 Zenphoto
ZenphotoThe simpler media website CMS
Hello, 
There is a bug with unpublished albums and registered users : they can access pictures under certain circumstances  (pictures are published within the hidden album) :
with a dynamic album showing newest pictures
with the search function, if they type a matching word.
Comments
That would happen if you have allowed unpublished results on creating the dynamic album.
There is currently no interface to modify all settings after wards but it's just a text field within the
/albumsfolder. Open it via FTP and it should look a like this (parameters may vary):If you have
unpublished=1set it to0. A bug with that setting not being set correctly on dynamic album creation was fixed in 1.5.5 and of course does not re-apply itself to albums created earlier.Also if your registered users have "View unpublished" rights they would see them.
Thanks acrylian.
I checked all my dynamic albums.
All of them show unpublished=0
My registered users do not have access to unpublished items.
Problem is with search function : it shows unpublished items to registered users. Not to other users.
Did you clear the search cache or have it disable? Please try that before I try to reproduce this.
Also please tell the exact rights these users have. They might have some type of rights that includes viewing unpublished items. That would be the case if they have admin rights or management rights to the items in question.
Search cache is disabled (parameter set to 0). I did clear the search cache: same problem.
Registered user parameter :
Actualités : accès intégral
Albums : accès intégral
Galerie : Voir la galerie & Voir la recherche
General : Nothing
Pages : accès intégral
Albums gérés : nothing
Pages gérées : nothing
Catégories gérées : nothing
I use Chrome and my user account to check what my users can see.
I use Firefox and my admin account to set parameters and manage my site...
Ok, I will try to reproduce that. Generally anyone can access unpublished items by direct link unless they are password protected. But they should not be listed by search or elsewhere.
Please next time switch the site to the native English when posting something as that makes it a bit easier for me even if I roughly can understand it ;-) Thanks!
yes, I will - easy language swich in general options page.
Same problem with unpublished AND password protected album.
Hm, this is really weird because when we fixed the bug that search returned those elements in 1.5.5. we tested this all in and out.
Btw, for password protected albums or other items they would be generally listed unless unpublished.
I will try to reproduce this.
I made some test. besides that I indeed found a bug regarding returning unpublished items. The fix is in the support build.
However it is correct in your case. Your user should not have "Access all right" to not see these. I had to look myself as our rights system is a bit of a mess und a bit counter intuitive in the code. But this behaviour is actually documented:
https://www.zenphoto.org/news/an-overview-of-zenphoto-users/
Thank you very much for the bug fix. I will download and install support build tomorrow.
Access all : Access all albums without a password, this is what I understood before !
With your 1.57b support build : same problem.
Inside an unpunlished album, pictures and subalbums are published and not hidden.
If a registered user (see below) searches for a word contained in a title of a picture (inside this hidden album), he will find it.
user : rights :

As discussed above you need to disable "All access" rights if you don't want this. "Access" here means he can see them as they are listed on the gallery and in search results.
Anyone can "access" an unpublished item by direct link, even if password protected (on the latter a vistor cannot see the actual content).
If I disable "All acces rights" then a registered user cannot access all protected albums as I use different logins to protect these albums.
Because, doing so, I can give a specific album login to someone : he (she) will not be able to enter other protected albums. This is very useful.
To sum up : hidden albums mean
I will manage my registered users differently.
Perhaps you could try to define managed albums for these users but only with view rights and no edit rights. Then you should not need separate logins for albums. However that only works for top level including all sub levels.
Btw, we don't have/use the term "hidden albums", they are "unpublished albums".
Thank you very much (again !) acrylian.
2 days to fully understand all you explained and what I should have done.
I followed your help : now, I'm using 3 Zenphoto accounts:
And of course simple visitors who can see all unprotected and published albums.
Friends cannot search anymore inside family albums
(this album is unpublished, protected, located at the root of "albums" folder).
Zenphoto ?
Waouh ! (in french)