Custom Guest Authorization Method

Hello everyone,

I'm relatively new to Zenphoto, but I have created my own theme here.
(Might submit it for a showcase when complete...)

It's my understanding that the only way guest users may view a protected album is through one and only one password. However, I would like to use a challenge-response system which allows users to submit a keyword, have Zenphoto check it against an album-specific list of keywords (such as that album's tags, or even a json file in that album directory) and provide that guest with rights to viewing.

An example scenario would be guest(s) want to view an album with photos of them in it. Instead of having to remember a password, they only would have to enter their last name. At the link above―at the time of writing―I have an example set where one album is public and another password protected. With the latter case, Zenphoto prints an html form that is displayed when you click on it, but currently has no action or method.

So, my question is how exactly should I implement code to auth a guest user. Do I extend lib-auth.php or external_auth.php with a plugin? I'm continuing to learn how exactly Zenphoto's user auth system works, though I want to make sure I don't end up breaking ZP's fundamental operation and cause potential security issues.

Regards,
Matthew

Comments

  • acrylian Administrator, Developer

    It's my understanding that the only way guest users may view a protected album is through one and only one password.

    Yes, that refers to users without an account on your site. Wouldn't perhaps user accounts be a way for you? Then you could even limit access to specific (top level) albums. If you haven't found this article take a read here:
    https://www.zenphoto.org/news/an-overview-of-zenphoto-users/

    If you want to create a custom user account system, not extending lib-auth.php but replacing it by your own would be the way. There are in-file comments in the file that explain how (Disclaimer: I never did use this myself).

    Since guest users are not actual "user accounts" those are actually handled elsewhere. I would have to take a look at the code myself how you possibly could hook into those via a filter to extend that.

    Instead of having to remember a password, they only would have to enter their last name.

    This sounds not that "secure" since last names are often widely shared (if you take mine for example, one of the most used over here ;)). A password is the way better way IMHO.

    There is of course always the way that you just block the display of content on the theme side with a custom solution completely outside of an official user login.

  • Acrylian,

    I agree that this isn't a very secure method, so I would use the normal auth system if needed. And yes, I would probably use different keywords than last name "Smith" or "Adams" (or "acrylian" as you mentioned above -- ha ha!) as those are so easily predictable.

    Anyway, my best case seems to be a simple plugin that checks for album "protection" (enabled on a per-album basis) and requires valid HTTP POST data to load the page, else redirects to the parent album or index. This will likely run with the theme_head() filter.

    If you or anyone else has any more elaborate solutions, I'm all ears. I know there is an external_auth.php under core files, which provides a base class for this scenario, though I just don't have enough PHP experience to know how to implement it.

    Matt

  • acrylian Administrator, Developer

    So the question is are your users known users? Then why not create user accounts for them?

    I am not sure I understand the benefit over a general guest password ;)

  • matt Member
    edited February 2021

    In my scenario, I might take pictures for a group of people, and I would want the resulting album to be viewable by only them. While I could share a guest password, it could be forgotten after a while by me or anyone else. That would therefore require me to reset it, and now people who knew the previous password would have to be shared the new one. Yes, I could create individual user accounts but that also takes more time and management.

    Maybe that's just me. I'm just trying to think of a way I can be both efficient (no user login required) and flexible (multiple valid keywords) for people, while still offering an element of privacy. Think of it as a captcha--just a moderate security question that permits the ability to view an album. Sorry if that still isn't very convincing...

    And if I had to guess how exactly I would do this, it would be a plugin that uses this class. But I just don't know how exactly it works.

  • acrylian Administrator, Developer
    edited February 2021

    Okay, I did understand the "keywords" part. But what would be different to just create user accounts then? That's a "keyword" as well. You could go the "insecure" way and just use a "generic" password… Then you would not have to "remember" anything.

    I never used this legacy external_auth but it is really meant for external authentication.

    The easiest for your purpose probably would be to create a simple switch on the theme itself. Create a form that matches the submission with your keywords; if they match, set a cookie, and then if that is set allow the content to display.

    // Sketch of the theme-side switch in PHP; 'your_cookie' stands for whatever cookie name you choose
    if (isset($_COOKIE['your_cookie'])) {
        // show content
    } else {
        // show form for the keywords
    }
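    A worked version of the keyword-gated album described in this thread (per-album keyword list, keyword sent by POST, cookie-based switch), as an added example that is neither code from the thread nor from Zenphoto. It assumes each gated album folder holds a keywords.json file (a JSON array of keywords), that the site defines a long random ALBUM_GATE_SECRET, and that album ids contain no '|'; the point it adds is that a bare "cookie is set" flag can be created by anyone, so the cookie carries a signed, expiring token instead.

```php
<?php
// Added example, not code from this thread or from Zenphoto. Assumed: each
// gated album folder holds keywords.json (a JSON array of keywords), the site
// defines a long random ALBUM_GATE_SECRET, and album ids contain no '|'.
declare(strict_types=1);
const ALBUM_GATE_SECRET = 'replace-with-a-long-random-site-secret'; // assumption
const GATE_COOKIE = 'album_gate';

function loadKeywords(string $albumDir): array {
    $file = $albumDir . '/keywords.json';
    if (!is_file($file)) return [];
    $list = json_decode((string)file_get_contents($file), true);
    return is_array($list) ? array_map('strval', $list) : [];
}
// Compare against every keyword with hash_equals so the response time does
// not reveal which entry (if any) matched.
function keywordMatches(string $submitted, array $keywords): bool {
    $ok = false;
    foreach ($keywords as $kw) {
        $ok = hash_equals($kw, $submitted) || $ok;
    }
    return $ok;
}
// A bare "cookie is set" flag can be typed into the browser by anyone; this
// token is bound to one album, expires, and carries an HMAC over both.
function makeToken(string $album, int $expires): string {
    $payload = $album . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, ALBUM_GATE_SECRET);
}
function tokenValid(string $token, string $album, int $now): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 3) return false;
    [$tAlbum, $tExp, $mac] = $parts;
    if ($tAlbum !== $album || !ctype_digit($tExp) || (int)$tExp < $now) return false;
    $expected = hash_hmac('sha256', $tAlbum . '|' . $tExp, ALBUM_GATE_SECRET);
    return hash_equals($expected, $mac);
}
// On a keyword POST (plain form or XMLHttpRequest) issue the cookie; on any
// other request the signed cookie decides whether the album may be shown.
function albumAllowed(string $album, string $albumDir): bool {
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['keyword'])
        && keywordMatches((string)$_POST['keyword'], loadKeywords($albumDir))) {
        $exp = time() + 86400; // one day
        setcookie(GATE_COOKIE, makeToken($album, $exp), ['expires' => $exp,
            'path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
        return true;
    }
    $cookie = (string)($_COOKIE[GATE_COOKIE] ?? '');
    return $cookie !== '' && tokenValid($cookie, $album, time());
}
```

    When albumAllowed() returns false the theme can render the keyword form or redirect to the first non-private parent album, as described in this thread.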
    
  • Acrylian,

    I seem to have gotten the idea working based on what you recommended (obviously, much more complex). Thank you for the tip!

    I should mention that part of this idea involved XMLHTTPRequest so that the user would not have to leave the page. Albums listed as private provide a text input field when clicked on. The keyword would be sent without loading a new document, and a valid keyword would admit the user. (Trying to go to that link directly redirects back to the first non-private parent). This design intent is why I wanted to part from the standard gallery password form, if that makes any sense...

  • acrylian Administrator, Developer

    I see, just wanted to help not to reinvent the wheel when not necessary ;)

    There is an older unsupported http_auth plugin: https://www.zenphoto.org/news/http_auth/

    I never used it and have no idea if it still works but perhaps it helps you as a base.
