New user icon seems to be auto grabbed from facebook #663
Comments
Um, what? Jellyseerr in no way interacts with Facebook. The profile photo comes from Gravatar for local users.....
Thank you for that information and your reply. I was a bit alarmed by the fact it added the Facebook profile photo to the user account automatically. As far as we know, Facebook is the only place that photo is used, so it was concerning. I'll have to figure out how exactly it is linked to Gravatar. (Might have made an account and forgot or something, I'm not sure, as it's not my email.)
You can just go to gravatar.com and type in your email.
Is there a way to disable Gravatar image pulling? I really do not want any information leaving the server about users, and making the request to Gravatar is basically reporting emails associated with this instance.
Just change your avatar on Gravatar or delete your Gravatar account. It is not reporting any email out if you don't have a Gravatar account. It seems you have a slight misunderstanding of how Gravatar works. Jellyseerr DOES NOT request Gravatar WITH ANY INFORMATION (like emails and shit) to outside of your server. Your Gravatar picture is a public avatar that anyone can visit if they just do https://gravatar.com/{youremail without the @}, so for example if your email is [email protected] then your Gravatar link is https://gravatar.com/johnDoe. This picture is directly displayed as your profile picture from the hashed link. This link is generated locally by the gravatarUrl package, so you're still not requesting with your email. No information about your server leaves your server. It's public information. Because you have a Gravatar account, anyone can go to that link. AND THAT'S what is displayed as your avatar. IT IS NOT REQUESTING Gravatar with your information. There is no information about the server/users leaving your server. It's the same as you writing the direct link to your GitHub avatar in your local Jellyfin server as a profile picture.
That would be the same, would it not? Just for privacy concerns, the server searching x user, it's pretty easy to tell x instance searched for x accounts, so the people who own those accounts are probably linked to x instance. Is it possible to edit a file to remove the Gravatar search for an icon?
I still don't understand what you mean here:
NO, your server information is NOT REACHING GRAVATAR. All it's doing is fetching the pic from a public link. There are no requests done to Gravatar leaking your users' information and server information. There is no API used (this would, yes, send information about your server to whatever service). There are no server details leaked. I REPEAT ONCE AGAIN, there are no server details/user details leaked or sent to Gravatar. That is not how it works. The only privacy concern is you being able to see your users' avatars. BUT THEN AGAIN, THERE IS NO AVATAR IF THEY DON'T HAVE A GRAVATAR ACCOUNT. IT JUST USES A PLACEHOLDER. YOUR EMAIL IS NOT LEAKED OR SENT TO GRAVATAR OR ANYWHERE. Here is an example of the URL: That is my email. Can you tell it is? No. Does Gravatar know that I just copied that link and added it to this comment? No.
If a random server/IP saves the picture from GitHub, it has to be requested or it wouldn't save the picture; it has to connect from the server to get the picture. That does leak data in a small way because it is possible to see that an IP saved that picture. It just seems a bit irrelevant to me, so I don't really want Jellyseerr to save the photo from a remote server at all. Ideally I'd like to just be able to specify a random username and password without adding an email at all, but it says email's required to make a new user (which is also pointless for local accounts where the email isn't used for anything). Is there any way to just disable the email requirement or disable it from saving the image at all?
Once again. That is not how it's working. There is no saving. It's literally a link. So no, no IP is sent to them.
If it's a link to the image live that pings the server every time it's loaded, that's even worse really.
There is no information leaked. If it's worse, then that makes no sense? You're already pinging several stuff, like TMDB, GitHub and stuff. When you use Jellyfin or Plex or Emby and you have an avatar, you're literally pinging them for the direct link. But those are API calls. There is no API call or request involved in Gravatar. There is no information or IP leaked. I cannot emphasise that enough. If you don't believe me, the code is open source. Check it. If you're that concerned, just delete your Gravatar account. It will not use anything then. It will just use a placeholder.
Anyone could be loading images from random content, but why would someone else be loading your user icon? That's my point. I don't want it to load the user icon at all. It is also impossible for it to just magic onto the Jellyseerr instance; it has to have been requested at some point, and if it's just a link requesting it every time it's loaded, that would be worse because it's then loading the image over and over from Gravatar, and deleting Gravatar (again, it's not my email so not my account) wouldn't stop it from making the request? Gravatar doesn't just magically know who wants that image. But either way, I just would like to disable it because I am uncomfortable with anything related to users leaving the server in any way, even if it's just Jellyseerr looking up the user icon. Regardless of if we agree on whether it's a risk is irrelevant; could you tell me what file I would need to edit to remove it or remove the email requirement so I can just use a username? It should be fairly simple to just remove that line of code, I would think.
If you still insist your server details are being leaked (even though it is not), feel free to fork Jellyseerr and remove any Gravatar-related code. It's licensed as MIT.
I know it's not magic. That is not what I meant. I mean, sure, any Internet exchange has minimal request headers. But when I'm talking about "requesting", there is no request to return the avatar of your Gravatar email. Gravatar doesn't get the request as "please give me the Gravatar link for this email"; that is not how it works. It's not making the request as your email, that is what I meant. It's not leaking any server info. From that argument, you should also remove the TMDB API and GitHub API, because they are also getting information about your server and IP. But I digress. And if that user doesn't have a Gravatar account, it uses the placeholder image. Jellyseerr does not request Gravatar to return the link for the email. Jellyseerr figures out the Gravatar link by using the gravatarUrl package; it hashes and just adds the link. So no email is leaked. No server details are leaked. And you're misunderstanding the request when a Gravatar account is deleted. Deleting your Gravatar account, it won't be making requests to Gravatar as your email? It will be a nonsense hash to Gravatar, which will just return the placeholder image. You're leaking more information about your server from the TMDB API tbh.
You can remove the gravatarUrl generation for local users in server > routes > user. Just replace the avatar in there with any images.
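How the avatar link discussed in the comments above is derived and what loading it discloses, as an added example (not Jellyseerr's or the gravatar-url package's code). It assumes Gravatar's classic scheme of an MD5 hex digest over the trimmed, lower-cased address; `avatarFor`, `describeAvatarFetch`, the `externalAvatars` setting, the placeholder path and the sample address are hypothetical.

```javascript
// Added example: local Gravatar URL derivation plus an opt-out for local users.
const { createHash } = require('node:crypto');

// Assumed scheme: MD5 hex digest of the trimmed, lower-cased e-mail address.
function gravatarHash(email) {
  return createHash('md5').update(email.trim().toLowerCase()).digest('hex');
}

// Built entirely in-process: no network call happens here.
function gravatarUrl(email, { size = 200, fallback = 'mp' } = {}) {
  const url = new URL(`https://gravatar.com/avatar/${gravatarHash(email)}`);
  url.searchParams.set('s', String(size));   // requested pixel size
  url.searchParams.set('d', fallback);       // image served when no account matches
  return url.toString();
}

// Hypothetical setting: with externalAvatars off, local users get a bundled
// placeholder and no third-party URL is ever handed to the client.
function avatarFor(user, settings) {
  if (!settings.externalAvatars || !user.email) return settings.placeholder;
  return gravatarUrl(user.email);
}

// Whichever client renders an external avatar URL issues an ordinary HTTPS GET:
// the host sees that client's IP address and the identifier in the path.
function describeAvatarFetch(avatar) {
  if (!/^https?:\/\//i.test(avatar)) {
    return { external: false, host: null, identifier: null };
  }
  const url = new URL(avatar);
  return { external: true, host: url.hostname, identifier: url.pathname.split('/').pop() };
}

// Constructed sample user; the address is not a real account.
const sampleUser = { email: ' Jane.Doe@Example.test ' };
const on = { externalAvatars: true, placeholder: '/avatar-placeholder.png' };
const off = { ...on, externalAvatars: false };

console.log(describeAvatarFetch(avatarFor(sampleUser, on)));
console.log(describeAvatarFetch(avatarFor(sampleUser, off)));
```

The first result shows an external fetch whose only user-derived value is the 32-character hash; the second shows that with the setting off nothing leaves the instance for that user's avatar.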
I am just worried about user information being exposed, as it's making external requests for user icons which are specific to the users, and that is identifiable information, unlike the icons and content related to random media anyone in the world could be loading. While that's not leaking server information, it is exposing users of the server in a very small and obscure way. How does the TMDB API leak information?
TMDB API requests, GitHub API requests, all these would log every time you request them. When you make requests to the TMDB API, your IP address is typically included in the request headers. This is a standard practice for web APIs to identify and respond to client requests. However, TMDB, like most reputable services, does not log them. In the case of Gravatar, you're not even requesting them to return the avatar link for your email, because that is generated locally and just added. So if you don't have a Gravatar account, what Gravatar receives is a nonsense hash that returns a placeholder image. If a user does not want their emails/pictures to be public information, they wouldn't create a Gravatar account. As simple as that. But anyways, I have given you information on how you can edit the code to remove gravatarURLs. Good luck!
@AncientMystic also, you can use Jellyfin/Emby users as users. It doesn't have any emails to begin with, and it uses your Jellyfin/Emby set avatar. Instead of local users, I mean. Easier that way than to edit the codebase. If that user doesn't have a Jellyfin/Emby avatar, it will just use the Jellyseerr logo as a placeholder.
Description
Okay, so I just started using Jellyseerr and I added a new user, filling in their email/password, and Jellyseerr automatically added a photo only used on their Facebook account?
Not sure why this happened, but I absolutely do not want Jellyseerr interacting with Facebook or pinging Facebook telling them a user has been made on my server.
The last thing I want to do is link Jellyfin to Facebook in any way... (personally I don't use Facebook and do not appreciate their abuse of privacy / people's data)
How do I stop this from happening? I don't want any lookup or reporting to remote servers when an email/user is added.
Version
1.7.0
Steps to Reproduce
Users>create local user>create
Screenshots
No response
Logs
No response
Platform
desktop
Device
Laptop
Operating System
Windows 10
Browser
Librewolf
Additional Context
No response