Is it a known issue that in gallery2 any watermarked image could be easily opened (downloaded) by ordinary user?
I can describe how to do it but I guess that gallery2 developers and experienced users know about that.
From my point of view, this is a bug, because people use watermarking module to avoid any access to the original, non-watermarked images.
Or may be I missed something in gallery configuration?
Would be very interesting to hear about possible solutions.
----------
My gallery2 info:
Gallery version = 2.3 core 1.3.0
API = Core 7.54, module 3.9, theme 2.6, integration 1.5
PHP = 5.2.0-8+etch15 apache
Server = Apache/1.3.34
Database = mysqli 5.0.32-Debian_7etch10-log, lock.system=flock
Toolkits = ArchiveUpload, ImageMagick, NetPBM, Gd, Exif, LinkItemToolkit, jpegtran
Acceleration = full/86400, none/0
OS = Linux 2.6.18 #2 SMP Mon Jun 8 16:54:52 MSD 2009 i686
Default theme = carbon
gettext = on
Locale = ru_RU
Watermark module = 1.1.7
Posts: 16504
You're not describing your setup very well. Just how are these people accessing the full-sized original that's not watermarked? I think you have something mis-configured or don't understand exactly how Gallery works.
g2data should NOT be web accessible
Are you watermarking the full-size image?
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 10
Probably I described my question not very well, sorry.
I upload to the gallery and watermark already resized images. And this is not g2data web access issue, as I understand.
It's easier for me just to show the steps. Assume that by default all uploaded images are watermarked.
You go to any image page like your.gallery.domain/gallery2/main.php?g2_itemId=xxxxx . Remember xxxxx. Than get image URL usually by right click and open this URL, it will be something like your.gallery.domain/gallery2/main.php?g2_view=core.DownloadItem&g2_itemId=yyyyy&g2_serialNumber=z . You will see you watermarked image, that's ok. Now replace yyyyy with xxxxx and reload page.
In my case I get original, non-watermarked image.
What's wrong?
Posts: 16504
Not a bug, the watermark module does not touch the original, full-size image. Users shouldn't have access to the full-size image. If they didn't have access to the full-size image, they would get a security violation message if they tried that.
If you want them to have access to the full-size image, yet still have it watermarked then you need to do this.
Create another resized image that's the same size as the full-size image (yes this will take up more space on your server)
Remove "view original" permission for your users
Now they have access to the "full-size" image and it's always going to be watermarked because in Gallery's eyes it's a derivative and not the original, so the watermark module will modify that file and there is no way for them to access the un-watermarked, full-size original file.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 10
Yes, I know that gallery2 shows to users derivatives, not originals.
Probably I understood your idea not completely, but for the moment it doesn't work for me. I tried for one particular album. The full-sized images there have 800 pixels by longer side.
On the "Edit album" page, tab "Album" (I have page, tab and other parameters names in Russian, so the translation could be not precise, but hopefully correct) I set two active equal intermediate sizes, both 800x800.
On the "Change Permissions" page I had "view all versions" for group "All". If I remove "view original" there, I get "view element" and "view intermediate sizes". For this configuration in my case gallery shows to unregistered user:
a) only thumbnail-sized image instead of 800x800 (not clear for me why?)
b) my scheme to show original image described above (via g2_view=core.DownloadItem and g2_itemId from image page) still works.
I understand that probably I'm doing something wrong. Many thanks for your advices.
Posts: 16504
Can you either post or PM (click Write to author) me a URL to your site?
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 16504
On the link to the album you sent me remove the View Original Version(s) permission
[img]http://gallery.menalto.com/files/remove_View_original_version_01.gif[/img]
.
.
.
[img]http://gallery.menalto.com/files/remove_View_original_version_02.gif[/img]
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 10
Done. On the screenshot the translation is in red.
[img]http://gallery.menalto.com/files/g2_no_orig.gif[/img]
And now, as you can see, for unregistered users the images in this album are shown only in thumbnail size, 200 px in my case.
Posts: 16504
Ah, I get it now. I bet everything is working.
The problem is the Carbon theme. It appears to only display the first resized version. So you can't have multiple resized versions with the Carbon theme, at least as far as I can tell.
If this isn't the behavior you want, you're probably going to have to hack around in the watermark module for it to modify the orginal images. Remember, if you do that, you won't be able to ever remove the watermark. Or watermark your images prior to uploading... or use a different theme, or modify Carbon to look at resized versions.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 10
Ok, thanks, I understood. The Carbon theme has a problem with showing multiple resized versions. I will return to "view all sizes" permissions for that album.
I understand that all images could be watermarked before uploading to gallery. This is an option for me.
But the question remains for me with showing non-watermarked images via main.php?g2_view=core.DownloadItem&g2_itemId= with g2_itemId from image page. I still think that in g2_view=core.DownloadItem mode there is no permission check at all and it doesn't depend from theme used.
Posts: 16504
But there is a permission check. Gallery believes that the "View original version(s)" is that non-watermarked original. Which it is since the watermark plugin doesn't touch the original image. It creates another derivative that is passed as the full size image when the full size image is requested. However, if you request the original derivative directly, that's what you're going to get if you have permission to it.
I believe you're only options are (in order of difficulty)
1) Make the only resized image a 800x800 image, no other resized images should exist except for the thumbnail. Then modify the Carbon theme so the "full-size in new window" link actually just opens that current image in a new window. Then you can disallow people access to the full size image using Gallery's permissions.
That change should be pretty easy and really only take a few minutes, though I'd have to look at the code for the Carbon theme.
2) Modify the watermark module to destroy the original image, replacing it with a watermarked version
3) Modify the watermark module in how it ties into Gallery for those image requests. Don't know if this is possible.
4) Modify the core code of Gallery to do what you want.
You could also request a feature change, but it's likely to never happen since development on G2 has stopped and the devs are working on G3.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 10
Thanks. I agree with options you suggested. I will try this weekend to look to the Carbon theme code, first option looks for me as most correct. If you will find the peace of code to change, please let me know.
Posts: 16504
Taking a quick look. It appears you'll need to edit /themes/carbon/templates/navigator.tpl
http://codex.gallery2.org/Gallery2:Editing_Templates
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here
Posts: 10
I will look there, many thanks. Will post the results if any.
Posts: 32
I understand what he is asking.....is it possible that the g2data folder is not secure outside of his G2 directory? If it is inside of the G2 directory, then the original images would be accessible.
Jim Helsel
Director
ImageSport NZ
Posts: 4342
IMO there is an issue that the developers missed (or didn't consider significant) - I posted a patch for it here.
http://gallery.menalto.com/node/87322
Posts: 10
This is exactly the problem I was writing about.
Many thanks to alecmyers for the patch posted. It works perfectly. The only thing is the path to DownloadItem.inc . At least for my G2 installation it's "modules/core" and not "modules/core/classes" as written in the patch description.
Posts: 27300
If I recall it had something to do with print services. The original still had to be available and the workaround as you describe as well as the codex page for the watermark module, suggests you make a re-size of 100%.
Thanks for the code workaround alecmyers, I have not seen that post before.
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 4342
Yes - my patch will break things if you're using a print service with the 'cart' module (well, it won't actually break, you'll just get prints with the watermark on them). It could be adapted to work though.