Currently, images are only allowed on drupal.org to users with the "documentation team" role or higher (a role that is manually assigned). This creates the following problems:
- The masses not having images cripples our collaboration opportunities. We block participation of designers to play "Photoshop ping-pong", new members of our community adding helpful screenshots to our documentation, users are prevented from posting screenshots of errors they're experiencing, and module developers can't add screenshots to their own documentation.
- Our documentation has a reputation for generally looking like ass, because only a handful of people can put pictures in it. And once they do put pictures in it, only a very small group of people can edit it. Yet another lost collaboration opportunity.
- Because the "documentation team" role grants access to a "Documentation" input format with <img> turned on, membership in that role is almost entirely bogus. It's overloaded with people who do absolutely nothing on the docs team, but needed to post a screenshot somewhere at some point. This is problematic for the docs team in figuring out who's who.
Opening image posting up more has traditionally been opposed by the security and infrastructure teams, because:
- We want to switch Drupal.org to HTTPS at some point soon, and we don't want to deal with mixed content errors.
- Not-nice people can spy on drupal.org visitors by linking to remote images on their servers.
- People can upload not-nice images, such as porn.
Luckily, sun has worked out a solution for #1 and #2 (and we always have users.status = 0 for #3).
The Local image input filter module, which provides an input filter to munge img srcs to ensure that images are only rendered if they point to a locally hosted image. See http://drupal.org/node/528682#comment-4968978 for the full "spec" we came up with in IRC.
Here's a screenshot of it in action:
Mainly what we need now are code reviews and testing. There is a test site set up at:
Apache user/pass: drupal/drupal
Drupal user/pass: bananas/bananas
We need all kinds of scenarios of image posting to be tested, especially nefarious things. We are having a lot of fun with this at http://issue-summaries-drupal.redesign.devdrupal.org/node/1237686 ;) Security team sign-off of Local image input filter module.Done! http://drupal.org/node/1281194#comment-5037238 The following patches need to be reviewed on the Local image input filter module: The one-line patch against Drupal.org module atneeds to be reviewed. Need resolution of what to do about big images that break layout. See #65For now, we're punting on this. If it becomes a problem in the future, will need a server-side solution to it (e.g. imagecache) Roll a 1.0 release of http://drupal.org/project/filter_html_image_secure:
- Add Local image input filter module to BZR.
- Commit and deploy the patch in against the Drupal.org customizations project.
- Enable the Local image input filter module.
- Go to admin/settings/filters/1 and turn on the "Restrict images to this site" filter.
- Go to admin/settings/filters/1/order and move "Restrict images to this site" just above "HTML corrector"
- Go to admin/settings/filters/1/configure and add <img> to the list of allowed tags.
- Go to admin/project/project-issue-settings and blank out the field for "Issue directory".
- Sing, dance, and rejoice! :D
User interface changes
- Images that are referenced by the input format without a local, relative path, would turn into red Xs.
- Book nodes would un-hide the "File attachments" fieldset on the add/edit form.
- A new filter tip would appear in the "Input format" fieldset, describing this filter.
Original report by mfer
Users can upload images to a comment on a issue. But, they aren't displayed. You need to be a site admin or on the documentation team to add the html to the body of the comment for it to display. This isn't a great workflow and you have to rely on the person inputting the image to be concerned with size, etc.
In an effort to work with design/UX people who do upload images and work visually can we get a different workflow that's better for images.
Here is what I envision.
- A new upload field on issues and comments for images (gif, jpg, png).
- These images are displayed as thumbnail at the bottom of the issue/comment.
- When clicked the images are displayed in a modal/pop-up.