Users and password protected albums Users and password protected albums
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Users and password protected albums

Started by zac, August 28, 2005, 10:25:44 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

zac

Hello.. I am delving into a new realm of coppermine and trying to figure out the user controls.  I want to use them in such way that they are just controlling who can see which albums.  If I have like 20 albums up, I only want user A to be able to see album A.  Is this possible?  The only options I can find are to make the albums visible to either everyone or only regestired, banned, etc... If this does not work is there a way to password protect each individual album?

Thanks for any help!

Zac

oops.. i just noticed this should be in the permissions and access rights board.... sorry.

zac

Ack... I figured it out.  Have to go into groups in the admin mode and create new ones.

amol

I have a follow up question...
Lets say coppermine root is domain.com/photos

And I setup album A such that it is only accessible to group A, in which there is only one user, user A.
So only user A should be able to see this album.
If unregistered user or some other user logs in, they cannot see album A in the list of albums. So far so good.

BUT...if they point to a url like
domain.com/photos/albums/userpics/10001/photoname.jpg, anyone can view the photos.

Which is something that I dont want.

Question: Is there any way to _really_ restrict access to photos and albums?

Joachim Müller

has been discussed many times, please search the board. There's no absolute safety though: if a determined user who knows his way around in coppermine is able to guess the url of an individual pic, he'll be able to see it. However, there are several methods (discussed on the other threads that I told you to search for) to make it harder (or nearly impossible) to do so. Additionally, there's a method outlined in a thread on how a complete protection could be achieved (by storing the pics outside the webroot and serving it only on the "legitimate" page), but don't expect code ready for copy'n paste - you have to be an expert to accomplish this sort of protection.