
[Fixed] Private shown 'users can have private album'=off

Started by thekingster, December 09, 2003, 11:08:43 PM


MisterTea

Are private albums visible to everyone and not just displayed on the main page or can they be modified so that they cannot be viewed by any other members?

Thanks in advance

Joachim Müller

Private albums are (as the name suggests) private - only the user group you configured can view them. You can find out about this by creating two test user accounts: one who is a member of the "privileged" group that is supposed to see the private album, one that doesn't belong to this privileged group.
There is, though, no absolute security on this: if a non-privileged visitor of your site manages to guess the URL of a filename, he'll be able to access the pic directly, but this is a general rule of thumb on the internet: don't publish it if it really, really has to be absolutely private.
If you want to test this, try accessing a private album on my gallery: http://gaugau.de/galerie/thumbnails.php?album=11&lang=english (it's there, I promise; and no: registering on my site won't let you see it - you have to belong to a certain group to access the page...).

GauGau

MisterTea

Ah ok, I was making it more confusing than it actually is. Thanks for that quick reply and the awesome program :)

thekingster

Hi

Is this possible?

I currently have a site, with a coppermine install working on v1.2 RC3 with over 1000 pictures, all is well.

However I want to add some more photos, mainly more private family history ones in different albums, that only certain users can see, eg only other members of my family and close friends.

Is there a way to do this? I have been told you can do it in the properties of an album and select a group to restrict it to, but that option isn't there on mine. I would also like it so that if new pics are added to the private albums, they don't get added to my frontpage blocks, which is why I was thinking of the different install.

thekingster

Found it! Needed to turn on "users can have private albums!"

Is this the best way to do it tho?

Oasis

You can edit an album's properties and set it so that it is only visible to certain groups. Fiddle around with the program and you will get the hang of it.
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

thekingster

At the moment when you set rights to an album, and upload some pics into an album, it's still seen in the last uploads, top rated etc.

Then users can still get into the albums by clicking on the thumbs.

Sort of defeats the point of rights.

thekingster

I have got the hang of it, been using it for months and months and done tons of upgrades, just couldn't find the setting but thanks anyway...

Just a problem now with the permissions backdoor, e.g. when u click on a top rated pic that u don't have permission to, it still takes u into the album?

thekingster

But what if someone gets the URL by looking at the top rated or newest uploads lists?

Oasis

That's impossible unless you have made your own alterations to the code. The only reason those pictures are showing in Last Uploaded and Toprated is because you are logged in as a user who is authorized to see those pictures. Log out and as a guest, private pictures will not appear.
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

thekingster

er...I've done that...


In fact I went to my brother's PC, who is just a registered user, and I could still see in the last uploads the thumbs from an album that only has rights to admins. Clicking on the thumbs then of course supplied me with the URL to the pic and allowed me into it.

I have also got a few other of my normal members to try and it's the same for them.

I have made NO alterations to the code.

Do you know when 1.2.2 will be out? I could upgrade to that and still see if it happens.

Casper

Hi,

I have seen this discussed before.  I don't know if it was fixed in the latest version, which you should upgrade to.
But the only fix I saw was to actually remove the link for top rated pics.

All it requires is to edit out the link in themes/yourtheme/theme.php.

It is near the top, in the section '// HTML template for main menu'.  Look for
 <a href="{TOPRATED_TGT}">{TOPRATED_LNK}</a>

and comment it out like this
 <!-- <a href="{TOPRATED_TGT}">{TOPRATED_LNK}</a> -->

Depending on the theme you use, you may need to include the cell (<td>) it is in.
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Casper

I have posted the answer to the top rated question on your post about it.  In the latest version, the last-up only includes pics that you are entitled to see.  Try it.  Log out, and see that the last up does not show pics from private albums.
If it does in yours, you should upgrade to the latest version.
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Joachim Müller

I don't understand what you mean - be careful about shouting "bug" each and every time you don't understand how a software works! Pics belonging to a private album will only show in "toprated" or any other meta-album if you're allowed to view it. If you're browsing your gallery being logged in as admin it's small wonder you can see those private pics - going into user mode won't help either. Just log out and see if the thumbnail of a pic belonging to a private album is still there in the toprated section. If yes: copy and paste the URL here, so we can have a look at it. If no (and I'm rather sure it'll be "no"): it's not a bug, but expected behaviour.

GauGau

Joachim Müller

As there has been some amount of cross-posting I merged 3 threads together, all dealing with privacy issues - please do not start new threads on the very same issue, but reply to existing threads!

Hope this clarifies things a bit.

GauGau

Tarique Sani

Since everyone missed it - let me put in my 2paise :D

If you really want your pictures to be private, do not put them on the web would be my answer - but hey, that's politically rude for the exhibitionist amongst us ;)

Second answer would be to use .htaccess and check for the referer (search old board for this solution) - but do remember that the referer can be spoofed easily.

So my answer would be to use a gallery which does not put the images inside the web document root (Coppermine does). This is a slightly better method but not foolproof either if that directory is on a shared server (most of us have shared servers), because it will have to be readable by Apache. So anyone with an ounce of brain would be able to write a script to read stuff out of your directory and view them....
SANIsoft PHP applications for E Biz
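
The approach described in the post above (files kept outside the document root and handed out only by a script that checks permissions) can be sketched as follows. This is an added example, not code from Coppermine or from the poster; the file index, the group id 5 and all function names are constructed for illustration, and it does not address the shared-server readability problem the post mentions.

```python
from pathlib import Path
import tempfile

PUBLIC = 0  # constructed convention: 0 = everyone, otherwise a required group id

# Constructed index of stored files -> album visibility.
# A real gallery would look this up in its database.
FILE_VISIBILITY = {"beach.jpg": PUBLIC, "grandma.jpg": 5}


def resolve_image(store_root, name, groups):
    """Return the path the script may stream, or None if the request is refused."""
    root = Path(store_root).resolve()
    target = (root / name).resolve()
    # Refuse anything that escapes the store ('../' sequences, absolute paths).
    if root not in target.parents:
        return None
    required = FILE_VISIBILITY.get(target.relative_to(root).as_posix())
    # Unknown or missing files are refused the same way as forbidden ones.
    if required is None or not target.is_file():
        return None
    # The permission check runs on every request, so a guessed name gains nothing.
    if required != PUBLIC and required not in groups:
        return None
    return target


def build_sample_store():
    # Constructed sample: a storage directory that is not under any document root.
    root = Path(tempfile.mkdtemp(prefix="gallery_store_"))
    for fname in FILE_VISIBILITY:
        (root / fname).write_bytes(b"sample image bytes")
    return root


if __name__ == "__main__":
    store = build_sample_store()
    print(resolve_image(store, "grandma.jpg", set()))  # refused for a guest
    print(resolve_image(store, "grandma.jpg", {5}))    # allowed for group 5
```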

thekingster

Quote from: "gaugau"
I don't understand what you mean - be careful about shouting "bug" each and every time you don't understand how a software works! Pics belonging to a private album will only show in "toprated" or any other meta-album if you're allowed to view it. If you're browsing your gallery being logged in as admin it's small wonder you can see those private pics - going into user mode won't help either. Just log out and see if the thumbnail of a pic belonging to a private album is still there in the toprated section. If yes: copy and paste the URL here, so we can have a look at it. If no (and I'm rather sure it'll be "no"): it's not a bug, but expected behaviour.

GauGau

OK let me clear things up.

I am logged in as admin. I make an album viewable to admins only.

I walk into the next room and go to my brother's PC. A machine that has never ever been logged in as admin in Coppermine before. I can still see in the toprated and last uploads albums the thumbs that I have just put to admin only.

I do understand the software, I have installed it and upgraded it enough times. However as stated I am on 1.2.0 (should it work on this version?), and will upgrade, but I will wait until 1.2.2 is released (will this be soon?).

If it should still work on 1.2.0 just let me know and I'll paste a link in here.

Thanks.

Oasis

@thekingster: the behaviour you have described is impossible. Coppermine checks your rights for every album before it shows you the pics inside it. If you aren't authorised, you are not going to be able to see it in ANY meta album, whether it be toprated, last uploaded or topn, because that picture is not even accessible to you, no matter how you get to the URL. It will just give you an "Image/Album does not exist" error.

My guess is that you did not set it to private correctly (i.e. the album is not private or you chose the wrong group) or you have not logged out. Please post a link.
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org
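
The behaviour under dispute in this thread comes down to whether the meta-album listing and the picture page both filter on album visibility. The following added example (not Coppermine's code or schema; the tables, the group id 5 and the function names are constructed) shows a listing built from the pictures table alone beside one that joins the album permissions, plus the per-picture check that a directly requested picture id needs.

```python
import sqlite3

# Constructed schema and rows for illustration; not Coppermine's actual tables.
SCHEMA = """
CREATE TABLE albums   (aid INTEGER PRIMARY KEY, title TEXT, visibility INTEGER);
CREATE TABLE pictures (pid INTEGER PRIMARY KEY, aid INTEGER, filename TEXT, ctime INTEGER);
INSERT INTO albums VALUES (1, 'Holidays', 0), (2, 'Family history', 5);
INSERT INTO pictures VALUES (10, 1, 'beach.jpg', 100), (11, 2, 'grandma.jpg', 200),
                            (12, 1, 'hills.jpg', 300);
"""
PUBLIC = 0  # visibility 0 = everyone; any other value = required group id


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _visible_clause(groups):
    # Parameterised IN list: public albums plus albums restricted to the viewer's groups.
    allowed = [PUBLIC] + sorted(groups)
    return "a.visibility IN (%s)" % ",".join("?" * len(allowed)), allowed


def last_uploads_unfiltered(conn, limit=10):
    # The leak reported in the thread: a meta album built from pictures alone.
    rows = conn.execute(
        "SELECT filename FROM pictures ORDER BY ctime DESC LIMIT ?", (limit,))
    return [r[0] for r in rows]


def last_uploads(conn, groups, limit=10):
    # Same listing, restricted to albums the viewer may see.
    clause, params = _visible_clause(groups)
    rows = conn.execute(
        "SELECT p.filename FROM pictures p JOIN albums a ON a.aid = p.aid "
        "WHERE " + clause + " ORDER BY p.ctime DESC LIMIT ?", params + [limit])
    return [r[0] for r in rows]


def can_view_picture(conn, pid, groups):
    # The display page repeats the check, since a picture id can be requested directly.
    clause, params = _visible_clause(groups)
    row = conn.execute(
        "SELECT 1 FROM pictures p JOIN albums a ON a.aid = p.aid "
        "WHERE p.pid = ? AND " + clause, [pid] + params).fetchone()
    return row is not None
```

Running the filtered listing with an empty group set is the equivalent of the "log out and look again" test requested in the thread.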

arbel

I believe that I'm suffering from the same problem:

I have a series of albums that only "Family" group members can see BUT whenever a non-registered user clicks the "Last uploads", "Last comments", "Most viewed" or "Top Rated" buttons, then the family pictures are displayed.

Am I doing something incorrectly or is this a known issue with the script? If it is a known issue, I would appreciate if someone could point me to the heart of the code that selects the pictures to display so I can modify it myself.

Joachim Müller

Like Oasis said: this is not a known issue, but rather impossible. To help you on this, we need a link to your gallery (and a description of which albums are supposed to be private).

GauGau