Random Highlight not respecting permissions -- no, really!

nwnynwny

Joined: 2005-09-18
Posts: 9
Posted: Tue, 2005-09-20 05:48

I've spent a good chunk of time poring through the documentation and forums looking over the confusion about permissions and random picture selection, but I'm still having problems. It's entirely possible that I'm simply not understanding something, please bear with me and help me understand what's going on.

I understand that permissions are set individually and that permissions are not inherited -- that any images that I don't want viewed by a general audience need to have privileges set individually, rather than simply applying blanket privileges to an album (PITA, but that's beside the point, and I understand that it's on the TODO list).

My scenario deals with the selection of a random image from within the album to serve as the album's thumbnail (as far as I can tell, this may be different from the Image Block functionality, I've not been playing with that yet). I have an album ("Album X") that contains three sub-albums within it; two of these sub-albums are available to the group Everyone, and the third is available only to me.

-- Album X
-- -- Sub-album One
-- -- -- Okay Pictures
-- -- Sub-album Two
-- -- -- Okay Pictures
-- -- Sub-album Three
-- -- -- NOT Okay Pictures

I have checked the permissions on the "hidden" sub-album ("Sub-album Three"), and the permissions on the individual images stored within it (the "NOT Okay Pictures"). There is no access whatsoever given to any groups or users beyond myself on any of those individual images, or on the Sub-album they are contained in. When I am logged out or in guest mode, I cannot see that album, and trying to go directly to an image within it gives me the login prompt. So far, so good. However, the widget that periodically selects a new thumbnail for "Album X" will use the thumbnail from the taboo "Sub-album Three" folder (predictably) one-third of the time. I think you can imagine the "yikes!" moment I had when I was surprised to see a very naked picture of myself on my Gallery page.

Again -- I've checked the Group and User Privileges for the individual images in question, not just of the album they're sitting in. I'm very, very nervous here -- I truly want to understand fully what's happening here, as I don't like the spectre looming that I'll have more nekkid photo surprises.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Tue, 2005-09-20 08:52

permissions are inherited. if you create a new item in album X, the new item will inherit all permissions from it.
if you want to change a whole tree, all subalbums of an album, that's possible too.

please give PM a privileged account (user/password/url) for your G2 and i'll take a look if you are just confused, which is still the most probable case.

 
nwnynwny

Joined: 2005-09-18
Posts: 9
Posted: Wed, 2005-09-21 02:11

Thanks so much for taking the time to look at this with me. I've removed all of the taboo albums from my system, but I've created a test album that demonstrates exactly the behavior I was talking about. I've called it Album X and it's on the first page of my Gallery:

http://photo.humuhumu.com

Inside Album X there are two sub-albums, "Good" which is available to Everyone, and "Bad" which is not. Inside Good there is only one photo, of me with an onion ring on my arm. Inside Bad there is only one photo, of me eating cereal. Again -- I've double, triple, quadruple checked the permissions on both the cereal photo AND on the Bad album, and these should be hidden. When I'm logged out or in Guest mode, I cannot see the album, and cannot reach the photo using its direct url. However, when at my main Gallery page, the random highlight thumbnail for Album X is the image of me eating cereal half the time. I have the random highlight set to change every minute, so you shouldn't have to wait very long to see it.

Valiant, I've created an account for you that gives you all access on Album X, Good, Bad, and the two photos. I'll PM you the details.

Thanks again for lending a hand.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-09-21 09:43

nwnynwny,
we were both right, it's a misunderstanding :)
actually, you're right and i misread your topic / description.

i thought you were talking about the random image block and not about the random highlight, sorry.

the thing with album highlights is very complicated. we decided that we ignore permissions when choosing a highlight for an album. so random highlight will expose your private photos, true. you shouldn't use random highlight for a public album that contains private albums if you don't want this to happen.
i'd keep random highlight for the public albums that have public subalbums, i'd keep it also for private albums, but not for a public album that has some private subalbums / pictures somewhere in its subtree.

you could file a feature request such that we respect permissions when choosing random highlights. I guess we could make that possible. just, in some cases you would end up with no highlight at all since no photos may be viewable, even if the album is viewable. but in your case, you'd prefer this definitely, i understand.

 
nwnynwny

Joined: 2005-09-18
Posts: 9
Posted: Wed, 2005-09-21 10:17

Thanks for bearing with me, Valiant, and thanks for your explanation, that helps bunches.

There's one more thing I could use your patience in clarifying for me -- if I have any albums or photos anywhere in the system that are non-public, aren't they all contained in a single public album at the top level (in my case, the one titled "Humuhumu's Life in Photos")? The thumbnail for the top level is visible in the sidebar when I go to add a new album or a new photo at that top level. Right now I'm the only one with privileges to add stuff at that level, but I would like to be able to grant some people the ability to do that without also essentially granting them privileges to see me naked as a jaybird. If I turn Random Highlight off at that top level, but leave it on for the albums underneath it that don't have private things in them, does that solve that problem? I'm new to Gallery -- are there other places where one might see the thumbnail for the top level?

I absolutely understand that sometimes one has to sidestep complexity in favor of gettin' 'er done, but random highlight not respecting privileges resulted in my unwittingly showcasing my assets to the world, when I thought that I'd been very careful & thorough in locking them down (and in fact, I had been). Granted, I was able to catch it before I let anyone know about my new photo galleries, but there likely will be others who won't be so lucky. Maybe add a warning in the Random Highlight module setup? Is there already a warning and I missed it/skimmed over it?

What's the proper way to file a feature request?

 
nwnynwny

Joined: 2005-09-18
Posts: 9
Posted: Wed, 2005-09-21 10:22

p.s. -- are there other places in Gallery where complexity prompted the ignoring of permissions?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-09-21 11:33

no, else we respect permissions everywhere.
it's not that we don't respect permissions here, well it's a matter of interpretation. i'd say yes, we don't respect permissions when choosing a thumbnail for an album. another dev would argue that when you choose a thumbnail for an album, and you're not using the random highlight module, then you have to choose a single thumbnail for all users.
how would you do that?

say album X has photos which are only visible for group A and other photos that are only visible to group B. which photo do you take as the album highlight? remember, random highlight is not activated, that's just an additional feature.
you can't select any photo as highlight of the album without violating permissions since if you chose a photo which was only visible to group A, group B would see it also as album highlight.

so now we know, we'd need multiple highlights for each album. that would be a feature request. for now, we say:
- if you have private photos in a public album, or in a private subalbum of a public album, ... make sure you are ok with the thumbnail of the public album, that is, change it once. changing a highlight is done in a few seconds.

But i definitely agree that the case with random highlight is different. in random highlight we can select the highlight for each user anyway, and why not obey permissions in this case.

@top level highlight:
right, if anyone else can edit the top album, they'll see the top level album highlight. recommendation: disable random highlight for the top level album. i think you can see the top level highlight only in these edit pages on top level.

and i'm sorry for your inconveniences.
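
The per-viewer selection valiant describes, written out as an added example (this is not Gallery 2's code): `random_highlight` draws only from what the requesting viewer may see and yields no highlight when nothing is viewable, while `static_highlight` shows why one fixed thumbnail cannot satisfy group A and group B at once. The album, group and photo names are constructed from the thread.

```python
import random
from dataclasses import dataclass
# Constructed model of this thread's album tree; example code added here,
# not Gallery 2's own permission or highlight API.

@dataclass(frozen=True)
class Item:
    name: str
    view_groups: frozenset  # groups granted "view" on this photo

@dataclass(frozen=True)
class Album:
    name: str
    view_groups: frozenset
    children: tuple = ()  # nested Album or Item objects

def can_view(viewer_groups, entity):
    """Per-item check: every album and photo carries its own permissions."""
    return bool(viewer_groups & entity.view_groups)

def viewable_photos(album, viewer_groups):
    """Photos the viewer may see; an album they cannot open hides its subtree."""
    if not can_view(viewer_groups, album):
        return []
    found = []
    for child in album.children:
        if isinstance(child, Album):
            found.extend(viewable_photos(child, viewer_groups))
        elif can_view(viewer_groups, child):
            found.append(child)
    return found

def all_photos(album):
    """Every photo in the subtree, ignoring permissions (the admin's view)."""
    found = []
    for child in album.children:
        found.extend(all_photos(child) if isinstance(child, Album) else [child])
    return found

def random_highlight(album, viewer_groups, rng=random):
    """Per-viewer random highlight drawn only from what this viewer may see;
    None when nothing is viewable (the 'no highlight at all' case)."""
    candidates = viewable_photos(album, viewer_groups)
    return rng.choice(candidates) if candidates else None

def static_highlight(album, audiences):
    """One fixed highlight for everyone who can open the album: it must be
    viewable by every audience, otherwise no pick avoids a leak."""
    for photo in all_photos(album):
        if all(can_view(groups, photo) for groups in audiences):
            return photo
    return None

def highlight_names(album, viewer_groups, draws, seed):
    """Set of photo names one viewer sees over repeated seeded draws."""
    rng = random.Random(seed)
    picks = [random_highlight(album, viewer_groups, rng) for _ in range(draws)]
    return {p.name for p in picks if p is not None}

# Sample data from the thread: public "Good" (onion-ring) and owner-only
# "Bad" (cereal) inside public Album X; plus valiant's group A / B dilemma.
EVERYONE, OWNER = frozenset({"everyone"}), frozenset({"everyone", "owner"})
ONION, CEREAL = Item("onion-ring", EVERYONE), Item("cereal", frozenset({"owner"}))
ALBUM_X = Album("Album X", EVERYONE, (Album("Good", EVERYONE, (ONION,)),
                                      Album("Bad", frozenset({"owner"}), (CEREAL,))))
GROUP_A, GROUP_B = frozenset({"everyone", "a"}), frozenset({"everyone", "b"})
ALBUM_AB = Album("Album AB", EVERYONE,
                 (Item("for-a", frozenset({"a"})), Item("for-b", frozenset({"b"}))))
```

A guest calling `random_highlight(ALBUM_X, EVERYONE)` only ever gets the onion-ring photo, the owner gets either, and `static_highlight(ALBUM_AB, [GROUP_A, GROUP_B])` returns None because no single photo is safe for both groups.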

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-09-21 12:16

wait:
i'm looking now at the random highlight module and it's supposed to obey permissions!
i'm trying to reproduce your issue in a test gallery on my system.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-09-21 12:22

update:

random highlight obeys permissions. it works. please give me "All Access" in your g2 on Album good, bad and both photos in them. before, i didn't have permission to see the permissions of the bad photo example.
i'd say your photo in the bad album has the permission to be publicly viewable, but i need to verify this.

 
nwnynwny

Joined: 2005-09-18
Posts: 9
Posted: Wed, 2005-09-21 22:07

I'd deleted the Album X example, but I just recreated it exactly as I had it. I've granted your account all access on Album X, Good, Bad, and the photos within. Instead of being on the front page, I've put it at the back of all my albums, so you can see the Album X thumbnail on page 7:

http://photo.humuhumu.com/v/?g2_page=7

Thanks so much for your tenacity with this!

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-09-21 23:41

i've tried to reproduce it on my test g2 install, the same structure.
album A
-- subalbum public (everybody view all access)
---- subsubitem public (everybody view all access)
-- subalbum private (everybody no access)
---- subsubitem private (everybody no access)

and album A shows always subsubitem public as highlight when logged out, and switches between public and private when logged in as admin.

you didn't make it easy for me to check your issue, you should have set the random highlight duration to 0...

but from what i see:
after logout, after 1 or 2 random highlight cycles, the private (bad) highlight is never seen again.
this could be explained with the g2 permission cache...or not.

so i'd say: a user who doesn't have permission to see an item will never see it as random highlight. not even in your G2.
to test this theory, close all browser tabs / windows that show your website, then clear your browser cookie cache (or just delete the GALLERYSID cookie for this website) and then go as guest to your page and keep hitting refresh.
i'd set the random highlight timeout to 0 such that you can test faster.

 
nwnynwny

Joined: 2005-09-18
Posts: 9
Posted: Wed, 2005-09-21 23:50

Sorry about that, I didn't realize it went to 0 -- I'll give it a whirl.

 
nwnynwny

Joined: 2005-09-18
Posts: 9
Posted: Thu, 2005-09-22 07:15

You're right! Thanks so much, what a relief. After logging out and restarting the browser, it works properly; Guest mode didn't reflect what Guests were actually seeing. I had tried logging out, and thought that I had seen the taboo images; perhaps as you say it was a cache issue, and sometimes logging out isn't sufficient.

Thanks again for taking the time to work through this with me -- I'm very sorry about the 1 minute lag you were having to deal with.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-09-22 09:20
 
RwD

Joined: 2005-01-09
Posts: 383
Posted: Thu, 2005-09-22 10:25

Reading this discussion gives me the question if the permission handling is done at the right place and in the right way.

  • I can very easily have my theme use an acting user id that has admin rights if I want to (I haven't tested if it then also works, but I *assume* it would). I don't think that should be that easy. You should only be allowed to use acting user ids of users who have less rights than the logged in one, or at least use the most restrictive rules of all user ids specified.
  • Pictures that I am not allowed to see should not be displayed even though I ask for them specifically, even though my theme got an acting user id with all rights when I'm logged in with too little rights. Could that not be arranged at the picture level? The picture would simply show the broken picture image or something when you ask for bad pics...

Am I making sense?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-09-22 10:40

- the actingUserId is just a preview, a feature that should show what a guest sees. it doesn't work for all features of G2.
- the actingUserId is either the user or guest. that stuff is handled in GalleryTheme.class function loadTemplate

with a theme, you can do whatever you want. you can ignore permissions etc. if you want to ignore them, it's up to you. if you want to change the active user, it's up to you.
after all, the theme decides exactly what to show. and by default, it shows what the active user is supposed to see.

it is no security hole or something like that. you created the theme or decided to use it. it's part of the program.

 
RwD

Joined: 2005-01-09
Posts: 383
Posted: Thu, 2005-09-22 12:57

Permissions aren't meant to be broken in my humble opinion :P

Unfortunately if you want to enforce the permissions for users you would have to check the permissions of the logged in user every time and verify the login as well. I guess that will be an extra load on the server that nobody wants to have.

ps
The "Create link" option does display when I use the guest preview on photo pages. I already figured out it doesn't show when I actually log out, but it was weird anyway to see it in guest preview mode...

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-09-22 13:05

- the API respects the permissions.
- there are API calls which ignore permissions deliberately.
- a theme is part of the source code and has access to the API

we can't respect the guest preview mode in all places of g2, as i said. some small architectural changes would be needed to make that happen.

talk to mindless or bharat on #gallery, if you want to argue about permissions. it's just my opinion here, i don't have a problem if it gets changed.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-09-22 16:41

actually, i agree.
the API shouldn't accept any other actingUserId than guest or activeUserId (easy to implement).

does any other user than guest or activeUserId make sense? IMO no.
as root / admin, you may want to see what group x or user y sees, but that's not that important right now and it's not offered as a feature.

RwD, could you file it as a, hmm, bug? that all functions that accept a userId should compare the userId with activeUserId and anonymousUserId and return permission denied if it's another userId.

a theme / module other could still change the activeUserId manually though. that's hard to prevent.

 
RwD

Joined: 2005-01-09
Posts: 383
Posted: Fri, 2005-09-23 07:37
valiant wrote:
RwD, could you file it as a, hmm, bug? that all functions that accept a userId should compare the userId with activeUserId and anonymousUserId and return permission denied if it's another userId.

Sure, can do. I'll do it as soon as I have a minute of spare time.

valiant wrote:
a theme / module other could still change the activeUserId manually though. that's hard to prevent.

Gallery is a big collection of scripts using a db that does not enforce any kind of rules you would need to implement this feature. Therefore it is impossible to lock out a theme completely. If I really want I'll add modified functions to my theme that will give me the results. So 100% security will never happen...

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2005-09-23 11:01

gallery a big collection of scripts? who do you want to offend? lol
there are just 3 scripts in G2. index.php which redirects to main.php. main.php which is the entry point. and bootstrap.inc which instantiates $gallery. the rest are mainly classes and 2 functions in init.inc :)
arg, it must seem i have too much time :)

 
lightpainter

Joined: 2005-11-25
Posts: 64
Posted: Fri, 2007-11-23 14:27

I know this is an old thread, but it's still 100% relevant so I am using it.

I have a login-restricted subalbum for a client's pictures, and don't want them appearing on the homepage, which is set to display random highlights from the subalbums.

I therefore have the exact same problem that was described before, and I am using the very latest Gallery 2.2.3. It doesn't matter if I use a completely different computer, going to the site without logging in at all, and where I have never logged in. I still get the random highlight showing the image from a restricted subalbum on the front page, even though that album is not visible in the albums page it leads to.

It would seem that if I use the site in Admin mode, which permits the image to be generated, it is then available in a cache to ALL users as a random highlight. If I was to log out as Admin it may well disappear from this cache again, but every time I log on, it will be 'unlocked' and added back to the available cache again next time it is randomly generated. Considering how frequently I am logged on, this is a real problem. I'd rather not turn off the random highlight for the front page, but until there is a fix, I guess I'll have to.

I'm a bit surprised this is still an issue 2 years later, or is there something I am missing?

If you see a picture of some surgery on the homepage, that will demonstrate the problem, that should be restricted. The album and images are all set to be viewable only to a specific user account. I have set the RH generation time to 0, and the surgery image has about a 1/3 chance of coming up.

-----------------------------
www.lightpainter.co.uk

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2007-11-23 14:30

The issue has been fixed a long time ago and is not present in Gallery 2.2.3 with 2.2.3's randomhighlight module to our knowledge.
Please post _exact_ steps to reproduce (what albums, subalbums, items to add, what permissions each album / item / subitem has), what result you're experiencing as a logged out user and what you'd expect.
Also note that "guest mode" isn't the same as being logged out. The guest mode is just an approximation and might show some things that are visible to the user you're logged in as.
Thanks.

--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage

 
lightpainter

Joined: 2005-11-25
Posts: 64
Posted: Fri, 2007-11-23 16:07

Thanks for the rapid response Valiant!

OK, done some testing and it seems to be reproducible.

I have the album structure
Gallery
- Main (Random Highlight (RH) on)
-- Landscapes (Everyone views-resizes) (Random Highlight on)
-- Surgery (user 'Surgery' views All sizes; No permission for anyone else) (Single image set as highlight for Surgery album)

When logged in as Admin on PC1, Gallery has a 50:50 chance of showing a landscape image or the restricted surgery image, as expected.

On a separate PC (PC2), NOT logged in at all, I do not see the surgery image unless it has been generated in the current RH interval. If I refresh PC2 after the RH interval has passed, the restricted image does not reappear.

If I refresh PC1 and PC2 simultaneously, and the restricted image is generated on PC1, it will also appear on PC2.

I have checked the permission on the restricted image itself, and it is the same as the album, ie only visible to user 'Surgery'.

Can you reproduce this?
-----------------------------
www.lightpainter.co.uk

 
lightpainter

Joined: 2005-11-25
Posts: 64
Posted: Fri, 2007-11-23 17:28

After doing some more testing, it is rather curious.

The above observations were done on a RH interval of 0.
If I change it to 1 min, and refresh the 2 PCs simultaneously, then the restricted image still occasionally shows on PC2, when it is shown on PC1, but it is much less likely to do so. When it is shown on PC1, it has a much shorter life (not 1 min), and another refresh straight after will cause the image to change. The unrestricted images do persist for 1 minute as expected.

Could it be that the restricted image is in fact generated, but the RH timer is reset immediately so it runs again on the next call, to get another image?

This still leaves the possibility, even if low, of a restricted image appearing on the home page if someone happens to open it at the same time as an admin or authorised user, before the RH re-runs. Assuming the RH is only triggered by a page request, then it would have to coincide with home page being viewed as Admin/ authorised user AND bringing up the restricted image, a very low-risk scenario in practice, especially if there were lots of unrestricted albums compared to restricted.

Still, if the restricted images were highly sensitive, like the first poster's nekked self-portraits (!), it could be damaging. It would be better if the RH could not access restricted images at all, including from admin accounts, than risk this.

-----------------------------
www.lightpainter.co.uk
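
A constructed simulation, added here and not the randomhighlight module's code, of the timing lightpainter describes above: a highlight cache shared by all visitors lets an admin page load pick a restricted photo that a guest then receives within the same interval, whereas a cache keyed by the viewer's permission scope never serves it. The photo and group names are assumptions modelled on the Landscapes / Surgery setup in the thread.

```python
import random
# Constructed simulation of a random-highlight cache, added as an example;
# not Gallery 2's randomhighlight module.

EVERYONE = frozenset({"everyone"})
ADMIN = frozenset({"everyone", "surgery", "admin"})

# Photos under "Main" with the groups allowed to view each (constructed).
PHOTOS = {
    "landscape-1": EVERYONE,
    "landscape-2": EVERYONE,
    "surgery-1": frozenset({"surgery"}),
}

def viewable(viewer_groups):
    """Photo names this viewer may see, in a fixed order."""
    return sorted(n for n, g in PHOTOS.items() if viewer_groups & g)

class SharedHighlightCache:
    """Flawed: one cached highlight per album, chosen by whoever loaded the
    page when the interval expired, then served to every later visitor."""
    def __init__(self, interval, rng):
        self.interval, self.rng, self.entry = interval, rng, None

    def highlight(self, viewer_groups, now):
        if self.entry is None or now >= self.entry[1]:
            pick = self.rng.choice(viewable(viewer_groups))
            self.entry = (pick, now + self.interval)
        return self.entry[0]

class PerViewerHighlightCache:
    """Fixed: cache keyed by the viewer's permission scope, and a cached
    choice is re-checked against the requesting viewer before reuse."""
    def __init__(self, interval, rng):
        self.interval, self.rng, self.entries = interval, rng, {}

    def highlight(self, viewer_groups, now):
        entry = self.entries.get(viewer_groups)
        stale = entry is None or now >= entry[1]
        if stale or not (PHOTOS[entry[0]] & viewer_groups):
            choices = viewable(viewer_groups)
            if not choices:
                return None  # nothing viewable: no highlight rather than a leak
            entry = (self.rng.choice(choices), now + self.interval)
            self.entries[viewer_groups] = entry
        return entry[0]

def guest_leaks(cache_cls, trials=200, seed=7):
    """Admin loads the home page, a guest follows a second later within the
    same interval; count how often the guest is shown a restricted photo."""
    cache = cache_cls(interval=60, rng=random.Random(seed))
    leaks = 0
    for t in range(trials):
        now = t * 60  # each trial starts a fresh interval
        cache.highlight(ADMIN, now)
        seen = cache.highlight(EVERYONE, now + 1)
        if seen is not None and not (PHOTOS[seen] & EVERYONE):
            leaks += 1
    return leaks

if __name__ == "__main__":
    print("shared cache leaks:", guest_leaks(SharedHighlightCache))
    print("per-viewer cache leaks:", guest_leaks(PerViewerHighlightCache))
```

The shared cache leaks roughly one trial in three (the admin's one-in-three draw of the surgery photo), the per-viewer cache leaks none, which is the "RH could not access restricted images at all" behaviour the post asks for.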