Announcement

  •  » Requests
  •  » Private photos are publicly accessible?

#16 2013-08-14 19:58:36

flop25
Piwigo Team
2006-07-06
7036

Re: Private photos are publicly accessible?

the ftp method doesn't touch to the filename -hopefully- so no, that way the filenames are not randomized. You can use $conf['original_url_protection'] = 'images'; and/or watermarks

Hopefully Internet hasn't been build with DRM


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#17 2013-08-14 20:41:25

Bpiwigo
Guest

Re: Private photos are publicly accessible?

Thank you, flop25.  That's kind of disappointing.  I like the regular old ftp structure because it's so much easier for me to manage, but it also makes it much easier for someone to crawl the site.  :(

I see you explained at http://piwigo.org/forum/viewtopic.php?id=21392 that "It uses an url action.php?id=xx so the script will check if the user can download the picture
To complete that put a Deny from All in a .htaccess in /upload and /galleries, and set correctly the sizes in admin panel"

I've put in a robots.txt , so I'm not too worried about legitimate search engines finding my little family site, but it would still be nice to know that images are not so easily discoverable outside the Piwigo interface.

Do I understand correctly that $conf['original_url_protection'] is set in include/config_default.inc.php but that it (a) protects only the full-size image version as damufo described and (b) is easily defeated through viewing page source or other means?

Is that why you say "Then use watermarks and/or don't set too large image size" -- because no matter what, even if the gallery itself is "protected" by that script, all the variously sized thumbnails under _data will always be accessible -- so you're advising not to make a thumbnail available that would be large enough to substitute for the original image?

Does the Piwigo development team have any plans to change that, and allow both _data/i and galleries to be protected in the same way?

 

#18 2013-08-14 20:48:01

flop25
Piwigo Team
2006-07-06
7036

Re: Private photos are publicly accessible?

Bpiwigo wrote:

Do I understand correctly that $conf['original_url_protection'] is set in include/config_default.inc.php but that it (a) protects only the full-size image version as damufo described

yes This in order to not consume to much resources of the server (like the full protection of G3)

Bpiwigo wrote:

(b) is easily defeated through viewing page source or other means?

? absolutely not The  action.php?id=xx checks if the users cans ee the image and returns the image. If you don't put the Deny from all, yes the original pictures are accessible, but if you do, no worry

Internet works in a way you download what you see, so if you display an image, that image is downloaded on your computer. SO if you display pictures big enough to be set as a wallpaper or printed, without a watermark... well that's obvious what could happen


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#19 2013-08-14 21:02:39

Bpiwigo
Guest

Re: Private photos are publicly accessible?

Thanks again, flop25.  That helps clear it up for me.

I'm still not clear on where the extra resource load would occur though.  I checked action.php, and it seems that, after checking user rights, all it really is doing is an @readfile($file); at the end of the script.  I'm not sure why that would use significantly more resources than the web server feeding out the same image file?

 

#20 2013-08-14 21:05:25

flop25
Piwigo Team
2006-07-06
7036

Re: Private photos are publicly accessible?

the extra load is checking the permissions! Piwigo has groups, users and level of permissions


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#21 2013-08-14 21:14:09

Bpiwigo
Guest

Re: Private photos are publicly accessible?

Ah I see, thank you.  To do this properly I guess I would have to stop making so many different thumbnails for each image, which I've been doing to allow better display on various sized screens.  Everything's a trade-off.  :)

 

#22 2013-08-19 21:45:24

GOPIWI
Member
2013-08-19
27

Re: Private photos are publicly accessible?

Hi,

to also write something constructive here I would like to suggest to the OP to take a look into http authentication - it is not so complicated to setup apache webserver to authenticate users, see an explanation e.g. here.

This way it is not possible to read the images without authentication, however you get all-or-nothing, so public albums are not possible with this solution, also more complicated setups with access to several groups / users to different albums will not work as expected, as long it is not directly supported by the piwigo authentication process, but you can setup a private gallery without too much hassle.

Have a nice day,
John

Offline

 

#23 2013-09-30 18:44:38

bigs38
Guest

Re: Private photos are publicly accessible?

Hello,
as damufo said, if it's possible to set the path to the folder "_data" outside www or if it's possible to protect all picture's size from non authorized users, it would be very interesting. Some friends of mine hesitate to leave gallery2 for Piwigo for this reason. If I well understand, all solutions will increase server load, but if it's possible to put it like an option, I really think that a lot of people will appreciate to have this choice.

 

#24 2013-11-04 22:42:40

Kalle
Member
2012-08-17
89

Re: Private photos are publicly accessible?

bigs38 wrote:

If I well understand, all solutions will increase server load, but if it's possible to put it like an option, I really think that a lot of people will appreciate to have this choice.

Yes, I'm the webmaster and it is my own risk to use it.

Offline

 

#25 2014-09-27 11:04:42

Kalle
Member
2012-08-17
89

Re: Private photos are publicly accessible?

Do it please, with an optional configuration.

Offline

 

#26 2014-10-15 11:26:16

Konstantin
Guest

Re: Private photos are publicly accessible?

It seems that the solution suggested here: http://piwigo.org/forum/viewtopic.php?p … 62#p154862 works. Setting configuration parameter accordingly and denying access to _data/i prevents using direct URL.

Is that the case or am I missing something?

 
  •  » Requests
  •  » Private photos are publicly accessible?

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2022 · Contact