#1 2012-08-06 20:15:51

e.steuber
Guest

Access Rights Circumvention

Hi,
I'm observing the following behavior and wanted to know if this is "Functions As Designed".
If you know the URL of a picture in original size (http://Server/Gallery/img.jpg)
then it doesn't matter what access rights you set for the gallery or the picture (e.g. group member / family / etc.).
You gain direct access to the picture.

Piwigo 2.4.3
OS: Gentoo Linux
PHP: 5.3.15-pl0-gentoo  [2012-08-06 20:13:32]
mysql: 5.1.56-log [2012-08-06 20:13:32]
Graphics library: ImageMagick 6.7.5-3

 

#2 2012-08-06 21:05:30

geoffschultz
Member
Marlborough, MA, USA
2012-07-01
148

Re: Access Rights Circumvention

While I am not a developer, if someone knows the URL of the actual file (i.e. xxxx.JPG), then no Piwigo code runs to access the file and it's served to you via the web server. If they can get to it via http://domain/pwigo_dir/picture/xxxx, then that's a different matter. If you're really worried about that, I would set

$conf['category_url_style'] = 'id';

in your local config so that no one knows the file name.

-- Geoff

Last edited by geoffschultz (2012-08-07 00:18:19)
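
An added example, not part of the original posts and not Piwigo code: a Python check that requests file URLs with no cookies or credentials and reports which ones the web server hands out directly, the case the reply above describes. The local test server, the `locked/` directory and its 403 rule are constructed stand-ins for a server-level deny rule; `Gallery/img.jpg` follows the path in the first post.

```python
import functools, http.server, pathlib, tempfile, threading
import urllib.error, urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 3xx (e.g. a bounce to a login page) instead of following it

def audit_direct_access(base_url, paths, timeout=5):
    """HEAD each path with no cookies, credentials or proxy; return {path: HTTP status}."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        try:
            with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code  # 3xx/4xx/5xx: the server did not hand the file over
        except urllib.error.URLError:
            results[path] = None  # server unreachable
    return results

def exposed(results):
    """Paths an anonymous client can fetch directly, whatever the gallery permissions say."""
    return sorted(p for p, s in results.items() if s is not None and 200 <= s < 300)

class DenyLocked(http.server.SimpleHTTPRequestHandler):  # constructed server-level deny rule
    def send_head(self):
        if self.path.startswith("/locked/"):
            self.send_error(403)
            return None
        return super().send_head()

def demo():
    """Serve a constructed gallery tree on localhost and audit it anonymously."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Gallery/img.jpg", "locked/img.jpg"):
            target = pathlib.Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"constructed sample bytes")
        handler = functools.partial(DenyLocked, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return audit_direct_access(f"http://127.0.0.1:{server.server_port}",
                                       ["Gallery/img.jpg", "locked/img.jpg", "Gallery/missing.jpg"])
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print(exposed(demo()))
```

Run against your own gallery, `audit_direct_access` takes the site's base URL and the file paths of pictures that are supposed to be restricted; anything `exposed` returns is being served by the web server without an access check.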
