2019-03-19

[#6404] Password protected galleries
Summary Password protected galleries
Queue Ansel
Type Enhancement
State Resolved
Priority 1. Low
Owners mrubinsk (at) horde (dot) org
Requester duck (at) obala (dot) net
Created 2008-03-08 (4028 days ago)
Due
Updated 2008-12-24 (3737 days ago)
Assigned 2008-12-14 (3747 days ago)
Resolved 2008-12-22 (3739 days ago)
Milestone 1
Patch No

History
2008-12-24 14:25:09 Michael Rubinsky Comment #20
> I guess that preview.php should be aware of locked galleries too.

Yup, good catch, thank you. Fixed.

> My initial page comes with a special password property page. Yes,
> maybe it is more logical to have this attribute with the other gallery
> properties. But we must allow only the gallery owner to set the
> password.

I added a check to the existing gallery property form to not show that
field if the current user is not the owner. I really don't see the
issue here though. The only other people that would see this form
other than the owner are admins - and admins can see the password
protected galleries without knowing the password anyway.
2008-12-24 11:52:54 Duck Comment #19
I guess that preview.php should be aware of locked galleries too.

My initial page comes with a special password property page. Yes,
maybe it is more logical to have this attribute with the other gallery
properties. But we must allow only the gallery owner to set the
password.
2008-12-22 20:34:24 Michael Rubinsky Comment #18
State ⇒ Resolved
k - this appears to be in good order. Just need an icon for the locked
gallery thumbnails, but it's no longer a 1.0 showstopper.
2008-12-17 15:45:59 Michael Rubinsky Comment #14
Milestone ⇒ 1
Target for 1.0 since the code is in an inconsistent state at the moment...
2008-12-14 15:49:45 Chuck Hagenbuch Assigned to Michael Rubinsky
State ⇒ Assigned
 
2008-11-09 16:49:58 Michael Rubinsky Comment #13
I'll try to take a look again at these changes in the context of 
recent changes.

The main issue I had with how this - and the gallery age requirement - 
is currently implemented is that there needs to be various checks 
sprinkled around Ansel to check these things. We query by permissions 
to get the gallery list, then on top of that, we have to double check 
other types of permissions in various places to be sure the person is 
old enough, the gallery has a password etc...



I remember trying (unsuccessfully)  to centralize everything at one 
point, but I don't remember the exact issues off hand.  I'll look at 
it again, but to be honest, it's going to be towards the bottom of my list.
2008-11-09 16:26:21 Chuck Hagenbuch Comment #12
State ⇒ Feedback
Any progress here, since a lot of other changes to Ansel have gone in?
2008-03-17 14:53:58 Michael Rubinsky Comment #11
Taken from Michael Rubinsky
State ⇒ Stalled
Sounds good...and thank you for your work.



I'm looking forward to seeing the facial recognition once it's fully 
implemented
2008-03-17 08:53:19 Duck Comment #10
I did what you commented, but I moved my work into my local svn
repository, where I have gone much further with face recognition and face
bitmap search (finds similarities) and even some more optimizations.
But it is difficult for me to create a ticket for every single change I
made. I wish to make Ansel feature and optimization capable for my
site by the end of the month. I will stay tuned, but I will probably
wait with patches till I finish, or maybe even till Ansel is branched
for php5.

All my patches are created against the cvs snapshot of the day the
patch is created. Problems may occur as things change till the patch
is revisioned.
2008-03-14 19:27:44 Michael Rubinsky Comment #9
I should also mention that I had to guess a bit on where some of these 
changes went as the patch didn't apply cleanly...maybe a fresh patch 
against current HEAD would help if this seems to be working for you.
2008-03-14 19:24:36 Michael Rubinsky Comment #8
So far...



1) DB Syntax error when saving new galleries

2) Password and Tags fields are already filled in with values from 
somewhere when creating a new gallery

3) After entering password from the protect form, a "no gallery
specified" error is still returned.

4) Images from password protected galleries are still shown in the 
mini thumbnails of gallery groups and the image titles are still shown 
in the blocks.  If a gallery is not accessible, you shouldn't be able 
to even read the titles, file names etc...

5) Image for locked galleries not included in patch

6)  Passwords stored in plaintext


2008-03-12 14:19:07 Duck Comment #7
New Attachment: ansel-passwd[1].diff
I forgot to check the gallery tile.
2008-03-12 14:14:53 Duck Comment #6
Couple of issues:
- password can be edited only by the owner of the gallery

- added hasPasswd() method to tell if the gallery has passwd and the 
user has not entered it yet

- added gallery-locked.png as thumbnails for locked images



Now we check if the gallery is locked by password in 
Ansel_View_Abstract and various blocks.
2008-03-12 14:14:41 Duck Comment #5
Couple of issues:
- password can be edited only by the owner of the gallery

- added hasPasswd() method to tell if the gallery has passwd and the 
user has not entered it yet

- added gallery-locked.png as thumbnails for locked images



Now we check if the gallery is locked by password in 
Ansel_View_Abstract and various blocks.
2008-03-10 15:29:08 Michael Rubinsky Comment #4
...and should we be storing passwords in the database as cleartext?   
We should probably md5 them before they are stored instead of just 
when we are storing them in the session.
2008-03-10 15:26:46 Michael Rubinsky Comment #3
State ⇒ Feedback
Couple of issues:



You are prevented from viewing *any* galleries in the List view if the 
current grouping contains any password protected galleries that you do 
not have the password for.  For example, browsing all of User A's 
galleries, you are *immediately* presented with a password dialog. If 
you do not have the password for that gallery, you have no way of
viewing any of the rest of the grouping.



I also don't think we should show the password dialog until we 
actually try to view the gallery itself.  Maybe a "locked" image as 
the gallery tile thumbnail should be displayed when we have not 
"authenticated" to a particular gallery yet.



We also need to implement some sort of better check for things like 
Ansel's blocks.  Right now, images and galleries that are passwd 
protected show up in the various blocks, and when you mouse over an 
image, for example, the image is briefly displayed and then is 
replaced by the login form in the floating div where the previewed 
thumbnail should be.



I'm also not sure that a non-owner with edit permissions should be 
able to change a gallery password....and if we *do* want to allow it, 
there is an issue that when the password is changed and we are asked 
for the new password when being redirected back to the gallery view, 
after a successful "authentication", a "No gallery found" error is 
returned.
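
Added example (not part of the ticket and not Ansel code): one way to address the review points in comments #3, #4 and #8 above, with a single lock decision shared by list views, blocks and preview scripts, and the gallery password stored hashed. It uses PHP's `password_hash()` rather than the md5 suggested in comment #4; the class, method and array key names are hypothetical, and the owner bypass is an assumption.

```php
<?php
// Added example: hypothetical helper, not Ansel code. All names are assumptions.
final class GalleryLock
{
    /** Hash the owner-supplied password before storage; empty string means "no lock". */
    public static function hashForStorage(string $plain): ?string
    {
        return $plain === '' ? null : password_hash($plain, PASSWORD_DEFAULT);
    }

    /** Verify a submitted password; on success the session keeps only the gallery id. */
    public static function unlock(array &$session, int $galleryId, ?string $storedHash, string $submitted): bool
    {
        if ($storedHash === null || !password_verify($submitted, $storedHash)) {
            return false;
        }
        $session['unlocked_galleries'][$galleryId] = true;
        return true;
    }

    /** Single decision point: admins and (assumed) the owner bypass the lock. */
    public static function isLocked(array $session, array $gallery, ?int $userId, bool $isAdmin): bool
    {
        if ($gallery['passwd_hash'] === null || $isAdmin || $userId === $gallery['owner_id']) {
            return false;
        }
        return empty($session['unlocked_galleries'][$gallery['id']]);
    }

    /** What a list view or block may render: no titles or file names while locked. */
    public static function tile(array $session, array $gallery, ?int $userId, bool $isAdmin): array
    {
        if (self::isLocked($session, $gallery, $userId, $isAdmin)) {
            return ['thumb' => 'gallery-locked.png', 'title' => null, 'images' => []];
        }
        return ['thumb' => $gallery['thumb'], 'title' => $gallery['title'], 'images' => $gallery['images']];
    }
}

// Constructed sample data: gallery 7 owned by user 1, viewed by user 2.
$session = [];
$gallery = ['id' => 7, 'owner_id' => 1, 'passwd_hash' => GalleryLock::hashForStorage('s3cret'),
            'thumb' => 't7.png', 'title' => 'Holiday', 'images' => ['a.jpg', 'b.jpg']];
var_dump(GalleryLock::tile($session, $gallery, 2, false));   // placeholder tile while locked
var_dump(GalleryLock::unlock($session, 7, $gallery['passwd_hash'], 'wrong'));
var_dump(GalleryLock::unlock($session, 7, $gallery['passwd_hash'], 's3cret'));
var_dump(GalleryLock::tile($session, $gallery, 2, false));   // full tile after unlocking
```

Because the other galleries in a grouping are rendered from `tile()` as well, a locked gallery shows the placeholder instead of blocking the whole list.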


2008-03-08 22:36:07 Michael Rubinsky State ⇒ Assigned
 
2008-03-08 12:54:20 Duck Comment #2
Assigned to Michael Rubinsky
New Attachment: protect.php
The enter password form.
2008-03-08 12:53:39 Duck Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 1. Low
Summary ⇒ Password protected galleries
Queue ⇒ Ansel
New Attachment: ansel-passwd.diff
Added the ability to lock a gallery by a password. I added the check
into the gallery hasPermission method which seems the more logical place.
If the headers are still not sent the user is redirected to the
password enter form. Otherwise it returns false.
