The change in
PRFL-394 broke the ability to get a profile image via the entity provider as it makes a call to get the current siteId, which fails when called in an entity provider because it has no knowledge of the current site.
Suggest adding another parameter to the entityprovider URL that gives the siteId, eg:
If siteid is present, the permissions for the current user are looked up for the given site and checked against the permissions if the rest of the permissions checks fail (ie is friend, is image allowed etc)
This should not introduce any security issues.
If a user cannot normally access a user's image, say, because they are not connected, but can when in a site because they have the appropriate permission, then this is perfectly reasonable as they are expressly allowed to do this via their permissions in that site.
If a user is already connected, this will be caught earlier and they will be allowed. If a user is not connected and not allowed then they won't be allowed to see it.
If a user has permissions to see the image in one site (say, because they are an instructor) but not another (becuase they are a student) then even if they craft the URL to the site they are allowed to see the image in and get the image, this is also fine because overall, they are allowed to see the image somewhere so there should be no privacy concerns.