login for protected album not secure?

Zenphoto-Version 1.4.11 [26c78176cf], zpminimal.

Besides two public albums, I would like to make one album just for a group of users.

therefore
I mark a/the NEWALBUM as "not public",
set up one new user ("group") and
assign "him" the NEWALBUM to administrate (no other hooks marked)

so the new user now sees the new album if he is logged in, ok,

but

when he logs out (frontend website logout)
everyone can still reach <domain.org/zp/zp-core/admin-edit.php>,
only when he logs out from admin-edit.php itself is he really out.

and even then: everyone can still see
<domain.org/zp/NEWALBUM/> (if they know the path)

and whoever subscribed via RSS to the gallery gets text+thumb notifications about every new photo uploaded in the non-public gallery.

Am I proceeding in a wrong way to realize a protected album?

best,
Joe

Comments

  • acrylian Administrator, Developer
    Not public/not published is not the same as protected. Please take a look here if that answers your questions:
    http://www.zenphoto.org/news/an-overview-of-zenphoto-users#rules-of-protection-andvisibility-for-zenphoto-obj
    > when he logs out (frontend website logout) everyone can still reach <domain.org/zp/zp-core/admin-edit.php>, only when he logs out from admin-edit.php itself is he really out.

    That might be a browser issue with cookies and/or browser cache. What browser was that exactly?
  • hey acrylian,

    so you manage the rights by (not) setting a hook for an album 'and' for each picture.
    # After you create a user (or a group),
    # set only "view gallery" & give a hook to the one "managed album"
    - and a little hook to the albums-option "view unpublished entries".

    Thank you!

    The final problem is that even if the user is logged out, the URI of the closed, protected and therefore "empty" album, e.g. "shakka", is active: <http://domain.de/zp/shakka/>. It's unaesthetic.
    Do you have an idea how to disable that?

    Joe
  • acrylian Administrator, Developer
    We have only rights for top level albums (unless you protect it by password individually) including all sub albums and images within.

    The album is only protected but of course still existing, so its page can still be reached directly (as with any only unpublished album), and if it is not unpublished it will also be listed on the gallery for normal visitors.

    If you want to show something else like a 404 page on that occasion you probably could create a plugin to do so.
  • > ...
    > and if it is not unpublished
    the album is not published.

    if I go to <http://domain.de/zp/shakka/> when I'm not logged in,
    I see a page with:
    Galerie-Index » shakka
    No commands
    shakka not public
    (and no images for sure, because I'm not logged in - ok)

    but that's not the 404 page,
    it's some "default" page with needless and unlovely info.

    How to link in this case (not logged in and album not published) straight to the 404?

    Joe
  • acrylian Administrator, Developer
    As the article above also tells, if you don't want an album to show on the gallery you need to unpublish it. If you know the direct link you would be presented a login form for protected albums.

    If you don't want this default behaviour and the 404 page instead you have to write a plugin to hook into the `load_theme_script` to redirect elsewhere.
    http://www.zenphoto.org/news/zenphoto-plugin-architecture
  • if I know the direct link of the unpublished NEWALBUM, I don't get to a login form, but to a website (<domain.org/zp/NEWALBUM/>) without content - maybe just with the comment form.
    A small login is just a link in the footer line.

    What do you mean with "load_theme_script"? That's no function but the active template, here zp-minimal?

    Best regards,
    Joe
  • acrylian Administrator, Developer
    If you access a protected album directly that you have no rights to, you should get a login form on the page. Try this on our site (example of a theme without its own password page, so the generic one is used): http://www.zenphoto.org/test/
    > What do you mean with "load_theme_script"? That's no function but the active template, here zp-minimal?

    Sorry, apparently I forgot a word. It is not a function, it is a filter hook as the link I posted above explains, too. That's of course a bit advanced theming/coding possibly.
  • > ... http://www.zenphoto.org/test/
    Yes, that's working,
    but I don't get this login challenge on my installation - neither on zpminimal nor on the basic template.
    But yet, for me, if the album is not public, it shouldn't be interesting for anyone that he "could" log in.

    So just forward to the gallery index.
    I could take [show] => 0 to make a forwarding distinction

    Album Object
    (
    [data:PersistentObject:private] => Array
    ( ...
    [show] => 0
    ... )

    But I'm not too familiar with object programming and "safety packaging" with private etc.
    and until now don't know how to loosen this Object:private ...

    Joe
  • acrylian Administrator, Developer
    "show" is just the publish status. Sorry, you are on the wrong track here anyway, that is not going to work that way. You never use the persistentObject directly at all. You have to use the filter I mentioned via a plugin or possibly a theme function. I mean we had something like that a while ago. Maybe I find that.

    Regardless, you should get a login form on password protected albums.
  • hi,

    > ... you should get a login form
    maybe, but
    sorry, not with a new default installation with Zenphoto version 1.4.11 [26c78176cf], basic template.
    I just tried it with a fresh test installation.

    The album and the images are not public
    and the new user has just a hook for managing 'that' ProtAlbumTest-album.
    No other rights are hooked.

    when I call that:
    <http://localhost/zenphoto/index.php?album=ProtAlbumTest>

    I see a page with
    # the links "Galerie | ProtAlbumTest",
    # the searchfield and
    # the footer.
    No login call or form (except the "login" link in the footer, because I activated the plugin)!

    I checked the options twice but - no way.

    what do you mean by "password protected albums"? Better "constricted albums"?
    in the backend there is no field to assign a "password" to an album,
    but you can link or bound a user to an album,
    so it has a limited or "constricted" public.

    index.php
    zp_apply_filter('load_theme_script', $_zp_script, $zp_request);
    but
    load_theme_script(_zp_script, zp_request)
    <http://www.zenphoto.org/news/zenphoto-plugin-architecture>
    is it a confusing spelling incongruity?

    but
    where and how could I place something like
    "zp_apply_filter('load_theme_script', $_zp_script, $zp_request);" ...?
    so that a call of a non-public album or page simply ends up back on the gallery index?
    In the template's index.php, I think?

    Joe
  • acrylian Administrator, Developer
    Assigning users to manage an album and unpublishing that album is not "password protection". Then you would indeed not get a login form.

    There is a password form on every album edit page. It is hidden but there is written "Album password" and a lock icon next to it right below the album description field.

    You don't place `zp_apply_filter` anywhere. That is the filter you hook into by registering a function to it. Described here: http://www.zenphoto.org/news/zenphoto-plugin-architecture#zenphoto-filters

    Very roughly written in this case something like this within a plugin of the type FEATURE_PLUGIN:
    ```php
    zp_register_filter('load_theme_script', 'myFilterCall');

    function myFilterCall($script) {
        global $_zp_gallery;
        // Path of the active theme; $script is the theme page Zenphoto is about to load
        $themepath = THEMEFOLDER . '/' . $_zp_gallery->getCurrentTheme() . '/';
        // Here add checks like
        // if (something) {
        //     $page_to_load_instead = 'theme_page_to_load_instead.php';
        //     return $themepath . $page_to_load_instead;
        // }
        return $script;
    }
    ```
    As said this is a bit advanced and you should get a bit familiar with theming, object model and such in general first.
  • thanks, but sorry, I'm breaking off (maybe for now), I skip the album. :( #+*?\#$%

    [OT] tell me something like "try getAlbumLinkURL();" and ...
    always these sparsely beaded answers ...
    > ... Here add checks ... wherefrom:

    I tried something with rewrite_path($rewrite, $plain, $webpath = NULL) and some from <http://www.zenphoto.org/documentation/elementindex.html> (a million new terms: print_r($albumdir);), nearly nothing works, I got sick! I've been sitting for days on this 'stupid' basic navigation feature, but now I don't have the time anymore / have lost enough; the album would become too bloody for me, instead of being fun.

    again: thank you for your support so far and your always fast replies!

    > As said this is a bit advanced and you should get a bit familiar with theming, object model and such in general first.
    no. HTML & CSS, but not object modelling. What is a "CMS" for? (not for consumers but for programmers(-fun))
    keep naturally PHP. don't install another cosmos...
    too much, too much for Joe

    ciao,
    Joe

    -----------------------
    something with JavaScript, without login check - it's nothing!

    ```php
    <?php
    /**
     * @package plugins
     **/
    $plugin_is_filter = 5 | FEATURE_PLUGIN;
    $plugin_description = gettext("if no matching or public album called, coming down on gallery_indeXX or 404.");
    $plugin_version = '1.0';

    zp_register_filter('load_theme_script', 'myFilterCall');

    function myFilterCall($script) {
        // Only act on the one album that should stay hidden
        if (isset($_REQUEST['album']) && $_REQUEST['album'] == "NotShownAlbum") {
            // global $_zp_gallery; // without relevant infos
            $url = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';
            $defaultside = $url . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/index.php?p=404";
            $goto = $defaultside;
            // Client-side redirect: only takes effect if the visitor has JavaScript enabled
            echo '<script language="javascript"><!--
            location.href="', $goto, '";
            //--></script>';
        }

        // echo "<br>"; print_r($_zp_gallery); echo "<br>"; // no ce

        return $script;
    }
    ```
  • acrylian Administrator, Developer
    Anything you do with JS is a redirection AFTER the theme page already loaded. I actually gave you a complete working solution that does work BEFORE the theme page is loaded (that is also why your JS will not be executed). All you need to adjust is what to check for to load another page.
    > What is a "CMS" for? (not for consumers but for programmers(-fun))

    I think you may have a wrong understanding of what a CMS is ;-) Of course it is for consumers/Normal persons to use easily. But setting up a theme with extra functionality not available is of course not and never can be. That's not that way with bigger CMS like WP (and even worse with others). Of course WP is so big that there are already (good and bad) plugins for everything by someone. We cannot compete with that.

    You mentioned a navigation feature. There is a menu_manager plugin if you don't want to use the basic menu function each item type has. Of course once again the theme used must have support for it or you need to add it. I can only give the advice to look at how the official themes do things like this.

    We sadly really can't explain everything in detail. That really exceeds the forum.
  • hi again,

    > ... (that is also why your JS will not be executed)
    the JS is working (localhost environment),
    but not everyone is surfing with JS enabled,
    so it's no solution for me.

    ------------------

    &again
    you have three access regulations:
    -albumpassword
    -image non/-public
    -album non/-public

    therewith you are generating in the secret situation *only* two effects
    if calling e.g. <http://domain.de/zp/secretalbum/>
    (if a search engine or anyone tried the "secretalbum" term):
    -showing the login form
    -presenting the empty gallery page, named "secretalbum" (incl. its description!!)

    there is no effect where you present *no* content
    (and are straight forwarded to any 404 or root page).
    In my view, it's more a conceptual core business than a plugin business?
    Isn't it a lack of a prepared or invested third effect:
    -presenting no album and forwarding straight e.g. to 404

    that should happen, if you set an album on "non-public"

    but - it could be!
    For sure, it's work and takes time to update,
    I know ;) ...

    best, Joe
  • acrylian Administrator, Developer
    No, non public is by tradition hidden only. If you know the direct link you can access it. Password protected is just that and not hidden. If you don't want it to appear anywhere on the gallery do both.

    If you need a 404 page instead of a password protected album it can be done via a plugin using the filter hooks. The object model provides methods to check if an item is protected.
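An added example (not code from the thread or from the Zenphoto project) of the plugin acrylian sketches in his `load_theme_script` reply and describes again above: it runs before the theme page is loaded, so it needs no JavaScript, and hands the theme's 404.php to visitors who have no rights to an unpublished album instead of the default empty album page. It assumes the Zenphoto 1.4.x globals and constants `$_zp_current_album`, `$_zp_gallery`, `THEMEFOLDER`, `SERVERPATH` and `LIST_RIGHTS`, and that the album object's `getShow()` and `isMyItem()` behave as in 1.4.x; check these against your own installation.

```php
<?php
/**
 * Example plugin (added here, not part of Zenphoto): serve the theme's 404 page
 * for unpublished albums to visitors without rights, before the theme loads.
 * Assumed to be saved as zp-core/plugins/hide_unpublished_albums.php and enabled
 * in the backend. Globals/constants used are assumed from Zenphoto 1.4.x.
 * @package plugins
 */
$plugin_is_filter = 5 | FEATURE_PLUGIN;
$plugin_description = gettext('Serves the theme 404 page for unpublished albums to visitors without rights.');
$plugin_version = '1.0';

zp_register_filter('load_theme_script', 'hideUnpublishedAlbum');

/**
 * Filter callback: Zenphoto passes the theme script it is about to load and
 * includes whatever path we return instead.
 *
 * @param string $script theme page Zenphoto selected for this request
 * @return string the script to load
 */
function hideUnpublishedAlbum($script) {
    global $_zp_gallery, $_zp_current_album;

    // Not an album request (gallery index, search, pages ...): leave it alone
    if (!is_object($_zp_current_album)) {
        return $script;
    }
    // Published albums keep their normal page (assumed: getShow() is the publish flag)
    if ($_zp_current_album->getShow()) {
        return $script;
    }
    // Logged-in users who may manage this album still get to see it
    // (assumed: isMyItem() checks the current admin's rights on this album)
    if (zp_loggedin() && $_zp_current_album->isMyItem(LIST_RIGHTS)) {
        return $script;
    }

    $themepath = THEMEFOLDER . '/' . $_zp_gallery->getCurrentTheme() . '/';
    $notfound = $themepath . '404.php';
    // Fall back to the default page if the active theme ships no 404.php
    if (!file_exists(SERVERPATH . '/' . $notfound)) {
        return $script;
    }
    // Tell crawlers and clients the album does not exist for them
    header('HTTP/1.0 404 Not Found');
    return $notfound;
}
```

Album passwords are unaffected by this: a password protected but published album still shows the login form, because the `getShow()` check returns early.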
  • now everything is ok. Man, that took me so long!

    It is/was a little confusing that I have to activate *all*
    and give login credentials twice: for the user and for the album
    and and ...

    Thanx!
    Best regards,
    Joe
  • acrylian Administrator, Developer
    Glad we could sort it out! Forgot to mention you could also try making the whole gallery protected if that fits your needs. But for just certain albums above is the best way.