Comment 1 for bug 598990

Here's my idea for a simple solution:

1- uploaded images end up in /uploaded/ but don't make it to the database at all
2- the image hash is passed to the cropping page
3- the cropping page reads from /uploaded/ and writes to /ready/
4- the cropping page then deletes the image from /uploaded/
5- the cropped photo gets an entry in the DB pointing to /ready/<hash>.jpg
6- the "assign_photo" controller only looks for images that are in /ready/

Then we also have a cronjob that periodically deletes all files in /uploaded/ that are older than 1 hour ago.

That way, the only place that raw user data gets displayed is on the crop page.