Module: Album Passwords
|
rWatcher
Joined: 2005-09-06
Posts: 722 |
Posted: Fri, 2010-10-29 06:04
|
|
This module will allow users to assign a password to a public album. With this module enabled, registered users will be able to assign/remove a password to any album they have edit privileges on by using the Album Options -> Assign password / Album Options -> Remove password menu options. Once a password has been assigned, it will appear to be empty to Guest and other users, until the password has been entered in via the Enter password menu option. The album must be publicly viewable in order for the password to function properly (the View/Everybody permission must be checked). Also, this module does not block access to the contents of the protected album, it only makes the album look empty. As such, the album (and it's thumbnail) will still be viewable to the public, and accessing photos/subalbums through their URLs directly will also work (so be careful with dynamic pages like search, tags, latest updates, etc. as the photos in the protected albums will be accessible from these screens). This module has been tested against Gallery 3.0, and appears to work fine to me. If anyone more familiar with Gallery's permission system knows a way to completely hide an album and it's contents, let me know (I suspect there's something simple that I'm missing). But for the moment, making an album look empty is the best I've been able to come up with. --- |
|
Posts: 253
Tank you rWatcher for your module, very useful
As you say, it's not perfect but until then it as working (almost) :
Cannot assign or enter PW on Firefox mac 3.6.11, the button "save" or "login" does not seems to do anything, the pop up stays the same.
It is working well on Chrome and Safari.
Suggestion : would it be possible to have a pop up asking for the password instead of a having it in the navigation ?
-----------------
* Version: 3.0 (Santa Fe)
* Albums: 12
* Photos: 168
remove Platform information
* Host name:
* Operating system: Linux 2.6.18-194.11.3.el5
* Apache: Apache/2.2.3 (Red Hat)
* PHP: 5.2.6
* MySQL: 5.0.77
* Server load: Unavailable
* Graphics toolkit: gd
Posts: 27300
I am having the same issue a ptri. I can enter a password and save a password in Internet Explorer, but get a JS error. If I close the modal window and refresh the page I get a 'success' info dialog saying it was successful.
Sending you a PM of login info and URL, so you can see the behavior.
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 722
It's working fine for me under Windows with:
Internet Explorer 8
Firefox 3.6.9
Safari 5.0.2
Tested out both on my gallery and floridave's.
@floridave -- what version of internet explorer are you using?
@petri -- I think I'm seeing the same behavior on an older computer (Mac OS 10.3 / Firefox 2). I'm looking into a fix now, hopefully it's the same problem that the other browsers are having.
Posts: 722
I messed around with the JS code and the forms, this should fix everything (hopefully). If not let me know.
Posts: 253
Works fine for me now
Thank you rWatcher
-----------------
Gallery URL = http://www.coquille.org/gallery/main.php
Gallery version = 2.3 core 1.3.0
API = Core 7.54, Module 3.9, Theme 2.6, Embed 1.5
PHP version = 5.2.6 apache2handler
Webserver = Apache/2.0.52 (CentOS)
Database = mysql
Posts: 27300
Works for me now as well.
Cheers for this rWatcher!
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 2
Good module, but some things for improvement:
- when i protect an album, the album title picture is still show, which is normaly a picture from the album. A "protected" Picture would be great.
- is it possible to hide the protected folder, not only the pictures?
- the protected pictures are shown in the slideshow!
Togeis
Posts: 722
I've made some updates to this module:
- Increased the version number to 2.
- Re-wrote the code to hide the album (and by extension it's thumbnail) instead of the contents of the album.
- Removed the ability to protect the root gallery album (this is kind of pointless now that the album no longer appears to be empty).
- Added an admin screen with an option to choose between hiding albums only (the album is accessible without the password if you know the URL) and denying access to the protected areas (users without the correct password get Gallery's 404 error when trying to access the albums and their contents).
Be aware that protected albums and their contents are still viewable from dynamic pages (search, tags, latest updates, etc.) which will potentially allow users to view the thumbnails of the albums/photos/videos even if they can't access the items directly. Also, denying access completely does not extend to accessing images directly through their www.example.com/gallery/var/albums/somefile.jpg urls.
Posts: 5
Hi, thanks for this module!
But honestly I'm a bit confused about its functionality:
What I want to do is basically the old Gallery2 password protection: E.g. I create an album with photos from my last birthday party. Then I password-protect it and send the album URL together with the password to my friends. They open the URL, enter the password in an input field, submit the password and then see the photos.
To use this module someone must be both a registered and logged in gallery user, and then enter the album password through a link in the menu to finally see and access the album? Does this make sense? Or am I wrong, and it's possible to get the old Gallery2 password protection?
Posts: 394
I second that. G2 password protect albums was perfect and simple.
