Password Protect Albums - Theory and Practice

Started by Oasis, October 29, 2003, 05:10:01 PM


Oasis

this brings us back to the topic of password protected albums!  :D
With password protected albums this would be much simpler...

gaugau, please DO consider this..  :)
I am getting requests for this feature every few days...
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

aymeric

Quote from: "oasis"
With password protected albums this would be much simpler

yes! that's a good idea :)

Oasis

gaugau, here is something that might work:

first, create a new column in the TABLE_ALBUMS called "albumpass".
When users specify a password while editing an album, then visibility becomes (FIRST_USER_CAT + USER_ID) and the password they specify is written into the albumpass column.

Then, in functions.inc.php where the script specifies which albums the user can't see

$result = db_query("SELECT aid FROM {$CONFIG['TABLE_ALBUMS']} WHERE visibility != '0' AND visibility !='".(FIRST_USER_CAT + USER_ID)."' AND visibility != '".$USER_DATA['group_id']."'");

add an extra criteria

AND albumpass != '".$HTTP_POST_VARS['albumpass']."'

Then all you have to do is show a form with an input box for users to type in a password, whenever they click on a private album that has a nonempty "albumpass" field.

OK, I don't know if this is actually feasible (I recall posting before that I hardly know any php...  :) ), but from what I have learnt in the past few months fiddling around with code, it seems to me that it should work. And it doesn't seem to compromise the original authentication system (one of the concerns pointed out in the previous post on this subject)...
What do you think? Would it work?

DJMaze

The password protection you mention could work if...
All options like Last uploads, most views, etc. also block password protected albums from showing.

So it would be some more changes as you say.
There are 2 kinds of users in this world: satisfied and complainers.
Why do we never hear something from the satisfied users?
http://coppermine-gallery.net/forum/index.php?topic=24315.0

Oasis

OK I've tried it out, but I had to use HTTP_GET_VARS instead of POST because I don't know where to change the code to add the password box.

Anyway, here are the results of my test:

Quote
The password protection you mention could work if...
All options like Last uploads, most views, etc. also block password protected albums from showing

It seems to do that automatically, since it is just processing that extra criteria. To show you what is happening, I created a new user called passwordtest.
Its user albums are at http://photo.enctu.org/passwordtest
There are two albums, both set to private (show only to owner). One of them has the albumpass set to "hello", the other is set to "world".

Now look at this:
http://photo.enctu.org/passwordtest&albumpass=hello
http://photo.enctu.org/passwordtest&albumpass=world
(Note the topviewed toprated random and lastuploaded pictures)

The same thing goes with the thumbnails:
No albumpass variable
http://photo.enctu.org/thumbnails.php?album=1630
Specified albumpass
http://photo.enctu.org/thumbnails.php?album=1630&albumpass=hello

So it seems that it could work, but it still needs an interface to type the password that only appears when it should... And maybe the variable could be kept across pages, so if you entered it once it will be active throughout the session.

By the way, I just found out a slight problem with my original idea. That is if no albumpass is specified, all albums with no password will be viewable (because the password matches...both blank). So I added a line so that if $albumpass is blank it will be replaced by "hahahanoonewilleverusethispassword". I'm sure there is a better way though.  :lol:

Oasis

OK so is anyone going to give me a clue on how to display the password box? I really can't find the place.

hyperion

For a start, you should just be able to detect no password and then redirect to a password form. The use of empty instead of isset will also screen for blank password entries. This will output the form with the action to return to the same script.

-----------------------------------------------------

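if (empty($_POST['password'])) {
    // Nothing submitted yet (empty() also catches a blank entry): show the form.
    pageheader('Password Protected Album');
    // PHP_SELF can carry user-supplied path info, so escape it before output.
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    print "<form action=\"$action\" method=\"post\">";
    print "Password: <input type=\"password\" name=\"password\"><br><input type=\"submit\" value=\"Log in\">";
    print "</form>";
    pagefooter();
}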

-----------------------------------------------------

Also, you could make it more elegant by adding another field to the album database.


Password_Protected             Password
        Y                        flip
        N
        Y                        flop
        N
        N


-Hyperion
"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull


Oasis

Thanks for the tip hyperion!  :)

OK I have a question... you know when we type
"index.php?lang=english"
and it is english throughout the session (and even subsequent sessions)
how do I do the same for $albumpass?

currently what i have managed to do is when you click into a private album, it asks you for a password. When they enter the right password, the pics in the album are shown... BUT when they click on the pictures themselves, the albumpass variable is not passed on and is lost, so the album goes back to being private, and it tells you that there are no images to display..

how do I make the variable pass on to displayimage.php?

here, you can take a look: http://photo.enctu.org/passwordtest
but the language is hardcoded, so you're gonna see only chinese but I'm sure you can guess what it's saying.

Oasis

OK I figured it out...  :D

in init.inc.php

if (isset($HTTP_POST_VARS['albumpass'])) {
    $USER['albumpass'] = $HTTP_POST_VARS['albumpass'];
}

and then GLOBAL $user in function get_private_album_set()

OK, I have completed the guest side of the password protection scheme (you can try it here: http://photo.enctu.org/passwordtest. The passwords should be obvious from the album names)
HOWEVER, I have had to make extensive changes to many parts of the code in various files, so it's gonna take me some time to write the changes out... Also, what I have done required changes in the theme.php, so I can see this isn't going to be an easy hack to implement...

I will now try to code the part for setting the password. I will post here if I have any news.
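
The scheme worked out in Oasis's posts above, as an added example that is not code from the thread or from Coppermine: it stores a password hash instead of the plain albumpass value, binds input as a query parameter, never lets a blank password match, and keeps unlocked albums in the session instead of passing the password from page to page. The `albums` table, the `albumpass_hash` column, both function names and the SQLite database are assumptions made for illustration; it needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not Coppermine code. Table and column names are hypothetical;
// an in-memory SQLite database holds constructed sample albums.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE albums (aid INTEGER PRIMARY KEY, albumpass_hash TEXT)');
$ins = $db->prepare('INSERT INTO albums (aid, albumpass_hash) VALUES (?, ?)');
$ins->execute([1, null]);                                      // no password set
$ins->execute([2, password_hash('hello', PASSWORD_DEFAULT)]);
$ins->execute([3, password_hash('world', PASSWORD_DEFAULT)]);

// Check a submitted password for one album and record the unlock in the
// session, so the password is sent once (by POST) and never carried in URLs.
function unlock_album(PDO $db, array &$session, int $aid, string $submitted): bool
{
    $stmt = $db->prepare('SELECT albumpass_hash FROM albums WHERE aid = ?');
    $stmt->execute([$aid]);
    $hash = $stmt->fetchColumn();
    // A blank submission, an unknown album or an album without a password
    // is never a match, so no sentinel password is needed.
    if ($submitted === '' || !is_string($hash) || $hash === '') {
        return false;
    }
    if (!password_verify($submitted, $hash)) {
        return false;
    }
    $session['unlocked_albums'][$aid] = true;
    return true;
}

// Album ids to exclude from every listing for this visitor: thumbnails,
// last uploads, top rated, random and single-image views alike.
function forbidden_album_ids(PDO $db, array $session): array
{
    $locked = $db->query('SELECT aid FROM albums WHERE albumpass_hash IS NOT NULL')
                 ->fetchAll(PDO::FETCH_COLUMN);
    $unlocked = array_keys($session['unlocked_albums'] ?? []);
    return array_values(array_diff(array_map('intval', $locked), $unlocked));
}

$session = [];                                       // stands in for $_SESSION
var_dump(unlock_album($db, $session, 2, ''));        // blank submission
var_dump(unlock_album($db, $session, 2, "hel'lo"));  // quote character is bound as data
var_dump(unlock_album($db, $session, 2, 'hello'));   // the album's password
print_r(forbidden_album_ids($db, $session));         // what stays hidden afterwards
```

Applying the result of `forbidden_album_ids()` in the one place that builds the private-album set is what keeps the special listings consistent with the thumbnail and image pages.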

gazon_zaseyan

Hi guys,

 Can somebody tell me the whole process of installing that option? I did read the whole topic, but it looks kinda complicated... I don't wanna mess it up by changing wrong things...

is there a ready manual or something for installing this MOD?!

Thank you !

Joachim Müller

no, there's no manual or similar. This is not even considered a mod, but more a theoretical discussion. If you're not feeling comfortable with it (if you're not familiar with webserver stuff), my advice is to not play with it (i.e. not use/apply this).

GauGau

gazon_zaseyan

Quote from: "gaugau"
no, there's no manual or similar. This is not even considered a mod, but more a theoretical discussion. If you're not feeling comfortable with it (if you're not familiar with webserver stuff), my advice is to not play with it (i.e. not use/apply this).

GauGau

I probably won't :) thanks.

So isn't there any other MOD for password protected albums? :( That would be a really helpful MOD, and I think not only for me...

are you planning on writing a MOD like that?

Thanks

Joachim Müller

one step at a time: we (dev team) have our workload set up for the current dev version (that will become the next coppermine release): passwords-protected pics won't be in it I'm afraid. If the next version is being released, we'll be going through the "feature requests" board and decide on which features will go into the future release.
Usually the dev team members don't write mods, but add code to the actual releases. Maybe someone else (who needs the modification as well) will take up the task and write a password-protection-mod.

GauGau

itang

I have read this post:

http://forum.coppermine-gallery.net/index.php?topic=1112

and I have found this cpg gallery applied password protection for each album successfully. But this album is in Chinese only. I think you can guess the operation if you are familiar with cpg.

http://www.enjoyalbum.net/main.php?cat=13730

I have an account for your test: 123456 pass: test

However, the author hasn't given any information about how he did it.

Can anyone follow this and provide a helpful hand to people who really want this function?

Joachim Müller


itang

No, if it were my page I would not ask for this feature here. :cry:

Joachim Müller

enjoyalbum uses an illegal copy of coppermine, with modifications built in that are not within the "regular" coppermine files (it's not illegal to add features, but you mustn't remove the "powered by" tag at the bottom, that's why it's illegal). Hard to say how they did this and that feature, but I'm rather sure they won't tell :wink: . Please do not contact enjoyalbum on this, the dev team already has and will take care of the copyright issue.

GauGau

itang

OK. Hope that somebody can do us a favour and get the password protection to work.

doggystyle

so oasis, can you please send the changes you did to the files to get the pw-protection work?! :(

kieranmullen

Would it be much easier than password protection to user tables that already exist?

Private Album Name would be made into a group. Admin could grant permission to that group or the album owner could. Only album members would be able to view pictures from that album.