Our Geeklog Embedded photo gallery requires users to log in to contribute and manage their own albums, but anyone can view them.
Problem: Some users didn't restrict comments to LOGGED-IN users, allowing spambots to spam some photos with porn comments.
Solution: Very Simple 1-line code fix to globally prevent anonymous (not logged in) viewers from adding comments.
You'd think an Administrator, while editing permissions, could just edit this single comment permission in the top level gallery album and apply it to all sub-albums. Unfortunately, this unifies all child album props throughout the album tree, including ownership, who can add photos, etc. ...Not what I need at all...
To deal with this, a very simple patch was made to the "canAddComments" function in gallery/classes/User.php around line 276 which adds the requirement of a minimum of a LOGGED-IN user to post comments, even if the album accidentally permits EVERYONE to post comments.
For reference, the original canAddComments() method in gallery/classes/User.php around 276 is below:
    function canAddComments($album) {
        global $gallery;
        if ($gallery->app->comments_enabled == 'no') {
            return false;
        }
        if ($this->isAdmin()) {
            return true;
        }
        if ($album->canAddComments($this->uid)) {
            return true;
        }
        return false;
    }
The patched method is below and surrounded by comments:
    function canAddComments($album) {
        global $gallery;
        if ($gallery->app->comments_enabled == 'no') {
            return false;
        }
        if ($this->isAdmin()) {
            return true;
        }
        // Added $this->isLoggedIn() check to prevent the "not logged in"
        // anonymous user from posting comments, even if the album allows.
        // Jeffrey A. Hare 2007-10-09 Gallery 1.5.7
        // --------------------------------------------------------------
        if ($album->canAddComments($this->uid) && $this->isLoggedIn()) {
            return true;
        }
        // --------------------------------------------------------------
        return false;
    }
To scan for spam comments, I simply use the search box and simply search for: @
This allows me to scroll through all the comments in the gallery.
Let me know if you found this solution useful.
-Jeff Hare
Posts: 6818
Hi Jeff,
First... thanks for sharing this!
Second... Do you have an idea for the user interface to handle the problem I quoted from you?
Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6
Posts: 5
That's a question I've been wrestling with myself for years. The challenge is all about keeping the interface simple for the end gallery user. I'd like to be able to apply a minimum security template gallery wide though.
A form exactly like the permissions form (without the hierarchy checkbox) that lets an admin choose the minimum criteria/rule to globally apply for each permission might work just fine.
ie: for each kind of permission, be able to set a minimum user rule to:
Everyone, <<= unless album/photo restricts further, anyone can do/see this.
Logged-in, <<= unless album/photo restricts further, anyone logged-in can do/see this.
Owner, <<= unless album/photo restricts further, owners can do/see this.
Admin <<= unless album/photo restricts further, admins can do/see this.
NOBODY <<= to disable using that feature altogether?
I'd settle for a single gallery-wide minimum security level permission policy.
How might it work?
==================
If the Add Comments permission security RULE were set to LOGGED-IN as a minimum user for adding comments, anonymous people never see comment options but everyone else might depending on the album's settings.
If the owner changed the add comment setting to a list of her friends, then only those logged in friends would see comment options (like it is today).
On the other hand, the owner could still set it to NOBODY and hide comment options from everyone.
IMPLEMENTATION?
===============
It would seem like you should be able to follow an implementation strategy in the base User class similar to how I patched above. It would need to associate each permission with a class of user and test accordingly prior to calling the method in the derived class.
ie: isUserAllowed($some_permission) -> returns true if they are above the min. required user class level. This assumes that you can say: NOBODY, EVERYONE, LOGGED-IN, OWNER, ADMIN are in order of increasing permission authority.
Note that I spent less than 10 minutes total analyzing and patching in this comment spam solution (from the time I decided to do something about it), so there may be better ways of solving it. I really don't know the code at all. The fact that I figured this out so fast is a testament to the quality and structure of the product, not my skills.
Cheers!
-Jeff
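
Added example (not Gallery code and not the poster's): a sketch of the gallery-wide minimum-permission floor proposed in the post above, written for PHP 7.1+. The constants, `$minimumPolicy`, `userLevel()` and the signature of `isUserAllowed()` are assumptions; NOBODY is modelled here as a floor that no user class can meet, and a permission missing from the policy is denied.

```php
<?php
// Added example, not Gallery code; all names below are hypothetical.
// User classes in increasing authority.
const EVERYONE  = 0;
const LOGGED_IN = 1;
const OWNER     = 2;
const ADMIN     = 3;
// Assumption: NOBODY is a floor no user class can meet (feature disabled).
const NOBODY    = PHP_INT_MAX;

// Gallery-wide minimum per permission (assumed to come from admin config).
$minimumPolicy = [
    'add_comments' => LOGGED_IN,
    'view'         => EVERYONE,
];

// Highest class the current user qualifies as for the album in question.
function userLevel(bool $loggedIn, bool $isOwner, bool $isAdmin): int {
    if ($isAdmin)  { return ADMIN; }
    if ($isOwner)  { return OWNER; }
    if ($loggedIn) { return LOGGED_IN; }
    return EVERYONE;
}

// The global floor is checked first; the album's own setting can only
// restrict further, never loosen the floor.
function isUserAllowed(array $policy, string $perm, int $level, bool $albumAllows): bool {
    // Fail closed: a permission missing from the policy counts as NOBODY.
    $floor = $policy[$perm] ?? NOBODY;
    if ($level < $floor) {
        return false;
    }
    return $albumAllows;
}

// Constructed cases: [description, permission, loggedIn, isOwner, isAdmin, albumAllows]
$cases = [
    ['anonymous, album left at EVERYONE',     'add_comments', false, false, false, true],
    ['logged-in member, album allows',        'add_comments', true,  false, false, true],
    ['logged-in member, album friends-only',  'add_comments', true,  false, false, false],
    ['anonymous viewer, public album',        'view',         false, false, false, true],
    ['admin, permission absent from policy',  'vote',         true,  false, true,  true],
];
foreach ($cases as [$desc, $perm, $in, $own, $adm, $album]) {
    $ok = isUserAllowed($minimumPolicy, $perm, userLevel($in, $own, $adm), $album);
    printf("%-40s %-13s %s\n", $desc, $perm, $ok ? 'allow' : 'deny');
}
```

The first case is the misconfiguration the thread is about: the album permits everyone, but the floor denies the anonymous user before the album setting is consulted.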
Posts: 18
Is there now an easier way to prevent non 'logged in' users from commenting on your photos? I use gallery 1.5.6.
Posts: 6818
Hello,
You need to upgrade to 1.5.7 and then disable commenting in the config.
Jens
Posts: 18
Will that then allow ONLY 'logged in' users to comment on my photos?
Cheers
Posts: 6818
Hello,
This is a setting per album.
Jens
Posts: 5
This really begs the question...
"In today's climate of pervasive spam attacks, is there any good reason to permit just any anonymous user to add content in the form of comments or spam to your site by default??"
I'd venture an educated guess here that for the vast majority of Gallery Users, the right answer is no, and that the proper default behavior here should be less permissive.
I use Gallery embedded in a portal. The portal's membership can create/manage their own galleries. Out of our 1000+ members and 400+ photo albums over the past 3-4 years, not one of them ever managed to set their permissions properly, so I had to resolve this policy in software.
-Jeff
Posts: 18
I still don't see how I can only allow 'logged in' users to comment on my photos. I can see how to change voting to only allow logged in users to vote, but can't see the same option for comments. Please guide me to the correct part of either the album properties or the global config where I can change this.
Posts: 18
Ok, I've figured it out per album. It's in the permission section of the album options. Now how do I change the default settings for all new albums? I.e., only ever allow logged in users to add comments as default.
Posts: 5
Hello bignellrp,
The patch I listed above really boils down to adding the following extra test to the canAddComments function in file gallery/classes/User.php
This function asks three questions, and returns true if comments can be added and false if they should not be permitted.
If you just want to disable commenting altogether, just change the name of the old function to OLD_canAddComments and add this very simple replacement function instead:
Posts: 6818
Defaults for new albums are set in the config in step3.
Jens
Posts: 18
The step you mention only allows you to change all the album options from EVERYBODY to LOGGED IN.
It doesn't allow you to change one option, such as comments to LOGGED IN and leave the other options to EVERYBODY. I think I'll have to try the hack from above.
Posts: 6818
You are right. Maybe I will enhance the permission dialog in the setup.
Apologies,
Jens