The only things I modified in the theme were hiding the comments and titles, and changing the sizes of the thumbnails, so I'm not sure how it would have affected anything else... I know it's still using the same function for random images - I didn't change that at all. But I'll check the error log and see if I can find out anything.
OK, checked the error log and there was nothing that looked remotely relevant in it. Just a few missing favicon.ico messages and that sort of thing. Plus two occurences of "File is not a JPEG file" from the massedit page, which I think was caused by a couple of images that had spaces after their names (fixed now). Also, just to clarify, it wasn't a total blank page it was showing (like the kind you'd get with a fatal error), but a page with the breadcrumb trail, title, footer, etc. but no actual content. Anyway, there don't appear to be any PHP errors happening.
Also, I checked the code of the index page and it is not assigning the password_protected class to the thumbnail for that gallery at all. And I haven't changed the CSS in any way.
Just to verify whether or not it was a theme issue, I switched back the default theme. This did result in the password prompt showing up - but the image thumbnail for the protected gallery still appeared in the main listing, and did not have the password_protected class. I tried a couple of other themes with basically the same result, and when I found one that included the random image block, it still showed images from the protected gallery among the random ones.
So those two problems are not theme-specific - none of the themes I tried (including default!) gives protected albums' thumbnail that class, or excluded protected images from the random image block if they had one.
Then, just to see if the problem with the password prompt not appearing was due to anything I did or not, I uploaded an unmodified version of Thinkdreams - and it doesn't show the password prompt either. So apparently that problem is in the Thinkdreams theme itself, not in any of my changes. Which sucks because it's the only theme that looks relatively similar to what the photographer I'm doing this site for wants. :-(
Any ideas how the password prompt could be restored to Thinkdreams? I'm not afraid of editing code...
For direct access image URL, is it possible to handle some security check in i.php? I can copy the image location in browser and paste it to open the image in another browser.
seem all image request should go through this php. I found this php will redirect the request to the location of physical path, it is quite easy to guest other protected album image path. Perhaps there could be an option in admin page for turn on i.php to read and output the image rather than redirect it, for someone who may sacrifice performance for better security.
When you directly access the image (.../albums/album_name/image.jpg) you are not going through any scripts, so zenphoto can do nothing about it. You can prevent this by putting security on the albums folder in your .htaccess file or by moving your albums folder outside of the web paths or, less secure, but far easier to do, change the name of your albums folder to something harder to guess.
Has protection for direct access to images been added since your post, sbillard? I was having a look at Zenphoto around a year ago, and then it was possible to have direct access just like you describe. But when I installed the latest version today, it seems like /albums/album_name/image.jpg doesn't not work if the image is in a protected album.
Is that thanks to mod_rewrite and the image suffix?
I noticed also that if user searches with e.g. name of protected album all thumbnails of the images are shown. One cannot access individual image though with out login in. But if the slideshow plugin is istalled you can view full screen slide show of the all protected images in the search results.
I had to add a search password and remove the slideshow plugin to prevent this. I have most images as public put I have one personal album with subalbums which contain images of my family and friends which I don't want to be accessible by anyone one the web.
It seems I have to tune the ZenPage theme and the slideshow to prevent this.
