Tech Blog

Secure way of displaying user photos in Alma

The students photos in the Technion are managed in several folders and in different formats. Access to the images was granted to the library after close privacy inspection. It is a major concern to keep the students privacy and not to expose the photos to unauthorized users.

The solution is based on PHP code running on local server. Alma is invoking the service which  retrieve the required photo upon request based on unique identifier.

The request to the PHP service is performed from the client side. It means that the IP from which the call is made can be any IP. This eliminates the option of restricting access to the service by IP.

Also, using API-KEY is not ab option because the call is made from the client and the API-KEY will be available to all.

The Technion solution was to create additional random unique identifier for each user that is sent from Alma in order to retrieve the photo. The PHP service invokes Alma API in order to convert the random unique identifier with real student identifier, for example student Id.
The student Id is then used to access the image and return it to Alma.

Implementation steps:

Steps 1 – create user unique identifier

Using SIS (student information service) synchronization daily service, create additional unique identifier for each user.

</a >

The PHP code we used to generate the identifier:

function generateRandomString($length = 31) {
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    return $randomString;

Steps 2 – Alma configuration

Setup Alma configuration:

Alma –> Configuration –> User Management –> General –> Other Settings

</a >

  • photo_identifier_type – the random unique identifier field number
    Alma will automatically concatonate the unique identifier specified in this filed after the URL configrued in the next field.
  • photo_server_url – URL to your local PHP (or any other language) that retrives the photo
  • photo_suffix – “onerror=”$(‘.submitableIconsInForm>img’).attr(‘src’,’/infra/images/userDefault.png’);//
    The photo_suffix is not required to indicate the image type (e.g.”.png” or “.jpg”) because the PHP service is retrieving the photo. Instead it is used to display default photo in case the required photo is not found. 

More information in alma documentation:

Steps 3 – PHP service to retrieve the image

The service is open to the web with no retriction and gets as a parameter the random unique identifier as part of the URL, for example:$a$$poiwsfdgmlkjdfgaqkjdsevFmxUtSVRZcjfkbAi

The code invokes Alma API to retrieve the real unique identifier and use it to read the image.
In the Technion the image is retrieved using additional service that is restricted according to the srever IP. It is possible to use different method to read the image for example:

  • Invoke internal service
  • Access to Database
  • Access specified folder with images

The following is the PHP service code:

header('Content-Type: image/jpeg');
function getAlmaUserDetails($secondary_id) {
    $ch = curl_init();
    $url = '{user_id}';
    $url = str_replace('{user_id}', $secondary_id, $url);
    $queryParams = '?apikey=' . urlencode('XXXX-replace-with-valid-API-KEY-XXXX') . '&format=json';
    curl_setopt($ch, CURLOPT_URL, $url . $queryParams);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, FALSE);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    $details = array();
  if (strpos($response, 'errorsExist') == false) {
        // no error
    $query_arr = json_decode($response,true);
    $details["user_group"] = $query_arr["user_group"]["desc"];
    $len = sizeof($query_arr["user_identifier"]);
    for ($i=0;$i<$len;$i++) {
      if ($query_arr["user_identifier"][$i]["id_type"]["value"] == "02" && $query_arr["user_identifier"][$i]["status"] == "ACTIVE") {
        $details["primary_identifier"] = $query_arr["user_identifier"][$i]["value"];
    return $details;

$url = "";
if (!empty($_GET['id'])) {
    $no_digits = preg_replace('/[0-9]+/', '', $_GET['id']);
    if ($_GET['id'] == $no_digits) {
    $no_point = trim($_GET['id'], '.');
        $details = getAlmaUserDetails($no_point);
        if (sizeof($details) > 0 && (strpos($details["user_group"], 'Student') !== false)) {
            $url = "" . $details["primary_identifier"];

Leave a Reply