Gallery Plugin and Userrights does not work for me

Creating and modifying plugins.
Harald Weingaertner
Regular
Posts: 474
Joined: Mon Mar 27, 2006 12:32 am

Post by Harald Weingaertner »

Hello,

I use the gallery plugin v1.9 and I have one public and one private media folder.

The public folder is set to readable for all usergroups.
The private folder is set to readable only for admins.

But everyone can read my images in the Private folder.

Shouldn't the private folder be invisible and not readable for guests and other authors?

Regards, Harald
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

Hey Harald,
I responded to your private message about this, but I wanted to follow up here.

I'm not sure what you mean by:

> The public folder is set to readable for all usergroups.
> The private folder is set to readable only for admins.

Basically, the gallery plugin just uses the directories of the media library, which (as far as I know) haven't been linked to user or access rights, or categories. (I could be wrong, I have been paying much attention to checkins on the 1.1 branch lately.)

My understanding is that the media gallery uses directories to organize media, without having any way to assign categories to specific media. If that has changed I can certainly update the gallery plugin to support new functionality, but I would caution you that because media are files and sit in the webserver directory tree, access rights are simply security through obscurity. Anyone who knows the file's name would be able to read it.
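The caution above, that a read permission on a media directory does not stop the web server from handing out a file whose URL is known, as an added example (not Serendipity or gallery plugin code): the files are kept outside the document root and every request goes through one check. The function name, the ACL array layout and the author ids are assumptions made for the illustration.

```php
<?php
// Added illustration, not Serendipity code (PHP 7.1+). $acl maps a media
// directory (relative, trailing slash) to the author ids allowed to read it;
// a directory with no entry is treated as public. All names are assumptions.

/**
 * Return the absolute path of a media file the author may read, or null.
 * $baseDir must sit outside the web server's document root; otherwise the
 * file can still be requested by URL and this check never runs.
 */
function resolve_media(string $baseDir, string $requested, array $acl, int $authorId): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $requested);
    // realpath() resolves "../" and symlinks; reject anything that does not
    // exist or that ends up outside $base.
    if ($base === false || $full === false || !is_file($full)
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Directory of the resolved file relative to $base, e.g. "private/".
    $relDir = trim(str_replace('\\', '/', dirname(substr($full, strlen($base)))), '/');
    $relDir = ($relDir === '') ? '' : $relDir . '/';

    // A restriction on any ancestor directory applies to the file as well.
    foreach ($acl as $dir => $readers) {
        if (strncmp($relDir, $dir, strlen($dir)) === 0 && !in_array($authorId, $readers, true)) {
            return null;
        }
    }
    return $full;
}

// Constructed sample tree: one public and one admin-only directory.
$base = sys_get_temp_dir() . '/media_demo_' . getmypid();
mkdir($base . '/public', 0700, true);
mkdir($base . '/private', 0700, true);
file_put_contents($base . '/public/a.jpg', 'x');
file_put_contents($base . '/private/b.jpg', 'x');
$acl = ['private/' => [1]];   // author id 1 = admin (assumption)

$requests = [['public/a.jpg', 0], ['private/b.jpg', 0],
             ['public/../private/b.jpg', 0], ['private/b.jpg', 1]];
foreach ($requests as [$file, $author]) {
    $ok = resolve_media($base, $file, $acl, $author) !== null;
    printf("author %d -> %-26s %s\n", $author, $file, $ok ? 'served' : 'denied');
}
```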
Harald Weingaertner
Regular
Posts: 474
Joined: Mon Mar 27, 2006 12:32 am

Post by Harald Weingaertner »

Thanks Matt, (I also responded privately)

I have the chance to set up my media directories with

Manage Directories

With that I can manage the directories'

READ PERMISSIONS
and
WRITE PERMISSIONS

And now I don't understand why I can set those settings if anyone can read those directories.

Regards, Harald
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

Ahhh! I do have that in my 1.1 install... (but not in my production site running 1.0, so it is a new feature).

Garvin, would you like to weigh in here with an idea of what those access rights will be used for?

And I would like to complain that the settings do not appear when you create a new directory, only when you edit an existing one.

Depending on how those rights are implemented I should be able to use them for the plugin gallery. Unfortunately, I do not see a right which corresponds with anonymous read, which might mean it is a little goofy.

Please note, my plugin work usually always lags behind the main development. I usually try to wait until the core release is in a beta cycle to incorporate new functionality, just to keep the plugin stable and relatively static.

Since this release changes the media gallery extensively, the usergallery is going to take a major release to get it working fully. I would love it if you would be willing to help me beta test the new plugin, but I am probably not going to commit a fully compatible plugin until 1.1 is almost ready for release. Of course, any patches or changes are always welcome!
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

First off, Harald, are you using a very recent 1.1 alpha version? I remember that something in this regard needed changing 1 or 2 weeks ago.

> Garvin, would you like to weigh in here with an idea of what those access rights will be used for?

Actually those permissions should be applied on every serendipity_traversePath() and serendipity_fetchImages() function call automatically, behind the scenes. Serendipity traverses the ACL for media directories and removes all files and directories from the result set where you don't have access to.

The code is located in the functions_images.inc.php file, but it's all rather complex. :)

> And I would like to complain that the settings do not appear when you create a new directory, only when you edit an existing one.

Yes, that's a good complaint - however the creation interface is completely different from the editing interface, so it would've taken much work to unify those two. Thus I thought it'd be better to move permission maintaining to a single edit section..

> Depending on how those rights are implemented I should be able to use them for the plugin gallery. Unfortunately, I do not see a right which corresponds with anonymous read, which might mean it is a little goofy.

The Anonymous read should be "ALL_AUTHORS" which corresponds to an authorid #0 :)

If there is anything else specific I could explain, please let me know!

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Harald Weingaertner
Regular
Posts: 474
Joined: Mon Mar 27, 2006 12:32 am

Post by Harald Weingaertner »

garvinhicking wrote:
> Hi!
>
> First off, Harald are you using a very recent 1.1 alpha version? I remember that something in this regard needed changing 1 or 2 weeks ago.

Yes, my alpha is from 6th August. And I will update tomorrow to the most actual version.

Regards, Harald
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

I actually think we used a custom version of fetchImages in the plugin... The old fetchImages used a "LIKE" statement in the SQL, so we couldn't restrict the query to just one directory.

It sounds like the new fetchImages won't do that, so that makes it a lot easier for me to convert the plugin over (just a version check and a call to core!). I might have a little time today to look at it (it is 11 in the morning and my boss hasn't called me with anything yet, so it might be a quiet day!)
mgroeninger
Regular
Posts: 546
Joined: Mon Dec 20, 2004 11:57 pm

Post by mgroeninger »

*sigh* Garvin, you still use that silly LIKE statement... :P

I can't blame you, it works well for the admin interface...

I'll have to do some thinking about what makes sense... Would you be receptive to a patch to add a boolean variable like $strict to the serendipity_fetchImagesFromDatabase calls? Default it to false, and add an if decision to change the sql query in a couple of places?

And this might be a little important:
Should serendipity_fetchImages use the permissions hooks? Right now it doesn't touch the database at all, it is just building a list directly from the filesystem.
Last edited by mgroeninger on Fri Aug 11, 2006 9:28 pm, edited 1 time in total.
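The two points discussed above, the prefix LIKE query versus a strict single-directory match and the removal of unreadable entries from a result set, as an added example that is not Serendipity or gallery plugin code. The table and column names, the way the `$strict` flag is wired in and the ACL layout are assumptions; reader id 0 is taken to mean "all authors" as stated in the thread. The same per-row filter would have to run on any listing the plugin shows, including one built straight from the filesystem.

```php
<?php
// Added illustration, not Serendipity code (PHP 7.4+, pdo_sqlite extension).
// Table/column names, the $strict wiring and the ACL layout are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (name TEXT, path TEXT)');
// Constructed rows: "path" is the media directory with a trailing slash.
$ins = $db->prepare('INSERT INTO images (name, path) VALUES (?, ?)');
foreach ([['beach', 'holiday/'], ['party', 'holiday/private/'], ['logo', '']] as $row) {
    $ins->execute($row);
}

/** List images in $dir; without $strict the prefix match pulls in subdirectories. */
function fetch_images(PDO $db, string $dir, bool $strict = false): array
{
    if ($strict) {
        $st = $db->prepare('SELECT name, path FROM images WHERE path = ? ORDER BY name');
        $st->execute([$dir]);
    } else {
        // Escape LIKE wildcards so a directory named "a_b/" does not match "axb/".
        $like = addcslashes($dir, '\\%_') . '%';
        $st = $db->prepare("SELECT name, path FROM images WHERE path LIKE ? ESCAPE '\\' ORDER BY name");
        $st->execute([$like]);
    }
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

/** Drop rows whose own directory (or an ancestor) the author may not read. */
function filter_readable(array $rows, array $acl, int $authorId): array
{
    return array_values(array_filter($rows, function (array $r) use ($acl, $authorId): bool {
        foreach ($acl as $dir => $readers) {
            $inside = strncmp($r['path'], $dir, strlen($dir)) === 0;
            // Reader id 0 stands for "all authors", as described in the thread.
            if ($inside && !in_array(0, $readers, true) && !in_array($authorId, $readers, true)) {
                return false;
            }
        }
        return true;
    }));
}

$acl = ['holiday/' => [0], 'holiday/private/' => [1]];   // id 1 = admin (assumption)
$names = fn(array $rows): string => implode(',', array_column($rows, 'name'));

echo $names(fetch_images($db, 'holiday/')), "\n";                            // prefix match
echo $names(fetch_images($db, 'holiday/', true)), "\n";                      // one directory only
echo $names(filter_readable(fetch_images($db, 'holiday/'), $acl, 2)), "\n";  // ACL applied per row
```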
Harald Weingaertner
Regular
Posts: 474
Joined: Mon Mar 27, 2006 12:32 am

Post by Harald Weingaertner »

It sounds like there will be an updated gallery plugin soon? :)
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi Matt!
mgroeninger wrote:
> *sigh* Garvin, you still use that silly LIKE statement... :P

Could you tell me which one you mean? I am sure we could unify/fix this for the 1.1 release somehow. Even if it's another option or so.

> I'll have to do some thinking about what makes sense... Would you be receptive to a patch to add a boolean variable like $strict to the serendipity_fetchImagesFromDatabase calls? Default it to false, and add an if decision to change the sql query in a couple of places?

Yeah, I would have no issues with that.

> And this might be a little important:
> Should serendipity_fetchImages use the permissions hooks? Right now it doesn't touch the database at all, it is just building a list directly from the filesystem.

Could you explain more detailed what you mean with that?

Best regards,
Garvin