Tickets :: [#9178] guest photo download fails

6.0.0-beta1

8/12/25

Summary	guest photo download fails
Queue	Ansel
Queue Version	1.1.1
Type	Bug
State	Resolved
Priority	1. Low
Owners
Requester	mmartin (at) mnet-online (dot) de
Created	08/16/2010 (5475 days ago)
Due
Updated	09/11/2010 (5449 days ago)
Assigned	08/16/2010 (5475 days ago)
Resolved	09/10/2010 (5450 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	Yes

09/11/2010 07:02:45 AM	mmartin (at) mnet-online (dot) de	Comment #8	Reply to this comment
I guess this can be closed then? ok, thx

09/10/2010 04:58:51 PM	Michael Rubinsky	State ⇒ Resolved

09/10/2010 03:34:50 PM	Jan Schneider	Comment #7	Reply to this comment
I guess this can be closed then?

08/17/2010 02:50:10 PM	Michael Rubinsky	Comment #6	Reply to this comment
i think this is already there, in the gallery settings, You have the setting 'Who should be able to download (original) photos': - everybody - logged in users - users with read permissions (backtranslated from german :-) i thought the permission check in download checks then this setting This determines if a user can download the original image file (the full-size file that was originally uploaded) instead of the resized image that is used in the image view. This is different then allowing zip downloads. Creating, and then transferring, a zip file that could conceivably contain every image in the gallery is not a good thing to allow the world to do.

08/17/2010 07:43:20 AM	mmartin (at) mnet-online (dot) de	Comment #5	Reply to this comment
The idea is to prevent downloading of zip files by guests in order to prevent potential DOS attacks. Generating and downloading the zip files is very resource intensive, and for large galleries, having the world be able to do this is probably not a Good Idea. I'd be willing to make this an additional permission on Ansel, so it has to be explicitly allowed. "Allow guests to download zip files" or something similar. i think this is already there, in the gallery settings, You have the setting 'Who should be able to download (original) photos': - everybody - logged in users - users with read permissions (backtranslated from german :-) i thought the permission check in download checks then this setting

08/16/2010 06:07:38 PM	Git Commit	Comment #4	Reply to this comment
Changes have been made in Git for this ticket: MFB: Don't show download as zip link if we can't actually do it. ~~Bug: 9178~~ http://git.horde.org/diff.php/ansel/lib/View/GalleryRenderer/Gallery.php?rt=horde-git&r1=a0662bb9e501771ae1fdb966f7331dedd19b5ece&r2=5f3efa958b10d85e88e4395374b3c6ebdf188bc0

08/16/2010 06:03:48 PM	CVS Commit	Comment #3	Reply to this comment
Changes have been made in CVS for this ticket: Don't show the download images as zip link if we can't actually do it. ~~Bug: 9178~~ http://cvs.horde.org/diff.php/ansel/lib/Views/GalleryRenderers/Gallery.php?rt=horde&r1=1.29&r2=1.30&ty=u http://cvs.horde.org/diff.php/ansel/lib/Views/Image.php?rt=horde&r1=1.86&r2=1.87&ty=u

08/16/2010 05:57:34 PM	Michael Rubinsky	Comment #2 State ⇒ Feedback	Reply to this comment
The idea is to prevent downloading of zip files by guests in order to prevent potential DOS attacks. Generating and downloading the zip files is very resource intensive, and for large galleries, having the world be able to do this is probably not a Good Idea. I'd be willing to make this an additional permission on Ansel, so it has to be explicitly allowed. "Allow guests to download zip files" or something similar.

08/16/2010 12:53:22 PM	mmartin (at) mnet-online (dot) de	Comment #1 Priority ⇒ 1. Low Type ⇒ Bug Summary ⇒ guest photo download fails Queue ⇒ Ansel Milestone ⇒ Patch ⇒ Yes State ⇒ Unconfirmed	Reply to this comment
when trying to download a gallery or selected Photos as a zip file, the Access denied message appears when You are not logged in (guest), even when guests have read permission. the attached patch corrects that by removing the superfluous !Auth::getAuth() from image.php and gallery.php