Xonox

How can I secure private gallery images?

Hi,

I'm building a site that has private galleries, according to the input of this topic:

The topic is a couple of years old but was enough to get me going. Here's the method I chose:

1. Created an image field called private_gallery;

2. Associated this field to the ProcessWire user template, this way you create a user with password and gallery very easily;

3. Created a gallery template that checks for the user login and displays their gallery.

So, what do I need?

Everything is working fine, but if I copy the image link and paste it on a non logged in browser, I can see the image.

What's the best method to prevent non logged in users from viewing these images?

I think you need to use pagefileSecure:

$config->pagefileSecure   bool    When used, files in /site/assets/files/ will be protected with the same access as the page. Routes files through a passthrough script.

57 minutes ago, Macrura said:

I think you need to use pagefileSecure:

Thanks... I added this to my config:

$config->pagefileSecure = true;
$config->pagefileSecurePathPrefix = '.';

This secured the images, however, the gallery stopped working (no images whatsoever). I believe that the reason is this:

1. I have a page with a template called "private_gallery" that can only be viewed by users with the profile "client".

2. However, the client "gallery" is associated to the "user" template, so it's not related to the page in any way.

So I'm trying to get to the user gallery, through a different page. How can I do this? Am I missing something?

With $image->url, I'm getting the images URL without the "." that secures the folder.

Just to make my question clearer, this is the code on the private gallery page:

// Show the gallery only to a logged-in user who has images.
if($user->isLoggedin() && count($user->private_gallery)) {
	?>
		<div id="gallery">
			<?php
				foreach($user->private_gallery as $image) {
					$thumbnail = $image->size(400, 0);
					echo '<a href="' . $image->url . '"><img src="' . $thumbnail->url . '" /></a>';
				}
			?>
		</div>
	<?php
}

Shouldn't the user who is logged in have access to the images inside his user?

14 minutes ago, Macrura said:

Have you tried a different prefix?

I've tried

$config->pagefileSecurePathPrefix = '-';

I get the same results. Can't load the images inside the template. :(

$config->pagefileSecurePathPrefix = 'sec';

I get the same results. Can't load the images inside the template but they're not secure on hotlinking. :(

I will try and test on my local environment, but probably can't post back on this until Sunday or Monday.

Just because the user is logged in doesn't mean he has view/edit access to the user page. The user template is secured and inherits access from the admin template.

  • Like 1

On 5/26/2017 at 9:16 PM, Soma said:

Just because the user is logged in doesn't mean he has view/edit access to the user page. The user template is secured and inherits access from the admin template.

Even if I give the user profile-edit permissions, the gallery images are still not available on the site - even if I give the client profile permissions to view the fields. This leads me to think that creating the private_gallery inside the user profile wasn't the best option, despite being very practical. :(

The link I posted first had some reference to a module that @ryan developed. But that module link isn't working and I can't find anything of that kind in the Modules section.

So what's the best approach? Creating a user and a specific gallery page with that user name so that I can validate, as suggested by @onjegolders?

if ($user->name === $page->name) {
	// show all the pictures and other member stuff
} else {
	throw new Wire404Exception();
}

1 hour ago, Xonox said:

Even if I give the user profile-edit permissions, the gallery images are still not available on the site - even if I give the client profile permissions to view the fields. This leads me to think that creating the private_gallery inside the user profile wasn't the best option, despite being very practical. 

Just a guess, but did you enable the permissions for that (those) field(s) in the Module > Site > User Profile > Settings page?

I eventually changed the whole system:

1. Created a template "private_gallery" that has two fields: "login" and "password" (Text).

2. When accessing the private gallery, the system checks if the user is logged in via cookie. If they are not logged in, it shows the login page.

The galleries are created by the site master, so I don't think there's a need for the usual security involved on a common password. And I can secure the images for each gallery.

Thanks for your help.

  • Like 1
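
The access decision a pass-through image script has to make before it sends a gallery file, as an added example that is not code from this thread or from ProcessWire. The directory layout (`<root>/<gallery>/<file>`), the function name `resolveGalleryFile` and the `$sessionGallery` value (the gallery the visitor's session is logged in to) are assumptions made for illustration.

```php
<?php
// Added example: authorization check for a pass-through image script.
// Layout and names (<root>/<gallery>/<file>, $sessionGallery) are assumptions.

/**
 * Return the absolute path of the requested image if the visitor may see it,
 * or null if the request must be answered with a 404.
 */
function resolveGalleryFile(string $root, ?string $sessionGallery,
                            string $gallery, string $file): ?string
{
    // 1. Visitor must be logged in to a gallery, and to *this* gallery.
    if ($sessionGallery === null || $sessionGallery !== $gallery) {
        return null;
    }
    // 2. Accept only plain names: no path separators, no dot-prefixed names.
    if (!preg_match('/^[a-z0-9_-]+$/i', $gallery)
        || !preg_match('/^[a-z0-9_-][a-z0-9._-]*\.(jpe?g|png|gif)$/i', $file)) {
        return null;
    }
    // 3. Resolve symlinks and confirm the file really sits in the gallery dir.
    $dir  = realpath("$root/$gallery");
    $path = realpath("$root/$gallery/$file");
    if ($dir === false || $path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed sample data: two galleries in a temporary directory.
$root = sys_get_temp_dir() . '/galleries_' . bin2hex(random_bytes(4));
mkdir("$root/alice", 0700, true);
mkdir("$root/bob", 0700, true);
file_put_contents("$root/alice/wedding.jpg", 'constructed image bytes');
file_put_contents("$root/bob/party.jpg", 'constructed image bytes');

$cases = [
    'owner, own image'        => ['alice', 'alice', 'wedding.jpg'],
    'not logged in (hotlink)' => [null,    'alice', 'wedding.jpg'],
    'other gallery'           => ['alice', 'bob',   'party.jpg'],
    'path outside gallery'    => ['alice', 'alice', '../bob/party.jpg'],
];
foreach ($cases as $label => [$session, $gallery, $file]) {
    $path = resolveGalleryFile($root, $session, $gallery, $file);
    printf("%-24s %s\n", $label, $path === null ? '404' : 'serve ' . basename($path));
}
```

The check only helps if the image directory itself cannot be fetched by direct URL, so that every request has to go through the script that calls it.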
