Password protect redirect

ZiaTioN

Joined: 2006-02-14
Posts: 11

Posted: Sat, 2008-09-27 02:29

I am using the password module to password protect my entire gallery with a single password so I can disseminate the password to numerous family members without requiring them to have individual user accounts. I have got this all working properly, but the problem is when a non authorized user tries to access the main gallery page, they are redirected to the proper password promt page asking for a single password but when you try to link directly to any object that is under the main gallery page (like single image in an album under the main gallery album), the user is prevented from viewing which is good but the bad is that the user is redirected to the standard user login page:

view=core.UserAdmin
subView=core.UserLogin

How can I have the user get redirected to the proper single password prompt for the password module (view=password.PasswordEntry)?

ZiaTioN

Joined: 2006-02-14
Posts: 11

Posted: Sun, 2008-09-28 01:21

Fixed this myself again.

The problem is with the password module itself. When setting a password for a particular album, the password module password protects that item, but then only removes the 'core.view' permissions for anonymous users for all descendant objects (children and grandchildren, etc). When these descendant objects are accessed directly, the password module checks if they are password protected (which they will not be) and then returns and since the 'core.view' permissions have been removed, the gallery core module redirects to the standard login page.

I ended up having to add some code that will pull in all the descendants of the password protected object and then check to see if the itemId of the descendant is in that list (protected by an ancestor). I then had to comment out the check for the 'core.view' permissions since the password module has removed this permission for all descendants. With these changes, if an object is not specifically password protected but is under an ancestor that is, the code path for the single password page redirect will be taken.

I have only tested this within my own particular use case on my own gallery but I am sure the change is generic enough to be applied to any use case. Anyway, long story short, here is the diff and patch for the changes I made in case anyone wants similar functionality.

Diff:

169c169,177
<       if ($view == 'core.ShowItem' && $itemId == $item->getId() && !$duringUpgrade) {
---
>         # XXX - Added to redirect to proper password prompt even if a child of
>         #       a password protected album is accesssed directly.
>         $protected = false;
>         list ($ret, $descendants) = GalleryCoreApi::fetchDescendentItemIds($item, null, null, null);
>         if (!empty($descendants)) {
>             $protected = array_search($itemId, $descendants);
>         }
> 
>       if ($view == 'core.ShowItem' && ($itemId == $item->getId() || $protected) && !$duringUpgrade) {
191c199
<               if (isset($permissions['core.view']) || !empty($isHidden)) {
---
>               //if (isset($permissions['core.view']) || !empty($isHidden)) {
206c214
<               }
---
>               //}

Patch:

*** module.inc.orig   2008-09-27 20:13:28.000000000 -0500
--- module.inc  2008-09-27 20:06:11.000000000 -0500
***************
*** 166,172 ****
            $itemId = $item->getId();
        }
  
!       if ($view == 'core.ShowItem' && $itemId == $item->getId() && !$duringUpgrade) {
            list ($ret, $permissions) = GalleryCoreApi::getPermissions($itemId);
            if ($ret) {
                return $ret;
--- 166,180 ----
            $itemId = $item->getId();
        }
  
!         # XXX - Added to redirect to proper password prompt even if a child of
!         #       a password protected album is accesssed directly.
!         $protected = false;
!         list ($ret, $descendants) = GalleryCoreApi::fetchDescendentItemIds($item, null, null, null);
!         if (!empty($descendants)) {
!             $protected = array_search($itemId, $descendants);
!         }
! 
!       if ($view == 'core.ShowItem' && ($itemId == $item->getId() || $protected) && !$duringUpgrade) {
            list ($ret, $permissions) = GalleryCoreApi::getPermissions($itemId);
            if ($ret) {
                return $ret;
***************
*** 188,194 ****
                    }
                }
  
!               if (isset($permissions['core.view']) || !empty($isHidden)) {
                    /* Redirect to PasswordEntry if we have core.view or item is also hidden */
                    global $gallery;
                    $session =& $gallery->getSession();
--- 196,202 ----
                    }
                }
  
!               //if (isset($permissions['core.view']) || !empty($isHidden)) {
                    /* Redirect to PasswordEntry if we have core.view or item is also hidden */
                    global $gallery;
                    $session =& $gallery->getSession();
***************
*** 203,209 ****
                          array('view' => 'password.PasswordEntry', 'itemId' => $itemId),
                          array('forceFullUrl' => true, 'htmlEntities' => false)));
                    $phpVm->exit_();
!               }
            }
        }
        return null;
--- 211,217 ----
                          array('view' => 'password.PasswordEntry', 'itemId' => $itemId),
                          array('forceFullUrl' => true, 'htmlEntities' => false)));
                    $phpVm->exit_();
!               //}
            }
        }
        return null;

floridave

Joined: 2003-12-22
Posts: 22888

Posted: Sun, 2008-09-28 05:05

Thanks for the update.
Can you please add your patch to:
https://sourceforge.net/tracker/?group_id=7130&atid=307130
with an explanation of the new behavior.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

tonycajjo

Joined: 2009-07-18
Posts: 16

Posted: Fri, 2009-10-02 02:03

i am trying to implement this patch and wanted (well have) to patch the file manually. (i only have FTP access currently to solve this problem)

i will be unsing a password for each album, does this patch enable a guest with the password to view full size images? guest currently do not have that permission in my gallery, only the admin.

