Can't change avatar URL via API

idavidson
Community Novice

user[avatar][url] used to work, but no longer. Using curl and Python, separately, I can change other user variables, but not the avatar URL. Has the API changed?

1 Solution

I realized that my initial test wasn't great -- I was using a gravatar URL, and gravatar URLs are allowed.  The PNG that I tried failed because it wasn't a gravatar URL, not because it was a PNG.  I haven't turned up any documentation confirming this, but the Canvas source code indicates that avatar URLs can only point to a specific set of allowed hostnames.  Hostnames matching *.instructure.com and *.gravatar.com are allowed by default, and it appears that additional hostnames can be added via configuration (though I believe this would need to be done by changing config files on the servers; as far as I know there's no UI to do this). 

If you're curious, here's the section of code that handles the avatar URL:

canvas-lms/user.rb at 1030fa037111dadfbd24efa58f274e5981923a23 · instructure/canvas-lms · GitHub 

I expect that this limitation exists for security reasons. In our own Canvas instance, we populate user photos by uploading an image file for each user rather than pointing to an external URL. 

Hope this helps!

--Colin

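The hostname restriction described in the answer above, sketched as an added Ruby example; it is not Canvas's own code and not part of the original post. It assumes suffix matching on the parsed host and treats the bare domain as allowed too; `avatar_url_allowed?` and `extra_suffixes` are hypothetical names, and all sample URLs in the comments and tests are constructed.

```ruby
require "uri"

# Default patterns as stated in the answer (*.instructure.com, *.gravatar.com).
# Assumption: these are hard-coded here, not read from any Canvas config file.
DEFAULT_ALLOWED_SUFFIXES = %w[instructure.com gravatar.com].freeze

# Hypothetical helper: true only when +url+ is an http(s) URL whose parsed
# host is an allowed domain or a subdomain of one. +extra_suffixes+ stands in
# for the "additional hostnames via configuration" the answer mentions.
def avatar_url_allowed?(url, extra_suffixes = [])
  uri = URI.parse(url.to_s.strip)
  # Reject data:, file:, and other schemes (URI::HTTPS subclasses URI::HTTP).
  return false unless uri.is_a?(URI::HTTP)

  # Compare the parsed host, never the raw string: userinfo such as
  # "gravatar.com@other.example" must not count as a match.
  host = uri.host.to_s.downcase.chomp(".")
  return false if host.empty?

  (DEFAULT_ALLOWED_SUFFIXES + extra_suffixes).any? do |suffix|
    # Match on a label boundary so "evilgravatar.com" does not pass.
    host == suffix || host.end_with?(".#{suffix}")
  end
rescue URI::InvalidURIError
  false
end
```

Running a candidate URL through a check like this before calling the API shows whether a rejection is likely due to the hostname rather than the image type.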