Protecting Album images with htpasswd while keeping Albums and thumbnails public
CAJohnson
Joined: 2005-10-06
Posts: 14 |
Posted: Mon, 2005-10-31 19:19 |
I searched the forums for an answer to this issue and while some posts got close none seemed to quite solve it. If I missed something and the solution is well known, accept my apologies. The problem that was brought to me was this: In Gallery 1.4x to 1.5.1: How do you protect all the images in the Albums directory, while keeping the albums themselves and all the thumbnails viewable to the public, using htaccess/htpasswd? The solution I came up with was to move the view_photo.php file to a subdirectory of the Gallery directory [eg, gallery/secure], and use htaccess to protect that directory. Then you secure the albums directory in such a way that only Gallery can access it,as discussed in this thread. This allows Gallery to display all non-hidden albums and thumbnails, but when a visitor clicks on any thumbnail, the htaccess log-in dialog pops up. Once they log-in they can browse thru the galley with no further ado. To implement this I took the following steps: 1) move view_photos.php to the new subdirectory. 2) modify this line in view_photo.php: Quote:
require_once(dirname(__FILE__)) . '/init.php'); to this: Quote:
require_once(dirname(dirname(__FILE__)) . '/init.php'); This allows view_photo.php to find the init.php file it needs. 3) make the same change to: Quote:
include(dirname(__FILE__)) .'/js/fitToWindow.js.php'); 4) change mod_rewrite.template in gallery/setup In the RewriteRules one finds the string: Quote:
$GALLERY_URL/view_photo.php?set_albumName=$1... -- that is not the whole line BTW, just the key fragment. Insert the name of the directory where view_photo.php now lives into the path, like this: Quote:
$GALLERY_URL/secure/view_photo.php?set_albumName=$1... in both lines. Since it appears to me that Gallery uses mod_rewrite its the sole way to find view_photos.php, that is the only change needed to make it accessible. 5) Create an htaccess file per the thread above, using either mod_rewrite or deny,allow and place it in the albums directory to protect all albums, or in specific album subdirectories to protect only them. All protected albums will protected by the same htpasswd file however. 6) Disable slide shows. Slide shows access images independently of view_photos.php and will display them even if it is protected. If you need slide shows (and who does really?) more work it is needed. 6a) Move slideshow.php to the folder with view_photos.php. Quote:
makeGalleryUrl('slideshow.php' which you change to: Quote:
makeGalleryUrl('secure/slideshow.php' It must be changed several times in each file. It is a pain and if you don't know at least a little PHP I wouldn't try it. Better to do without slideshows I think. You might even want to move or rename the slideshow file to prevent it being accessed directly. I have been messing with this implementation for about a week in a test installtion of Gallery 1.51, and so far it has worked fine, with the one exception noted below. My purpose here is to suggest this solution and ask if there is anything horrible I have overlooked in implementing it. While I have been using Gallery for about 2 yrs, I'm not a programmer [not since my Fortran days and we used punch cards back then] and knew nothing whatsoever about Php and not much about htaccess until this issue was brought to me. So I all too aware that there may be good reasoms why do this is a bad idea. I respectfully request feedback on this idea and a solution, if possible, to 2 issues: 1) can someone tell me how to use mod_rewrite to point all the gallery apps to the new location of slideshow.php [or any other file that I might need to move] so changing all those paths manually is not necessary? 2) A larger issue I already posted about in this thread: securing the Albums directory using mod_rewrite works great for images, but doesn't work for video files. If you have a solution for that, please post it over there, with a pointer here. Related issue. While I was working on this, a related issue came up: how do you protect different catagories of albums under the main albums directory? For example: if you had users you wanted grant different levels of access to -- no albums, some albums, all albums -- but want the albums with album highlights and descriptions generally visble, how do you do it? In Gallery 1.5.5, at least, this takes much more work. I won't go into it here except to outline what I experimented with. Again the solution depends on whether you need to use htpasswd or not. If you don't, you can use the Gallery permissions system and the register function to create users and give them access to the albums you want them to see, by setting the album permissions to accordingly to LOGGEDIN or to specific users. To make the Album Highlights and descriptions etc visible to everyone, make a new php file based on search.php that will find the albums of each catagory you have and display them, hidden or not. Call the new search file from a link on your main gallery page -- or another page -- using a searchstring token, (eg: new_search.php?cat=poweruser, where cat is the name of the search variable and poweruser is the value being searched on) and the visitor will see all the albums in that catagory -- you can make it look just like the Gallery main page if you try -- but to view the contents, he will have to log in. See this thread on how to make a nice log-in link to do this. If using htpasswd is required, things becomes much more involved, but I think are still doable. The only way I can think of is to modify Gallery so that it puts all the resized images for each album subdirectory in their own subfolder. That is: for an album named Test, the all the images -- full size, resized and thumbnails -- would be in albums/test. Under this mod, full-size and thumnails are in albums/test but the resized images are in albums/test/Images. Then you can protect the resized images of selected albums with a specific htaccess/htpasswd file pair by placing the htaccess file in the Images subdirectory; setting the View Full-Sized Images permissions in Gallery to NOBODY; and protecting the whole Albums directory against direct requests with mod_rewrite. This turns out to be possible -- at least it seems to work in my test installation (subject the problem with video files, above -- but it is a lot of work. I can't imagine anyone would really want to do it and suspect there is a better way. For all I know Gallery 2 has this capability. [I don't run Gallery 2 because there seem to be some things I like that it doesn't do yet and it needs mySQL, which I don't support.] Obviously significant PHP coding is required (significant at least for a ignorant like me) so it is not for everyone. And once done, upgrading your version of Gallery and keeping these changes would mean doing it all over again, as the changes are extensive enough I doubt patches would cut it. But if you are interested, write or post and I will provide more details. I cannot however certify that my ideas or implementation are either sound or wise. Feedback and further insight are of course welcome. |
|