Member
ctdlg   2019-12-12, 18:16
#1

Hello,
There is a bug with unpublished albums and registered users: they can access pictures under certain circumstances (pictures are published within the hidden album):

  • with a dynamic album showing newest pictures
  • with the search function, if they type a matching word.

Administrator
acrylian   2019-12-12, 18:38
#2

That would happen if you have allowed unpublished results on creating the dynamic album.

There is currently no interface to modify all settings afterwards but it's just a text field within the /albums folder. Open it via FTP and it should look like this (parameters may vary):

WORDS=yoursearchterm
THUMB=1
FIELDS=tags
CONSTRAINTS=inalbums=1&inimages=1&unpublished=0

If you have unpublished=1 set it to 0. A bug with that setting not being set correctly on dynamic album creation was fixed in 1.5.5 and of course does not re-apply itself to albums created earlier.

Also if your registered users have "View unpublished" rights they would see them.
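The check described in the reply above can be run over a local copy of the albums folder. This is an added example, not part of the original thread and not Zenphoto code: it parses the KEY=value layout shown above and reports every dynamic album whose CONSTRAINTS line does not carry unpublished=0. The `.alb` suffix, the function names and the sample files are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

def parse_dynamic_album(text):
    """Parse the KEY=value lines of a dynamic album file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields

def unpublished_status(text):
    """Classify the unpublished parameter inside the CONSTRAINTS line."""
    constraints = parse_dynamic_album(text).get("CONSTRAINTS", "")
    values = parse_qs(constraints, keep_blank_values=True).get("unpublished")
    if not values:
        return "unset"      # parameter absent: review this album by hand
    if all(v == "0" for v in values):
        return "ok"
    return "not-zero"       # unpublished=1 or any other value: set it to 0

def audit_albums(root, suffix=".alb"):
    """Return {relative path: status} for albums that are not 'ok' (suffix is an assumption)."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*" + suffix)):
        status = unpublished_status(path.read_text(encoding="utf-8", errors="replace"))
        if status != "ok":
            findings[path.relative_to(root).as_posix()] = status
    return findings

def demo():
    base = "WORDS=yoursearchterm\nTHUMB=1\nFIELDS=tags\nCONSTRAINTS=inalbums=1&inimages=1"
    samples = {  # constructed sample files, not taken from a real site
        "newest.alb": base + "&unpublished=0\n",
        "family/old.alb": base + "&unpublished=1\n",
        "legacy.alb": base + "\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_albums(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `audit_albums()` at the downloaded albums folder; an empty result means every dynamic album found already has unpublished=0.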

Member
ctdlg   2019-12-14, 15:22
#3

Thanks acrylian.

I checked all my dynamic albums.
All of them show unpublished=0

My registered users do not have access to unpublished items.

Problem is with search function: it shows unpublished items to registered users. Not to other users.

Administrator
acrylian   2019-12-14, 15:35
#4

Did you clear the search cache or have it disabled? Please try that before I try to reproduce this.

Also please tell the exact rights these users have. They might have some type of rights that includes viewing unpublished items. That would be the case if they have admin rights or management rights to the items in question.

Member
ctdlg   2019-12-14, 21:20
#5

Search cache is disabled (parameter set to 0). I did clear the search cache: same problem.

Registered user parameter :
Actualités : accès intégral
Albums : accès intégral
Galerie : Voir la galerie & Voir la recherche
General : Nothing
Pages : accès intégral
Albums gérés : nothing
Pages gérées : nothing
Catégories gérées : nothing

I use Chrome and my user account to check what my users can see.
I use Firefox and my admin account to set parameters and manage my site...

Administrator
acrylian   2019-12-14, 22:20
#6

Ok, I will try to reproduce that. Generally anyone can access unpublished items by direct link unless they are password protected. But they should not be listed by search or elsewhere.

Please next time switch the site to the native English when posting something as that makes it a bit easier for me even if I roughly can understand it ;-) Thanks!

Member
ctdlg   2019-12-15, 07:02
#7

Yes, I will - easy language switch in general options page.

Same problem with unpublished AND password protected album.

Administrator
acrylian   2019-12-15, 10:31
#8

Hm, this is really weird because when we fixed the bug that search returned those elements in 1.5.5 we tested this all in and out.

Btw, for password protected albums or other items they would be generally listed unless unpublished.

I will try to reproduce this.

Administrator
acrylian   2019-12-15, 13:37
#9

I made some tests. Besides that, I indeed found a bug regarding returning unpublished items. The fix is in the support build.

However it is correct in your case. Your user should not have "Access all right" to not see these. I had to look myself as our rights system is a bit of a mess and a bit counterintuitive in the code. But this behaviour is actually documented:

Access all: Access all albums without a password. Without this right, a user can access only public ones and those checked in his managed object lists. (front and back end)

https://www.zenphoto.org/news/an-overview-of-zenphoto-users/

Member
ctdlg   2019-12-15, 17:09
#10

Thank you very much for the bug fix. I will download and install support build tomorrow.

Access all: Access all albums without a password, this is what I understood before!

Member
ctdlg   2019-12-16, 18:57
#11

With your 1.57b support build: same problem.
Inside an unpublished album, pictures and subalbums are published and not hidden.

If a registered user (see below) searches for a word contained in a title of a picture (inside this hidden album), he will find it.

User rights: [image: User rights]

Administrator
acrylian   2019-12-16, 19:34
#12

As discussed above you need to disable "All access" rights if you don't want this. "Access" here means he can see them as they are listed on the gallery and in search results.

Anyone can "access" an unpublished item by direct link, even if password protected (on the latter a visitor cannot see the actual content).

Member
ctdlg   2019-12-16, 21:30
#13

If I disable "All access rights" then a registered user cannot access all protected albums as I use different logins to protect these albums.
Because, doing so, I can give a specific album login to someone: he (she) will not be able to enter other protected albums. This is very useful.

To sum up: hidden albums mean

  • nobody (except admins) can see them
  • registered users can search inside those hidden albums, visitors cannot.

I will manage my registered users differently.

Administrator
acrylian   2019-12-16, 22:57
#14

Perhaps you could try to define managed albums for these users but only with view rights and no edit rights. Then you should not need separate logins for albums. However that only works for top level including all sub levels.

Btw, we don't have/use the term "hidden albums", they are "unpublished albums".

Member
ctdlg   2019-12-18, 07:58
#15

Thank you very much (again!) acrylian.
2 days to fully understand all you explained and what I should have done.

I followed your help: now, I'm using 3 Zenphoto accounts:

  • admin
  • family - members can see all albums
  • friends - members can see all albums except family albums

And of course simple visitors who can see all unprotected and published albums.

Friends cannot search anymore inside family albums
(this album is unpublished, protected, located at the root of "albums" folder).

Zenphoto?
Waouh! (in French)

  