Denying "View" to "Everybody" prevents registered users from seeing thumbnails/images
Lord Beowulf
Joined: 2010-03-31
Posts: 56
I mentioned this in a post over on the Gallery 3.x page, but as I'm continuing to see the problem, I figured it was better suited here. I'm trying to create a gallery that only known registered users can see. Thus, I go to the gallery permissions page and turn off the permissions for the Everybody group, leaving them on for the Registered Users group. The result is that the galleries show up, but the thumbnails and resized images appear as broken links. If I log out, the entire gallery disappears as it should, and if it's the top level gallery I get the "Oops" message with a request to log in.
Unfortunately, I'm having a heck of a time trying to figure out exactly how to reproduce the problem, as toggling permissions on and off seems to restore the thumbnails, at least for a while. Coupled to that, I can't really post a URL of the gallery that's private to let anyone see how it's not working when made private!
There is definitely some sort of interaction with permissions and URLs, as I get different behavior between accessing "www.website.com/gallery3" and the subdomain of "photos.website.com" that points to the same folder. Right now I can't get it to even let me log in to the latter. It just stays stuck at the login prompt with the button "pressed" after entering username and password. I've seen this behavior previously as well, but never associated it with a path vs. subdomain problem.
And while I'm on the subject of logins (I know, start a new thread!), it appears that every page in the gallery is treated as a different website. Thus, Internet Explorer's "remember passwords" feature doesn't work most of the time because each new gallery, etc. where you try to log in requires you to enter username and password once and tell IE to remember before it will work. And of course the re-authenticate doesn't use autofill passwords at all.
At any rate, if anyone has some good idea as to what's going on or ways to resolve it, I'd be much obliged!
Thanks,
Beo
Posts: 27300
@saved passwords: http://sourceforge.net/apps/trac/gallery/ticket/878
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 56
Here's the error log that I'm assuming is being created when I try logging into my "photos.website.com" page.
Beo
<?php defined('SYSPATH') or die('No direct script access.'); ?>
2010-07-02 08:02:18 -06:00 --- error: Kohana_Exception [ 403 ]: @todo FORBIDDEN
/home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php [ 194 ]
#0 /home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php(395): access_Core::forbidden()
#1 /home2/foegelle/public_html/gallery3/modules/gallery/controllers/login.php(29): access_Core::verify_csrf()
#2 [internal function]: Login_Controller->auth_ajax()
#3 /home2/foegelle/public_html/gallery3/system/core/Kohana.php(331): ReflectionMethod->invokeArgs(Object(Login_Controller), Array)
#4 /home2/foegelle/public_html/gallery3/system/core/Event.php(208): Kohana_Core::instance(NULL)
#5 /home2/foegelle/public_html/gallery3/application/Bootstrap.php(67): Event_Core::run(Array, Array)
#6 /home2/foegelle/public_html/gallery3/index.php(94): require('/home2/foegelle...')
#7 {main}
2010-07-02 08:02:18 -06:00 --- error: Missing messages entry kohana/core.errors.403 for message kohana/core
2010-07-02 08:13:17 -06:00 --- error: Kohana_Exception [ 403 ]: @todo FORBIDDEN
/home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php [ 194 ]
#0 /home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php(395): access_Core::forbidden()
#1 /home2/foegelle/public_html/gallery3/modules/gallery/controllers/login.php(29): access_Core::verify_csrf()
#2 [internal function]: Login_Controller->auth_ajax()
#3 /home2/foegelle/public_html/gallery3/system/core/Kohana.php(331): ReflectionMethod->invokeArgs(Object(Login_Controller), Array)
#4 /home2/foegelle/public_html/gallery3/system/core/Event.php(208): Kohana_Core::instance(NULL)
#5 /home2/foegelle/public_html/gallery3/application/Bootstrap.php(67): Event_Core::run(Array, Array)
#6 /home2/foegelle/public_html/gallery3/index.php(94): require('/home2/foegelle...')
#7 {main}
2010-07-02 08:13:17 -06:00 --- error: Missing messages entry kohana/core.errors.403 for message kohana/core
2010-07-02 08:14:47 -06:00 --- error: Kohana_404_Exception [ 43 ]: The page you requested, Michael-s-Photos, could not be found.
/home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php [ 123 ]
#0 /home2/foegelle/public_html/gallery3/modules/gallery/controllers/albums.php(32): access_Core::required('view', Object(Item_Model))
#1 [internal function]: Albums_Controller->show(Object(Item_Model))
#2 /home2/foegelle/public_html/gallery3/system/core/Kohana.php(331): ReflectionMethod->invokeArgs(Object(Albums_Controller), Array)
#3 /home2/foegelle/public_html/gallery3/system/core/Event.php(208): Kohana_Core::instance(NULL)
#4 /home2/foegelle/public_html/gallery3/application/Bootstrap.php(67): Event_Core::run(Array, Array)
#5 /home2/foegelle/public_html/gallery3/index.php(94): require('/home2/foegelle...')
#6 {main}
2010-07-02 08:14:56 -06:00 --- error: Kohana_Exception [ 403 ]: @todo FORBIDDEN
/home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php [ 194 ]
#0 /home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php(395): access_Core::forbidden()
#1 /home2/foegelle/public_html/gallery3/modules/gallery/controllers/login.php(48): access_Core::verify_csrf()
#2 [internal function]: Login_Controller->auth_html()
#3 /home2/foegelle/public_html/gallery3/system/core/Kohana.php(331): ReflectionMethod->invokeArgs(Object(Login_Controller), Array)
#4 /home2/foegelle/public_html/gallery3/system/core/Event.php(208): Kohana_Core::instance(NULL)
#5 /home2/foegelle/public_html/gallery3/application/Bootstrap.php(67): Event_Core::run(Array, Array)
#6 /home2/foegelle/public_html/gallery3/index.php(94): require('/home2/foegelle...')
#7 {main}
2010-07-02 08:14:56 -06:00 --- error: Missing messages entry kohana/core.errors.403 for message kohana/core
2010-07-02 08:15:25 -06:00 --- error: Kohana_404_Exception [ 43 ]: The page you requested, , could not be found.
/home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php [ 123 ]
#0 /home2/foegelle/public_html/gallery3/modules/gallery/controllers/albums.php(32): access_Core::required('view', Object(Item_Model))
#1 /home2/foegelle/public_html/gallery3/modules/gallery/controllers/albums.php(22): Albums_Controller->show(Object(Item_Model))
#2 [internal function]: Albums_Controller->index()
#3 /home2/foegelle/public_html/gallery3/system/core/Kohana.php(331): ReflectionMethod->invokeArgs(Object(Albums_Controller), Array)
#4 /home2/foegelle/public_html/gallery3/system/core/Event.php(208): Kohana_Core::instance(NULL)
#5 /home2/foegelle/public_html/gallery3/application/Bootstrap.php(67): Event_Core::run(Array, Array)
#6 /home2/foegelle/public_html/gallery3/index.php(94): require('/home2/foegelle...')
#7 {main}
2010-07-02 08:15:37 -06:00 --- error: Kohana_Exception [ 403 ]: @todo FORBIDDEN
/home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php [ 194 ]
#0 /home2/foegelle/public_html/gallery3/modules/gallery/helpers/access.php(395): access_Core::forbidden()
#1 /home2/foegelle/public_html/gallery3/modules/gallery/controllers/login.php(48): access_Core::verify_csrf()
#2 [internal function]: Login_Controller->auth_html()
#3 /home2/foegelle/public_html/gallery3/system/core/Kohana.php(331): ReflectionMethod->invokeArgs(Object(Login_Controller), Array)
#4 /home2/foegelle/public_html/gallery3/system/core/Event.php(208): Kohana_Core::instance(NULL)
#5 /home2/foegelle/public_html/gallery3/application/Bootstrap.php(67): Event_Core::run(Array, Array)
#6 /home2/foegelle/public_html/gallery3/index.php(94): require('/home2/foegelle...')
#7 {main}
2010-07-02 08:15:37 -06:00 --- error: Missing messages entry kohana/core.errors.403 for message kohana/core
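The log above mixes two different failures: 403s raised through `access_Core::verify_csrf()` on the login controller, and 404s raised through `access_Core::required('view', ...)` on the albums controller. The following triage script is an added example, not part of the original post or of Gallery; its sample log is constructed in the same format, with placeholder paths and album name and abridged traces.

```python
import re
from collections import Counter

# Constructed sample in the format of the log above (placeholder paths, abridged traces).
SAMPLE_LOG = """\
2010-07-02 08:02:18 -06:00 --- error: Kohana_Exception [ 403 ]: @todo FORBIDDEN
/srv/gallery3/modules/gallery/helpers/access.php [ 194 ]
#0 /srv/gallery3/modules/gallery/helpers/access.php(395): access_Core::forbidden()
#1 /srv/gallery3/modules/gallery/controllers/login.php(29): access_Core::verify_csrf()
#2 [internal function]: Login_Controller->auth_ajax()
2010-07-02 08:02:18 -06:00 --- error: Missing messages entry kohana/core.errors.403 for message kohana/core
2010-07-02 08:14:47 -06:00 --- error: Kohana_404_Exception [ 43 ]: The page you requested, Example-Album, could not be found.
/srv/gallery3/modules/gallery/helpers/access.php [ 123 ]
#0 /srv/gallery3/modules/gallery/controllers/albums.php(32): access_Core::required('view', Object(Item_Model))
#1 [internal function]: Albums_Controller->show(Object(Item_Model))
2010-07-02 08:14:56 -06:00 --- error: Kohana_Exception [ 403 ]: @todo FORBIDDEN
/srv/gallery3/modules/gallery/helpers/access.php [ 194 ]
#0 /srv/gallery3/modules/gallery/helpers/access.php(395): access_Core::forbidden()
#1 /srv/gallery3/modules/gallery/controllers/login.php(48): access_Core::verify_csrf()
#2 [internal function]: Login_Controller->auth_html()
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d\d:\d\d) --- (\w+): (.*)$")
FRAME = re.compile(r"^#\d+ (.*)$")
CONTROLLER = re.compile(r"(\w+_Controller->\w+)\(")

def parse_entries(text):
    """Split a Kohana log into entries: a header line plus the frames that follow it."""
    entries = []
    for line in text.splitlines():
        header, frame = HEADER.match(line), FRAME.match(line)
        if header:
            entries.append({"time": header.group(1), "message": header.group(3), "frames": []})
        elif frame and entries:
            entries[-1]["frames"].append(frame.group(1))
    return entries

def classify(entry):
    """Label an entry by the access helper in its trace and the controller method hit."""
    trace = "\n".join(entry["frames"])
    if "access_Core::verify_csrf()" in trace:
        kind = "csrf_rejected"      # request token did not match the session's token
    elif "access_Core::required('view'" in trace:
        kind = "view_denied"        # logged as a 404 exception, not a 403
    else:
        kind = "other"
    controller = CONTROLLER.search(trace)
    return kind, controller.group(1) if controller else None

def summarize(text):
    """Count (kind, controller method) pairs; header-only lines have no trace and are skipped."""
    return Counter(classify(e) for e in parse_entries(text) if e["frames"])
```

Calling `summarize()` on the contents of a log file gives one count per failure class and controller method, which separates login-token rejections from ordinary permission denials.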
Posts: 56
I went ahead and created another test album that has the same set of problems, although behavior is just slightly different in terms of the messages received. Still, this should give you evidence of what's happening. And wow, I might have just figured out what's happening, but now the question is, WHY?
The gallery at http://foegelle.net/test_gallery/ works, but http://test.foegelle.net/ doesn't. What I just discovered as I was posting this link is that http://www.foegelle.net/test_gallery/ doesn't work either. I'm not exactly sure why putting the base domain wasn't automatically translating to www, but this seems to point to the cause of the problem. The question now is, how do I fix it without reinstalling the entire gallery?
I've created a user name you can test with:
Username: testuser
Password: testuser1
Thanks,
Beo
Posts: 56
This actually keeps getting weirder. I managed to get the www link to fail but yet tell me I was admin and show me where the error was coming from! Same error as in the log, but amusing that it THINKS it logged me in, at least enough to know I'm an admin, although the login failed. The function call shown right before the failure seems to match the source of the problem. It's in the "cross site request forgery" code. Not sure what that's checking, but I guess I'll keep digging! Not much else to do on a rainy 4th of July weekend!
Beo
Dang... Something went wrong!
We tried really hard, but it's broken. Hey wait, you're an admin! We can tell you stuff.
Kohana_Exception [ kohana/core.errors.403 ]:
@todo FORBIDDEN
MODPATH/gallery/helpers/access.php[ 194 ]
189
190 /**
191 * Terminate immediately with an HTTP 403 Forbidden response.
192 */
193 static function forbidden() {
194 throw new Kohana_Exception("@todo FORBIDDEN", null, 403);
195 }
196
197 /**
198 * Internal method to set a permission
199 *
MODPATH/gallery/helpers/access.php[ 395 ] » access_Core::forbidden()
390 * Verify our Cross Site Request Forgery token is valid, else throw an exception.
391 */
392 static function verify_csrf() {
393 $input = Input::instance();
394 if ($input->post("csrf", $input->get("csrf", null)) !== Session::instance()->get("csrf")) {
395 self::forbidden();
396 }
397 }
398
399 /**
400 * Get the Cross Site Request Forgery token for this session.
MODPATH/gallery/controllers/login.php[ 48 ] » access_Core::verify_csrf()
43 $view->content = auth::get_login_form("login/auth_html");
44 print $view;
45 }
46
47 public function auth_html() {
48 access::verify_csrf();
49
50 list ($valid, $form) = $this->_auth("login/auth_html");
51 if ($valid) {
52 $continue_url = $form->continue_url->value;
53 url::redirect($continue_url ? $continue_url : item::root()->abs_url());
{PHP internal call} » Login_Controller->auth_html()
SYSPATH/core/Kohana.php[ 331 ] » ReflectionMethod->invokeArgs( arguments )
object
array(0)
args
array(0)
326
327 // Start the controller execution benchmark
328 Benchmark::start(SYSTEM_BENCHMARK.'_controller_execution');
329
330 // Execute the controller method
331 $method->invokeArgs($controller, $arguments);
332
333 // Controller method has been executed
334 Event::run('system.post_controller');
335
336 // Stop the controller execution benchmark
SYSPATH/core/Event.php[ 208 ] » Kohana_Core::instance( arguments )
0
NULL
203 Event::$data =& $data;
204 $callbacks = Event::get($name);
205
206 foreach ($callbacks as $callback)
207 {
208 call_user_func_array($callback, array(&$data));
209 }
210
211 // Do this to prevent data from getting 'stuck'
212 $clear_data = '';
213 Event::$data =& $clear_data;
APPPATH/Bootstrap.php[ 67 ] » Event_Core::run( arguments )
name
array(2) (
0 => string(6) "Kohana"
1 => string(8) "instance"
)
data
array(1) (
0 => NULL
)
62
63 // End system_initialization
64 Benchmark::stop(SYSTEM_BENCHMARK.'_system_initialization');
65
66 // Make the magic happen!
67 Event::run('system.execute');
DOCROOT/index.php[ 94 ] » require( arguments )
0
string(62) "/home2/foegelle/public_html/gallery3/application/Bootstrap.php"
89 if (file_exists("local.php")) {
90 include("local.php");
91 }
92
93 // Initialize.
94 require APPPATH . "Bootstrap" . EXT;
Environment
Included files(90)
Loaded extensions(65)
$_SESSION
session_id string(19) "removed for display"
total_hits integer 6
_kf_flash_ array(0)
user_agent string(206) "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB0.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; . …"
ip_address string(12) "72.179.35.70"
last_activity integer 1278128938
user string(61) "User_Model object for "Michael" - details omitted for display"
csrf string(19) "removed for display"
group_ids array(2) (
0 => string(1) "1"
1 => string(1) "2"
)
active_auth_timestamp integer 1278103724
$_POST
csrf string(19) "removed for display"
continue_url string(0) ""
name string(7) "Michael"
password string(19) "removed for display"
$_COOKIE
g3sid string(19) "removed for display"
__utma string(54) "17980462.1841819881.1276576209.1276576209.1277653367.2"
__utmz string(69) "17980462.1276576209.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
$_SERVER
CONTENT_LENGTH string(2) "90"
CONTENT_TYPE string(33) "application/x-www-form-urlencoded"
DOCUMENT_ROOT string(27) "/home2/foegelle/public_html"
GATEWAY_INTERFACE string(7) "CGI/1.1"
HTTP_ACCEPT string(254) "image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, applicat …"
HTTP_ACCEPT_ENCODING string(13) "gzip, deflate"
HTTP_ACCEPT_LANGUAGE string(5) "en-us"
HTTP_CACHE_CONTROL string(8) "no-cache"
HTTP_CONNECTION string(10) "Keep-Alive"
HTTP_COOKIE string(19) "removed for display"
HTTP_HOST string(16) "www.foegelle.net"
HTTP_REFERER string(43) "http://www.foegelle.net/gallery3/index.php/"
HTTP_USER_AGENT string(206) "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB0.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; . …"
PATH string(13) "/bin:/usr/bin"
PATH_INFO string(16) "/login/auth_html"
PATH_TRANSLATED string(46) "/home2/foegelle/public_html/gallery3/index.php"
QUERY_STRING string(0) ""
REDIRECT_STATUS string(3) "200"
REMOTE_ADDR string(12) "72.179.35.70"
REMOTE_PORT string(5) "60206"
REQUEST_METHOD string(4) "POST"
REQUEST_URI string(35) "/gallery3/index.php/login/auth_html"
SCRIPT_FILENAME string(46) "/home2/foegelle/public_html/gallery3/index.php"
SCRIPT_NAME string(19) "/gallery3/index.php"
SERVER_ADDR string(14) "74.220.215.247"
SERVER_ADMIN string(22) "webmaster@foegelle.net"
SERVER_NAME string(16) "www.foegelle.net"
SERVER_PORT string(2) "80"
SERVER_PROTOCOL string(8) "HTTP/1.1"
SERVER_SIGNATURE string(151) "<address>Apache/2.2.15 (CentOS) mod_ssl/2.2.15 0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635 Server at www.foegelle …"
SERVER_SOFTWARE string(96) "Apache/2.2.15 (CentOS) mod_ssl/2.2.15 0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635"
UNIQUE_ID string(24) "TC6zKkrc1-cAAFCCAjQAAAOT"
file_gzip string(20) "/ramdisk/cpud/status"
PHPRC string(50) "/home2/foegelle/public_html/:/etc/:/usr/local/lib/"
PHP_SELF string(35) "/gallery3/index.php/login/auth_html"
REQUEST_TIME integer 1278128938
argv array(0)
argc integer 0
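What the `verify_csrf()` check in the trace above compares, as an added Python model (not Gallery's PHP code and not part of the original post): the `csrf` value submitted with the form must equal the `csrf` value held in the server-side session that the request's `g3sid` cookie selects. `SessionStore`, `render_login_form` and `demo` are hypothetical names, token generation is assumed, and unlike the `!==` comparison in the trace this model uses a constant-time compare and rejects a missing token outright.

```python
import hmac
import secrets

class SessionStore:
    """Server-side sessions selected by the session cookie (g3sid in the dump above)."""
    def __init__(self):
        self._sessions = {}

    def load(self, cookies):
        """Return (sid, session); a missing or unknown cookie starts a fresh session."""
        sid = cookies.get("g3sid")
        if sid not in self._sessions:
            sid = secrets.token_hex(16)
            self._sessions[sid] = {}
        return sid, self._sessions[sid]

def render_login_form(store, cookies):
    """Store a token in the session and embed the same token in the form (assumed flow)."""
    sid, session = store.load(cookies)
    session.setdefault("csrf", secrets.token_hex(16))
    return {"g3sid": sid}, {"csrf": session["csrf"]}

def verify_csrf(store, cookies, post, get=None):
    """Modelled on the trace: POST csrf, else GET csrf, compared with the session's csrf."""
    _, session = store.load(cookies)
    submitted = post.get("csrf", (get or {}).get("csrf"))
    expected = session.get("csrf")
    if submitted is None or expected is None:
        return False            # no token on one side: reject
    return hmac.compare_digest(submitted, expected)

def demo():
    """Three requests carrying the same form token, each selecting a different session."""
    store = SessionStore()
    cookie, form = render_login_form(store, {})
    same_session = verify_csrf(store, cookie, form)        # cookie selects the issuing session
    no_cookie = verify_csrf(store, {}, form)               # no cookie: fresh session, no token
    other_cookie, _ = render_login_form(store, {})
    cross_session = verify_csrf(store, other_cookie, form) # token issued to another session
    return same_session, no_cookie, cross_session
```

Only the first request passes; in the other two the request does not select the session that issued the token, so the comparison fails and the model's equivalent of `forbidden()` would run.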