Posts: 693
I didn't use G2 (too complex) but I agree with these comments. In fact I'd go further. I'd like to be able to send someone a URL with the password embedded in it so that they don't have to enter it. This would be close to the idea of a "guest pass" that Flickr uses.
U-G
Posts: 394
It seems like a module to simply use the htaccess file to assign a password would be a fairly simple solution.
As far as having requiring client's be registered, then logged in, and then enter the password is just not going to work.
I agree again that a simple password is the best way to go. One reason is that my clients may only hit my site while I'm working with them, and then not ever hit it again. There is no reason to have them become part of the Gallery 3 experience by registering etc.
One better step would be to allow Admin to assign a user name and password, like it is now, but not to require the user to register, just simply use the given user name and password.
That way admins could keep track of all users and have instant accessibility to their user name and password. I've had multiple requests that "I forgot my password." G2 didn't store that information in an easy to locate area, although resetting the password was easy.
Posts: 54
Hi rWatcher,
I found one problem when interacting this module and the downloadalbum module. Actually this is something to be corrected in the downloadalbum module, but I would ask your help.
The problem is when:
- I have an album with subalbums and
- I protect one of the subalbums with your module and
- someone downloads the full album (with subalbums) as .zip using the downloadalbum module, without entering the password (so the downloader does not have access to the protected album). I this case the protected album is also zipped and sent to the user but it should not.
I would like to find a way to correct this.
Here the part from downloadalbum module where the files to be zipped are collected (from modules\downloadalbum\controllers\downloadalbum.php):
... /** * Return the files that must be included in the archive. */ private function getFilesList($container) { $files = array(); if( $container instanceof Item_Model && $container->is_album() ) { $container_realpath = realpath($container->file_path().'/../'); $items = $container->viewable() ->descendants(null, null, array(array("type", "<>", "album"))); foreach($items as $i) { if (!access::can('view_full', $i)) { continue; } $i_realpath = realpath($i->file_path()); if (!is_readable($i_realpath)) { continue; } ...Here in this foreach all $items are checked if the user has access to its fullsize ('view_full' permission) or not. This should be extended with some check against the albumpassword function, because now this !access::can('view_full', $i) lets pass thru the password protected items also, therefore those files will be in the result .zip file.
So could you help me how to verify if an item is password protected?
Thanks in advance,
JM|Tomi
Posts: 3
Hello rWatcher,
Are you still alive?
Posts: 28
So,
this isn't really "protecting" the images? I we can hotlink directly to the image and get access to it?
Also, found a bug (i think) I created a folder called "clients" then a subfolder for a client. Set the password on the subfolder. It hides it. I enter the password. I then try to click to view the full size image....and i get the "oops something went wrong screen"
Posts: 722
Basically, here's how this module works:
- A _registered user_ creates an album, uploads some photos, and then assigns a password to the album using the "Album options -> Assign password" menu.
- The album will then be hidden to anyone except the album owner and admins.
- Anyone else (other registered users, and guest users without an account on the gallery) can then enter in the password by clicking on the "Enter password" link towards the top center of the page to gain access to the photos.
- Once a password has been entered, the user will have a "Protected albums" menu at the top of the screen with links to the album or albums that the password protects.
Alternately, the module can be put into "hide only" mode from the admin settings screen, in which case anyone with a direct link to a protected album or photo can view the items without the password.
At the moment, this module only controls access to gallery generated pages (album/photo/movie view pages). It does not control access to the actual photo in the /var directory. Anyone that knows the actual url to the photo could still view it that way, and photos can be directly hotlinked to. I may fix this later.
That is a bug between this module and the 3.0.1 release. I have worked out a fix that involves modifying a core gallery file, I'm still trying to figure out if there's a better way to do it though.
Posts: 722
Here is the latest version of AlbumPassword:
- Increased version number to 3
- Fixed all known bugs between this module and Gallery 3.0.1
- Re-wrote the hide code to filter out protected items from search results and other dynamic pages.
Known Issues:
At the moment, this module only protects files from within Gallery's web interface. Photos can still be linked to directly via urls like www.example.com/gallery/var/albums/somefile.jpg .
Upgrade Instructions:
Transfer the new albumpassword folder to your gallery/modules folder and run the www.example.com/gallery3/index.php/upgrader to upgrade the module to version 3.
Once you've upgraded the module, you will need to log in as an admin and run a Maintenance task called "Rebuild Album Password ID Caches DB" -- any albums protected with an older version of this module (version 1 or 2) will be publicly accessible until this task is run. Afterwards the module will work as normal. You do not need to run this task if your installing the module for the first time.
Posts: 5
I noticed v2 and Gallery 3.0 worked exactly the way I wanted it to.
I would share the URL to a private gallery and all items and sub-galleries would be displayed.
