Modification to create image download link - Page 2

Modification to create image download link

Started by adrianbj, July 05, 2005, 02:26:28 AM


FIREBOX

1. It's a great mod. I am on cpg 135; when I installed the code, the link downloads the preview, not the full-size image.

2. Also, is there a mod for only allowing registered users to use the link?

Thanks

Nallan

Quote from: EtaBeta on January 21, 2006, 05:52:02 PM
Is it possible to allow ONLY registered users to download? How??? I am very interested in this modification because I don't want all the visitors to be able to download pictures from my gallery.

I'm also very interested in this issue!!

adrianbj

Well I just tried this and it seems to work fine - now only logged in users will see the download link

Add the if statement and the corresponding close } around the download link - like this:

if (USER_ID){
$pic_html .= "<center><a href=\"download.php?getfile=$picturefs_url\">Click here to save the fullsize ($filesizecorr KB) image directly to your hard drive<br /></a><br /><br /></center>";
}



As for the issue of downloading the preview - sorry I have no idea

While I am here, I thought I may as well also post the revised version of the download file which includes the chunked file issue brought up long ago:

<?php

// The file to send is taken directly from the request parameter.
if ($_REQUEST['getfile']) {
    $file = $_REQUEST['getfile'];
}

$save_as_name = basename($file);
ini_set('session.cache_limiter', '');
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$save_as_name\"");

// Stream the file in chunks instead of reading it in one go.
function readfile_chunked($filename, $retbytes = true) {
    $chunksize = 1 * (1024 * 1024); // how many bytes per chunk
    $buffer = '';
    $cnt = 0;
    $handle = fopen($filename, 'rb');
    if ($handle === false) {
        return false;
    }
    while (!feof($handle)) {
        $buffer = fread($handle, $chunksize);
        echo $buffer;
        ob_flush();
        flush();
        if ($retbytes) {
            $cnt += strlen($buffer);
        }
    }
    $status = fclose($handle);
    if ($retbytes && $status) {
        return $cnt; // return num. bytes delivered like readfile() does.
    }
    return $status;
}

readfile_chunked($file);
//readfile($file);

?>


Hope that helps someone.

Cheers,
Adrian

Darkwoods

very nice mod  :) is it possible to have the full link on the thumbnails page? instead of having it on displayimage.php
Freedom

adrianbj

Quote from: Darkwoods on March 01, 2006, 09:38:43 PM
very nice mod  :) is it possible to have the full link on the thumbnails page? instead of having it on displayimage.php

OK - here's a quick hack to get what you want:

In the functions.inc.php file in the includes directory, find the build_caption function at around line 801. In the code below, notice the 4 most indented lines, which are also commented with '//download link' at the end. These are the 4 new lines of code that need to be added.
Hope that does what you are looking for.


function build_caption(&$rowset,$must_have=array())
{
    global $CONFIG, $THEME_DIR;
    global $album_date_fmt, $lastcom_date_fmt, $lastup_date_fmt, $lasthit_date_fmt, $cat;
    global $lang_get_pic_data, $lang_meta_album_names, $lang_errors;

    foreach ($rowset as $key => $row) {
        $caption='';
                $pic_url = get_pic_url($row, 'thumb'); //download link
                $downloadfilename = str_replace("thumb_", "", $pic_url); //download link
                $filesizecorr = $row['filesize'] >> 10; //download link (size in KB; the unit is already in the link text)
                $caption .= "<span class=\"thumb_title\"><a href=\"download.php?getfile=$downloadfilename\">Save fullsize ($filesizecorr KB) image to your HDD</a></span>"; //download link
        if ($CONFIG['display_filename']) {
          $caption .='<span class="thumb_filename">' . $row['filename'] . '</span>';
        }


Darkwoods

Thanks, it's working ;D You made my day

thx
Freedom

Darkwoods

Does this work on all types of files? Because it just works with image files, not mp3 or other files  :-[
Freedom

adrianbj

Quote from: Darkwoods on March 02, 2006, 07:31:10 PM
Does this work on all types of files? Because it just works with image files, not mp3 or other files  :-[

Good point - I don't have anything but images in my library so it hasn't been an issue.

I see two major problems here:

1) Thumbnails for mp3s and other non-image files are not relative to the file in question; they are simply a generic image, so I have to figure out a different way to find the filename.
2) The download script has a Content-Type: application/octet-stream, which I thought might handle most things, but obviously not. I have this part sorted already, but I will have to work on the first bit.

Will get back to you when I have something that is working.

adrianbj

Hi All,

I am afraid I have noticed a VERY serious security issue with the download.php script. Here is my quick hack to prevent any misuse.

Add these lines to the download.php file, directly after the: $save_as_name = basename($file);


$dirpath = dirname($file);
$pathcheck = substr_count($dirpath, 'albums/userpics');

if($pathcheck >= 1){



and then just before the final ?> at the end of the file, add these lines:

else{
print 'You do not have permission to download that file';
}


It basically checks to make sure that the file the user is trying to download is actually in the albums/userpics folder.

I think this should prevent the security issue, but I am no expert - maybe someone else can comment on this!

Joachim Müller

Having a file like download.php is a huge security issue; it must be extremely hardened against possible exploits. You might want to take a look at the code I posted in http://forum.coppermine-gallery.net/index.php?topic=28216.msg130742#msg130742 - you explicitly allow file types there.

adrianbj

GauGau - thanks for that - I was actually just thinking about doing it by file types today - seems like a good solution - might even be nice to combine the file type and folder check. I would definitely recommend to everyone using this hack to use the file type checking code that you linked to. Thanks!
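
The combination suggested in the two replies above (a folder check plus a file-type check), as an added example that is not part of any post in this thread and is not Coppermine code. It resolves the path with realpath() before comparing, since a substring test only looks at the text of the request, not at where the file really is. The function name, the extension list and the temporary test tree are assumptions made for the demo.

```php
<?php
// Added example: hypothetical helper, not Coppermine code.
// A request is accepted only if its resolved location lies inside the
// allowed directory AND its extension is on an allowlist.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif']; // assumed list

function resolve_download(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($requested); // collapses ".." and symlinks; false if missing
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // directory such as "userpics_old" does not pass the prefix test.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $real : null;
}

// Constructed test tree in a temp directory (no real gallery files involved).
$root = sys_get_temp_dir() . '/dl_demo_' . uniqid();
mkdir("$root/albums/userpics", 0700, true);
file_put_contents("$root/albums/userpics/photo.jpg", 'image bytes');
file_put_contents("$root/albums/userpics/notes.php", 'not an image');
file_put_contents("$root/settings.txt", 'outside the album tree');

$base  = "$root/albums/userpics";
$cases = [
    "$base/photo.jpg",          // inside the folder, allowed type
    "$base/notes.php",          // inside the folder, type not on the list
    "$base/../../settings.txt", // names the folder but resolves outside it
    "$base/missing.jpg",        // does not exist
];
foreach ($cases as $path) {
    $ok = resolve_download($path, $base);
    printf("%-45s %s\n", substr($path, strlen($root)), $ok ? 'serve' : 'refuse');
}

// Remove the constructed files again.
array_map('unlink', ["$base/photo.jpg", "$base/notes.php", "$root/settings.txt"]);
rmdir($base); rmdir("$root/albums"); rmdir($root);
```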

Sir Doyle

hi,
This is a great mod
But it does not work for another theme
Can you please tell how can I install this Mod in Eyeball theme?

Thanks

spedmetal

Quote from: EtaBeta on January 21, 2006, 05:52:02 PM
Hi!
Nice mod!
Is it possible to allow ONLY registered users to download? How??? I am very interested in this modification because I don't want all the visitors to be able to download pictures from my gallery.
Thanks to all


Yes, does this only work with the sample theme? Also, I have cm1.4.4 installed and can't even get back to the sample theme.

@adrianbj

The code you posted on that still goes in the theme.php file in the sample folder, correct? If so, where?

bennettsweb

I was able to implement this code in 1.4.4 by specifying the function theme_html_picture() in my custom theme.php. I used the same function as the sample theme.php except for the bit of code in the first post. I decided to keep the link to the fullsize image when the image is clicked and include the download link below the image.

You could also modify themes.inc.php to apply the mod to all themes that do not have the function specified, if I understand the code (I'm still pretty green in PHP).

Thanks for the help! -Bennett

ir803

This sounds like a great idea, and looks like something I can use. All I need now is to know which logged-in user downloaded which file. Is that something that can be integrated into this hack, or would this have to be a separate issue?

adrianbj

ir803,

I have in fact modded my gallery to include a feature to record who has downloaded what. The mod also adds a new category called 'Most Downloaded'. Unfortunately I have also made many, many other mods to my gallery since doing this, so it won't be easy to send you all the code changes, which also include changes to the database. I have also started collecting the user's country during registration, so I can see what country each image is being downloaded from. I really should put these mods together at some point, but I'm not sure when I will get a chance to, I'm afraid. I'll see what I can do though. BTW, I have also made the download script way more secure by initiating the downloads by picture ID, rather than filename.
Adrian

ir803

THAT sounds amazing, mate. Could you send me a link to your site so I can see it in action? I will wait for you to get a chance to see if you can put the code together, because I am very new to PHP and I wouldn't know where to start to take out the relevant bits of code.

adrianbj

The gallery is at http://ian.umces.edu/imagelibrary/

You will see that only registered users can download the fullsize version.

Here is a list of the features that might be of interest to you.

1) When you go to register you'll notice that I collect the user's country.
2) Notice the 'Most Downloaded' option in the menu. This doesn't list who has downloaded what (I don't think this should ever be presented publicly), but the information is being collected and stored in a new database table, so I can see who has downloaded what.
3) I have also integrated the lightbox mod and made the zip download also only available to registered users.

One of the problems you would find applying my changes is that I have also applied the 'Search Engine Friendly' URL mod, as well as swapping all links over to the PID, rather than the POS and made endless other code changes, including improvements to the SEF mod and the entire search process so they all actually work.

As I said, I will see what I can do about getting together the required changes, but I think I might be beyond making that a viable option as there have been so many other changes to the code. Please don't expect anything anytime soon though. I am still finishing off the upload and automatic thumbnail generation for vector files (SVG, EPS etc) and TIFFs, PSDs etc and movies and so don't really have any spare time at the moment. At least it will give you some ideas on possible options should you decide to try to mod the code yourself.

ir803

Sounds good, I'll be patient, I'm still picking up the basics at the moment. Do you privately have a record of specifically who (which user) downloaded each image, as this would be the most important aspect? BTW, this is the site I would be putting it on: http://www.ghsimages.co.uk/

adrianbj

Quote from: ir803 on January 16, 2007, 11:35:42 PM
Sounds good, I'll be patient, I'm still picking up the basics at the moment. Do you privately have a record of specifically who (which user) downloaded each image, as this would be the most important aspect? BTW, this is the site I would be putting it on: http://www.ghsimages.co.uk/

The new table 'downloads' has these fields

pid    
user_id    
datetime    

so to answer your question, yes I do have access to who has downloaded which photos (pid), and the date/time they were downloaded. By linking the user_id to the users table I can find out their name, country and state.
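
A sketch of the approach described in the posts above (download started by picture ID, each download recorded in a 'downloads' table, counts used for a 'Most Downloaded' list), as an added example that is not adrianbj's code and not Coppermine code. The 'downloads' columns are the ones listed in the post; the 'pictures' table, its rows, the function name and the convention that user ID 0 means a guest are assumptions, and an in-memory SQLite database stands in for the gallery database.

```php
<?php
// Added example: hypothetical schema and helper names, not Coppermine code.
// 'downloads' uses the columns named in the post (pid, user_id, datetime);
// the 'pictures' table and its rows are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pictures (pid INTEGER PRIMARY KEY, filepath TEXT, filename TEXT)');
$db->exec('CREATE TABLE downloads (pid INTEGER, user_id INTEGER, datetime TEXT)');
$db->exec("INSERT INTO pictures VALUES (1, 'userpics/10001/', 'reef.jpg'),
                                       (2, 'userpics/10002/', 'delta.jpg')");

// Returns the server-side path for a picture ID and records the download,
// or null when the visitor is a guest or the ID is not a known picture.
function start_download(PDO $db, $pidParam, int $userId): ?string
{
    $pid = filter_var($pidParam, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId <= 0 || $pid === false) {
        return null; // guests (assumed ID 0) and non-numeric IDs stop here
    }
    $q = $db->prepare('SELECT filepath, filename FROM pictures WHERE pid = ?');
    $q->execute([$pid]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $log = $db->prepare('INSERT INTO downloads (pid, user_id, datetime) VALUES (?, ?, ?)');
    $log->execute([$pid, $userId, gmdate('Y-m-d H:i:s')]);
    // The path is built from the database row, never from the request.
    return 'albums/' . $row['filepath'] . $row['filename'];
}

var_dump(start_download($db, '1', 42));        // logged-in user 42, picture 1
var_dump(start_download($db, '1', 7));         // logged-in user 7, picture 1
var_dump(start_download($db, '2', 42));        // logged-in user 42, picture 2
var_dump(start_download($db, 'reef.jpg', 42)); // a filename instead of an ID
var_dump(start_download($db, '1', 0));         // guest

// "Most Downloaded": count logged rows per picture.
$top = $db->query('SELECT pid, COUNT(*) AS n FROM downloads GROUP BY pid ORDER BY n DESC');
print_r($top->fetchAll(PDO::FETCH_ASSOC));

// Who downloaded what, and when (kept private, as the post recommends).
print_r($db->query('SELECT pid, user_id, datetime FROM downloads')->fetchAll(PDO::FETCH_ASSOC));
```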