IP authentication

I am looking at using ZenPhoto for a website for colleges and universities. The issue I am facing is that colleges use IP authentication. The way this works is that an account is created for an administrator at a college on the website. The IP address or range that the administrator provided is then mapped to the user account. Students at that college do not need to create an individual account or log in to the website as long as they are on their college network. If the student is off-campus, they need to log in to their college network before they can get access.

Is there a possibility to do the same with Zen Photo? Is this feature possible?

By the way, Open Journal System already has the IP authentication built in. If there is a way to connect OJS and ZenPhoto, that will be great.

Any comments?

Comments

  • Further explanation:

    I am looking at using Zen Photo for a subscription website for colleges and universities. The issue I am facing now is that colleges use IP authentication. It is the standard method of granting colleges/universities access to content. The reason that IP authentication is used is because it would be impossible and daunting to create an individual user account for each student and faculty at the college given that some schools have 5,000 plus students. IP authentication is used as a way of providing access to online content to large groups of people.

    The way IP authentication works is that an account is created for the college administrator on the website. The IP address or range of the college is then mapped to the administrator's user account. By map, I mean that the website webmaster can choose two ways to authenticate access for the college. They can authenticate access via domain OR by IP address (or IP range). This IP authentication feature is already built in Open Journal System, which is used for peer-reviewed journals.

    Students at that college do not need to create an individual account or log in to the website as long as they are logged into their college network. For example, students at the library can access the materials after they have logged into any of their college computers in the library or the lab. Now, if the student is off-campus and wants to access the contents of the website, they need to log in to their college network before they can get access to read the contents of the website.

    Is there a possibility for this functionality in ZenPhoto?

    I would be happy to get feedback from the ZenPhoto community about IP authentication.
  • acrylian Administrator, Developer
    There is no IP authentication for Zenphoto. Especially since storing the IP is considered a privacy issue in some countries (like mine) and not reliable since it may change on connection. For your purpose of course it makes sense.

    Anyway, it is generally possible to develop a custom authentication. You will have to make your own version of `zp-core/lib-auth.php`. See the instructions in the file comments itself.

    Alternatively you could try the development svn/nightly which already features a plugin called "federated_logon" which you possibly can extend/customize for your purpose.

    I am sure my colleague sbillard will be able to tell more later.
  • Actually, I have no more to add than Acrylian said. Zenphoto does not currently provide what you are asking, but should be easily extended to do so.
  • Can you extend the plugin? What would be the cost?
  • It is really impossible to answer your request as I know nothing about Open Journal System. Quick Google of OJS seems to indicate it is an editing system rather than an authentication system, though.

    It is also not clear how the student login works when the student is off network.

    But, a simple gateway that passes access from users within a specific IP range would be pretty straightforward, if perhaps also significantly insecure. Such could be custom built for something in the range of $500. But I am not at all convinced that it would be acceptable given how easy it is to spoof IP addresses.

    You should go back to the school network administrators and find out if they have an OpenID provider facility of some sort. If so, the Federated Logon facility that is in development will work out of the box but will probably be a little less user friendly than the student's normal logon. If the provider supports a Discovery interface the student authorization for Zenphoto devolves to simply clicking on an icon.

    At any rate, providing a custom OpenID handler for the school provider would normally run about $100. However, testing may be an issue since we are not school members. That could increase the development costs.
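
The IP-range gateway described in the comment above, sketched as an added example (not part of the thread and not Zenphoto code): it maps the connecting address to an institutional account by CIDR range. The account names and ranges are constructed placeholders, and the function names are hypothetical.

```php
<?php
// Added example, not Zenphoto code. Ranges are constructed (documentation prefixes).
const INSTITUTIONS = [
    'example-college'    => ['192.0.2.0/24', '2001:db8:10::/48'],
    'example-university' => ['198.51.100.16/28'],
];
/** True if $ip lies inside $cidr. Handles IPv4 and IPv6; rejects malformed input. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $addr  = @inet_pton($ip);
    $net   = @inet_pton($parts[0]);
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false; // unparsable address, or IPv4 compared against IPv6
    }
    $maxBits = strlen($net) * 8;
    $prefix  = $parts[1] ?? (string) $maxBits;
    // A non-numeric prefix must not be cast to 0, which would match every address.
    if (!ctype_digit($prefix) || (int) $prefix > $maxBits) {
        return false;
    }
    $bytes = intdiv((int) $prefix, 8); // whole bytes covered by the prefix
    $bits  = (int) $prefix % 8;        // leftover bits in the next byte
    if (substr($addr, 0, $bytes) !== substr($net, 0, $bytes)) {
        return false;
    }
    if ($bits === 0) { return true; }
    $mask = (0xFF << (8 - $bits)) & 0xFF;
    return (ord($addr[$bytes]) & $mask) === (ord($net[$bytes]) & $mask);
}

/** Map a peer address to the institutional account whose range contains it, or null. */
function institution_for(string $peer): ?string
{
    foreach (INSTITUTIONS as $account => $ranges) {
        foreach ($ranges as $cidr) {
            if (ip_in_cidr($peer, $cidr)) { return $account; }
        }
    }
    return null;
}

// Only the TCP peer address is used. Headers such as X-Forwarded-For are set by the
// client and must not be trusted unless a reverse proxy you control overwrites them.
$peer = $_SERVER['REMOTE_ADDR'] ?? '198.51.100.20'; // constructed fallback for CLI runs
$account = institution_for($peer);
echo $account === null ? "no institutional match: require normal login\n"
                       : "institutional access as $account\n";
```

A match only establishes which network the request arrived from, so it can grant institution-level read access but never identifies an individual user.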
  • Let me clarify:

    With IP authentication, the student NEVER logs in or creates an account. They are simply authenticated once they are on the university network. Usually at a university, students are already logged into the university network, which allows them to search their library collection, print over a network, and much more.

    Open Journal System does do authentication. People that use OJS use it to provide institutional access to colleges and universities.

    I am sending you the relevant page numbers of the information about IP authentication from the OJS documentation. The documentation includes descriptions and screenshots.

    http://pkp.sfu.ca/ojs/docs/userguide/2.3.3/userguide.pdf

    Authentication Sources - page 37

    Shows the screen for entering the IP ranges - page 120

    Subscription Types - page 103

    Institutional - page 116
  • Usually, when the student is off-campus, they need to go to the university website to login. For example, if a student wants to use the library when they are home (not on campus), they go to their library website and login with their university username and password. Once they are authenticated by their university website, they are then given access to the library.

    I have users who can test it.
  • "Authentication Sources:
    By default, OJS authenticates users against its internal database. It is possible, however, to use other methods
    of authentication, such as LDAP. Additional authentication sources are implemented as OJS plugins; refer to the
    documentation shipped with each plugin for details."

    Just for your education, what this says is that OJS has an internal mechanism for authentication. It is NOT an authentication server. Likewise, Zenphoto has an internal mechanism for authentication and does not play a role in authenticating for other applications. It does say that other sources are supported via plugins, so you should ascertain if OJS supports OpenID authentication and if your University provides such an authentication server.

    The document also clearly shows a logon page which makes no mention of IP addresses. It also describes "changing your user profile" which to initiate you "log in and click the Edit My Profile link from your User Home page."

    I do not have the time to carefully study this document. (And should I do so, it would obviously be "on your dime".) But I suspect that something else is going on under the hood here that you are not aware of.

    As I have mentioned before, IP address is simply not secure enough to be used for any serious authentication. Also it does not a priori link to any specific identification. So if students are really using this system with real, human identities, then some other logon mechanism is taking place.

    Again, you should speak to your network administrator to find out how things really work. You would be wasting your money contracting for one of us to learn all of this without even knowing if anything is feasible.
  • I should clarify something. I am not with a university, and I think you might have assumed that this project is being developed by a university. This is a service for universities and their libraries. The libraries usually use a static IP address from their network to access remote content. The university uses proxy software, which connects the university libraries via their IP address to the content provider's website.

    What I am trying to find out now is if an authentication plugin (or the federated login mentioned earlier) can be extended to give university access to the contents of a ZenPhoto website?

    If you have a better and secure solution than IP authentication, I would like to hear about it.

    Take a look at page 114 (should say 114 at the footer) on the PDF document. It shows a screenshot and it says "Domain" or "IP Ranges".
  • If you are providing a service to universities, why do you not just configure your router to allow only those IP addresses to access the router?

    It is possible to enhance Zenphoto to filter access by IP address. If you wish to go forward, this is the first estimate I provided you.

    I am not in the business to do free research on a project. If you wish to go forward you have two choices--your best choice is to create a statement of requirements. From that we can give you a project estimate. If you need us to do the research of the requirements that would be done on a time and materials basis at $80 an hour.
  • The whole point of this post is to see if ZenPhoto has the capability to allow universities access to its content. Since I am considering ZenPhoto for a project, I was trying to find out what it would take to extend and maintain the plugin in order to accomplish the goal of the project.

    Most users that use ZenPhoto might use it for personal or business purposes. When you are dealing with academic institutions (colleges and universities), they have very different needs and require a very different way of accessing content. For universities, you are not dealing with each individual student, you are dealing with the entire campus, the entire campus becomes one user. I am not sure how to explain this, but you do have my email, should you wish to get in touch with me offline and discuss matters.
  • I have e-mailed you.
  • I will update if this becomes a solution.
  • I will update the post when a solution is possible.
  • Is federated logon part of the new update of ZenPhoto?
  • Is federated logon included in ZenPhoto 1.4.0.4?
  • And you posted the question twice, because?
  • So, I guess you are not interested anymore in the development proposition you first proposed to me.

    There are no new features in Zenphoto 1.4.0.4. That is what is meant by a bug fix release. New features will come when Zenphoto 1.4.1 is released.
  • Thanks for responding. I do not get notification and so, do not know that a response has been posted.

    @zenPhotoCharles - I did not realize it was posted twice because I hit the stop loading this page icon so I can add the version number.

    @sbillard - I never said that I was not interested. I have been swamped with work, and have not had time to do anything or write up a project spec as you required.

    It would be great to do the project in ZenPhoto. My only concern now is that I will need a way to hide the images and their location. It is hard to do subscription if users and search engines can find your "subscribed images." If the images can be installed above the public directory, that would be great.

    Is there a limit to the number of images in ZenPhoto?
  • acrylian Administrator, Developer
    I guess my colleague would have preferred that you sent him a note that you currently have no time to collect details because of work load... At least I personally would have expected that.

    To your two questions:
    1. You can store the main albums folder with the full images outside the webroot (Note: Multimedia files will not work) but not the cache folder (if someone views it he got it already anyway). You can protect all using proper robots.txt and htaccess though. Or just htaccess password protect the whole page.

    2. There are two plugins "quota_manager" and "image_upload_limiter".
  • @acrylian: I did email him, but he did not respond. I will try again.

    "You can protect all using proper robots.txt"

    Could you give an example of proper robots.txt?

    "Or just htaccess password protect the whole page."

    Do you mean password protect the whole page? Or password protect the htaccess?
  • acrylian Administrator, Developer
    Regarding robots.txt recommended read: http://www.robotstxt.org/

    I meant using an htaccess password which is the only way to really protect a site. You then need a password to access the site itself. The Zenphoto password blocks only the access via the site itself, not the access directly or to images.
    Recommended read: http://httpd.apache.org/docs/1.3/howto/htaccess.html
  • As I recall, we did have an email conversation about your request which was left last mail I saw that you would either work out a statement of requirements or hire me on time-and-materials to help you do so.

    That is the last I heard from you. I doubt that your response got put in the spam bin since none of your previous mails did, and I do peruse the spam file for false positives. But maybe you changed your email address and used a spam-sounding subject. If so, resend your last communication.
  • You got mail.
  • I got your mail. I have responded. Bottom line, this is not a statement of requirements. You need to be explicit of what you want done for you.
  • @sbillard - Let's move the discussion of requirements offline.