Hi, I need your help. I would like to secure my albums between different users. For example, I have two users: A and B. I assigned Album1 to user A and Album2 to user B. I set up Zenpage not to allow guest users, so to see any albums a user needs to be defined under administrators with only the Post Comments privilege and the specific (above) album management. After logging in, user A sees only Album1, but if user B gives him the link to his album, then user A, after logging in and pasting the link, will be able to see Album2.
This is one hole in the security of my page.
Second, I would like to not see any images or thumbs on the page when a user clicks Logout. Currently, after logout, I still see images and the Login form.
Sorry for my English, and please note that I don't know PHP, but I am able to understand what I should do (change code).
Xoxer
Comments
In the end I modified my theme with the following code:
```php
<?php
// Hide the album/image markup when the album is unpublished ("show" is 0)
// and the logged-in user does not manage this album.
if (!isMyAlbum($_zp_current_album->name, 'ANY') && $_zp_current_album->get('show') == 0) {
    echo gettext("The page you are trying to view is password protected.");
} else { ?>
<!-- image/album html -->
<?php } ?>
```
This works fine for me, so maybe it will help somebody else. I also used .htaccess
```apache
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
```
to prevent downloading the full image. I am not using any Flash, so it also works very well for me. The last part about security is the cache. I saw a post on this forum about using the mod_rewrite module to pass access to any image through pic.php. But it was for an older version and I have no idea if it is possible and how to implement it now. But the idea is quite nice, unless that feature slows down the website. So, if I understand it correctly, it should work like this:
- mod_rewrite should detect any image by extension and pass it to pic.php (i.php?) as a parameter
- pic.php should check if the picture (recognized by folder/album and name) is in a secure area (not published) and whether the user can manage this album.
- if the check is successful then redirect to the picture
- otherwise show a specific error HTML page
I am not an expert in www/PHP and so on, so please use it as an idea only. Maybe there are different ways to secure the cache.
In the end I would like to ask about Linux folder privileges. I am using FTP to upload images to my server. I have user ftpuser in group ftpgroup. When I upload an image, all files belong to this user with 744 (album: 755). How should I set up the albums folder privileges to be able to delete images from the Zenphoto admin section and also have full control by ftpuser? What is the most secure solution?
Best Regards,
xoxer
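The mod_rewrite-plus-gatekeeper idea sketched above, written out as an added example that is not part of the original thread and not Zenphoto code. It assumes a cache layout of `cache/<album>/<file>`, a hypothetical gatekeeper script `pic.php`, and that login stores the album names a user may view in `$_SESSION['albums']`; unlike the sketch, it streams the file from PHP instead of redirecting, because a redirect would hand the client a cache URL that can then be fetched without any check.

```php
<?php
// pic.php: added example gatekeeper for cached images (hypothetical; not Zenphoto code).
// Assumed rewrite rule in the site-root .htaccess, routing every cache request here:
//   RewriteEngine On
//   RewriteRule ^cache/(.+)$ pic.php?f=$1 [L]
// Assumed cache layout cache/<album>/<file>, and that login stores the album names
// the user may view in $_SESSION['albums'] (a constructed assumption for this example).
session_start();

define('CACHE_ROOT', __DIR__ . '/cache');

function deny($code, $msg) {
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($msg);
}

$f = isset($_GET['f']) ? $_GET['f'] : '';

// Accept only "<album>/<file>.<ext>" from a safe character set: this rejects
// traversal ("../"), absolute paths and anything outside the expected layout.
if (!preg_match('~^([A-Za-z0-9_-]+)/([A-Za-z0-9_.-]+\.(?:jpe?g|png|gif))$~i', $f, $m)) {
    deny(400, 'Bad request.');
}
$album = $m[1];
$file  = $m[2];

// Second line of defence: resolve the path and confirm it is still inside CACHE_ROOT.
$real = realpath(CACHE_ROOT . '/' . $album . '/' . $file);
if ($real === false || strpos($real, realpath(CACHE_ROOT) . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'Not found.');
}

// Access check: the user must be logged in and the album must be on his list.
$allowed = (isset($_SESSION['albums']) && is_array($_SESSION['albums'])) ? $_SESSION['albums'] : array();
if (!in_array($album, $allowed, true)) {
    deny(403, 'The page you are trying to view is password protected.');
}

// Authorised: stream the file from PHP instead of redirecting to it, so the
// client never learns a cache URL that could be fetched without this check.
$mime = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
$ext  = strtolower(pathinfo($real, PATHINFO_EXTENSION));
header('Content-Type: ' . $mime[$ext]);
header('Content-Length: ' . filesize($real));
header('Cache-Control: private, no-store');
readfile($real);
```

Because readfile() reads the image from disk rather than over HTTP, a `Deny from all` in `cache/.htaccess` can stay in place as a backstop against direct requests that bypass the rewrite.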
I don't think your hacks are actually necessary (unless I didn't get it right). The .htaccess addition of course might make sense.
Regarding recommended file/folder permissions please read:
http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#29
The other problem is with cached images. I have no idea how to secure them. Maybe this is not possible.
I need a little help with privileges. My knowledge about Linux is limited. How do I set up ftpuser as the PHP user? Add the PHP user (www-data?) to ftpgroup? What command should I use to achieve this?
I don't understand the problem with the cached images; they are of course also password protected, since Zenphoto always uses the cached images if they are available. If not, they are created.
Regarding the privileges, I have to admit I am not that much of an expert. I use an FTP client to set them. Perhaps sbillard will know more about this.
The cache problem is simple. A logged-in user right-clicks on a preview image (cached 600x450 preview), chooses "Show Image" in FF and then sees a link in the address bar like:
http://www.mysite.com/cache/DCI1234.jpg
With this link anybody can see this image. What is strange is that I also have a News page to show one news item on the home page. This news item contains one image from one album (called News) which I am using to store images for news items. When the user clicks on it, then instead of the cache path he has:
http://www.mysite.com/zp-core/i.php?a=News&i=welcome.jpg&s=600
and when I look at this album as administrator, then I have this link to the image:
http://www.mysite.com/News/image/600/welcome.jpg
I have no idea why this link does not point to the cache, as this image is also cached.
I will investigate it more later, as now I have an error after upgrading Zenphoto to the latest nightly build, with an error on the admin page related to a missing updateThumbPreview function.
Regarding cache protection: you know that any image a user sees has already been downloaded to the browser's cache anyway?
About the cache you are right; I agree with you that in most scenarios it is not worth securing it. But if Zenphoto gives me the ability to disable hotlinking to the full image, I also want to disable access to the picture in 640x480 size. This size is good enough to use on another website on the internet.
But overall I am very happy with what I have now. So thank you for your help, advice and comments. I love Zenphoto as a user who has only just first seen the PHP and Linux environment.