[Closed]: Control Access [Closed]: Control Access
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

[Closed]: Control Access

Started by w000f, June 12, 2008, 10:08:16 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

w000f

Hello,

Is there a way to not allow anyone to get to pictures by knowing the filename and the directory it is in? My galleries are only viewable by having to login (no public access). However, if you view it once and know the directory and filename, you can get to it by typing in the url, bypassing the login. Is there a way to prevent that?

Example - if you know the url:

http://xxx.com/albums/userpics/1000x/img001.jpg

You can type it in to view the pictures.

Thanks.

Fabricio Ferrero

Yes, there is.  ;) But it's not coppermine related. Google for hotlink protection.
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

w000f

I found more info but it appears that hotlinking protection via .htaccess is the next best thing at the moment since files access control is not part of the core.

Is this a correct way?
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?gallery.chipmunkfamily.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]


Image still viewable - http://gallery.chipmunkfamily.com/albums/Acura%20TSX%20-%20March%202004/etsx01.jpg

I know I'm not doing it right. What is wrong? Appreciate any help I can get. Host do support rewrite - even list it on the hosting FAQs.

just_some_guy

Seems to be working fine for me - I get a 403 Forbidden error.
Tambien, Hablo Español      PHP - Achieve Anything
"The Internet is becoming the town square for the global village of tomorrow. " - Bill Gates
Windows 7 Forums

w000f

Hmm... well I initially thought it was the browser cache but I cleared it many times already.  ??? Let me try again.

w000f

I see how it works now. :( Click on the link it says forbidden. Copy, paste the URL and you will see the pictures. Any other codes I can put in the .htaccess to disallow that? Please know that I understand the argument of - if you want your pictures to be secure, do not put it on the Internet. With the availability of users and groups, this should not happen.

Thanks.

Nibbler

Remove this line.

RewriteCond %{HTTP_REFERER} !^$

It's not a good solution though. There is nothing you can do about direct linking since it bypasses Coppermine entirely.

w000f

Thank you Nibbler. Removing that line now shows the forbidden page as well when you past the URL into another browser window. Is this something that will be worked into version 1.6.x? Just curious.

Thanks.

Joachim Müller

Quote from: w000f on June 15, 2008, 05:01:40 AM
Is this something that will be worked into version 1.6.x?
Next version will be cpg1.5.x, not cpg1.6.x. As Nibbler pointed out, this can not be built into Coppermine, since it bypasses Coppermine. You'd have to store the pics outside of the webroot (one level up) and dynamically generate a temporary copy of the file the legitimate visitor can see that needs to be purged after a certain time if you wanted to accomplish what you're up to. This would cause a huge performace penalty and will make Coppermine very hard to set up and will therefor not go into coppermine any time soon. This has been discussed in detail in previous threads already, so I won't explain this any further - search the board for details if you want to find out more.

w000f