Hidden album bug.

Hello,
There is a bug with unpublished albums and registered users: they can access pictures under certain circumstances (pictures are published within the hidden album):

• with a dynamic album showing newest pictures
• with the search function, if they type a matching word.

Comments

  • acrylian Administrator, Developer
    edited December 2019

    That would happen if you have allowed unpublished results on creating the dynamic album.

    There is currently no interface to modify all settings afterwards but it's just a text field within the /albums folder. Open it via FTP and it should look like this (parameters may vary):

    WORDS=yoursearchterm
    THUMB=1
    FIELDS=tags
    CONSTRAINTS=inalbums=1&inimages=1&unpublished=0
    

    If you have unpublished=1 set it to 0. A bug with that setting not being set correctly on dynamic album creation was fixed in 1.5.5 and of course does not re-apply itself to albums created earlier.

    Also if your registered users have "View unpublished" rights they would see them.
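
An added example, not part of the thread and not Zenphoto code: a Python audit that reads the dynamic album definition files described in the post above and reports any whose CONSTRAINTS line does not carry unpublished=0, with a helper that rewrites that line. The function names and the `*.alb` file pattern are assumptions; the sample definition is constructed from the one shown in the post.

```python
import sys
from pathlib import Path
from urllib.parse import parse_qsl

def parse_definition(text):
    """Return the KEY=VALUE lines of a dynamic album definition as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # split on the first '=' only; CONSTRAINTS contains more of them
            fields[key.upper()] = value
    return fields

def unpublished_setting(text):
    """Return '0', '1', or None when CONSTRAINTS has no unpublished key."""
    constraints = parse_definition(text).get("CONSTRAINTS", "")
    return dict(parse_qsl(constraints, keep_blank_values=True)).get("unpublished")

def force_unpublished_off(text):
    """Rewrite only the CONSTRAINTS line so that it ends with unpublished=0."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.upper() == "CONSTRAINTS":
            # Keep the other constraints byte for byte, drop any old unpublished=...
            parts = [p for p in value.split("&") if p and not p.startswith("unpublished=")]
            line = "CONSTRAINTS=" + "&".join(parts + ["unpublished=0"])
        out.append(line)
    return "\n".join(out) + "\n"

def audit(albums_dir, pattern="*.alb"):
    """Map each definition file under albums_dir to its unpublished setting.
    The '*.alb' pattern is an assumption; adjust it to your installation."""
    return {str(p): unpublished_setting(p.read_text(encoding="utf-8", errors="replace"))
            for p in sorted(Path(albums_dir).rglob(pattern))}

# Constructed sample: the definition from the post, with the unsafe value.
SAMPLE = ("WORDS=yoursearchterm\nTHUMB=1\nFIELDS=tags\n"
          "CONSTRAINTS=inalbums=1&inimages=1&unpublished=1\n")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, setting in audit(root).items():
        status = "ok" if setting == "0" else "REVIEW"
        print(f"{status:6} unpublished={setting} {path}")
```

Run it against a local copy of the /albums folder; anything marked REVIEW either has unpublished=1 or has no unpublished key at all and should be checked by hand.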

  • Thanks acrylian.

    I checked all my dynamic albums.
    All of them show unpublished=0

    My registered users do not have access to unpublished items.

    Problem is with search function : it shows unpublished items to registered users. Not to other users.

  • acrylian Administrator, Developer

    Did you clear the search cache or have it disabled? Please try that before I try to reproduce this.

    Also please tell the exact rights these users have. They might have some type of rights that includes viewing unpublished items. That would be the case if they have admin rights or management rights to the items in question.

  • Search cache is disabled (parameter set to 0). I did clear the search cache: same problem.

    Registered user parameter:
    News: Access all
    Albums: Access all
    Gallery: View gallery & View search
    General: Nothing
    Pages: Access all
    Managed albums: nothing
    Managed pages: nothing
    Managed categories: nothing

    I use Chrome and my user account to check what my users can see.
    I use Firefox and my admin account to set parameters and manage my site...

  • acrylian Administrator, Developer

    Ok, I will try to reproduce that. Generally anyone can access unpublished items by direct link unless they are password protected. But they should not be listed by search or elsewhere.

    Please next time switch the site to the native English when posting something as that makes it a bit easier for me even if I roughly can understand it ;-) Thanks!

  • Yes, I will - easy language switch in general options page.

    Same problem with unpublished AND password protected album.

  • acrylian Administrator, Developer

    Hm, this is really weird because when we fixed the bug that search returned those elements in 1.5.5. we tested this all in and out.

    Btw, for password protected albums or other items they would be generally listed unless unpublished.

    I will try to reproduce this.

  • acrylian Administrator, Developer
    edited December 2019

    I made some tests. Besides that I indeed found a bug regarding returning unpublished items. The fix is in the support build.

    However it is correct in your case. Your user should not have "Access all right" to not see these. I had to look myself as our rights system is a bit of a mess and a bit counterintuitive in the code. But this behaviour is actually documented:

    Access all: Access all albums without a password. Without this right, a user can access only public ones and those checked in his managed object lists. (front and back end)

    https://www.zenphoto.org/news/an-overview-of-zenphoto-users/

  • Thank you very much for the bug fix. I will download and install support build tomorrow.

    Access all : Access all albums without a password, this is what I understood before !

  • ctdlg Member
    edited December 2019

    With your 1.57b support build : same problem.
    Inside an unpublished album, pictures and subalbums are published and not hidden.

    If a registered user (see below) searches for a word contained in a title of a picture (inside this hidden album), he will find it.

    user : rights :
    User rights

  • acrylian Administrator, Developer
    edited December 2019

    As discussed above you need to disable "All access" rights if you don't want this. "Access" here means he can see them as they are listed on the gallery and in search results.

    Anyone can "access" an unpublished item by direct link, even if password protected (on the latter a visitor cannot see the actual content).

  • If I disable "All access rights" then a registered user cannot access all protected albums as I use different logins to protect these albums.
    Because, doing so, I can give a specific album login to someone : he (she) will not be able to enter other protected albums. This is very useful.

    To sum up : hidden albums mean

    • nobody (except admins) can see them
    • registered users can search inside those hidden albums, visitors cannot.

    I will manage my registered users differently.

  • acrylian Administrator, Developer
    edited December 2019

    Perhaps you could try to define managed albums for these users but only with view rights and no edit rights. Then you should not need separate logins for albums. However that only works for top level including all sub levels.

    Btw, we don't have/use the term "hidden albums", they are "unpublished albums".

  • Thank you very much (again !) acrylian.
    2 days to fully understand all you explained and what I should have done.

    I followed your help : now, I'm using 3 Zenphoto accounts:

    • admin
    • family - members can see all albums
    • friends - members can see all albums except family albums

    And of course simple visitors who can see all unprotected and published albums.

    Friends cannot search anymore inside family albums
    (this album is unpublished, protected, located at the root of "albums" folder).

    Zenphoto ?
    Waouh! (in French)
