I have ZenPhoto set up with a single base album that contains all the other albums. I set up a password so only registered users can see any of the pictures. Everything works great, but I have one problem. If you know (or figure out or guess) the direct link to a photo you can actually access any picture on the server. This includes anything in the "albums" or "cache" folders.

Even though it is unlikely, this mean that all my pictures are available to anyone. I searched the forums and couldn't find anyone else with this problem. Could I have set something up wrong? Or is this a security issue?

You will have to set the permissions on those folder correctly so noone can access theme directly. Also it is a good idea to disable folder listing (ask your host) so no one can list the contents of a folder by directly accessing it.

I also recommend seaching the web for htaccess and hotlinking prevention.

Thanks for the quick response. I don't have directory listing on so that's not a problem, and if someone tries to enter an album folder directly ZenPhoto's password dialog kicks in no problem. My issue is if you put the exact URL to the photo. I don't quite understand why this isn't taken care of by ZenPhoto as well?

eg. On my site if you use the following links it works ok:
http://www.minchinton.net/zenphoto/albums/ourphotos/blogpics/
http://www.minchinton.net/zenphoto/ourphotos/blogpics/Samsung_Galaxy_Spica_Black_Front.jpg.php
But if I use the exact link, I can see the photo
http://www.minchinton.net/zenphoto/albums/ourphotos/blogpics/Samsung_Galaxy_Spica_Black_Front.jpg

Note that if you disable access to the cache folder and you have images set to be cached, then you'll get missing images and thumbnails as a result. You can disable access to the albums folder, but you'll either need to allow access to the cache (though disabling indexing is a good idea), or disable the use of the cache.

Zenphoto needs access to the full image as that is where the cached versions are generated from. Also some colorbox scripts require that to display the full image in an overlay. As said you can disable direct access to images from outside using htaccess. Here a quickly searched link: http://www.htaccesstools.com/hotlink-protection/

You could even put your "albums" folder outside the normal html part of your server so no one can access it. Drawback on that is that multimedia files like mp3s or movies will not work then.

@blue dragonfly: You actually can't disable image caching at all.

In theory, it would be possible to disable caching in Zenphoto. Then each time the image was "viewed" the scaled/cropped version would be generated. I doubt that this would have acceptable performance, though. Short of that, you simply cannot view an image unless the browser can access it.

Your best line of defense is to relocate the album folder outside the browser paths as suggested by acrylian and to watermark your displayed images. Be warned that using the external album features is frought with peril. Do not attempt this unless you are quite comfortable with how file access works with server scripts.

Thanks again for your replies.

I figured out a work around (read hack ) but if I leave the album folder where it is in the html part of the server, then set the full path to it in $conf['album_folder'] and set it as an 'external' path, I can then place a .htaccess file in the album folder that then completely locks out direct URL to the files in it. Something like below which is what I took from the Gallery data folder:

DirectoryIndex .htaccess
SetHandler Gallery_Security_Do_Not_Remove
Options None

RewriteEngine off

Order allow,deny
Deny from all

This still leaves the cache folder exposed of course. I'm not quite sure why you say there needs to be access to the cache with direct urls files since this solution works for items in the album folder, wouldn't it work for the cache too? And Gallery seems to use all it's albums and cache data from a folder protected this way.

I could change the name of the cache folder to something random which would effectively hide it I believe.

Quote: I'm not quite sure why you say there needs to be access to the cache with direct urls files since this solution works for items in the album folder, wouldn't it work for the cache too? And Gallery seems to use all it's albums and cache data from a folder protected this way.
I did say it was possible not to use the cache. But I also said that the performance would most likely be an issue. As to why you cannot block the direct access of the cache. Take a look at the links that are used for your images. You block those links and no one sees the images. Of course, that would solve your problem

My final solution has the album folder set to external and protected by the htaccess file, and the cache folder renamed to something random to keep it hidden.

This solution also has the advantage I can use protected photos on the public blog (zenpage) as they will be copied into the cache which is hidden but public, but the original files cannot be accessed without a login.

Thanks for the help again.