Images available via URL

Tearabite

Joined: 2008-11-16
Posts: 7
Posted: Sun, 2008-11-16 15:47

Just installed G2.3 with Drupal 5.12 - everything went pretty well.

Gallery is restricted to select members. Non-members cannot access the gallery or any photo albums
BUT
The problem I have is that if someone knows the URL (image location) of an actual image in a gallery it is available to anyone.

Gallery2 is installed in /sites/all/modules/gallery/gallery2
Image locations are stored OUT of the web-root.

The URLs to images are in this format:
http://mysite.com/sites/all/modules/gallery/gallery2/main.php?g2_view=core.DownloadItem&g2_itemId=xxx&g2_serialNumber=2&g2_GALLERYSID=xxxyyyyyxxxxxyyyyxxxx8888999xxxxyyy

Have I missed a setting that is allowing the images to be available this way?

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Sun, 2008-11-16 17:26

Go to an album where you are seeing this problem. Click on Edit Permission, what are your permissions set to?
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

 
Tearabite

Joined: 2008-11-16
Posts: 7
Posted: Sun, 2008-11-16 17:37

permissions are as:
Mods [comment] Delete comments
Registered Users [core] View all versions
Registered Users [rating] All access
Registered Users [comment] Add comments
Registered Users [comment] View comments
Registered Users [core] Add sub-album
Site Admins All access

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Sun, 2008-11-16 18:15

Have you made sure that you were logged out and cleared your browser cache?

Can you send me a PM of one of those URLs that anyone can access? According to your permissions, nobody but registered users can view them. So if they logout then they shouldn't be able to view them unless it's in their browser cache.


 
Tearabite

Joined: 2008-11-16
Posts: 7
Posted: Sun, 2008-11-16 18:18

Yes - I'm actually using a different browser. I will PM a URL to you.

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Sun, 2008-11-16 18:26
Quote:
...&g2_GALLERYSID=xxxyyyyyxxxxxyyyyxxxx8888999xxxxyyy

To point out the perhaps-not-so-obvious - but if you include the Session Id in the URI and are also using the same IP address - for example a different browser on the same computer, or a different computer behind the same NAT firewall - and the admin session still exists in the gallery session table (i.e. unless you actively log out of the admin session), then the request will pick up the same user credentials as the administrator by "hijacking" the session (as I understand it).

So your test url could still be using admin permissions, even though it's on another browser.

This is not a real-world problem because the IP address will be different. However, you probably don't want to include the Session Id in urls that you post.
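The behaviour alecmyers describes (a session id pasted into a URL reusing the admin login from the same address, and failing from a different address or once the admin logs out), as an added example that is not part of this thread and not Gallery2's own code. The session store, request shape, IP addresses and the "only accept the id from a cookie" hardening are assumptions made for illustration; only the g2_GALLERYSID parameter name and the URL layout come from the original post.

```python
"""Added example (not Gallery2 code): a session id carried in a URL lets a
second client reuse the first client's login, and binding the session to the
client address limits that to clients sharing the same address (same machine,
same NAT). All data here is constructed for illustration."""
from urllib.parse import parse_qs, urlsplit
import secrets

SESSION_PARAM = "g2_GALLERYSID"  # parameter name seen in the URL in the thread
ADMIN_IP = "203.0.113.10"        # constructed: where the admin logged in
OTHER_IP = "198.51.100.7"        # constructed: an unrelated visitor


class SessionStore:
    """Minimal server-side session table keyed by session id (assumed design)."""

    def __init__(self, bind_to_ip=True):
        self.sessions = {}  # sid -> {"user": str, "ip": str}
        self.bind_to_ip = bind_to_ip

    def login(self, user, ip):
        sid = secrets.token_hex(16)  # fresh, unguessable id per login
        self.sessions[sid] = {"user": user, "ip": ip}
        return sid

    def logout(self, sid):
        # Once the admin logs out, the id in any copied URL is dead.
        self.sessions.pop(sid, None)

    def resolve(self, sid, ip):
        """Return the user behind sid, or 'guest' if it does not match this client."""
        entry = self.sessions.get(sid)
        if entry is None:
            return "guest"
        if self.bind_to_ip and entry["ip"] != ip:
            return "guest"
        return entry["user"]


def sid_from_url(url):
    """Pull the session id out of the query string, as a URL-carried sid would be."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None


def handle_download(store, url, ip, cookie_sid=None, accept_url_sid=True):
    """Decide whether a DownloadItem request is served.

    accept_url_sid=False models the hardened server: only a cookie-borne session
    counts, so a session id leaked in a posted URL grants nothing."""
    sid = cookie_sid
    if sid is None and accept_url_sid:
        sid = sid_from_url(url)
    user = store.resolve(sid, ip)
    # Permission model from the thread: registered users and site admins may view.
    allowed = user in ("admin", "registered")
    return user, allowed


def scenario(bind_to_ip=True, accept_url_sid=True, admin_logs_out=False):
    """Admin logs in, copies an image URL containing the sid, then the same URL is
    requested from the admin's own address and from an unrelated address."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    admin_sid = store.login("admin", ADMIN_IP)
    url = ("http://mysite.com/sites/all/modules/gallery/gallery2/main.php"
           "?g2_view=core.DownloadItem&g2_itemId=123&g2_serialNumber=2"
           f"&{SESSION_PARAM}={admin_sid}")
    if admin_logs_out:
        store.logout(admin_sid)
    same_host = handle_download(store, url, ADMIN_IP, accept_url_sid=accept_url_sid)
    other_host = handle_download(store, url, OTHER_IP, accept_url_sid=accept_url_sid)
    return same_host, other_host


if __name__ == "__main__":
    print("default          :", scenario())
    print("admin logged out :", scenario(admin_logs_out=True))
    print("no ip binding    :", scenario(bind_to_ip=False))
    print("cookie-only sid  :", scenario(accept_url_sid=False))
```

The first scenario reproduces the thread: the test browser on the admin's own address is served as admin, while a visitor elsewhere is treated as a guest and refused. Logging the admin out kills the copied URL everywhere, which is the check nivekiam asked for. Without address binding the leaked id works from anywhere, and refusing URL-borne ids altogether removes the problem regardless of who copies the link.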

 
Tearabite

Joined: 2008-11-16
Posts: 7
Posted: Sun, 2008-11-16 18:37

Excellent point about the SID (D'oh!).
I think this might be the case.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Sun, 2008-11-16 20:20

Yep, that link doesn't work for me at all.