Community

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
idavidson
New Member

Can't change avatar url via api

Jump to solution

user[avatar][url] used to work, but no longer. Using curl and python, separately, I can change other user variables, but not the avatar url. Has the api changed?

Tags (2)
1 Solution

Accepted Solutions

I realized that my initial test wasn't great -- I was using a gravatar URL, and gravatar URLs are allowed.  The PNG that I tried failed because it wasn't a gravatar URL, not because it was a PNG.  I haven't turned up any documentation confirming this, but the Canvas source code indicates that avatar URLs can only point to a specific set of allowed hostnames.  Hostnames matching *.instructure.com and *.gravatar.com are allowed by default, and it appears that additional hostnames can be added via configuration (though I believe this would need to be done by changing config files on the servers; as far as I know there's no UI to do this). 

If you're curious, here's the section of code that handles the avatar URL:

canvas-lms/user.rb at 1030fa037111dadfbd24efa58f274e5981923a23 · instructure/canvas-lms · GitHub 

I expect that this limitation exists for security reasons. In our own Canvas instance, we populate user photos by uploading an image file for each user rather than pointing to an external URL. 

Hope this helps!

--Colin

View solution in original post

13 Replies
ColinMurtaugh
Community Champion

Hi Iver --

I am able to change a user's avatar URL as you describe above, but I did notice that it only seemed to work when I pointed to a JPEG; when I pointed to a PNG it seemed to revert to the placeholder image.  I poked around in the APIdocumentation for any mention what image format(s) are supported but didn't turn anything up. Maybe there's something in the Admin guide.

--Colin

Thank you, Colin.

What the script has done successfully in the past is use an encrypted string to point to a jpg file. Suddenly it's not working. I have tried to point directly to a jpg file, again without success.  Any help is greatly appreciated.

--Iver

I realized that my initial test wasn't great -- I was using a gravatar URL, and gravatar URLs are allowed.  The PNG that I tried failed because it wasn't a gravatar URL, not because it was a PNG.  I haven't turned up any documentation confirming this, but the Canvas source code indicates that avatar URLs can only point to a specific set of allowed hostnames.  Hostnames matching *.instructure.com and *.gravatar.com are allowed by default, and it appears that additional hostnames can be added via configuration (though I believe this would need to be done by changing config files on the servers; as far as I know there's no UI to do this). 

If you're curious, here's the section of code that handles the avatar URL:

canvas-lms/user.rb at 1030fa037111dadfbd24efa58f274e5981923a23 · instructure/canvas-lms · GitHub 

I expect that this limitation exists for security reasons. In our own Canvas instance, we populate user photos by uploading an image file for each user rather than pointing to an external URL. 

Hope this helps!

--Colin

Thank you, Colin! It's a relief to understand what's going on, though I see I have more work ahead of me to fix our situation. I appreciate your help.

--Iver

natalie_norton1
Community Champion

Our ITS team noticed the same thing last week - we import profile photos via API but updates are no longer working. 

If you're hosting the profile photos, it might be worth checking with your CSM to see if your server's hostname can be added to the whitelist.

--Colin

udelhsar
Community Contributor

50581462‌ and  @natalie_norton1 ‌ were either of you successful in getting the server's hostname whitelisted?  We've been working on doing this with little luck. 

Sara 

Hi Sara --

We actually upload the avatar images to Canvas, so we didn't need to get an external server whitelisted.

--Colin

We are in the process right now of trying to get avatars loaded up on Canvas through API. We are hitting a snag and I think that you were on to something with it having to be gravtar or Canvas based hosting them. I am looking into what Gravatar is right now and if that is an option. We are talking to our CSM on Monday and will mention to them about whitelisting our site so we can try it that way.

Anyway, I was wondering if you had a quick rundown on how you are uploading your images. Are you uploading them to different student profiles for them? Are you using the API? We are a little lost right now and trying to find north. What we did is not working and just trying to figure out what works from someone.

Thanks,

Bill