With the upgrades to Gallery 3.0.1 and v3 of Album Password. The private URL now does not display any items or sub-galleries. Am I missing something with permissions?
I get the message : There aren't any photos here yet!
All-in-all the module is great! Just what I need!
Posts: 722
This is actually how version 1 was designed to work (albums appear to be empty until a password is entered, but you can link directly to a photo view page without requiring a password). I'll have to see about tweaking the code some to restore v2 functionally when in "hide only" mode.
Posts: 5
Ahh I thought I was missing something. Typically, in the past we would show our clients their gallery just by linking to their URL.
After using the password system, I have to say...I liked it. It is just different than how we have done things for the last two years.
Thank you! Great work!
Posts: 3
Hi !
First, please excuse my (very) bad english. And thank you for your work.
I've got the same problem than savo, but when I try to download your file, I get the version 2... So I can't resolve the bug.
Where can I download the module in version 3 ?
Again, thank you !
Posts: 5
http://gallery.menalto.com/files/albumpassword.zip
Or try using...
www.yourgallerysite.com/upgrader
- this will check for updates to all your modules.
Posts: 3
The upgrader says that everything is ok, but it keeps me in version 2...
So I tried to download the file using another PC, and it worked ! Now I have the version 3.
Very strange isn't it ?
Thank again
Posts: 16504
Sounds more like a browser cache issue to me.
____________________________________________
Like Gallery? Like the support? Donate now!
Posts: 3
I think so. I tried from the first PC and again, I get the version 2...
I hope that will be usefull for other users.
Posts: 16504
Clear your browser's cache.
____________________________________________
Like Gallery? Like the support? Donate now!
Posts: 722
I've modified the albumpassword code so that, when in "hide only" mode, the module will automatically log the visitor into the protected album when they access it's url. This way visitors will be able to see the contents of the album when they access it's url directly. Does this provide the functionality you were looking for?
Posts: 5
Wow...you're awesome.
Looks like it does the trick.
I do like how once you visit a direct link you retain access to the hidden album you visited directly. (That make sense?)
If you visit more than one direct URL anything previous becomes hidden again.
Thank you!!!
Posts: 693
I haven't used this module (so far), but I do like the sound of this. It sounds very close to the Flickr "Guest Pass" system. http://www.flickr.com/help/guestpass/
I wonder if it could me made even closer.
U-G
Posts: 2
Hey, thanks so much for the great plugin rWatcher!
I have a question though (and after searching, I wasn't able to find anything to help me out with this specifically). I'm wondering how I would accomplish implementing the album password protection login on a custom page - not inside of Gallery. Here's what I'm wanting: a login button on my home page (which is separate from Gallery) that will bring up the login form - exactly (or similar) to the way it works when you click on "Enter password" inside of Gallery. Once you enter the password, you'll then be taken to the Gallery. And if possible, when someone clicks "Clear password" it would then take them back to my home page. Also, what would it take to have it so that if the person has submitted their password and then navigates back to my home page, that it would remember the password and they wouldn't have to login again?
I'm just now trying to figure Php out - so I'm extremely "green" as far as that goes. And I'm not sure what the solution to my questions entail... But I'd really appreciate help from anyone. I'm running Gallery 3.
Thanks!
Posts: 722
It's not designed to be used outside of Gallery, you'd have to modify the album password code to accomplish any of this.
You could maybe accomplish some of this by modifying the modules/albumpassword/controllers/albumpassword.php. The checkpassword function handles logging in, if you remove the verify_csrf code you'd probably be able to log in from a login form outside of Gallery. The logout function controls logging out, you could probably insert some kind of PHP url redirect command into the end of it do send people back to your home page.
Posts: 2
Alright, well thanks for the tips. I might try to work on that later.
However, now I've got another question. I noticed that when you search (even when you're not logged in with a password) that you can see the thumbnails for the pictures that are supposed to be protected. Then when you click on the thumbs, it takes you to the "Oops, page not found" Login page. Is this the way you designed it to work?
I've come up with a solution to work around this...but I'm just curious. Basically I'll have the search bar hidden when you're not logged in. Thanks again.
EDIT
I actually just realized that my solution doesn't work.... whenever someone logs in and searches, they will still see the other people's photos. Is there a way to completely hide pictures and thumbs that are protected with the password?
Posts: 722
Are you using the latest version of the AlbumPassword module (Version 3)? This should have been fixed with the version 3 release. Also, if you upgraded from version 2 or older, there's a maintenance task that needs to be run:
Posts: 20
I installed the module. It's working as described. Thanks very much.
At first, I thought because the album doesn't show up, Google will not able to index the images. However, I just realized /var is directly accessible through HTTP. "http://www.example.com/gallery3/var", this link displays the list of directories. I think this is better to be protected by g3.
