gallery private albums, Prevent people giving a direct link to the file

Started by sidlovestina, November 13, 2006, 08:52:35 PM

sidlovestina

Hi.....
Have searched on this forum but didn't find what i was looking for ( or i didn't look good enough............)

i have the following......

I have albums all people can view
I have albums some users can see (with the groups restriction)
now.....

for example....

Let's say ......if i have a private album with .....( example ) www.URL.com/gallery/albums/private/photo1.jpg

when they are logged in and have access to the album they can see the complete URL to the photo....
now.....if they would share that link to the file .......for NON registered users....
everybody can see it then , even if it's from a private album.

Is there a way i can restrict that?
when they give the direct link to the photo ( url ) they would see nothing or something else?
(I'm not referring to hotlinking it on other sites .........)

Thanks in advance for your help

Sidney


lamama

Search the forums (or better: the web) for "hotlink protection" via .htaccess


sidlovestina

i don't want to prevent hotlinking..........
only prevent that people go directly to the link........
just when i would go to a topic in this forum ...but a topic that can only be seen by a user that is logged in........

some files on the server are being linked onto another website of mine so i don't want to prevent that.......

anybody have a solution?


sid

Joachim Müller

Hotlink protection means exactly what you describe. People can link to your Coppermine-driven pages, but they can't embed your pics directly into their pages nor send users directly to pics without the embedding Coppermine output around it. You can set up hotlink protection to allow hotlinks from particular domains (i.e. the domains you own yourself). Do as suggested and google for "hotlink protection".

lamama

Quote from: sidlovestina on November 14, 2006, 06:13:22 PM
only prevent that people go directly to the link........

With htaccess based hotlink-protection you can restrict the access to selected folders (where you put a proper htaccess file into).

It's not 100% safe, because there are ways to get around this hotlink-protection (there are nice Firefox plugins...).

If you're looking for better protection, you'll need something like 'temporary' links to each picture file. Maybe someone might be able to code this (I am not), but I fear this might increase the server load and slow cpg down a lot.



sidlovestina

Hi

thanks for the reply(s)
I know about the .htaccess and have set it up that way...
didn't know I could give access to specific server(s)........I've set it up that way now......

But I had read that if I block it with .htaccess it is possible that I also block people that are behind a firewall?
well i mean...
Quote:
Allow Blank Referers
Some surfers use a personal firewall or antivirus program that deletes the page referer information sent by the web browser. Hotlink protection is based on this information. So if you choose not to allow blank referers, you will block these surfers

would that affect them when they would be logged in?

Thanks again

sid

Joachim Müller

Yes, they would be affected to a certain extent, but not in coppermine. However, I consider those settings (mostly to be found in pseudo-security apps like "Norton Internet Security" and similar crap that is meant to lure newbies into believing that privacy means security and that technology could protect you against all evils that lurk in the internet) to be paranoid. Those who have those silly apps in place will have issues visiting many websites, as many sites have .htaccess hotlink protection settings in place.
But: hotlink protection actually works differently: your pics are supposed to be embedded into the HTML pages the coppermine script creates: your webserver (which doesn't have referers turned off) is allowed to embed those pics, so nothing bad will happen.

Nibbler

Quote from: GauGau on November 15, 2006, 10:32:59 PM
Yes, they would be affected to a certain extent, but not in coppermine.

That is not correct, it would have exactly the same effect in Coppermine as on any other web page.

Quote from: GauGau on November 15, 2006, 10:32:59 PM
But: hotlink protection actually works differently: your pics are supposed to be embedded into the HTML pages the coppermine script creates: your webserver (which doesn't have referers turned off) is allowed to embed those pics, so nothing bad will happen.

The webserver does not request the embedded images - the client does.

I think there are mods posted that send all requests for images through a php script that checks permissions, I would advise you to use one of those.
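
One way to combine the 'temporary' links lamama mentions with the permission-checking script Nibbler suggests, shown as an added example that is not part of the thread and not taken from any Coppermine mod: the gallery signs a short-lived link only after its own permission check has passed, and the serving script refuses anything unsigned, expired or outside the albums folder. SECRET_KEY, ALBUMS_ROOT, img.php and both function names are assumptions.

```php
<?php
// Added example, not Coppermine code. SECRET_KEY, ALBUMS_ROOT and img.php are assumed names.
const SECRET_KEY  = 'replace-with-a-long-random-secret';   // constructed placeholder
const ALBUMS_ROOT = __DIR__ . '/albums';
const IMAGE_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif'];

// Call only after the gallery has confirmed the logged-in user may view $relPath.
function sign_image_url(string $relPath, int $ttl = 300, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $sig = hash_hmac('sha256', $relPath . "\n" . $expires, SECRET_KEY);
    return 'img.php?' . http_build_query(['f' => $relPath, 'e' => $expires, 's' => $sig]);
}

// Returns the absolute path of the file to serve, or null if the request must be refused.
function verify_image_request(array $query, ?int $now = null): ?string
{
    foreach (['f', 'e', 's'] as $k) {                    // reject missing or array-valued params
        if (!isset($query[$k]) || !is_scalar($query[$k])) return null;
    }
    $f = (string)$query['f']; $e = (int)$query['e']; $s = (string)$query['s'];
    $expected = hash_hmac('sha256', $f . "\n" . $e, SECRET_KEY);
    if (!hash_equals($expected, $s)) return null;        // forged or altered link
    if ($e < ($now ?? time())) return null;              // link has expired
    $root = realpath(ALBUMS_ROOT);
    $path = realpath(ALBUMS_ROOT . '/' . $f);            // resolves ../ and symlinks
    if ($root === false || $path === false) return null;
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) return null;
    return is_file($path) ? $path : null;
}

// Entry point: runs only when this file is the requested script, not when it is included.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    $path = verify_image_request($_GET);
    $ext  = strtolower(pathinfo((string)$path, PATHINFO_EXTENSION));
    if ($path === null || !isset(IMAGE_TYPES[$ext])) { http_response_code(403); exit; }
    header('Content-Type: ' . IMAGE_TYPES[$ext]);
    header('Cache-Control: private, no-store');          // keep private images out of shared caches
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

This only helps if direct requests to the albums folder are denied at the web server, so that files are reachable through the script alone. A link passed on within its lifetime still works for whoever receives it, so the TTL should stay short.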

reindeer

I believe the function of preventing access from un-authorized users into image albums, through direct URL links,
should be one of the core features of Coppermine Photo Gallery.
What is the usefulness of users/passwords and groups, if a direct link is all that is needed to get access to an image?

The development of this Mod seems to be quite low, at least the links to the modified files are dead.

I have made a new post to restart the conversation for this mod, here

SoftDux

I agree, this is something that should be added to the core functions of Coppermine. How many ppl use coppermine, and don't know about this?

And to create / copy a .htaccess file for each new album you create can become very tedious, especially if you have gallery admins, who know nothing about Linux, servers, SSH, ftp, etc.

Nibbler

It's not a core feature because it has significant performance implications and the solution discussed here is specific to apache. A single .htaccess file in the albums folder should be sufficient, no need to create one for each album.