Open leegarner opened 2 years ago
Think I found the ref in private/system/classes/oauthconsumer.class.php.
I've traced the issue to the part starting on line 221 in private/system/classes/oauthconsumer.class.php
    if ($userRow !== false && $userRow !== null) { // existing user...
        $uid = $userRow['uid'];
        $status = $userRow['status'];
        $retval = true;
        $this->_DBupdate_users($uid, $users);
        $this->_DBupdate_userinfo($uid, $userinfo);
    } else {
        // new user
In _DBupdate_users(), the user's remoteservice, remoteusername, email, fullname, homepage and image are updated from the OAuth provider, if they're in the response. I suppose remoteservice and remoteusername make sense, but I don't see the need to update anything else for existing users.
For now I've commented out the call to _DBupdate_users(). In a perfect world glFusion would know if each field was updated from the remote service or overridden by the user, and update the non-overridden ones from remote during login. That's a whole lot to keep track of though so it's probably sufficient to update from remote when creating an account, otherwise leaving it alone.
Logging in via remote service, e.g. Google, replaces the user's profile image with the remote service image.
I've started looking but haven't found yet where the image is updated from the remote authenticator.
Recommended fix: get the image from Google et al. only if the profile image field is empty for the user.
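
The policy discussed in this issue, as an added example (not glFusion code and not part of the original thread): for an existing user, keep remoteservice and remoteusername in step with the provider and take the other fields from the provider only when the local value is empty. The function name, the array shapes and the sample values are assumptions; applying the "only if empty" rule to email, fullname and homepage as well as image is an extension of the recommended fix.

```php
<?php
// Added illustration; not glFusion code. Field names follow the issue text,
// the function name and the row layout are hypothetical.

/**
 * Decide which columns of an existing user row to overwrite at OAuth login.
 *
 * @param array $current Row currently stored for the user.
 * @param array $remote  Values returned by the OAuth provider.
 * @return array         Column => value pairs that should be written back.
 */
function mergeRemoteProfile(array $current, array $remote): array
{
    // Identity linkage always follows the provider.
    $alwaysSync = ['remoteservice', 'remoteusername'];
    // Profile data is filled from the provider only when the local value is empty.
    $fillIfEmpty = ['email', 'fullname', 'homepage', 'image'];

    $updates = [];
    foreach ($alwaysSync as $field) {
        if (isset($remote[$field]) && $remote[$field] !== ($current[$field] ?? null)) {
            $updates[$field] = $remote[$field];
        }
    }
    foreach ($fillIfEmpty as $field) {
        $local = trim((string) ($current[$field] ?? ''));
        $value = trim((string) ($remote[$field] ?? ''));
        if ($local === '' && $value !== '') {
            $updates[$field] = $value;
        }
    }
    return $updates;
}

// Constructed sample data: the user has set an image and full name locally,
// but has no homepage yet.
$current = [
    'remoteservice' => 'oauth.google', 'remoteusername' => 'old-id',
    'email' => 'user@example.com', 'fullname' => 'Local Name',
    'homepage' => '', 'image' => 'local_avatar.png',
];
$remote = [
    'remoteservice' => 'oauth.google', 'remoteusername' => 'new-id',
    'email' => 'other@example.com', 'fullname' => 'Remote Name',
    'homepage' => 'https://example.com/', 'image' => 'remote_avatar.jpg',
];

// Only remoteusername and homepage are returned; the local image is kept.
print_r(mergeRemoteProfile($current, $remote));
```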