template.Library()
 
+get_facebook_id = None
+
+if settings.AVATAR_FACEBOOK_BACKUP:
+    if callable(settings.AVATAR_FACEBOOK_GET_ID):
+        get_facebook_id = settings.AVATAR_FACEBOOK_GET_ID
+    else:
+        get_facebook_id = import_string(settings.AVATAR_FACEBOOK_GET_ID)
+
 
 @cache_result()
 @register.simple_tag
@@ -27,6 +36,13 @@ def avatar_url(user, size=settings.AVATAR_DEFAULT_SIZE):
     if avatar:
         return avatar.avatar_url(size)
 
+    if settings.AVATAR_FACEBOOK_BACKUP:
+        fb_id = get_facebook_id(user)
+        if fb_id:
+            return 'https://graph.facebook.com/{fb_id}/picture?type=square&width={size}&height={size}'.format(
+                fb_id=fb_id, size=size
+            )
+
     if settings.AVATAR_GRAVATAR_BACKUP:
         params = {'s': str(size)}
         if settings.AVATAR_GRAVATAR_DEFAULT:

avatar/util.py

@@ -51,6 +51,12 @@ def cache_result(default_size=settings.AVATAR_DEFAULT_SIZE):
     Decorator to cache the result of functions that take a ``user`` and a
     ``size`` value.
     """
+
+    if settings.AVATAR_DISABLE_CACHE:
+        def decorator(func):
+            return func
+        return decorator
+
     def decorator(func):
         def cached_func(user, size=None):
             prefix = func.__name__