How can I secure private gallery images?

[Xonox]

Hi,

I'm building a site that has private galleries, according to the input of this topic:

The topic is a couple of years old but was enough to get me going. Here's the method I chose:

1. Created an image field called private_gallery;

2. Associated this field to the ProcessWire user template, this way you create a user with password and gallery very easily;

3. Created a gallery template that checks for the user login and displays their gallery.

So, what do I need?

Everything is working fine, but if I copy the image link and paste it on a non logged in browser, I can see the image.

What's the best method to prevent non logged in users from viewing these images?

[Macrura]

I think you need to use pagefileSecure:

$config->pagefileSecure

bool

When used, files in /site/assets/files/ will be protected with the same access as the page. Routines files through a passthrough script.

[Xonox]

57 minutes ago, Macrura said:

I think you need to use pagefileSecure:

Thanks... I added this to my config:

$config->pagefileSecure = true;
$config->pagefileSecurePathPrefix = '.';

This secured the images, however, the gallery stopped working (no images whatsoever). I believe that the reason is this:

1. I have a page with a template called "private_gallery" that can only be viewed by users with the profile "client".

2. However, the client "gallery" is associated to the "user" template, so it's not related to the page in any way.

So I'm trying to get to the user gallery, through a different page. How can I do this? Am I missing something?

With $image->url, I'm getting the images URL without the "." that secures the folder.

[Xonox]

Just to make my question clearer, this is the code on the private gallery page:

if(!$user->isLoggedin() && count($user->private_gallery)) {
	?>
		<div id="gallery">
			<?php
				foreach($user->private_gallery as $image) {
					$thumbnail = $image->size(400, 0);
					echo '<a href="' . $image->url . '"><img src="' . $thumbnail->url . '" /></a>';
	  			}
			?>
		</div>
	<?php
}

Shouldn't the user, that it's logged in, have access to the images inside his user?

[Macrura]

Have you tried a different prefix?

[Xonox]

14 minutes ago, Macrura said:

Have you tried a different prefix?

I've tried

$config->pagefileSecurePathPrefix = '-';

I get the same results. Can't load the images inside the template. 

$config->pagefileSecurePathPrefix = 'sec';

I get the same results. Can't load the images inside the template but they're not secure on hotlinking. 

[Macrura]

I will try and test on my local environment, but probably can't post back on this until Sunday or Monday

[Soma]

Just because the user is logged in doesn't mean he has view/edit access to the user page. The user template is secured and inherit access from admin template.

[Xonox]

On 5/26/2017 at 9:16 PM, Soma said:

Just because the user is logged in doesn't mean he has view/edit access to the user page. The user template is secured and inherit access from admin template.

Even if I give the user profile-edit permissions, the gallery images are still not available on the site - even if I give the client profile permissions to view the fields. This leads me to think that creating the private_gallery inside the user profile wasn't the best option, despite being very practical. 

The link I posted first, had some reference to a module that @ryan developed. But that module link isn't working and I can't find anything of that kind in the Modules section.

So what's the best approach? Creating a user and a specific gallery page with that user name so that I can validate, as suggested by @onjegolders?

if ($user->name === $page->name) {
	// show all the pictures and other member stuff
} else {
	throw new Wire404Exception();
}

 

[rick]

1 hour ago, Xonox said:

Even if I give the user profile-edit permissions, the gallery images are still not available on the site - even if I give the client profile permissions to view the fields. This leads me to think that creating the private_gallery inside the user profile wasn't the best option, despite being very practical. 

Just a guess, but did you enable the permissions for that (those) field(s) in the Module > Site > User Profile > Settings page?

[Xonox]

I eventually change the whole system:

1. Created a template "private_gallery" that has two fields: "login" and "password" (Text).

2. When accessing the private gallery the system checks if user is logged in via cookie. If it is not logged in it shows the login page.

The galleries are created by the site master, so I don't think there's a need for the usual security involved on a common password. And I can secure the images for each gallery.

Thanks for your help.