From f8e94a721ff9b9690333aaf1b04df38ad8795999 Mon Sep 17 00:00:00 2001
From: Patrick Jentsch
Date: Thu, 16 Mar 2023 09:54:48 +0100
Subject: [PATCH] Change how the user avatar is exchanged between client und server

---
 app/models.py | 5 +----
 app/static/js/ResourceLists/UserList.js | 2 +-
 app/users/routes.py | 4 ++--
 3 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/app/models.py b/app/models.py
index de995a5c..1ed18ada 100644
--- a/app/models.py
+++ b/app/models.py
@@ -838,6 +838,7 @@ class User(HashidMixin, UserMixin, db.Model):
 json_serializeable = {
 'id': self.hashid,
 'confirmed': self.confirmed,
+ 'avatar': url_for('users.profile_avatar', user_id=self.id),
 'email': self.email,
 'last_seen': (
 None if self.last_seen is None
@@ -857,10 +858,6 @@ class User(HashidMixin, UserMixin, db.Model):
 'show_last_seen': self.has_profile_privacy_setting(ProfilePrivacySettings.SHOW_LAST_SEEN),
 'show_member_since': self.has_profile_privacy_setting(ProfilePrivacySettings.SHOW_MEMBER_SINCE)
 }
- json_serializeable['avatar'] = (
- None if self.avatar is None
- else self.avatar.to_json_serializeable(relationships=True)
- )
 if backrefs:
 json_serializeable['role'] = \
 self.role.to_json_serializeable(backrefs=True)
diff --git a/app/static/js/ResourceLists/UserList.js b/app/static/js/ResourceLists/UserList.js
index 8d0e590f..2ba4dc19 100644
--- a/app/static/js/ResourceLists/UserList.js
+++ b/app/static/js/ResourceLists/UserList.js
@@ -72,7 +72,7 @@ class UserList extends ResourceList {
 return {
 'id': user.id,
 'member-since': user.member_since,
- 'avatar': user.avatar ? `/users/${user.id}/avatar` : '/static/images/user_avatar.png',
+ 'avatar': user.avatar,
 'username': user.username,
 'full-name': user.full_name ? user.full_name : '',
 'location': user.location ? user.location : '',
diff --git a/app/users/routes.py b/app/users/routes.py
index bb1e25c6..52e25f18 100644
--- a/app/users/routes.py
+++ b/app/users/routes.py
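Review bot: The added `'avatar'` entry builds the link with `user_id=self.id` while the same payload exposes the user only as `'id': self.hashid`; unless the `users.profile_avatar` route's `user_id` converter turns the integer into a hashid inside `url_for`, every serialized user now carries the raw primary key that the hashid scheme otherwise hides, and the client code being removed built the link from the hashid (`/users/${user.id}/avatar`), so `url_for('users.profile_avatar', user_id=self.hashid)` is probably what is meant if the route accepts it. `url_for` also needs an application or request context, so `to_json_serializeable` now raises outside one (CLI commands, background jobs) unless `SERVER_NAME` is configured; a comment such as `# url_for needs an app/request context` on the new line would make that dependency visible, and since the hunk shows no import of `url_for`, confirm models.py already has it. The second hunk of this file removes the former `None`-when-unset value, so consumers can no longer tell "no avatar" from "has avatar" from the payload alone; that belongs in the method's docstring, which lies outside both hunks.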
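Review bot: `'avatar': user.avatar` drops the client-side default `'/static/images/user_avatar.png'`, so any user object that arrives without the new key (a cached response, or a serializer path that does not go through the changed method) ends up as `src="undefined"` in the list row; keeping a fallback, `'avatar': user.avatar || '/static/images/user_avatar.png',`, costs nothing and keeps the row rendering. The method that returns this object starts and ends outside the hunk.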
@@ -64,10 +64,10 @@ def user(user_id):
 @login_required
 def profile_avatar(user_id):
 user = User.query.get_or_404(user_id)
+ if not (user.is_public or user == current_user or current_user.is_administrator()):
+ abort(403)
 if user.avatar is None:
 return redirect(url_for('static', filename='images/user_avatar.png'))
- if not user.is_public and not (user == current_user or current_user.is_administrator()):
- abort(403)
 return send_from_directory(
 os.path.dirname(user.avatar.path),
 os.path.basename(user.avatar.path),
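Review bot: Moving the authorization check ahead of the default-avatar redirect closes a small information leak — on the old side a request for a private profile's avatar answered with the redirect when no avatar was set and 403 otherwise, so the response revealed whether one existed — but nothing in the code says the order matters, and a later tidy-up could swap it back; add `# Authorize before the default-avatar redirect so a private profile does not reveal whether an avatar is set` above the new `if`. `get_or_404` still runs before the check, so an unknown id answers 404 while a private one answers 403; that distinction existed before this change and is presumably intended, but worth confirming. The `send_from_directory` argument list continues past the end of the hunk.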