user[avatar][url] used to work, but no longer. Using curl and python, separately, I can change other user variables, but not the avatar url. Has the api changed?
I realized that my initial test wasn't great -- I was using a gravatar URL, and gravatar URLs are allowed. The PNG that I tried failed because it wasn't a gravatar URL, not because it was a PNG. I haven't turned up any documentation confirming this, but the Canvas source code indicates that avatar URLs can only point to a specific set of allowed hostnames. Hostnames matching *.instructure.com and *.gravatar.com are allowed by default, and it appears that additional hostnames can be added via configuration (though I believe this would need to be done by changing config files on the servers; as far as I know there's no UI to do this).
If you're curious, here's the section of code that handles the avatar URL:
canvas-lms/user.rb at 1030fa037111dadfbd24efa58f274e5981923a23 · instructure/canvas-lms · GitHub
I expect that this limitation exists for security reasons. In our own Canvas instance, we populate user photos by uploading an image file for each user rather than pointing to an external URL.
Hope this helps!
Hi Iver --
I am able to change a user's avatar URL as you describe above, but I did notice that it only seemed to work when I pointed to a JPEG; when I pointed to a PNG it seemed to revert to the placeholder image. I poked around in the APIdocumentation for any mention what image format(s) are supported but didn't turn anything up. Maybe there's something in the Admin guide.
Thank you, Colin.
What the script has done successfully in the past is use an encrypted string to point to a jpg file. Suddenly it's not working. I have tried to point directly to a jpg file, again without success. Any help is greatly appreciated.
Thank you, Colin! It's a relief to understand what's going on, though I see I have more work ahead of me to fix our situation. I appreciate your help.
Our ITS team noticed the same thing last week - we import profile photos via API but updates are no longer working.
If you're hosting the profile photos, it might be worth checking with your CSM to see if your server's hostname can be added to the whitelist.
Colin Murtaugh and Natalie Norton were either of you successful in getting the server's hostname whitelisted? We've been working on doing this with little luck.
Hi Sara --
We actually upload the avatar images to Canvas, so we didn't need to get an external server whitelisted.
Retrieving data ...