Password protected albums?

Einstein

Joined: 2003-10-13
Posts: 105
Posted: Wed, 2004-10-13 22:12

I saw an old request about password protected albums. Is it planned for G2?

 
baschny

Joined: 2003-01-04
Posts: 328
Posted: Wed, 2004-10-13 22:44

Einstein, every user has to provide a password to login. And you can protect an album so that just one user is able to see it (or a group). So just add both features and you've got what you want:

- Only allow a certain group to view an album
- Place the users that are allowed to view it in this group

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2004-10-13 23:28

What Einstein is proposing is a quite popular feature request.
What he wants is an album that is not protected by user/group permissions, but by a simple password for anonymous users / guests.

You've created a gallery for a special event and don't want to ask all your friends to sign up with your gallery just to see the photos. But the photos still should not be publicly visible.
So you decide to email all your friends the same password for this single album.

I guess we could do something like that by creating a special user for each album / item password. The visitor just has to enter the password and no username and internally he will be logged in as this special album user.

 
bharat

Joined: 2002-05-21
Posts: 7994
Posted: Thu, 2004-10-14 00:46

This is analogous to G1's "hidden album/image" feature. I specifically got rid of that when I created the G2 architecture because it creates a gigantic headache for our permissions system. It makes calculating view permissions much more challenging, and if you can't do those in a single query then you lose the ability to do proper paging in an efficient manner. Right now, I believe the only way to do it is to have a special user. I don't foresee that changing in the near future.

 
Einstein

Joined: 2003-10-13
Posts: 105
Posted: Thu, 2004-10-14 11:16
valiant wrote:
What Einstein is proposing is a quite popular feature request.
What he wants is an album that is not protected by user/group permissions, but by a simple password for anonymous users / guests.

Valiant, you are reading my thoughts ;)

Anyway I will check the G2 architecture myself if it's really that complicated to add such a feature.

 
baschny

Joined: 2003-01-04
Posts: 328
Posted: Thu, 2004-10-14 15:48

bharat, others, some irc brainstorming about the hidden (and now this password-protected feature) suggested some kind of "auto-login" feature, where you hit a specific url, and are automatically logged in as a certain user (which then has the rights to view the item). Just a thought... for more brainstorming. :)

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Thu, 2004-10-14 16:09

yes, I had a similar thought.. we could have an ItemEdit plugin for selecting a password for an album.. this would create a user (username like albumpassword-ID where ID is the id of the album.. this makes it clear to an admin looking at the user list where these users came from.. oh, how will memberlist ignore these??).. then assign appropriate permissions on the album for the user (and remove Everybody permissions if needed). Someone trying to access ShowItem for the album would get bumped to the login page and returned to the album.. but we could also have a specialized login view in the module if desired.

other brainstorming...
- a view asks for password and sets a cookie; extend GalleryAlbumItem, add some logic in onLoad event to verify cookie is present
- is there any way to use http basic auth? (maybe not since we always go thru main.php)

 
baschny

Joined: 2003-01-04
Posts: 328
Posted: Thu, 2004-10-14 16:37

mindless, about http-basic-auth, it is possible, yes.. it's just some server-headers to return and some client-headers to process, so it could be done from a single main.php.

 
jmullan

Joined: 2002-07-28
Posts: 974
Posted: Fri, 2004-10-15 00:39

I've done the http auth through php a couple of times. Let me know if you want to see some sample code.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Fri, 2004-10-15 01:25

Ok, how about the attached module.... it adds an item edit plugin to set passwords for albums.. the onLoad handler for PasswdAlbumItem checks the password using http basic auth on a core:ShowItem request for the album.... so, it's kinda a specific case (no password check if you jump directly to any children in the album), but maybe this feature doesn't need bulletproof security.. it's just what it is.
Feedback welcome..

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2004-10-15 01:31

i'd prefer no password over a password that can be bypassed by a direct item link. something like that makes you believe things are more secure than they really are, even if you add a big disclaimer.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Fri, 2004-10-15 05:50

sooo.... have any ideas on improving it?

 
signe

Joined: 2003-07-27
Posts: 2322
Posted: Fri, 2004-10-15 07:19

While I don't dislike the password protected albums idea, I think it's separate from the concept of hidden albums.

I DO, however, like the idea of auto-login based on album. It seems easy enough to have a global 'hidden' user (that can't be logged into, directly), and make the viewing of an album conditional on having the user set to hidden.

Or...

Instead of changing the logged in user, create a flag for items which is 'additional users'. I don't have it fully worked out in my head, but this is the idea:

When a user is viewing an item, if the 'additional users' is set, the usernames listed in the field are appended to the permissions query. So, instead of 'signe or everyone or [whatever groups I may be in]', you get that, plus 'additional users'.

My thoughts aren't coming across too clearly, but you may understand what I'm getting at. Hit me on IRC if you have questions about what I'm trying to say.

 
Einstein

Joined: 2003-10-13
Posts: 105
Posted: Fri, 2004-10-15 13:48
valiant wrote:
i'd prefer no password over a password that can be bypassed by a direct item link. something like that makes you believe things are more secure than they really are, even if you add a big disclaimer.

It really depends how you want to use the password protection. For example i will use it for party pictures. And it doesn't bother me if a friend wants to send a link if himself to someone.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Fri, 2004-10-15 18:36

I changed the onLoad code to check the parentSequence, so the check now applies to all descendent items too (relying on the fact that to build the breadcrumb all ancestor items will be loaded at some point during the core:ShowItem request..)

        // Check for password on core:ShowItem request for this album or its descendents..
        list ($view, $itemId) = GalleryUtilities::getRequestVariables('view', 'itemId');
        if ($view == 'core:ShowItem') {
            if ($itemId != $this->getId()) {
                // Requested item is not this album: see whether this album is one of its ancestors
                list ($ret, $parentSequence) = GalleryCoreApi::fetchParentSequence($itemId);
                if ($ret->isError()) {
                    return $ret->wrap(__FILE__, __LINE__);
                }
                if (in_array($this->getId(), $parentSequence)) {
                    // Descendant of this album: treat the request as one for the album itself
                    $itemId = $this->getId();
                }
            }
            // Missing or wrong password: send the HTTP basic auth challenge and stop
            if ($itemId == $this->getId() && (!isset($_SERVER['PHP_AUTH_PW']) ||
                    !$this->isCorrectPassword($_SERVER['PHP_AUTH_PW']))) {
                header('WWW-Authenticate: Basic realm="' . $this->getTitle() . '"');
                header('HTTP/1.0 401 Unauthorized');
                print "Unauthorized\n";
                exit;
            }
        }

So now the main drawback is the search module or imageblock can still find these items, since this code I wrote doesn't use real permissions.. but following the links from these modules to the item will prompt for the password.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2004-10-19 21:53

Warning: there are side effects from changing the entityType of albums.. even though most code looking at entities uses GalleryUtilities::isA, which will still return true if the entity extends the class you're looking for, there are some db queries which specifically look for GalleryAlbumItem.. so entities that extend GalleryAlbumItem won't match these queries. Example: I can't move any photos into an album with password protection.. the album doesn't show up in the list of possible destination albums because its entity type isn't GalleryAlbumItem.

 
leverii

Joined: 2004-11-25
Posts: 23
Posted: Sun, 2004-12-26 05:26

I agree that what Einstein is proposing is a quite popular feature request.
pbase.com is providing such a feature for its customers, as shown at the link below:

http://www.pbase.com/help/password_protection

There is no doubt that G2 will be the killing apps for internet gallery.
The "password protected" feature will make G2 more useful, especially for commercial use.

I wonder whether it will be simpler if the system checks only down to album level, not item level. Also, will that feature be implemented as an analog of a padlock in real life? Everyone who knows the password can open the album and watch the contents inside.

I am not a good software developer. What I suggest is for brainstorming only.

 
jmullan

Joined: 2002-07-28
Posts: 974
Posted: Sun, 2004-12-26 06:22

What if we were to implement this as sort of a macro:
"Password protect album"
1a) Remove public permissions from an album
1b) Don't change user- or group-specific permissions
2) Create a new user
3) Give that user permissions for that album
4) Associate that user with the album so that non-authenticated users can log in with just a password to that album
5) Allow that user to be re-used for other albums with the same password

This could create a problem for users who have a password for an album but are logged in as themselves.

Just a thought.

 
jeffchau

Joined: 2005-04-22
Posts: 18
Posted: Sat, 2005-04-23 03:44

I'm planning to implement such a feature as a plugin but I need some assistance.

1) Add a new permission called passwd.viewObject (They are only allowed to view the album with the password)
2) Add an edit album plugin which allows the user to set a password
3) If the password is set, associate the guest user with the passwd.viewObject permission
4) When a guest user accesses the album, the system redirects them to a new view

For step 4, I dunno what event should I register, which event will be raised when displaying an album?

 
bharat

Joined: 2002-05-21
Posts: 7994
Posted: Mon, 2005-04-25 00:21

Ok, this got me thinking along the lines of session based ACLs. Right now we look up the ACLs every time, but since that's an API call we can also have a set of extra ACLs that are stored in your session. So the permissions page could have an extra text field that lets you associate the permission of the current item with an ACL, and if you have provided that password you have the ACL until your session expires.

There are some stumbling blocks that I need to think about in more detail than I have time for now. Associating the password with the specific album is tricky. Figuring out how to show the placeholder is tricky. Having it go to a page where you enter the password equally problematic. But maybe this'll get other people thinking along similar lines.
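
The session-based ACL idea above, sketched as an added example that is not part of the original post and not Gallery 2 code; the class, the ACL ids and the in-memory item table are hypothetical stand-ins for G2's permission tables. A correct album password adds one ACL id to the session, and every listing (album view, search, cart) filters on the user's ACL ids plus the session's, so the check stays a single set-membership test:

```php
<?php
// Added illustration, not Gallery 2 code. All names and ids are hypothetical.

final class SessionAclDemo
{
    /** @var array<int,string> ACL id => salted password hash */
    private array $aclPasswordHash = [];

    /** @var array<int,array{title:string,aclId:int}> stands in for the item table */
    private array $items = [];

    public function protect(int $aclId, string $password): void
    {
        // password_hash() generates a random salt and embeds it in the hash string.
        $this->aclPasswordHash[$aclId] = password_hash($password, PASSWORD_DEFAULT);
    }

    public function addItem(int $id, string $title, int $aclId): void
    {
        $this->items[$id] = ['title' => $title, 'aclId' => $aclId];
    }

    /** Try a password; on success, remember the ACL id in the session. */
    public function unlock(array &$session, int $aclId, string $password): bool
    {
        $hash = $this->aclPasswordHash[$aclId] ?? null;
        if ($hash === null || !password_verify($password, $hash)) {
            return false;
        }
        $session['extraAclIds'][$aclId] = true;
        return true;
    }

    /**
     * The one permission filter shared by every caller.
     * In SQL this would be "WHERE aclId IN (...)": still one query, so paging keeps working.
     */
    public function visibleItemIds(array $userAclIds, array $session): array
    {
        $allowed = array_merge($userAclIds, array_keys($session['extraAclIds'] ?? []));
        $ids = [];
        foreach ($this->items as $id => $item) {
            if (in_array($item['aclId'], $allowed, true)) {
                $ids[] = $id;
            }
        }
        return $ids;
    }
}

// Constructed sample data: ACL 1 = public, ACL 7 = password-protected party album.
$demo = new SessionAclDemo();
$demo->protect(7, 'party-2004');
$demo->addItem(10, 'Public album', 1);
$demo->addItem(20, 'Party album', 7);
$demo->addItem(21, 'Party photo', 7);

$guestAcls = [1];   // what an anonymous visitor holds
$session = [];      // stands in for the visitor's server-side session

var_dump($demo->visibleItemIds($guestAcls, $session));   // before the password
var_dump($demo->unlock($session, 7, 'wrong'));
var_dump($demo->unlock($session, 7, 'party-2004'));
var_dump($demo->visibleItemIds($guestAcls, $session));   // after the password
```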

 
jeffchau

Joined: 2005-04-22
Posts: 18
Posted: Mon, 2005-04-25 07:22

>> Having it go to a page where you enter the password equally problematic.

This is what gives me a lot of headaches. For rendering an album, which part of the code will be called?

After viewing the code for panorama, I have a thought of making passwdAlbumItem a subclass of albumItem (just like PanoramaItem is a subclass of PhotoItem),

and inside the loadTemplates method of those views:

        if (client cookie's password field set) {
            if (cookie's password matches that of the current album) {
                load the templates of a typical albumItem.
            }
        } else {
            load the templates prompting password
        }

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Mon, 2005-04-25 14:24

jeffchau, just curious, have you looked at the sample code attached in this topic and read the drawbacks of this code in the discussion?
I've added onLoadHandler since that code was written, which is probably a better way than subclassing AlbumItem.

 
jeffchau

Joined: 2005-04-22
Posts: 18
Posted: Tue, 2005-04-26 03:34

actually I have tried the attachment but I cannot get it to work in beta 2.
Maybe it is due to the change in database schema.

After clicking install.

Error (ERROR_STORAGE_FAILURE, ERROR_UNKNOWN)
in modules/core/classes/GalleryStorage/DatabaseStorage.class at line 1236 (gallerystatus::error)
in modules/core/classes/GalleryStorage.class at line 261 (mysqldatabasestorage::addmapentry)
in modules/core/classes/interfaces/GalleryPluginParameterMap.inc at line 98 (gallerystorage::addmapentry)
in modules/core/classes/helpers/GalleryPluginHelper_medium.class at line 397 (gallerypluginparametermap::addmapentry)
in modules/core/classes/helpers/GalleryPluginHelper_medium.class at line 347 (gallerypluginhelper_medium::_addparameter)
in modules/core/classes/GalleryCoreApi.class at line 360 (gallerypluginhelper_medium::setparameter)
in modules/core/classes/GalleryPlugin.class at line 284 (gallerycoreapi::setpluginparameter)
in modules/core/classes/GalleryModule.class at line 176 (albumpasswdmodule::setparameter)
in modules/core/AdminModules.inc at line 68 (albumpasswdmodule::installorupgrade)
in main.php at line 173 (adminmodulescontroller::handlerequest)
in main.php at line 79
in main.php at line 70

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-04-26 05:32

ya, it's out of date.. i meant looking at how it works..

 
jeffchau

Joined: 2005-04-22
Posts: 18
Posted: Fri, 2005-04-29 04:22

I have changed mindless's code a bit and made it work for g2b2.

I still cannot get the idea of the g2-database interaction (since I am not familiar with that saxon stuff), so I just save the password as a module parameter, the same way the sizelimit module does.

I just modified it to make it work. And actually there are some useless classes in the zip. But I am also busy with customizing my gallery, so maybe I will take some time to tidy up the code later.

 
chivas12

Joined: 2005-05-31
Posts: 43
Posted: Wed, 2005-06-29 08:38

I tried to install it on G2B3, but it said it's incompatible! Anyone can help on this?

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Wed, 2005-06-29 17:15

Here is the module with these updates:
1) Use onLoadHandler as suggested above, instead of changing entity type.
2) Use salt in hashing the password.
3) Up to date with apis.

 
chivas12

Joined: 2005-05-31
Posts: 43
Posted: Thu, 2005-06-30 07:36

Thanks Mindless for the prompt reply!
But I still got the following error in the module description

Create password protected albums
Incompatible module!
Module API Required: 1.0 (available: 0.12)

Can Mindless help? Thanks a lot!

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Thu, 2005-06-30 14:11

You need to upgrade to a more recent nightly, http://galleryupdates.jpmullan.com

 
LadensIII

Joined: 2005-07-13
Posts: 41
Posted: Sat, 2005-07-16 00:48

Who has tried the albumpasswd.zip?
How to install?

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Sat, 2005-07-16 20:59

updated attachment above for current (in cvs) apis.

 
TvE

Joined: 2004-07-03
Posts: 76
Posted: Sun, 2005-07-24 09:44

I also find this functionality very relevant - I am just wondering if it will be rolled into Gallery 2 (in a later version than B4) or if it would "only" be available as a separate DL.

PS.: Where would one search for other users modules?

 
TvE

Joined: 2004-07-03
Posts: 76
Posted: Sun, 2005-07-24 09:52
LadensIII wrote:
Who has tried the albumpasswd.zip?
How to install?

1. DL the module
2. Unzip the module
3. Copy the folder "albumpasswd" to /<PathToGallery>/modules/albumpasswd
4. Install & Activate the module in the Admin Options -> Modules
5. Edit the relevant Albums - in the bottom of the edit-album-page there is now a "Password Protect this Album" field
6. Enjoy

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Sun, 2005-07-24 17:15

@ PS.: Where would one search for other users modules?

You can find more user contributions here, it appears to stay fairly up to date.
http://gallery.menalto.com/modules.php?op=modload&name=phpWiki&file=index&pagename=G2%20-%20User%20Contributions

As for getting into final release, mindless can answer that better, but I doubt it. The devs are focusing on bug fixes, UI improvements, documentation and probably performance. More than likely, no new features will be implemented into G2 until after final release. But you can also count on the API not changing between now and then, well for the most part unless someone finds some major problem ;)

 
TvE

Joined: 2004-07-03
Posts: 76
Posted: Tue, 2005-07-26 19:18

OK - separate DL is no problem, as long as the module exists ;-)

Thanx for the link to the user contrib, I wonder why I haven't found it myself. I thought I had been all over this site by now

 
kwc

Joined: 2005-01-05
Posts: 10
Posted: Thu, 2005-09-01 16:49

I love the password protection capability available through this module -- thanks for putting the time into this and making it available.

One problem, though... I've discovered that adding an album to the cart will still allow display of thumbnails for each image in the password-protected album. In other words, even those that haven't entered a valid password can view a thumbnail image of the protected contents simply by adding the album to the cart.

Anyone know of a way to prevent this while still maintaining password protection and shopping cart capability?

Thanks!
kwc

 
shocksll

Joined: 2005-06-22
Posts: 352
Posted: Thu, 2005-09-01 18:19

I'm not sure if the latest cvs fixes this or not, but I do think there was a permissions problem in general with the cart functionality. I'd try the latest cvs and see if that fixes it. It may not because this is using the special password thing but you never know.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Mon, 2005-09-05 19:05

see the bottom of modules/albumpasswd/module.inc
onLoad is called whenever the database entity for the password protected album is loaded during the processing of a request. you can see the code here only enforces the password check for core.ShowItem of this album or its descendent items. i suppose you could modify this code to also check for 'controller' request variable == 'cart.AddToCart'.
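
The gap discussed above comes from enforcing the password only for one named view. As an added example that is not part of the original post (a simplified model, not the module's code; the function names, the request arrays and the parent map are constructed for illustration), the view-specific check is shown beside one that applies to any request whose item lies inside the protected album:

```php
<?php
// Added illustration, not the albumpasswd module. Names and data are hypothetical.

// Constructed hierarchy: item id => parent id (0 = root). Album 20 is protected.
const PARENT_OF = [10 => 0, 20 => 0, 21 => 20, 22 => 20];
const PROTECTED_ALBUM = 20;

/** True if $itemId is the protected album or one of its descendants. */
function isInsideProtectedAlbum(int $itemId): bool
{
    for ($id = $itemId; $id !== 0; $id = PARENT_OF[$id] ?? 0) {
        if ($id === PROTECTED_ALBUM) {
            return true;
        }
    }
    return false;
}

/** As in the thread: the password is demanded only for the core:ShowItem view. */
function needsPasswordViewOnly(array $request): bool
{
    return ($request['view'] ?? '') === 'core:ShowItem'
        && isInsideProtectedAlbum((int) ($request['itemId'] ?? 0));
}

/** Independent of the entry point: any request naming a protected item demands it. */
function needsPasswordAnyRequest(array $request): bool
{
    return isInsideProtectedAlbum((int) ($request['itemId'] ?? 0));
}

// Constructed requests, modelled on the request variables mentioned in the thread.
$requests = [
    'show protected photo' => ['view' => 'core:ShowItem', 'itemId' => 21],
    'add album to cart'    => ['controller' => 'cart.AddToCart', 'itemId' => 20],
    'show public album'    => ['view' => 'core:ShowItem', 'itemId' => 10],
];

foreach ($requests as $label => $request) {
    printf(
        "%-22s view-only check: %-3s  any-request check: %s\n",
        $label,
        needsPasswordViewOnly($request) ? 'yes' : 'no',
        needsPasswordAnyRequest($request) ? 'yes' : 'no'
    );
}
```

Adding views or controllers to the check one at a time leaves every entry point nobody thought of unprotected, which is why the second form keys on the item rather than on the request type.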

 
bobthefirst

Joined: 2005-09-26
Posts: 3
Posted: Mon, 2005-09-26 06:57

what do you use for a user name with this module?

I installed this module on a stand alone G2 and I get the following under the Album tab:
Album Password
Assign a password required for viewing this album.

I assigned a password but when I try to login I get prompted for a Username and a Password (http auth dialog box). I have tried entering every combination that I could think of for the Username, from leaving it blank to setting up a user with the same password. I also noticed that the "Remove password" checkbox doesn't seem to work. When I check it and hit save I get "Settings saved successfully." but the checkbox with "Remove password" is still there.

Any thoughts?

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Mon, 2005-09-26 17:12

i think the username should be ignored.
i haven't tried this module recently, perhaps it needs updating.

 
alfie2

Joined: 2005-10-01
Posts: 1
Posted: Mon, 2005-10-03 03:43

I also had the same difficulty using G2. I am prompted for both a username and password...leaving the username blank and entering the configured password doesn't seem to work.

Is there an update to this useful module for the final G2 release?
Thanks!

 
Lapinoo

Joined: 2004-05-08
Posts: 378
Posted: Mon, 2005-10-03 12:13

Is there a registered RFE for this feature ?

I think it would be nice to have it "voted" with all other feature requests. If it appears to be popular, maybe this module should be included in the standard code base.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Mon, 2005-10-03 13:56

Yes, there is http://sourceforge.net/tracker/index.php?func=detail&aid=1120914&group_id=7130&atid=357130

Feel free to vote on it :)


 
Lapinoo

Joined: 2004-05-08
Posts: 378
Posted: Mon, 2005-10-03 14:20

Thanks!

I just voted for this one! ;-)

If others could vote too, that would help this feature!

 
spankee

Joined: 2004-06-12
Posts: 51
Posted: Mon, 2005-10-03 17:36

The module for password protected albums was done already by a Google SOC student. But when it will be released, I don't have a clue.
http://codex.gallery2.org/index.php/Gallery2:SummerOfCode#Hidden_and_Password-Protected_Items

Perhaps a developer can clue us in.

In the meantime I am putting my votes to the feature request "invitation only". It can be found on the first page of the Feature Vote page.
http://sourceforge.net/tracker/index.php?func=detail&aid=1078228&group_id=7130&atid=357130

 
Indemnity83

Joined: 2005-10-05
Posts: 11
Posted: Sat, 2005-10-22 06:31

Was there ever a resolution to the username and password question? Since I am running into the same problem. I would love to see this working. Thanks.

 
denis_std

Joined: 2005-10-23
Posts: 3
Posted: Sun, 2005-10-23 21:02

I am also interested in that feature. Would be nice if someone could implement that soon.

 
Lapinoo

Joined: 2004-05-08
Posts: 378
Posted: Sun, 2005-10-23 21:13
denis_std wrote:
I am also interested in that feature. Would be nice if someone could implement that soon.

So vote for it! (http://gallery.menalto.com/sfvote/vote/1120914)

 
Indemnity83

Joined: 2005-10-05
Posts: 11
Posted: Sun, 2005-10-23 21:39

Already taken care of ;-)

 
doomdead

Joined: 2003-04-06
Posts: 174
Posted: Mon, 2005-10-31 19:31

I installed this in one of the most recent copies of G2 (one of the latest cvs in fact), and it installs fine, but when I click on the album it just says Unauthorized. I tried in both IE and Firefox and got the same thing.

I'm running G2 under IIS6.... Any suggestions on what it could be?

 
nickyu

Joined: 2005-10-31
Posts: 25
Posted: Fri, 2005-11-25 17:56
bobthefirst wrote:
what do you use for a user name with this module?

I installed this module on a stand alone G2 and I get the following under the Album tab:
Album Password
Assign a password required for viewing this album.

I assigned a password but when I try to login I get prompted for a Username and a Password (http auth dialog box). I have tried entering every combination that I could think of for the Username, from leaving it blank to setting up a user with the same password. I also noticed that the "Remove password" checkbox doesn't seem to work. When I check it and hit save I get "Settings saved successfully." but the checkbox with "Remove password" is still there.

Any thoughts?

I get this same problem... Anyone find an answer?

Nick