Feature: Save Google profile picture of the user during first login for both the new and existing users #250
Conversation
rtBot
left a comment
Code analysis identified issues
action-phpcs-code-review has identified potential problems in this pull request during automated scanning. We recommend reviewing the issues noted and that they are resolved.
phpcs scanning turned up:
🚫 1 error
Powered by rtCamp's GitHub Actions Library
Dismissing review as all inline comments are obsolete by now
"You can change your profile picture on Gravatar."
Wouldn't this be confusing? Currently, the feature only updates the image during registration. We should either periodically check for updates, add a button to re-sync the image, or enhance the feature to also check the profile image during login.
I'm testing the .tmp case for download_url() and will submit feedback after some time.
| // Using larger image size. By default, profile picture has 96 width size with cropped. | ||
| $profile_picture_url = str_replace( '=s96-c', '', $user->picture ); | ||
|
|
||
| $profile_picture_filename = download_url( $profile_picture_url ); |
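Review bot: The value of $user->picture reaches download_url() after only the str_replace() on the line above, so nothing in these lines constrains the scheme or host of the URL that the server fetches; check for https and a Google image host before the call. download_url() can also return a WP_Error instead of a path, so $profile_picture_filename needs an is_wp_error() check before it is used as a file name, and the temp file should be deleted if a later step fails.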
Can we add a check for WPVIP? If the site is hosted on WPVIP, we directly use the wpcom_vip_download_image() function.
@SH4LIN Yes, it can be a bit unclear—I’ll look into it further to make it more straightforward. As for re-syncing the image at each login, should we also extend this to include the First Name and Last Name, since those fields can also be updated?
@SH4LIN Regarding vip check, that is a good catch. I will promptly implement this.
> should we also extend this to include the First Name and Last Name, since those fields can also be updated?
In WordPress, we have the option to update the first name and last name. So, if they want to customize it, they can do so from the settings. However, there is no option in the WordPress dashboard to change the image.
> Can we add a check for WPVIP? If the site is hosted on WPVIP, we directly use the wpcom_vip_download_image() function.
I tried to use this function, but it seems it won't work in our scenario. I got the following error while trying to use it.

The function was expecting a POST request, but Google calls the redirect URL using the GET method instead. We could try to change the global variables to make it work, but that would be a hacky solution. So, I decided to remove the function for now.
SH4LIN
left a comment
Hi @mi5t4n,
From what I can see in the implementation of media_handle_sideload(), it appears to handle the .tmp file case as well. Is there a specific reason we’ve added this case explicitly?
Also, I noticed that wpcom_vip_download_image() doesn’t seem to account for this scenario—just wanted to highlight that for consistency.
Thanks!
@SH4LIN In my test cases,
If that's the case, then another option is this: we identify the MIME type and extension on our end and pass them to the file array with the keys type and ext. Can we check whether this solution works or not?
At the moment, I can think of two ways to make it better.
LMK your thoughts on this.
I'm not sure why, but during my second test, the
Pull Request Overview
This PR adds functionality to save and use Google profile pictures for user avatars. When users register via Google login, their profile picture is downloaded and stored as a WordPress media attachment, then used as their avatar throughout the site.
- Adds profile picture saving during user registration with a filter to bypass the process
- Implements avatar URL override to use stored Google profile pictures instead of Gravatar
- Extracts profile picture saving logic into a reusable private method
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/Utils/Authenticator.php | Adds save_user_profile_picture() method to download and store Google profile pictures during registration, with filter hook to bypass |
| src/Plugin.php | Adds return_avatar_url() method hooked to get_avatar_url filter to replace Gravatar with stored profile pictures |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 9 comments.
Comments suppressed due to low confidence (1)
src/Utils/Authenticator.php:224
- Security concern: The profile picture URL from Google is used directly without validation. While Google is a trusted source, it's a best practice to validate that the URL is actually from Google's domain before downloading to prevent potential SSRF (Server-Side Request Forgery) attacks if the $user->picture field is somehow manipulated.
Consider adding URL validation:
```php
if ( ! isset( $user->picture ) || empty( $user->picture ) ) {
	return;
}
// Validate it's a Google URL
$parsed_url = wp_parse_url( $user->picture );
if ( ! $parsed_url || ! isset( $parsed_url['host'] ) ||
	! preg_match( '/^([a-z0-9-]+\.)*googleusercontent\.com$/i', $parsed_url['host'] ) ) {
	return;
}
```
```php
if ( ! isset( $user->picture ) || empty( $user->picture ) ) {
	return;
}
// Using larger image size. By default, profile picture has 96 width size with cropped.
$profile_picture_url = str_replace( '=s96-c', '', $user->picture );
```
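The URL check suggested above and the `.tmp` file handling discussed earlier in this thread fit into one download path. The following is an added example, not the plugin's code or any reviewer's suggestion; the function name, the error codes, the 15-second timeout and the MIME-to-extension map are assumptions, and the host pattern is the one quoted in the comment above.

```php
<?php
// Added example (hypothetical helper, not part of login-with-google).
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

function example_sideload_google_picture( string $picture_url, int $user_id ) {
	$parts = wp_parse_url( $picture_url );
	// Require https, no credentials or explicit port, and a googleusercontent.com host.
	if ( ! is_array( $parts )
		|| 'https' !== strtolower( $parts['scheme'] ?? '' )
		|| isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] )
		|| ! preg_match( '/^([a-z0-9-]+\.)*googleusercontent\.com$/i', $parts['host'] ?? '' )
	) {
		return new WP_Error( 'bad_picture_url', 'Profile picture URL is not an https Google URL.' );
	}

	// Same size-suffix removal as the PR; the timeout (assumed value) bounds the request.
	$tmp_file = download_url( str_replace( '=s96-c', '', $picture_url ), 15 );
	if ( is_wp_error( $tmp_file ) ) {
		return $tmp_file;
	}

	// download_url() may name the file *.tmp, so take the type from the bytes, not the name.
	$extensions = array(
		'image/jpeg' => 'jpg',
		'image/png'  => 'png',
		'image/gif'  => 'gif',
		'image/webp' => 'webp',
	);
	$mime = wp_get_image_mime( $tmp_file );
	if ( false === $mime || ! isset( $extensions[ $mime ] ) ) {
		wp_delete_file( $tmp_file );
		return new WP_Error( 'bad_picture_type', 'Downloaded file is not a supported image.' );
	}

	$file_array = array(
		'name'     => 'google-profile-' . $user_id . '.' . $extensions[ $mime ],
		'tmp_name' => $tmp_file,
	);
	$attachment_id = media_handle_sideload( $file_array, 0 );
	if ( is_wp_error( $attachment_id ) ) {
		wp_delete_file( $tmp_file ); // Sideload failed, so the temp file is still ours to remove.
	}
	return $attachment_id; // Attachment ID on success, WP_Error otherwise.
}
```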
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 18 comments.
| * @return integer|null | ||
| */ | ||
| public static function get_saved_google_profile_picture_id( int $user_id ): ?int { | ||
| $profile_picture_id = get_user_meta( $user_id, 'rtlwg_profile_picture_id', true ); |
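Review bot: In get_saved_google_profile_picture_id(), get_user_meta() called with true as the third argument returns a string, and an empty string when the key is absent, while the signature promises ?int. Cast the stored value with absint() or (int) and return null when it is empty, so the declared return type holds and callers can rely on null meaning that no picture is saved.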
Same inconsistency in the meta key prefix. Uses rtlwg_profile_picture_id while other meta keys use rtlg_ prefix.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
Description
This PR implements saving the user’s Google profile picture for both new and existing users, with slightly different handling for each case.
User Settings
Two new user options have been introduced:
New User
Profile Picture Source to Google.
Kazam_screencast_00004.mp4
Existing User
Kazam_screencast_00003.mp4
Notice
If a Google profile picture already exists for a user but the Profile Picture Source is not set to Google, an admin notice is displayed:

New Filters Added
Bypass profile picture saving
login-with-google/src/Utils/Authenticator.php
Lines 202 to 212 in df906b2
Enables re-downloading the Google profile picture regardless of existing attachments.
login-with-google/src/Utils/Authenticator.php
Lines 235 to 249 in df906b2
Note
The rtcamp.google_download_profile_picture filter can be used to sync a user’s latest Google profile picture.
Closes - #249