Hi,
I'm observing the following behavior and wanted to know if this is "Functions As Designed".
If you know the URL of a picture in original size (http://Server/Gallery/img.jpg),
then it doesn't matter what access rights you set for the gallery or the picture (e.g. group member / family / etc.).
You gain direct access to the picture.
Piwigo 2.4.3
OS: Gentoo Linux
PHP: 5.3.15-pl0-gentoo [2012-08-06 20:13:32]
mysql: 5.1.56-log [2012-08-06 20:13:32]
Graphics library: ImageMagick 6.7.5-3
While I am not a developer, if someone knows the URL of the actual file (i.e. xxxx.JPG), then no Piwigo code runs to access the file and it's served to you via the web server. If they can get to it via http://domain/pwigo_dir/picture/xxxx, then that's a different matter. If you're really worried about that, I would set
$conf['category_url_style'] = 'id';
in your local config so that no one knows the file name.
-- Geoff
Last edited by geoffschultz (2012-08-07 00:18:19)
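The difference described in the reply above, between a file the web server hands out directly and a file that is only released after application code has checked the session, shown as an added example that is not part of the original posts and is not Piwigo code. The path, cookie value and handler are constructed for illustration, and the server only listens on localhost.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample data: one "private" photo and one valid session cookie.
PHOTO_PATH = "/galleries/private/img.jpg"
PHOTO_BYTES = b"\xff\xd8\xff\xe0constructed-jpeg"
VALID_COOKIE = "sid=constructed-session-token"

class PhotoHandler(http.server.BaseHTTPRequestHandler):
    gated = False  # False: plain static serving; True: permission check first

    def do_GET(self):
        if self.path != PHOTO_PATH:
            self.send_error(404)
            return
        # Only the gated variant looks at the session before releasing bytes.
        if self.gated and self.headers.get("Cookie") != VALID_COOKIE:
            self.send_error(403)
            return
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.send_header("Content-Length", str(len(PHOTO_BYTES)))
        self.end_headers()
        self.wfile.write(PHOTO_BYTES)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_status(gated, cookie=None):
    """Serve the photo from a throwaway localhost server and return the HTTP status."""
    handler = type("Handler", (PhotoHandler,), {"gated": gated})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    request = urllib.request.Request(f"http://127.0.0.1:{server.server_port}{PHOTO_PATH}")
    if cookie:
        request.add_header("Cookie", cookie)
    try:
        with opener.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(fetch_status(False), fetch_status(True), fetch_status(True, VALID_COOKIE))
```

With static serving, gallery permissions never enter the request path, so hiding the file name only makes the URL harder to learn; the gated variant is what actually ties the file to the access rights.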