Posts: 16504
Gallery does protect that directory and it's contents if you've told Gallery to by using Gallery's permission system and setting permissions on albums by requiring people to log in.
If you don't want directory browsing to be enabled you should disable that.Try checking Google for an answer:
http://www.google.com/search?q=disable+directory+browsing+htaccess
Google is your friend
____________________________________________
Like Gallery? Like the support? Donate now!
Posts: 16504
Oh and I meant to add:
FAQ: Are my photos secure? They're right there on my website!
____________________________________________
Like Gallery? Like the support? Donate now!
Posts: 5
There appears to be case sensitiviness bug somewhere in the version 3.
If I set a album password to be "Dipadapada" it's ok and works fine, but when a guest enters password "dipadapada" the hidden folder appears on the main page.
However, if the guest user now clicks on the Album image to enter it, he get's an error message saying that page may exist but requires a login.
So it seems to me that password checking has two implementations in the module and one of them (on the main page) is case insensitive and other one is case sensitive.
I've configured the album password for not only to hide albums, but to prevent access to them via direct links.
Posts: 34
I have version 3 of this module installed, but it just doesn't seem to do anything. I've made sure that hiding is set to Nobody, went into an album and assigned a blank password which is accepted, but the album still shows up on my main page. I don't get any errors or anything either..
AllowOverride FileInfo is enabled cause it would complain before..
Am I maybe missing some other Apache type setting or something?
Thanks!
-RT
Posts: 121
I have tried to assign a password but I cannot see where you do this.There is a link on the menu which states enter password . If I do any password is rejected.
Posts: 5
Sure, but that's the link where visitors give password for exposing hidden albums.
You can assign password by opening an album and clicking Album options -> Assign Password
Posts: 2
Hi rWatcher first off there is no problem with this module, works perfectly, great job. However I would like to modify it to suit my needs a little better, but I need some direction/assistance from you if possible. Here is what I am aiming for...
1. I don't want albums hidden if they have a password.
2. I would like the password box to pop up when a passworded album is clicked on.
3. Remove the menu 'Enter Password' as not needed see number2.
4. A little lock icon on the album to indicate that album is a locked / password. Not really necessary but would be nice touch.
I have read previous post and it sound a little like a previous version perhaps. Would this be difficult to achieve? Any assistance/advice would be great.
Posts: 64
Great work! Appears to work flawlessly as far as I've tested it, well done. Two things, though: While it would lower security a little bit, would it be possible to have the "Enter password" button visible only when there actually is something to unlock? I find it a bit distracting to always have it present. Also, the button's function would be easier to understand if its label was something like "Show hidden items" or "Unlock hidden albums" or just "Unlock", "Show all" etc., since that would describe its functionality more accurately.
Anyway, thanks for your work!
Pi
Posts: 2
3.13159,
If you would like to change the title of the menu tab just modify the code. In the folders open ablumpassword > helpers > albumpassword_event.php and find line 37
->label(t("Enter password")));Change Enter Password to:
->label(t("Unlock Hidden Albums")));Save and upload, replace current version.
That's it.
Posts: 722
Fixed. Passwords are no longer case sensitive -- There is a maintenance task ("Fix Password DB Casing") that will need to be run in order to correct existing passwords.
I've re-named the button to "Unlock albums" -- does that work better for everyone?
Posts: 84
I encounter a problem when I assign a password or unlock albums, both will show a dialogue box for me to enter password. After I input password and press Enter, return message (like an encoded URL) is still in the same dialogue box and the dialogue box is still there.
Posts: 722
What web browser are you using? It's possible it could be some kind of browser specific issue.
Posts: 84
Firefox 4 and Chrome 10 have the same problem. I always download the last code from github.
Posts: 722
I'm not able to reproduce this problem under Windows with Chrome 10. I'm downloading Firefox 4 now, I'll see if I can reproduce the issue with that in a few minutes.
Does "I always download the last code from github" include this module? Because that wouldn't be the latest code (unless you downloaded it from my github account). This is the absolute latest version of the module:
http://gallery.menalto.com/files/albumpassword.zip
Edit:
Firefox 4 / Windows works fine for me as well. Could you try re-uploading the module? Maybe one of the files didn't transfer properly.
Posts: 84
Album password module does download from http://gallery.menalto.com/files/albumpassword.zip.
It seems that no one encounters this problem, so I will try to install a clean gallery 3 and enable as minimum modules as possible to test again.
Posts: 84
Install a fresh gallery3 and only add album password module. The problem is still existed.
Please see attached files.
P1.png : Set a password to an album.
P2.png : The window doesn't close and show the strange URL.
P3.png : Press "Reload" on browser, it shows correct result.