.htaccess trouble

bpd@darb.net

Joined: 2002-08-20
Posts: 101
Posted: Thu, 2003-04-24 04:57

Hello,

I have put a .htaccess file into one of my album directories that requires it to have a password. It works fine and denies access to photos unless the visitor gives a username and password that are correct (independent of Gallery's database, it's an htaccess userlist). The issue, however, is that they can still see the "album", just not the thumbnails or pictures ... they can still see captions, hits, comments etc. I thought that by locking down that directory, it should prevent anyone from even being able to READ the index files required to display?

The .htaccess works perfectly on other HTML-based directories I have, but for some reason they can get past it if it's a gallery directory.

The URL is http://darb.net/secured-private

My .htaccess reads like this:

AuthGroupFile /dev/null
AuthName "enter ze password"
AuthType Basic
AuthUserFile /auth/bpdprivate/userlist
Require valid-user

any ideas ?

Cheers

------
Give us your Gallery/webserver information to get a faster answer.
Get this information from the PHP diagnostic (in the configuration wizard).
Gallery URL (optional but very useful): http://darb.net/
Gallery version: 1.3.3
Apache version: 1.3.26
PHP version (don't just say PHP 4, please):
Operating system: debian - woody
Web browser/version (if applicable): ie6

 
beckett

Joined: 2002-08-16
Posts: 3474
Posted: Thu, 2003-04-24 06:02

The problem is that when you view an album, you're actually looking at this file:

http://www.yoursite.com/gallery/view_album.php

This *isn't* inside your albums directory, so the restriction doesn't apply. The code in view_album.php reads the database data directly from the files, and is not subject to the HTTP authentication restriction.

But if you restrict the albums with the Gallery user system, shouldn't that be enough to prevent someone from getting into the album in the first place? You might be better off putting your entire gallery behind the HTTP authentication, though.

G1's security is not ideal in that the photos are publicly available. G2 will use a firewall which will provide true protection in that images will only be available via Gallery itself.

-Beckett
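
The scoping described above, as an added example that is not part of the original post: a simplified Python model of how Apache selects the .htaccess files for a request (one per directory on the way to the file being served). The directory layout, the `captions.dat` file and the `album` query parameter are constructed for illustration, and the model assumes `AllowOverride` permits the auth directives.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Constructed .htaccess, modelled on the directives quoted in the thread.
HTACCESS = 'AuthName "enter ze password"\nAuthType Basic\nRequire valid-user\n'

def build_sample_docroot():
    """Constructed layout (assumption): script in gallery/, data in albums/."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "gallery/view_album.php": "<?php /* reads albums/<name>/ from disk */ ?>",
        "albums/secured-private/.htaccess": HTACCESS,
        "albums/secured-private/photo.jpg": "constructed image bytes",
        "albums/secured-private/captions.dat": "constructed caption data",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

def htaccess_chain(docroot, url):
    """.htaccess files consulted for a URL: one per directory from the document
    root down to the directory of the file served. The query string is ignored."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    target = os.path.join(docroot, *parts)
    dirs = parts if os.path.isdir(target) else parts[:-1]
    directory, chain = docroot, []
    for segment in [""] + dirs:
        directory = os.path.join(directory, segment)
        candidate = os.path.join(directory, ".htaccess")
        if os.path.isfile(candidate):
            chain.append(os.path.relpath(candidate, docroot))
    return chain

def requires_auth(docroot, url):
    """True if any consulted .htaccess carries a Require directive."""
    for rel in htaccess_chain(docroot, url):
        with open(os.path.join(docroot, rel)) as fh:
            if any(line.strip().lower().startswith("require ") for line in fh):
                return True
    return False

if __name__ == "__main__":
    root = build_sample_docroot()
    for url in ("/albums/secured-private/photo.jpg",
                "/gallery/view_album.php?album=secured-private"):
        print(url, "->", "auth required" if requires_auth(root, url) else "served")
```

The second URL is served without a prompt because the script lives outside the protected directory; whatever it then reads from `albums/secured-private/` is a local file read by PHP, not an HTTP request, so no .htaccess is consulted for it.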

 
bpd@darb.net

Joined: 2002-08-20
Posts: 101
Posted: Thu, 2003-04-24 07:18

Cheers ... I don't want to use the Gallery user database because I wanted the albums visible, just not accessible

i.e., you go to click it, and then it prompts, rather than it being hidden.

no matter.