Failing to set trivial permission for albums

tale

Joined: 2014-04-17
Posts: 6
Posted: Thu, 2014-04-17 15:21

Hi everyone,

I just installed the current Gallery3 version on my webspace. Works pretty nicely for me... with one exception: the permission management!

At first glance my use case seems to be quite trivial:

+- root gallery -> should be visible for registered users
|
+- public album -> ditto
+- secret album -> should only be visible for user A of a specific group "secretGroup"

To get there I tried the following:

1. step: deny "Everyone" from viewing "gallery" and thus "secret album" => only registered users are able to enter => works great!
2. step: allow "secretGroup" for "secret album" and deny "Registered Users" => only the admin is able to enter anymore (user A cannot) => not good!
3. step: let's try it the other way around: create a new group "publicGroup" for a User B
4. step: allow "Registered Users" to "secretGroup" and deny "publicGroup" => User B is STILL able to enter the album => wtf?

So... "Registered Users" will backfire either way on me?

I obviously cannot:
* Deny everyone, include only "secretGroup"
* Allow everyone with the exception of "publicGroup"

Well, I'm pretty confused right now and I would really appreciate some help on this issue.

Regards,
tale

 
spags

Joined: 2010-03-26
Posts: 120
Posted: Thu, 2014-04-17 22:17

I'd try something like the following. For the Root album, give Everybody, SecretGroup and Registered Users view access. Your Public album will then inherit those same permissions. Then for your Secret album, Deny access for Everybody. I suspect if you have other groups besides SecretGroup, you would have to deny them from your Secret album as well (otherwise they get access as well).

You can't really deny Registered Users because anyone in any group will be a registered user so you are denying access to all groups. Similarly for publicGroup in your step 4 - if they are in publicGroup, then they are also in Registered Users (hence why User B still had access). I guess the Everybody and Registered Users groups are special compared to user defined groups, so if possible use them in lieu of your own groups.

 
tale

Joined: 2014-04-17
Posts: 6
Posted: Fri, 2014-04-18 13:01

Thank you very much, spags, for your suggestion. Unfortunately, this doesn't seem to work.

First step:
* User A is not part of any group, with the exception of "Everybody" and "Registered Users".
* Root is set to "Can View (Fullsize)" for: Everybody, Registered, SecretGroup
* SecretAlbum inherits all of those, but explicitly prohibits "Everybody" from "Can View (Fullsize)"
=> Result: User A can still see and enter the SecretAlbum

Second step:
* Moved User A to SecretGroup
=> Same result, User A can still enter

Third step:
* Also denied access to Registered Users
=> More or less out of curiosity: you said it wouldn't work and yeah, it didn't => User A can't see the group anymore, although he's part of SecretGroup.

Fourth step:
There is no fourth step, yet :(.

Please take a look at my attachments. Those show my current settings.

 
spags

Joined: 2010-03-26
Posts: 120
Posted: Fri, 2014-04-18 13:16

I might have a bit of an experiment tomorrow. I'm sure I've got something similar set up in my gallery (but not using a specific group).

In the meantime, you might want to look at the Hide module - which looks like it probably does exactly what you want anyway.

 
tale

Joined: 2014-04-17
Posts: 6
Posted: Fri, 2014-04-18 16:41

Thanks for your effort, spags. Much appreciated!

If I understand the plugin correctly, "hide" would work nicely as long as it's just one "secret" group and just one kind of secret albums.

To be honest, I simplified my use case a little bit. In the end I hope to be able to make certain albums available only to certain groups.

For example:
* Album "event1" for "group1"
* Album "event2" for "group2"
* Album "assignment1" for all registered users
* Album "event3" for "group1" and also "group2"
and so on.

Kind of... let's see... like a forum software where you can allow different members via their corresponding groups to different subareas.

Should have maybe told this earlier :)

(But I'm going to test "hide" anyway, just to be sure.)

 
spags

Joined: 2010-03-26
Posts: 120
Posted: Sat, 2014-04-19 00:09

Experimenting shows something like the following would get the desired result:

Root Album: Everybody, Registered Users and SecretGroup all get View permissions
Any Public Albums: Inherit the Root Album permissions from above
Normal (Registered Users only) Albums: Deny for Everybody but Allow for Registered Users and SecretGroup
Secret Album: Deny for Everybody and Registered Users but Allow for SecretGroup

The permissions for Secret Album were contrary to what I initially thought (in regards to Registered Users), but it gives the desired result.

In your case, I guess you are going to have multiple "SecretGroups" so for each secret album you would need to give Allow access for the applicable secret group.
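
Added example, not part of the thread and not Gallery3 code: a small Python model of the permission layout spags describes in the post above, plus step 4 from the first post. It assumes a user may view an album when any one of their groups resolves to "allow", and that a group with no explicit setting inherits from the parent album; the user names and the `normal` album key are constructed for illustration.

```python
# Added illustration: a model of group-based album permissions, not Gallery3 code.
# Assumed rule: a user may view an album when ANY of their groups resolves to
# "allow"; a group with no explicit setting inherits the parent album's setting.
ALLOW, DENY = "allow", "deny"

# Constructed matrix following the layout in the post above.
ALBUMS = {
    "root":   {"parent": None,   "perms": {"Everybody": ALLOW, "Registered Users": ALLOW, "SecretGroup": ALLOW}},
    "public": {"parent": "root", "perms": {}},
    "normal": {"parent": "root", "perms": {"Everybody": DENY}},
    "secret": {"parent": "root", "perms": {"Everybody": DENY, "Registered Users": DENY}},
}
USERS = {  # constructed users; every logged-in user is also in the two built-in groups
    "guest":  {"Everybody"},
    "user_b": {"Everybody", "Registered Users"},
    "user_a": {"Everybody", "Registered Users", "SecretGroup"},
}
# Step 4 from the first post: allow Registered Users, deny publicGroup.
STEP4 = {"secret": {"parent": None, "perms": {"Registered Users": ALLOW, "publicGroup": DENY}}}
STEP4_USERS = {"user_b": {"Everybody", "Registered Users", "publicGroup"}}

def resolve(albums, album, group):
    """Walk up the album tree until the group has an explicit setting."""
    while album is not None:
        node = albums[album]
        if group in node["perms"]:
            return node["perms"][group]
        album = node["parent"]
    return DENY  # nothing set anywhere: default to no access

def can_view(albums, groups, album):
    return any(resolve(albums, album, g) == ALLOW for g in groups)

def access_table(albums, users):
    """Effective access per user: the thing to compare against the intended policy."""
    return {u: sorted(a for a in albums if can_view(albums, g, a)) for u, g in users.items()}

def ineffective_denies(albums, users):
    """Explicit denies that block no member, because another group still allows."""
    found = []
    for album, node in albums.items():
        for group, setting in node["perms"].items():
            members = [u for u, gs in users.items() if group in gs]
            if setting == DENY and members and all(can_view(albums, users[u], album) for u in members):
                found.append((album, group))
    return found

if __name__ == "__main__":
    print(access_table(ALBUMS, USERS))
    print(ineffective_denies(STEP4, STEP4_USERS))
```

Under this model the step 4 deny on "publicGroup" is flagged as having no effect, because User B is still allowed through "Registered Users".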

 
tale

Joined: 2014-04-17
Posts: 6
Posted: Sat, 2014-04-19 12:24

I reproduced your exact steps, at first to no avail. Then I got a little desperate and started deactivating all surplus modules. When I disabled the "register"-plugin it suddenly worked! Nice!

But then I got carried away and tried to build from the test environment to some real galleries and groups. This is where it gets interesting:

1.) I added a new group "Köln" (cologne) and a new album "birthday".
2.) I set the following permissions:
root -> Everybody, RegisteredUsers and each group may enter (view)
public -> inherits all
secret -> explicitly denies everything to all groups but the "secret group"
birthday -> explicitly denies everything to all groups but the "Köln" group

I expected the following:
- secret group should be able to see: public and secret
- Köln group should be able to see: public and birthday
- a member of both Köln AND secret group should be able to see: public, secret and birthday
- everybody else should be able to see: public

Long story short:
- everybody can see: public and secret (but is unable to enter the latter group)
- secret group can see: public and secret
- Köln group can see: public and secret (but is unable to enter the latter group, same as "everybody")
- a member of Köln AND secret can see: public and secret (same as "secret")

Frankly: I don't know what else to try anymore. I started from scratch once, but it didn't help.

Currently, I'm starting to suspect that there is more to this than my potential inability to use this feature correctly. Maybe I stumbled upon a buggy implementation or something?
It's just surprising that no one else seems to experience my difficulties as it doesn't seem to be a very unusual use case?

 
spags

Joined: 2010-03-26
Posts: 120
Posted: Tue, 2014-04-22 12:29

The fact that you could get it working in your test environment shows that it should work in your live ones as well. I don't know why it would have started working correctly when you disabled the Register module, but I guess it could have some effect if the module was controlling the Registered Users group - maybe it in fact does (I'm not sure).

The way you say you have it set up sounds like it should be working. Why those groups can see (but not navigate into) the albums I'm not sure about either.

I guess it is undesirable to start deactivating modules in your live sites as well. Maybe you could consider backing up a live site and restoring it to your test environment for further experimentation.

 
tale

Joined: 2014-04-17
Posts: 6
Posted: Tue, 2014-04-22 12:47

Thank you very much for all your effort, spags, but I decided to switch over to a Coppermine gallery.

This is really quite a shame, because I do like Gallery3's looks and functionality a lot more but still... a simple, yet trustworthy permission management is essential for me.

 
spags

Joined: 2010-03-26
Posts: 120
Posted: Tue, 2014-04-22 12:56

Ahh how unfortunate. Good luck with Coppermine though.

 
tale

Joined: 2014-04-17
Posts: 6
Posted: Tue, 2014-04-22 13:04
Quote:
Ahh how unfortunate. Good luck with Coppermine though.

Thanks :)