ZiaTioN Joined: 2006-02-14 Posts: 11	Posted: Sat, 2008-09-27 02:29
	I am using the password module to password protect my entire gallery with a single password so I can disseminate the password to numerous family members without requiring them to have individual user accounts. I have got this all working properly, but the problem is when a non authorized user tries to access the main gallery page, they are redirected to the proper password promt page asking for a single password but when you try to link directly to any object that is under the main gallery page (like single image in an album under the main gallery album), the user is prevented from viewing which is good but the bad is that the user is redirected to the standard user login page: view=core.UserAdmin subView=core.UserLogin How can I have the user get redirected to the proper single password prompt for the password module (view=password.PasswordEntry)?
	XUser login Username: * Password: * Create new account Request new password
ZiaTioN Joined: 2006-02-14 Posts: 11	Posted: Sun, 2008-09-28 01:21
	Fixed this myself again. The problem is with the password module itself. When setting a password for a particular album, the password module password protects that item, but then only removes the 'core.view' permissions for anonymous users for all descendant objects (children and grandchildren, etc). When these descendant objects are accessed directly, the password module checks if they are password protected (which they will not be) and then returns and since the 'core.view' permissions have been removed, the gallery core module redirects to the standard login page. I ended up having to add some code that will pull in all the descendants of the password protected object and then check to see if the itemId of the descendant is in that list (protected by an ancestor). I then had to comment out the check for the 'core.view' permissions since the password module has removed this permission for all descendants. With these changes, if an object is not specifically password protected but is under an ancestor that is, the code path for the single password page redirect will be taken. I have only tested this within my own particular use case on my own gallery but I am sure the change is generic enough to be applied to any use case. Anyway, long story short, here is the diff and patch for the changes I made in case anyone wants similar functionality. Diff: 169c169,177 < if ($view == 'core.ShowItem' && $itemId == $item->getId() && !$duringUpgrade) { --- > # XXX - Added to redirect to proper password prompt even if a child of > # a password protected album is accesssed directly. > $protected = false; > list ($ret, $descendants) = GalleryCoreApi::fetchDescendentItemIds($item, null, null, null); > if (!empty($descendants)) { > $protected = array_search($itemId, $descendants); > } > > if ($view == 'core.ShowItem' && ($itemId == $item->getId() \|\| $protected) && !$duringUpgrade) { 191c199 < if (isset($permissions['core.view']) \|\| !empty($isHidden)) { --- > //if (isset($permissions['core.view']) \|\| !empty($isHidden)) { 206c214 < } --- > //} Patch: * module.inc.orig 2008-09-27 20:13:28.000000000 -0500 --- module.inc 2008-09-27 20:06:11.000000000 -0500 *********** * 166,172 ** $itemId = $item->getId(); } ! if ($view == 'core.ShowItem' && $itemId == $item->getId() && !$duringUpgrade) { list ($ret, $permissions) = GalleryCoreApi::getPermissions($itemId); if ($ret) { return $ret; --- 166,180 ---- $itemId = $item->getId(); } ! # XXX - Added to redirect to proper password prompt even if a child of ! # a password protected album is accesssed directly. ! $protected = false; ! list ($ret, $descendants) = GalleryCoreApi::fetchDescendentItemIds($item, null, null, null); ! if (!empty($descendants)) { ! $protected = array_search($itemId, $descendants); ! } ! ! if ($view == 'core.ShowItem' && ($itemId == $item->getId() \|\| $protected) && !$duringUpgrade) { list ($ret, $permissions) = GalleryCoreApi::getPermissions($itemId); if ($ret) { return $ret; *********** * 188,194 **** } } ! if (isset($permissions['core.view']) \|\| !empty($isHidden)) { /* Redirect to PasswordEntry if we have core.view or item is also hidden / global $gallery; $session =& $gallery->getSession(); --- 196,202 ---- } } ! //if (isset($permissions['core.view']) \|\| !empty($isHidden)) { / Redirect to PasswordEntry if we have core.view or item is also hidden / global $gallery; $session =& $gallery->getSession(); ************ * 203,209 **** array('view' => 'password.PasswordEntry', 'itemId' => $itemId), array('forceFullUrl' => true, 'htmlEntities' => false))); $phpVm->exit_(); ! } } } return null; --- 211,217 ---- array('view' => 'password.PasswordEntry', 'itemId' => $itemId), array('forceFullUrl' => true, 'htmlEntities' => false))); $phpVm->exit_(); ! //} } } return null;

floridave Joined: 2003-12-22 Posts: 22888	Posted: Sun, 2008-09-28 05:05
	Thanks for the update. Can you please add your patch to: https://sourceforge.net/tracker/?group_id=7130&atid=307130 with an explanation of the new behavior. Dave _____________________________________________ Blog & G2 \|\| floridave - Gallery Team

tonycajjo Joined: 2009-07-18 Posts: 16	Posted: Fri, 2009-10-02 02:03
	i am trying to implement this patch and wanted (well have) to patch the file manually. (i only have FTP access currently to solve this problem) i will be unsing a password for each album, does this patch enable a guest with the password to view full size images? guest currently do not have that permission in my gallery, only the admin.

Password protect redirect

XUser login