Zenphoto
The simpler media website CMS
ZenphotoThe simpler media website CMS
Forum search only. You might also want to search on the main site's user guide.
Your support helps pay for this server, and helps development of zenphoto. Thank you!
Visit the donations page
Comments
http://www.zenphoto.org/news/front_end_edit
The functionality was officially removed quite some time ago because it opens the door for all kinds of security issues. Therefore it will not be re-added by us. But anyone is free to provide a third party solution of course.
Zenphoto is amazing! Soo much better than Piwigo (though I wish it had as many extension and themes as piwigo has)
Thanks, Piwigo is a good tool. I have no overview about the number of plugins and themes there but that dependends of course on users providing them. So feel free to provide some ;-)
I have seen this reason several times throughout the forum. I was wondering if it would make any difference if the tags could be added from the front end, but would always be set for admin approval before they were made public. Would this lessen or eliminate the security risks?
How is it that comments being added from the public side are not a risk and adding tags are?
On the administrative pages we have extensive protocols to detect and prevent XSRF, but these require added protocol and overhead on the server. We have chosen not to place that burden on the front end code, thus do not allow any changes to be made from those pages.
For comment postings we have protocols to cleanse the comment, but since nothing is being "modified" XSRF threat is not there.
It certainly is possible to re-add that functionality. The plugin Acrylian references does add the posting, but not the security protocols. The way that tags are presented and stored made it impossible to use a plugin to process updates to them, so that functionality is not in the plugin. Of course if you simply want to add tags (not edit ones already present) then the mechanisms used for simple fields could be adapted.
Your last sentence seems hopeful that something can be added without being a security risk. Is it selecting a tag that already exists or adding a tag that doesn't exist?
thanks
It would take a lifetime to tag photos using the admin interface, since you have to click by each photo to open more options, scroll down to check a box, then click submit.
Having a somewhat limited budget to work with, the best solution seems to implement a plugin that will allow users to submit tags safely, which go to an admin approval queue to verify spelling, accuracy, and hacking attempts. That way, not only would admin be able to tag faster, but he could get some help for others who don't need/want to be users.
I see you have a plugin info page here:
http://www.zenphoto.org/news/zenphoto-plugin-architecture
Which of the three categories listed is the appropriate one for me to work with?
thanks!
For the admin to get a tag suggest I had suggested to open a ticket to be considered. That did not happen yet. I would work on that if there would be a ticket.
For your front end ides. We are a small team so we really need to choose and set priorities what we decide work on. There are a lot of things to do and also some happen behind the scenes. All takes time and we are volunteers. I have already a few things on my list and there are lot more things I would like to do. I hove you get the impression.
Your plugin would be both a front end and a backend plugin. So you will have a front end part and a admin utility page as somewhere the admin would need to be able to approve the tags.
Do you have coding knowledge? Just asking as I am not sure if this is something for starters. You will also need to look at the object model if you want to do it right (you can do it via sql queries but that is really not recommended). This is quite advanced stuff. But that should not keep you from trying of course.
What IS NOT A PRIORITY is compromising Zenphoto's security. That was explained to you earlier in this post. Anything that allows a visitor to store data is a potential security risk. We have chosen to limit those risks to the Administrative pages in general where we have much greater control of the process.
Of course we allow visitors to post comments. We have carefully coded that process to eliminate dangerous strings and otherwise limit what can be done to actually creating a comment. Certainly you could put the same scrutiny on other front end actions. But if you choose to do so, you best be very conversant with the kinds of exploits hackers use these days (and you need to keep up on them as they get better at their "job" daily.)
So, good luck if you want to allow non-users to add tags. But do not expect us to take up the cause.
Typing messages is so full of potential for misunderstanding as opposed to sitting across the table with the beverage of one's choice. Here are two sentences that were the entire basis of that post, and both were sincere.
1. "Not a complaint, just an observation."
2. Which of the three categories listed is the appropriate one for ***me*** to work with?
I'm not criticizing anyone or anything, nor I am not trying to convince anyone to do anything. I completely understand "the needs of the many" and am just asking for help to proceed on my own - not asking anyone to rewrite zenphoto to custom fit me.
acrylian:
1. I am not complaining about tags. I need something that you don't want to offer, and I am trying to figure out how to do it myself.
2. I am not asking your team to do this. You already explained that you were busy, even for a paid mod, and I heard you.
3. I don't know coding much at all. I am trying to explain the requirements for a plugin to a programmer to create one for me. If I can explain the plugin process to her so she can do it, then that's what I want to do. If you guys think it is secure, you can use it. If not, then you don't have to.
4. Thanks for the info. I'll pass it along.
sbillard:
I am not trying to convince anybody here do do anything. I understand you don't want to do this, and am not posting to argue. I'm posting to find out how I can do this on my own. All I'm asking of anyone who cares to answer is for information, guidance, and suggestions on how to proceed.
Since you are obsessed with security (a compliment here, btw), I was wondering if the path you took for users to submit comments would be a good model ***for me*** to look at. Since comments and tags are both words, if comments have been made secure, then maybe the same process would be a good starting point for anonymous user tags. And again, this is not to argue, but to develop a strategy for the programmer to pursue.
I hope I have explained myself enough that you don't feel I am some whiney complainer trying to get you to program according to my needs. I'm merely seeking information and advice on how I can proceed on my own.
friends?
if so:
1. Would the comment submission/approval plugin be a good place for me to suggest to the programmer to start?
2. acrylian, you said this would be two mods.
--So one would be and Admin Utility?
--Would the front end be a Template Plugin or a Core Plugin?
3. sbillard, you said "including extracting the keywords from the image metadata and using those for tabs." I read about this, and still trying to figure it out. I added keywords to the ITPC Core data in Bridge, but it doesn't show up in tags. Still trying to figure that out. Not asking for help, just reporting my progress.
thanks for your understanding and help
So no problems as we all have made our position clear now. We of course apprecitate and encourage it if you want to do something you really need and want yourself. That is what open source projects like ZP live from since we can't do everything. (I could probably make a long list of things "nice to have" :-))
To the questions:
1. Probably although comments work a bit different than tags (comments have their own class, tags not). But the principle would be the same I guess but I don't remember the code offhand.
2. Your plugin will need to provide both. Off hand as an example the downloadlist plugin both provides template functions and a utility.
3. The principle but it is for items which are technically a bit differently. Items are published, tags don't have that status at all. They are there and/or assigned or not. You would have to "park" tags probably in the plugin_storage table to workaround that It would need to be adapted.
I hope you understand that since I think this an unwise thing I am not really motivated to provide much help.