Home General support

(Untitled)

System
in General support
Hi,

I am testing Zenphoto right now (most recent version). Is the following issue a bug or a "feature"?

I have setup an album that is a) not published and b) has a album password. I log-in and can view the album as intended. I click on an image to view it in its original size and it works. I log out and cannot access the album anymore. So far so good.

But: I paste the URL of the picture I just viewed in original size in the address bar of my web browser and CAN access the picture without being logged in or having to enter the password.

This makes the whole permission system of Zenphoto obsolete and is IMHO a major security leak. I am glad I figured this out just before I uploaded my first private photos.

Comments

  • acrylian Administrator, Developer
    The protection refers to the pages accessed via the Zenphoto theme pages. Zenphoto is not able to protect from accessing the original images currently. You have to do that on your server.

    To prevent search engines t ofind them, set the robot.txt file up correctly (an example is included in the root folder),

    To prevent direct linking (Called hotlinking) you have to protect that via htaccess manually. Please read here: http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#39
  • sbillard Member
    Look at the zp-config.php file. There you will find how to change the album folder so that it may be more secure. Be aware, though, that if WEB browsers cannot access the album folder some functionality is lost. Particularly Flash players that require loading the original image will fail.
  • Blue Dragonfly Member
    I have been looking into this also, and have moved my album root out of the web root. There are issues with being able to directly access images by hand-crafting the i.php URL manually, for example. I've started taking notes and looking at what would be involved to truly "secure" the images. It's a bunch of work, but I suspect that it's not a huge issue for 99% of the users.
  • sbillard Member
    i.php will work fine. It is just things like the flash players that cause problems
  • Blue Dragonfly Member
    Ahh, sorry - I didn't clearly state that the "issues" with i.php were related to making it respect album passwords, not with the album root being outside the web root. That, as you say, works just fine. :-)
Sign In or Register to comment.