[Closed]: Control Access
 


Started by w000f, June 12, 2008, 10:08:16 PM


w000f

Hello,

Is there a way to not allow anyone to get to pictures by knowing the filename and the directory it is in? My galleries are only viewable by having to login (no public access). However, if you view it once and know the directory and filename, you can get to it by typing in the url, bypassing the login. Is there a way to prevent that?

Example - if you know the url:

http://xxx.com/albums/userpics/1000x/img001.jpg

You can type it in to view the pictures.

Thanks.

Fabricio Ferrero

Yes, there is.  ;) But it's not coppermine related. Google for hotlink protection.

w000f

I found more info but it appears that hotlinking protection via .htaccess is the next best thing at the moment since files access control is not part of the core.

Is this a correct way?
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?gallery.chipmunkfamily.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]


Image still viewable - http://gallery.chipmunkfamily.com/albums/Acura%20TSX%20-%20March%202004/etsx01.jpg

I know I'm not doing it right. What is wrong? Appreciate any help I can get. Host does support rewrite - even lists it on the hosting FAQs.

just_some_guy

Seems to be working fine for me - I get a 403 Forbidden error.

w000f

Hmm... well I initially thought it was the browser cache but I cleared it many times already.  ??? Let me try again.

w000f

I see how it works now. :( Click on the link it says forbidden. Copy, paste the URL and you will see the pictures. Any other codes I can put in the .htaccess to disallow that? Please know that I understand the argument of - if you want your pictures to be secure, do not put it on the Internet. With the availability of users and groups, this should not happen.

Thanks.

Nibbler

Remove this line.

RewriteCond %{HTTP_REFERER} !^$

It's not a good solution though. There is nothing you can do about direct linking since it bypasses Coppermine entirely.
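
Why the posted rules let a pasted URL through while the version without `!^$` does not, as an added example that is not part of the original posts: the function mirrors how mod_rewrite ANDs consecutive RewriteCond lines. The sample requests and the `displayimage.php` referer are constructed.

```python
import re

# Patterns copied from the .htaccess posted in the thread.
SITE = re.compile(r"^http://(www\.)?gallery.chipmunkfamily.com", re.I)   # [NC]
IMAGE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.I)                      # [NC]


def is_forbidden(path, referer, keep_empty_referer_cond):
    """True if the RewriteRule would fire and answer 403 ([F]).

    referer is "" when the request carries no Referer header, which is how
    %{HTTP_REFERER} expands in that case.
    """
    if not IMAGE.search(path):
        return False                      # rule pattern does not match
    conds = [not SITE.search(referer)]    # RewriteCond ... !^http://(www\.)?gallery...
    if keep_empty_referer_cond:
        conds.append(referer != "")       # RewriteCond %{HTTP_REFERER} !^$
    return all(conds)                     # consecutive RewriteCond lines are ANDed


# Constructed sample requests: (path, Referer header value).
IMG = "/albums/userpics/1000x/img001.jpg"
REQUESTS = {
    "link clicked on another site": (IMG, "http://forum.example/topic"),
    "URL pasted into address bar": (IMG, ""),
    "image embedded in gallery page": (IMG, "http://gallery.chipmunkfamily.com/displayimage.php"),
    "non-image request": ("/index.php", ""),
}


def decision_table():
    """Map each sample request to (403 with posted rules, 403 without '!^$')."""
    return {name: (is_forbidden(p, r, True), is_forbidden(p, r, False))
            for name, (p, r) in REQUESTS.items()}


if __name__ == "__main__":
    for name, (before, after) in decision_table().items():
        print(f"{name:32} posted={'403' if before else '200'} "
              f"without '!^$'={'403' if after else '200'}")
```

Neither rule set consults the Coppermine login, and with `!^$` removed a logged-in visitor whose browser or proxy omits the Referer header is refused as well.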

w000f

Thank you Nibbler. Removing that line now shows the forbidden page as well when you paste the URL into another browser window. Is this something that will be worked into version 1.6.x? Just curious.

Thanks.

Joachim Müller

Quote from: w000f on June 15, 2008, 05:01:40 AM
Is this something that will be worked into version 1.6.x?
Next version will be cpg1.5.x, not cpg1.6.x. As Nibbler pointed out, this cannot be built into Coppermine, since it bypasses Coppermine. You'd have to store the pics outside of the webroot (one level up) and dynamically generate a temporary copy of the file the legitimate visitor can see that needs to be purged after a certain time if you wanted to accomplish what you're up to. This would cause a huge performance penalty and will make Coppermine very hard to set up and will therefore not go into Coppermine any time soon. This has been discussed in detail in previous threads already, so I won't explain this any further - search the board for details if you want to find out more.

w000f