6.0.0-beta1
▾
Tasks
New Task
Search
Photos
Wiki
▾
Tickets
New Ticket
Search
dev.horde.org
Toggle Alerts Log
Help
10/17/25
H
istory
A
ttachments
C
omment
W
atch
Download
Comment on [#12668] gallery prieview images doesn't respect permissions
*
Your Email Address
*
Spam protection
Enter the letters below:
. ..__.. . ..__. | |[__]\ / || | |/\|| | \/ \__||__|
Comment
> This happens when: > > 1) The "private" sub gallery has SHOW perms, but not READ perms. > > 2) The parent gallery has READ permissions, but not enough images in > it to generate a key-image thumbnail so we look in the sub galleries > that are readable *for the currently logged in user*. If the > currently logged in user has READ on the sub galleries when the > key-image thumbnail is generated the image could possible include a > "private" image. > > 3) A user with SHOW, but not READ on the private gallery logs in. > Since the parent gallery's thumbnail was already generated, it is > used as is. > > For the record, this will be an issue even if a gallery does not > contain any sub galleries. This key point is that the key-image > thumbnail may be generated by a user that has less restrictive > permissions than the current user viewing the gallery. > > Really not sure how to fix this since we are not going to generate > these thumbnails on each page load, and we don't currently have > image-level permissions. > > Thoughts?
Attachment
Watch this ticket
N
ew Ticket
M
y Tickets
S
earch
Q
uery Builder
R
eports
Saved Queries
Open Bugs
Bugs waiting for Feedback
Open Bugs in Releases
Open Enhancements
Enhancements waiting for Feedback
Bugs with Patches
Enhancements with Patches
Release Showstoppers
Stalled Tickets
New Tickets
Horde 5 Showstoppers