Private gallery but photos accessible through URL

Hello.

I have created a gallery and set it as private in Options->Gallery.
In Options->Image, I have enabled 'Secure Image Processor' and in Full Image Protection I have selected 'Protected View' and 'Disable Hotlinking'.

When I try to access the site without credentials, I get a login screen. If I try to access a photo with the following URL

/August-20-2016/0003.jpg

I also get a login screen. However, if I try to access the same image with

/albums/August-20-2016/0003.jpg

I can see the photo even though I am not logged in. The first link is the slideshow view for that photo, while the second link is a full size image, without the controls to move around.

Am I missing something in the configuration? Shouldn't the access be private?

Comments

  • fretzl Administrator, Developer
    Yes, since Zenphoto is file system based, you can access images directly if you know their path.
    Please see the "Important note" on the bottom of this paragraph on how to prevent that.
  • acrylian Administrator, Developer
    I think what is missing from that paragraph is that you can also move the "albums" folder to a location above the web root. See the config file `zp-data/zenphoto.cfg.php` for info about that.
  • acrylian Administrator, Developer
    Addition: If you use single image page URLs without a modrewrite suffix (see Options) like `/August-20-2016/0003.jpg`, you are in danger that those URLs are not indexed by Google. The URL looks like an image that way, but it is not an image, so it might be rejected as "cloaking as script". We therefore strongly suggest using a modrewrite suffix.

    And no, the image suffix cannot be removed, because you can certainly have same-name images with different suffixes, which Zenphoto then could not differentiate.
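To confirm that a change such as moving the albums folder above the web root actually closes the direct path, the anonymous check from the thread can be scripted. This is an added example, not part of the original posts and not Zenphoto code; the `_DemoGallery` server is a constructed local stand-in that reproduces the two behaviours described in the question, and `is_exposed`, `audit` and `run_demo` are hypothetical names. It looks at the leading bytes of the response instead of the status code, because a login screen can also come back as HTTP 200.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Leading bytes of common image formats; a login page served with HTTP 200 will not match.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy, no cookies

def is_exposed(url, timeout=5):
    """Fetch url with no cookies or credentials; True only if real image bytes come back."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            head = resp.read(16)
    except urllib.error.HTTPError:
        return False  # 401/403/404: the web server refused the direct request
    return head.startswith(IMAGE_MAGIC)

def audit(base_url, paths):
    """Map each path to True (image readable anonymously) or False."""
    return {p: is_exposed(base_url.rstrip("/") + p) for p in paths}

class _DemoGallery(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the gallery in the thread, not Zenphoto itself."""
    def do_GET(self):
        if self.path.startswith("/albums/"):       # static file, no auth check
            body, ctype = b"\xff\xd8\xff\xe0" + b"\0" * 32, "image/jpeg"
        else:                                       # routed through the app: login form
            body, ctype = b"<html><form>Login</form></html>", "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass              # keep the demo quiet

def run_demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoGallery)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return audit(base, ["/August-20-2016/0003.jpg", "/albums/August-20-2016/0003.jpg"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, exposed in run_demo().items():
        print("EXPOSED  " if exposed else "protected", path)
```

Against your own gallery, call `audit()` with the site's base URL and a few known original-image paths, both before and after changing the configuration.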