Hello,
I have a question on the way to protect albums from being seen.
I want to have some kind of client area on my site. Clients should be able to log in and see their pictures. They should not be able to edit the album and no one else should be able to see their pictures.
Of course I set all albums for clients to not be published, but they still can be opened by directly calling the respective url. I want to prevent this if possible.
I tried two ways of protecting the images. First via album passwords and guest users. That did not work for me as the "user_login-out"-plugin doesn't allow for a login for guest users and I did not find a way to bring zenphoto to display the login dialog besides direct input of the url.
I also tried setting clients as admin users (I would actually prefer this method for ease of managing clients). Now the front end login works beautifully. However admin users even without any rights can open every album if they know the url - did I get that right? That's why I tried checking with isMyAlbum. However I could only get that to work correctly by assigning albums to users with album right and allowing them to edit the respective album. If I uncheck the edit checkbox it won't work anymore.
Is there an easy solution to this that I overlooked? One thing that came to my mind was my own SQL query to check admin_to_object against the current album id because this seems to associate the right users even when they are not allowed to edit an album. But maybe there is a function I overlooked?
Thanks for your help and sorry if this was already answered before, my search yielded no results that would have solved the issue.
Comments
```php
$my_album = false; // default: deny unless the album is in the user's managed list
if (zp_loggedin()) {
	$my_albums = getManagedAlbumList();
	foreach ($my_albums as $album_name) {
		if ($album_name == $_zp_current_album->name) {
			$my_album = true;
			break;
		}
	}
}
```
As far as I was able to judge this is not very different (if less complex) than what isMyAlbum does - but for some reason it didn't work for me with isMyAlbum.
`if (isMyAlbum($_zp_current_album->name, ALBUM_RIGHTS)) { .... }`
Also note that the images within the cache and the root albums folder are not protected themselves. You have to use a .htaccess if you want the full protection. See http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#39 for some info.
I didn't put it in the album loop but the image loop (on album.php). Is this a problem though? `$_zp_current_album` is still set?
It worked like intended with isMyAlbum() when I gave users the right to edit albums but not when I set the album to managed but without rights to edit.
Thanks also for the reminder on the image protection.
The isMyAlbum() function of course refers to the user account assigned to this album. So probably your code from above is best fitting for your purpose (I have not tried it that way).
To clarify: "However admin users even without any rights can open every album if they know the url - did I get that right?"
Actually not if albums are assigned to specific users and those users don't have "view all" rights:
"View all rights: Allows the user to view all albums, pages, and news articles. Without this right, the user can view only public ones and those checked in his managed object lists."
(from: http://www.zenphoto.org/2008/07/an-overview-of-zenphoto-users/)
Sbillard surely will respond later as well.
Guest users will always be presented a login form when they visit a page for which a password is required and they have not already logged in. No need for some other "form", but of course if the gallery is protected, then the login form will be the first thing they see.
`isMyAlbum()` will return a "true" value if the user is allowed to view the album based on the rights you have assigned him. Note particularly that "unprotected" albums are "public" so anyone can view them.
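
Added example (not part of the thread and not Zenphoto's own code): a deny-by-default version of the managed-album check discussed above, extended to subalbums. It assumes album names are folder paths separated by "/" and that albums below a managed album should be visible too; `album_is_managed()` is a hypothetical helper name.

```php
<?php
// Added example, not Zenphoto code. Assumption: album names are folder
// paths such as "clients/smith/wedding", and a managed album also covers
// the albums below it.

/**
 * True when $album is one of the managed albums or lies below one.
 * The comparison is done per path segment, so managing "clients/smith"
 * does not grant access to "clients/smithson".
 */
function album_is_managed(string $album, array $managed): bool {
	$wanted = explode('/', trim($album, '/'));
	foreach ($managed as $entry) {
		$owned = explode('/', trim($entry, '/'));
		if ($owned === [''] || count($owned) > count($wanted)) {
			continue; // empty entry, or entry is deeper than the requested album
		}
		if (array_slice($wanted, 0, count($owned)) === $owned) {
			return true;
		}
	}
	return false; // nothing matched: deny
}

// Constructed sample data: one client account and the album ticked for it.
$managed = ['clients/smith'];
$requests = ['clients/smith', 'clients/smith/wedding', 'clients/smithson', 'clients'];
foreach ($requests as $album) {
	printf("%-24s %s\n", $album, album_is_managed($album, $managed) ? 'allow' : 'deny');
}

// At the top of album.php, before any output, the inputs would come from
// the calls used in this thread:
//   $allowed = zp_loggedin()
//       && album_is_managed($_zp_current_album->name, getManagedAlbumList());
//   if (!$allowed) { header('HTTP/1.0 403 Forbidden'); exit(); }
```

This only gates the theme page; as noted earlier in the thread, files in the cache and albums folders still need their own protection.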