Permission problem with Popular Tags

bfgb

Joined: 2009-11-15
Posts: 7
Posted: Sun, 2009-11-15 11:10

In the Popular Tags, tags from photos are considered regardless of whether or not the user has the permission to see the respective albums. Thus, supposing that you have public and private albums, a lot of private information is made publicly available.

floridave

Joined: 2003-12-22
Posts: 17376
Posted: Sun, 2009-11-15 16:34

Known issue. The user can't see the item so that security is respected.
A bug was submitted:
http://sourceforge.net/apps/trac/gallery/ticket/457

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

bfgb

Joined: 2009-11-15
Posts: 7
Posted: Sun, 2009-11-15 17:22

Thank you for the fast reply, floridave. I see that this defect got the status 'wontfix', but I don't agree with the line of reasoning. For private groups you might have, for example, tags for living persons such as members of your family or friends. You normally don't want to find such tags on a public webpage, where they might be accessible even to search engines. Thus, in my opinion it is not sufficient that access to the photos themselves is denied. As long as this problem is not fixed, it would be useful to have at least the option to suppress the Popular Tags for certain groups.

floridave

Joined: 2003-12-22
Posts: 17376
Posted: Sun, 2009-11-15 17:37

I created the ticket so I understand your position.
Please add your comment to the ticket.
I think it will be up to the community to change the behavior as it is a significant performance hit and code change to check permissions on each tag.
I plead the case and perhaps you can convince the developers to change their mind.

Quote:
As long as this problem is not fixed, it would be useful to have at least the option to suppress the Popular Tags for certain groups.

I think that could be done with the theme. Just don't show the tags for the guest user. Checking each tag would be more cumbersome.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

floridave

Joined: 2003-12-22
Posts: 17376
Posted: Sun, 2009-11-15 18:09

Here is a method to not show the cloud to guests:
<? if ($user->display_name() != "Guest User"):?>
At start of the <ul> (modules/tags/views/tagcloud.html.php)
then:
<? endif ?>
at the end of the </ul>

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

bfgb

Joined: 2009-11-15
Posts: 7
Posted: Mon, 2009-11-16 23:10
floridave wrote:
I created the ticket so I understand your position.
Please add your comment to the ticket.
I think it will be up to the community to change the behavior as it is a significant performance hit and code change to check permissions on each tag.
I plead the case and perhaps you can convince the developers to change their mind.

Quote:
As long as this problem is not fixed, it would be useful to have at least the option to suppress the Popular Tags for certain groups.

I think that could be done with the theme. Just don't show the tags for the guest user. Checking each tag would be more cumbersome.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

Not to show the Popular Tags to guest users (as you suggested in your next mail) seems to be a good suggestion, fixing the problem for the moment (this means for version 3.0). That way it is avoided that inexperienced users unintentionally reveal private information to the general public, and possibly also to search engines. It is not a completely satisfactory solution, though, because registered users may be quite inhomogeneous (for example close family members versus casual acquaintances). Even if privacy is not an issue, it is irritating for visitors of a web site if links are not working. But this is exactly what happens if people click on tags associated with photos to which they have no access. Supposing that you have 10000 private family pictures and 1000 pictures for your friends on your site, your friends might have difficulty finding the tags that are relevant for them. This makes a bad impression, in my opinion. Thus, I strongly plead in favour of a group-specific solution for the Popular Tags in version 3.x.

I didn’t look at the code of Gallery yet (and perhaps I wouldn’t understand it sufficiently). But from what I learnt by reading the forum discussions, a general solution might be as follows: There are separate tag clouds for each group, which are created/updated not instantaneously, but only on certain occasions (for example, when somebody from a specific group logs in and the respective cloud turns out to be outdated, e.g. older than 10 minutes). Alternatively (or additionally), the refresh of the clouds could be triggered manually by the admin. I can’t imagine that such a solution would cost an unreasonable amount of computation time.

This is great software, by the way (I learnt about it just a week ago).

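The per-group tag cloud proposed in the post above, sketched as an added example (not Gallery's code and not written by anyone in this thread). The array layout, group names and function names are hypothetical, the sample data is constructed, and the 600-second lifetime mirrors the 10 minutes mentioned in the post.

```php
<?php
// Constructed sample data; the layout is hypothetical, not Gallery's schema.
$albumGroups = [            // album id => groups allowed to view it
    1 => ['everybody', 'friends', 'family'],
    2 => ['friends', 'family'],
    3 => ['family'],
];
$photos = [                 // each photo: its album and its tags
    ['album' => 1, 'tags' => ['beach', 'sunset']],
    ['album' => 2, 'tags' => ['beach', 'barbecue']],
    ['album' => 3, 'tags' => ['grandma', 'beach']],
    ['album' => 3, 'tags' => ['grandma']],
];

// Count only the tags on photos whose album the group may view.
function build_cloud(string $group, array $photos, array $albumGroups): array {
    $counts = [];
    foreach ($photos as $photo) {
        if (!in_array($group, $albumGroups[$photo['album']] ?? [], true)) {
            continue;       // unknown album or no view permission: fail closed
        }
        foreach ($photo['tags'] as $tag) {
            $counts[$tag] = ($counts[$tag] ?? 0) + 1;
        }
    }
    arsort($counts);        // most frequent tags first
    return $counts;
}

// Per-group cache: rebuild only when the stored cloud is older than $ttl seconds.
function cached_cloud(string $group, array &$cache, array $photos,
                      array $albumGroups, int $now, int $ttl = 600): array {
    if (!isset($cache[$group]) || $now - $cache[$group]['built'] > $ttl) {
        $cache[$group] = ['built' => $now,
                          'cloud' => build_cloud($group, $photos, $albumGroups)];
    }
    return $cache[$group]['cloud'];
}

$cache = [];
$now = time();
foreach (['everybody', 'friends', 'family'] as $group) {
    echo $group, ': ',
         json_encode(cached_cloud($group, $cache, $photos, $albumGroups, $now)), "\n";
}
```

With a time-based cache, tags from an album that has just been made private stay in the affected group's cloud until the next rebuild, so a permission change should also invalidate the cached clouds.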
floridave

Joined: 2003-12-22
Posts: 17376
Posted: Tue, 2009-11-17 04:59
Quote:
It is not a completely satisfactory solution, though, because registered users may be quite inhomogeneous (for example close family members versus casual acquaintances). Even if privacy is not an issue, it is irritating for visitors of a web site if links are not working. But this is exactly what happens if people click on tags associated with photos to which they have no access.

I know! You are preaching to the choir. :-)

Quote:
Thus, I strongly plead in favour of a group-specific solution for the Popular Tags in version 3.x.

Did you plead your case on the ticket? Please find a developer that is willing to implement this feature for you.
The only method I could think of is a simple view modification to check if guests can view the tags or not.

The current developers have decided that, at this time in development, this is not high on the priority list to implement. Plead your case and they might change their minds.

The community can create a new module to use the existing code and check permissions on each tag to see if it can be displayed. It is a performance issue. Checking permissions on each item was a big mistake in G2 and caused code complexity, bloat, performance, upgrade, support and other issues.

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team

floridave

Joined: 2003-12-22
Posts: 17376
Posted: Sun, 2009-11-29 20:35

Yet another ticket created: https://sourceforge.net/apps/trac/gallery/ticket/927

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
