Member
Blue Dragonfly   2010-04-22, 03:53
#1

After disabling the full image view, I refreshed the URL of the full view of a gallery image. The image was still served. For security reasons, shouldn't a 404 error or access denied message be displayed when a user requests the full view of an image, when the full view option is disabled?

Administrator
acrylian   2010-04-22, 08:01
#2

You mean the full size image? That is normally displayed directly unless you set protection for it. Then it is displayed via a page. Sure that the browser cache is not playing tricks on you?

Member
Blue Dragonfly   2010-04-22, 17:11
#3

I did have the full image display set to "No Access", and refreshing the page still displayed the image. I don't think this was a cache issue, but I'll check again. It sounds like these results surprised you, which tells me this is unexpected behavior, so I'll make sure the problem really isn't something like that and report back.

Member
Blue Dragonfly   2010-04-22, 17:34
#4

I cleared the cache and confirmed this seems to be an issue. I have full image access set to "No Access", which correctly causes the normal view for an image to link to itself, not to the full view. But loading the URL of what had been the full view before I disabled it, still shows the full image.

I do not have the full view cache option enabled, and the album folder is not web-accessible, so I'm not mistaking this for the direct image URL of the image in the album folder.

I'll create a ticket, but wanted to be sure this was indeed the case first.

Member
sbillard   2010-04-22, 17:40
#5

What are you refreshing? The page with the link to the protected image or the protected image itself?

Member
zenPhotoCharles   2010-04-22, 17:50
#6

If the location of your album is either "std" or "in_webpath" (the album folder class in zp-data > zp-config.php) then this is standard behavior, as by typing the full image path you are bypassing zenphoto.

You need to have your album outside the webpath ("external") for zenphoto to give you the protection you want.

Member
Blue Dragonfly   2010-04-22, 18:10
#7

@sbillard - I refreshed the page showing the full image - full_image.php. When the option is set to "No access", the normal image page does not link to the full image, as expected.

@zenPhotoCharles - my album is indeed outside the web path, so this isn't a case of bypassing.

I found that no comparison check for "No access" seems to be made in full_image.php - I created a ticket: http://www.zenphoto.org/trac/ticket/1483

Member
sbillard   2010-04-22, 18:40
#8

There currently is no check in that script for this situation. Probably there should be.

Member
Blue Dragonfly   2010-04-22, 18:45
#9

I don't know that I'd call it an outright "security" issue, but I do think that the "no access" option implies that the full image will not be viewable to users. For photographers who sell prints and don't want full-sized images available for download, this could be a big issue. Of course, they could simply put already-cropped images in the album, but they might not see this as necessary because of the no-access feature.

I did put a few lines of code in that ticket to handle this scenario.
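The missing check that posts #7 and #8 describe, sketched as an added example: this is not Zenphoto's code and not the patch attached to the ticket. The option name `protect_full_image`, the value `'No access'`, and the helpers `getOption()` and `zp_loggedin()` are assumed stand-ins for the real setting and functions; the point is that the guard runs before any file is read and fails closed on unknown values.

```php
<?php
// Added example, not Zenphoto's own code: a deny-by-default guard for a script
// such as full_image.php that serves the full-size original from an album
// folder kept outside the web path.
// ASSUMED: option name 'protect_full_image', its value 'No access', and the
// helpers getOption() / zp_loggedin() stand in for the real implementation.

/**
 * Decide whether the requester may receive the full-size image.
 * Returns true only for an explicitly permitting option value or an
 * authenticated admin; every other state, including an unexpected or
 * empty option value, is denied.
 */
function fullImageAccessAllowed($protectOption, $isAdmin) {
    if ($isAdmin) {
        return true; // the site owner keeps access to the originals
    }
    switch ($protectOption) {
        case 'Unprotected':     // assumed permitting values
        case 'Protected view':
        case 'Download':
            return true;
        case 'No access':
        default:
            return false;       // unknown values fail closed
    }
}

// Guard placed before the image is located, opened or streamed, so a
// direct request to full_image.php cannot bypass the "No access" setting.
$protect = getOption('protect_full_image');            // assumed helper
$isAdmin = zp_loggedin(ADMIN_RIGHTS);                  // assumed helper
if (!fullImageAccessAllowed($protect, $isAdmin)) {
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    header('Cache-Control: no-store');                 // keep the denial uncached
    exit('Access to the full-size image is disabled.');
}
// ... the existing code that resolves and serves the image follows here
```

Sending `Cache-Control: no-store` with the denial also removes the browser-cache ambiguity raised in post #2 when re-testing after the option is changed.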
