Are private albums visible to everyone and not just displayed on the main page or can they be modified so that they cannot be viewed by any other members?
Thanks in advance
Private albums are (as the name suggests) private - only the user group you configured can view them. You can find out about this by creating two test user accounts: one who is a member of the "privileged" group that is supposed to see the private album, one that doesn't belong to this privileged group.
There is, however, no absolute security on this: if a non-privileged visitor of your site manages to guess the URL of a filename he'll be able to access the pic directly, but this is a general rule of thumb on the internet: don't publish it if it really, really has to be absolutely private.
If you want to test this, try accessing a private album on my gallery: http://gaugau.de/galerie/thumbnails.php?album=11&lang=english (it's there, I promise; and no: registering on my site won't let you see it - you have to belong to a certain group to access the page...).
GauGau
Ah ok, I was making it more confusing than it actually is. Thanks for that quick reply and the awesome program :)
Hi
Is this possible?
I currently have a site, with a coppermine install working on v1.2 RC3 with over 1000 pictures, all is well.
However I want to add some more photos, mainly more private family history ones in different albums, that only certain users can see, eg only other members of my family and close friends.
Is there a way to do this? I have been told you can do it in the properties of an album and select a group to restrict it to, but that option isn't there on mine. I would also like it so that if new pics are added to the private albums, they don't get added to my frontpage blocks, which is why I was thinking of the different install.
Found it! Needed to turn on "users can have private albums!"
Is this the best way to do it tho?
You can edit an album's properties and set it so that it is only visible to certain groups. Fiddle around with the program and you will get the hang of it.
At the moment when you set rights to an album, and upload some pics into an album, it's still seen in the last uploads, top rated etc.
Then users can still get into the albums by clicking on the thumbs.
Sort of defeats the point of rights.
I have got the hang of it, been using it for months and months and done tons of upgrades, just couldn't find the setting but thanks anyway...
Just a problem now with the permissions backdoor, eg when u click on a top rated pic that u don't have permission to, it still takes u into the album?
But what if someone gets the url by looking at the top rated or newest uploads lists?
That's impossible unless you have made your own alterations to the code. The only reason those pictures are showing in Last Uploaded and Toprated is because you are logged in as a user who is authorized to see those pictures. Log out and as a guest, private pictures will not appear.
er...I've done that...
In fact I went to my brother's PC who is just a registered user, and I could still see in the last uploads the thumbs from an album that only has rights to admins. Clicking on the thumbs then of course supplied me with the URL to the pic and allowed me into it.
I have also got a few other of my normal members to try and it's the same for them.
I have made NO alterations to the code.
Do you know when 1.2.2 will be out? I could upgrade to that and still see if it happens.
Hi,
I have seen this discussed before. I don't know if it was fixed in the latest version, which you should upgrade to.
But the only fix I saw was to actually remove the link for top rated pics.
All it requires is to edit out the link in themes/yourtheme/theme.php.
It is near the top, in the section '// HTML template for main menu'. Look for
<a href="{TOPRATED_TGT}">{TOPRATED_LNK}</a>
and comment it out like this
<!-- <a href="{TOPRATED_TGT}">{TOPRATED_LNK}</a> -->
Depending on the theme you use, you may need to include the cell (<td>) it is in.
I have posted the answer to the top rated question on your post about it. In the latest version, the last-up only includes pics that you are entitled to see. Try it. Log out, and see that the last up does not show pics from private albums.
If it does in yours, you should upgrade to the latest version.
I don't understand what you mean - be careful by shouting "bug" each and every time you don't understand how a software works! Pics belonging to a private album will only show in "toprated" or any other meta-album if you're allowed to view it. If you're browsing your gallery being logged in as admin it's small wonder you can see those private pics - going into user mode won't help either. Just log out and see if the thumbnail of a pic belonging to a private album is still there in the toprated section. If yes: copy and paste the url here, so we can have a look at it. If no (and I'm rather sure it'll be "no"): it's not a bug, but expected behaviour.
GauGau
As there has been some amount of cross-posting, I merged 3 threads together, all dealing with privacy issues - please do not start new threads on the very same issue, but reply to existing threads!
Hope this clarifies things a bit.
GauGau
Since everyone missed it - let me put in my 2paise :D
If you really want your pictures to be private, do not put them on the web would be my answer - but hey, that's politically rude for the exhibitionist amongst us ;)
Second answer would be to use .htaccess and check for the referer (search old board for this solution) - but do remember that referer can be spoofed up easily
So my answer would be to use a gallery which does not put the images inside the web document root (Coppermine does). This is a slightly better method but not foolproof either if that directory is on a shared server (most of us have shared servers), because it will have to be readable by Apache. So anyone with an ounce of brain would be able to write a script to read stuff out of your directory and view them....
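The suggestion in the post above, keeping images outside the web document root, sketched as an added example (not part of the thread and not Coppermine code): a PHP script that checks group membership before streaming a file, so a guessed file URL alone is no longer enough. The storage path, the album-to-group map and the `group_ids` session key are assumptions; as the post notes, this does not stop other accounts on a shared server from reading the directory.

```php
<?php
// Added example, not Coppermine code; every name and path here is hypothetical.
const STORE = '/srv/gallery-private';   // assumed location outside the DocumentRoot
const ALBUM_GROUP = [11 => 5];          // constructed sample: album id => group allowed to view

// True only if one of the visitor's groups is the group the album is restricted to.
function may_view(int $albumId, array $userGroups): bool
{
    // Albums missing from the map are denied, never treated as public.
    return array_key_exists($albumId, ALBUM_GROUP)
        && in_array(ALBUM_GROUP[$albumId], $userGroups, true);
}

// Resolve a requested file name to a real path inside the album directory, or null.
function resolve_image(string $store, int $albumId, string $name): ?string
{
    // Plain file names with a known image extension only, no directory parts.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.(jpe?g|png|gif)\z/i', $name)) {
        return null;
    }
    $base = realpath($store . '/' . $albumId);
    $path = $base === false ? false : realpath($base . '/' . $name);
    // realpath() resolves symlinks, so the result must still sit under the album directory.
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
$albumId = (int) ($_GET['album'] ?? 0);
$groups  = $_SESSION['group_ids'] ?? [];   // assumed: list of int group ids set at login
$path    = may_view($albumId, $groups)
    ? resolve_image(STORE, $albumId, (string) ($_GET['file'] ?? ''))
    : null;

if ($path === null) {
    // Identical reply for "not allowed" and "no such file", so file names cannot be probed.
    http_response_code(404);
    exit;
}
header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```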
Quote from: "gaugau"
I don't understand what you mean - be careful by shouting "bug" each and every time you don't understand how a software works! Pics belonging to a private album will only show in "toprated" or any other meta-album if you're allowed to view it. If you're browsing your gallery being logged in as admin it's small wonder you can see those private pics - going into user mode won't help either. Just log out and see if the thumbnail of a pic belonging to a private album is still there in the toprated section. If yes: copy and paste the url here, so we can have a look at it. If no (and I'm rather sure it'll be "no"): it's not a bug, but expected behaviour.
GauGau
OK let me clear things up.
I am logged in as admin. I make an album viewable to admins only.
I walk into the next room and go to my brother's PC. A machine that has never ever been logged in as admin in coppermine before. I can still see in the toprated and last uploads albums the thumbs that I have just put to admin only.
I do understand the software, I have installed it and upgraded it enough times. However as stated I am on 1.2.0 (should it work on this version?), and will upgrade, but I will wait until 1.2.2 is released (will this be soon?).
If it should still work on 1.2.0 just let me know and I'll paste a link in here.
Thanks.
@thekingster: the behaviour you have described is impossible. Coppermine checks your rights for every album before it shows you the pics inside it. If you aren't authorised, you are not going to be able to see it in ANY meta album, whether it be toprated, last uploaded or topn, because that picture is not even accessible to you, no matter how you get to the URL. It will just give you an Image/Album does not exist error.
My guess is that you did not set it to private correctly (i.e. the album is not private or you chose the wrong group) or you have not logged out. Please post a link.
I believe that I'm suffering from the same problem:
I have a series of albums that only "Family" group members can see BUT whenever a non-registered user clicks the "Last uploads", "Last comments", "Most viewed" or "Top Rated" buttons, then the family pictures are displayed.
Am I doing something incorrectly or is this a known issue with the script? If it is a known issue, I would appreciate it if someone could point me to the heart of the code that selects the pictures to display so I can modify it myself.
Like oasis said: this is not a known issue, but rather impossible. To help you on this, we need a link to your gallery (and a description of which albums are supposed to be private).
GauGau
Thank you for the response.
The website URL is http://gallery.arbel.info.
There are three albums, all of which are accessible only by the "Family" group members. Nevertheless, an unregistered surfer can click the "Last Uploads" button and see all the pictures.
FYI, A family group login is family/coppermine.
Thank you.
This should not be happening. It seems you have an error in your displayimage.php.
Unregistered visitors can see the thumbs, not just by the 'last up' link, but by the 'most viewed', and also by the album icon.
But they can only see the thumbs. When a visitor clicks on the thumb, they get this error;
Fatal error: Call to undefined function: theme_get_album_category() in /hsphere/local/home/eranarbe/gallery.arbel.info/displayimage.php on line 594
Have you modified the code? The displayimage.php that comes with the 1.2.0Final or 1.2.1 package does not go up to 594 lines, and does not contain this function 'theme_get_album_category'.
Casper, you are correct. I did modify the code in displayimage.php, along with a theme. I've replaced the theme to one of the defaults, without resetting displayimage.php as well.
Anyway, now I've reset the script back to default, and the gallery still misbehaves in terms of the backdoor.
Thank you.
Yes, I can now visit the pics, even though not logged in, or even a member.
When you created the group 'family', did you alter the group 'anonymous' in any way?
No, I don't think so.
Let me know if administrator access to the gallery and MySQL access to the database would be of any help.
To be honest, I'm no expert in PHP or MySQL, so if you have set everything properly, I doubt if I will be much use.
You would be better helped by one of the dev team, such as gaugau, but I will give it a go if you want. You can im me the details if you like, and I'll have a look.
@casper: dealing with such support questions will actually make you an expert on such issues, so I'm confident you'll be able to help. If you should really be stuck, please contact me by pm (this means only casper can pm me, not everyone! Please understand this...) or reply to this posting.
GauGau
@gaugau, thanks for the vote of confidence :D
@arbel, ok, pm me the admin logon details, and MySQL access details, and I'll have a look. If I can't help, I'll take up gaugau's offer. :wink:
Guys, thank you for the support.
I have sent Casper all the login details.
Another interesting thing I noticed is that once I create new albums, I can no longer see the controls that allow you to set the permissions for the album. I have a feeling that this might be related.
Hi Arbel,
I found this to be related to the fact that you had set 'users can have private albums' to NO. For some reason, this removes the view permissions, and although the 'Private' icon is shown, the actual albums are visible.
@gaugau, this appears to be a bug. I tested it on my own gallery, and the same thing happened.
@Arbel, I looked at your settings, and found you do not allow registration, and the 'family and friends' group only has view permissions, and cannot upload, so the change I made to your config should not matter.
I did not go to your mysql database. Hope this all helps. You should now delete my accounts, particularly to your database.
Casper, you are THE KING.
Thank you very much, and I'm happy that this bug was finally nailed down.
Cheers!
started tracker #872746 (http://sourceforge.net/tracker/index.php?func=detail&aid=872746&group_id=89658&atid=590907) on this issue...
GauGau
Had a closer look at the problem.
The actual bug is that a private Icon is shown even though 'users can have private albums' is set to NO
If 'users can have private albums' is set to NO it means that none of the users (even admin) can have a private album.
The way I am going to fix this is to show the correct Album Icon for private albums in case 'users can have private albums' is set to NO.
The second thing would be if 'users can have private albums' is set to NO the drop down to select Privacy modes should not appear in the modify album page
Fixed and committed to CVS devel
Search for the two lines similar to
if ($visibility == '0' || $visibility == (FIRST_USER_CAT + USER_ID) || $visibility == $USER_DATA['group_id'] || $USER_DATA['group_id'] == 1) { // test for visibility
Change them to
if ($visibility == '0' || $visibility == (FIRST_USER_CAT + USER_ID) || $visibility == $USER_DATA['group_id'] || $USER_DATA['group_id'] == 1 || $CONFIG['allow_private_albums']==0 ) { // test for visibility
This will prevent the Private Icon being shown when 'users can have private albums' is set to NO
Quote from: "tarique"
Had a closer look at the problem.
The actual bug is that a private Icon is shown even though 'users can have private albums' is set to NO
If 'users can have private albums' is set to NO it means that none of the users (even admin) can have a private album.
The way I am going to fix this is to show the correct Album Icon for private albums in case 'users can have private albums' is set to NO.
The second thing would be if 'users can have private albums' is set to NO the drop down to select Privacy modes should not appear in the modify album page
The problem I see with this, is that when set to NO, there will be no way for admin to restrict who views the albums he makes, as the privacy modes box is not there. Surely many admin users will want to both disallow private albums for users, but still restrict who can view.
As admin is the only one who can create albums with this setting, the privacy box should still be available for him. At the moment, it is not.
But this also links with another problem. When there is no Private icon showing, Admin cannot see restricted albums set for registered groups etc, and cannot edit them. (if this has been fixed, sorry I missed it).
So my own view of what to do to fix.
As admin can set this in groups permissions anyway, remove the 'users can have private albums' from config altogether (why have it twice), but change the admin privacy settings to be always there when in admin mode (gallery admin only, not user admin).
Hope this all makes sense.
Hey I fixed a bug - you are asking for a feature ;)
BUT yes you are right...
As a workaround you can enable "users can have private albums" and remove the upload and user_admin navigation elements from your theme (works for me). A user who doesn't have in-detail knowledge of coppermine structure won't see the difference...
GauGau
@tarique, sorry, it wasn't intended as criticism, just trying to point out other problems associated with it. :wink: I realise you fixed the actual bug.
If what I suggested is a feature request, as opposed to a bug fix, which would make the setup more logical and admin friendly (and stop the host of requests 'why can't admin see private albums', and 'how do I prevent so & so from seeing my albums'), then I shall post it in the relevant forum. :D
@gaugau, as I allow private albums, this doesn't affect me, but it seems to me that end users of the app should not have to fiddle with code as a workaround to something that you expect 'out of the box'.
The simple way round this is to leave the setting 'users can have private albums' and 'show private album icon to unlogged user' set to YES in config, and use the group settings to disallow private albums. Users in groups not allowed private albums don't get an admin area, do they?
This works, admin can still set view permissions, can still see and edit private albums (if allowed) that belong to other groups.
But the current situation does cause some confusion. What is the point of having this setting twice, in config and in groups?
As I said at the start, this isn't criticism, I'm just trying to look at this from a logical view. I still think this is a great app. :wink: