When using the API to set a user's avatar_state to locked or approved, the user's avatar is reset to the default avatar.
Steps to reproduce:
Acting on a user with an avatar already set:
As an account admin, PUT https://{domain}.instructure.com/api/v1/users/{user_id}/?user[avatar][state]=locked
Observe that the user's profile picture is now missing on the Canvas website.
Observe that the URL returned when accessing GET https://{domain}.instructure.com/api/v1/users/{user_id}/ is the default avatar URL, in our case https://{domain}.instructure.com/images/messages/avatar-50.png.
Expected behavior:
The current profile picture is kept in place, and the user is prevented from changing it.
Actual behavior:
The current profile picture is changed to the default profile picture, and is locked to the default profile picture.
Additional notes:
PR #1457 may be relevant.
Including the desired user[avatar][token] in the PUT request in step 1 above does not have an effect.
Summary:
When using the API to set a user's
avatar_statetolockedorapproved, the user's avatar is reset to the default avatar.Steps to reproduce:
Acting on a user with an avatar already set:
PUT https://{domain}.instructure.com/api/v1/users/{user_id}/?user[avatar][state]=lockedGET https://{domain}.instructure.com/api/v1/users/{user_id}/is the default avatar URL, in our casehttps://{domain}.instructure.com/images/messages/avatar-50.png.Expected behavior:
The current profile picture is kept in place, and the user is prevented from changing it.
Actual behavior:
The current profile picture is changed to the default profile picture, and is locked to the default profile picture.
Additional notes:
user[avatar][token]in the PUT request in step 1 above does not have an effect.