Confirm that RANDIMG respects permissions?

doclalor

Joined: 2005-04-28
Posts: 14
Posted: Sun, 2014-06-08 17:01

Can anyone confirm that the RANDIMG module respects GUEST permissions? How can I be sure that the images this module supplies are cleared for view by the public?

Thanks!
~Brendan

 
floridave
floridave's picture

Joined: 2003-12-22
Posts: 27300
Posted: Sun, 2014-06-08 17:17

You could confirm by creating a test album & add some items and changing permissions on that album and see if
http://EXAMPLE.COM/gallery3/index.php/randimg?maxsize=300&album=my-test-album
shows up.
From the code:

modules_code wrote:
Far from perfection, but at least require view permission for the root album

So it looks like it will not show the link if the user does not have view rights to the root album.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
doclalor

Joined: 2005-04-28
Posts: 14
Posted: Mon, 2014-06-09 15:29

Thanks, Dave, for supplying the url parameter that allowed me to test this. I would still love more than my confirmation/verification, though (which - however suggestive - do not prove RANDIMG honors permissions). The code would confirm that better, for those who have eyes to read it.

My little experiment: When I appended '&album=[a public album]', I was only presented with images from that album. Good. Then I appended '&album=[a private album]' and queried gallery3 using the RANDIMG url under two conditions:

* When I hit the url while logged in to my gallery3 site, I was able to view images from the private gallery. Even when my authentication lapsed (and required re-entering the password), I was able to view private images. (-> Why? <-)
* When I hit the url while NOT logged in (and in an "incognito" browser window), I hit refresh a hundred times and (a) was not presented with any private images, and (b) instead received images from other, public folders in the gallery. That seems like sensible default behavior.

My question: In light of my "Why?" above, I'd like to know, does RANDIMG indeed use browser-authenticated status to determine which images to serve up, so that if I am visiting a website which uses the RANDIMG url, the images served during my visits will vary depending on whether I am logged into the gallery from which those images are drawn?

As far as I can tell, the code that handles permissions here is in /modules/randimg/controllers/randimg.php:

Quote:
class randimg_Controller extends Controller {

protected $resource_type = "randimg";

public function index() {
// Far from perfection, but at least require view permission for the root album
$album = ORM::factory("item", 1);
access::required("view", $album);
print randimg::randimg_link();
}

}

Unfortunately, I'm not confident in my understanding of which album is the "root album." My site's root album is viewable by "everybody." Does that mean everybody can view every image using RANDIMG? Or does "root album" here perhaps just mean the image's "home album"? (That is what I would guess

Quote:
access::required("view", $album);

would do.)

Thanks,
~Brendan

 
floridave
floridave's picture

Joined: 2003-12-22
Posts: 27300
Posted: Tue, 2014-06-10 22:48
Quote:
(-> Why? <-)

I don't know. Just looking at the code it seems that it checks if the guest user has view rights to the root album. Then I assume that the rest of the gallery permissions mecanismes (.htacces to the album) take affect if the user can see the image with the session that the browse stores.

Quote:
access::required("view", $album);

Is a check to see if the user has view rights to the album. So I guess if that is there then items will not be displayed if the user does not have permisisons to view the album.

Your testing that you have done is more substantial than I would have done to prove what your looking for.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team