
NextGEN Gallery
How to prevent public access to galleries? (9 posts)

  1. qwertysimo
    Member
    Posted 1 year ago #

    Hi,

    When using the basically out-of-the-box plugin configuration, I believed that if I put an album into my password-protected post, this album (and its galleries) would be protected somehow. Wrong.

    It is enough to open some other public post containing an album, copy the URL of a gallery thumbnail, paste it into the browser address bar, modify the gallery ID parameter in the URL, and you can access any existing gallery.

    (According to feature request, password protection was not author's focus in mid 2010. Did anything change?)

    Is there a way to configure NextGEN Gallery to prevent "public" access to all galleries?

    I see there is an option "Activate permalinks", but I cannot find any usable setup guide.

    Is it somehow possible to change URLs from using numeric gallery IDs like
    http://example.com/protected-post-name/?album=1&gallery=10
    to URLs with custom gallery IDs instead, like
    http://example.com/protected-post-name/?album=1&gallery=20130608_gallery_name

    It would be much harder to guess a gallery name than to edit a numeric gallery ID in the URL. In fact, you could read a custom gallery name only inside a password-protected post.

    Any hint/advice appreciated. Thanks a lot.

    http://wordpress.org/extend/plugins/nextgen-gallery/

  2. qwertysimo
    Member
    Posted 1 year ago #

    I found this post about setting up the "activate permalinks" option in NGG. It works nicely. When I hover over an album thumbnail, instead of a URL showing "/?album=aID&gallery=gID", the browser shows a URL in the form "/album-name/gallery-name".

    Great, but useless!

    If you open any public post (on your site) containing an NGG album, you can edit the URL in the address bar and include "/?album=aID&gallery=gID" to access all existing galleries.

    Can someone help to disable showing a gallery when a properly formatted URL is used?

  3. qwertysimo
    Member
    Posted 1 year ago #

    I am surprised I do not see any replies. Maybe I did not write it clearly enough, sorry for my English. Another try:

    Question from plug-in FAQ: Can I password protect galleries?
    My answer: No way! Do not waste your time trying that.

    I apologize to the plug-in author if I am wrong, but first, please, try these steps to see my point. I made a fresh clean public installation of WP 3.5.1 with only one installed/activated plug-in, NGG 1.9.12. There is one public post with an album showing "public image". There is also a password-protected page with an album showing "private image". Please, follow these steps and answer my question at the end of this post.

    1. Open http://ngg.qwerty.sk site.
    2. Click on "My Public Gallery" link to show the album.
    3. You should see this URL in your browser address bar:
      http://ngg.qwerty.sk/?p=1&album=1&gallery=1&pageid=1
    4. Go to address bar and change gallery=1 to gallery=2 and press Enter.
    5. Please notice that the thumbnail "public image" has changed to "private", or, in fact, you see a gallery from my password-protected page I never wanted to share with you. (The password to access the protected page is "password", check the album.)

    My question is: What to do to prevent this behaviour?

    As I wrote in my first post, it seems that content protection has no priority in development. What to say...

    There might be a 2-step workaround to protect your content in NGG.

    • The first step is easy - to activate permalinks in NGG settings. When you turn on option "Activate permalinks", in step 3 above you would see this URL:
      http://ngg.qwerty.sk/?p=1&album=my-public-album&gallery=my-public-gallery&pageid=1
      You think you are done, because nobody can guess your gallery name. That is true. But, if you edit your address bar and enter this URL:
      http://ngg.qwerty.sk/?p=1&album=my-public-album&gallery=2&pageid=1
      you will see that private image again. This is because permalinks are translated to URL parameters that use numerical IDs instead of names you give to galleries.
    • The second step would be to change URL parameter names. I mean, if you modify NGG plug-in to use URLs like
      http://.../?my_album_ABC=aID&my_gallery_DEF=gID,
      nobody can guess what a URL should look like. I can imagine having the URL parameters configurable on the NGG plug-in options page. I am not good enough at PHP to modify the source. Can someone do it?

    Am I completely wrong in my understanding of this problem? Did I not find some existing configuration options? Do you protect your content in a different way? Can you share?
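Added example, not NextGEN code and not written by anyone in this thread: a constructed Python model of steps 1 to 5 above, contrasting the ID-trusting lookup the thread describes with one that authorizes on the owning post (the check WordPress itself applies to post content through post_password_required()), plus a small check over constructed log lines that flags clients walking gallery IDs. The post and gallery data, the function names and the log format are all assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed model of the thread's test site (not NextGEN's real schema):
# post 1 is public and owns gallery 1, post 2 is password-protected and owns
# gallery 2.
POSTS = {1: {"password": None}, 2: {"password": "password"}}
GALLERIES = {1: {"post_id": 1, "images": ["public image"]},
             2: {"post_id": 2, "images": ["private image"]}}

def _gallery_id(url):
    """Parse the numeric gallery parameter; None if absent or not an integer."""
    value = parse_qs(urlparse(url).query).get("gallery", [""])[0]
    return int(value) if value.isdigit() else None

def lookup_unchecked(url):
    """Behaviour the thread describes: the ID is trusted, so editing
    gallery=1 into gallery=2 renders the gallery of the protected post."""
    gallery = GALLERIES.get(_gallery_id(url))
    return (200, gallery["images"]) if gallery else (404, [])

def lookup_authorized(url, unlocked_posts=frozenset()):
    """Hardened variant: decide access on the owning post, not on how hard
    the ID or the parameter name is to guess. `unlocked_posts` stands in for
    the posts whose password the visitor has already entered (what WordPress
    tracks via its post-password cookie and post_password_required())."""
    gid = _gallery_id(url)
    if gid is None:
        return (400, [])
    gallery = GALLERIES.get(gid)
    if gallery is None:
        return (404, [])
    post = POSTS[gallery["post_id"]]
    if post["password"] is not None and gallery["post_id"] not in unlocked_posts:
        return (403, [])  # gallery exists, but the visitor has not unlocked its post
    return (200, gallery["images"])

def id_walking_clients(log_lines, max_distinct=2):
    """Detection side: clients that request more distinct gallery IDs than
    `max_distinct` are walking the ID space. Log format is constructed:
    '<ip> <status> <url>'."""
    seen = {}
    for line in log_lines:
        ip, _status, url = line.split(" ", 2)
        gid = _gallery_id(url)
        if gid is not None:
            seen.setdefault(ip, set()).add(gid)
    return sorted(ip for ip, ids in seen.items() if len(ids) > max_distinct)
```

Renaming the parameter, as proposed in the second workaround step, changes nothing in `lookup_authorized`: the decision rests on the owning post's protection, so the same check covers any other path that resolves a gallery by ID.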

  4. photocrati
    Member
    Plugin Author

    Posted 1 year ago #

    Hi qwertysimo -

    We have not looked at introducing any stronger password protection for galleries in NextGEN Gallery since we took over from Alex last year.

    And as of now, given all the other work we're doing on NextGEN 2.0, we don't have specific plans to address password protection. I'm sure we'll address this at some point, I'm just not sure when.

    I'm sure that's an unsatisfying answer, but just wanted to reply and let you know.

    Erick

  5. Shonu
    Member
    Posted 1 year ago #

    I have not checked, but there is a link on the NextGen page to 3rd party add-ons:
    http://wordpress.org/extend/plugins/user-access-manager-nextgen-gallery-extension/

    (from page http://www.nextgen-gallery.com/nextgen-gallery-extension-plugins/)

    I go to bed now, but you may have a look. Even I want to protect my pictures, as we do not want direct access to pictures (I am not sure that accessing the upload folder is actually protected using this plugin).

  6. qwertysimo
    Member
    Posted 1 year ago #

    photocrati, thanks for the explanation, and you are right - your answer disappointed me. With 7+ million downloads I would put fixing security issues at the top of my to-do list. I cannot imagine what must-have features in v2.0 can be more important than this.

    Shonu, thanks. I am not quite sure this is the way I want to go. Anonymous access is the majority of my site visits. I do not like the concept of pushing users to register just to cover limitations of a plug-in.

    I want anonymous visitors to only see galleries I want them to see, with no chance to access other galleries by modifying one number in a URL - a 5 second task for everybody who knows what a "URL" is.

  7. photocrati
    Member
    Plugin Author

    Posted 1 year ago #

    Hey qwertysimo -

    Thanks for the thoughts. As I said, I figured that wouldn't be satisfactory. A couple thoughts.

    *We've gotten almost no emails/queries/questions/reports about this issue. That's one way we determine importance. Generally, if an issue is important to the NextGEN user base, given how large it is, we hear about it over and over again. There are a ton of issues we hear about over and over again, and those generally come ahead of issues that are important to just one or a very small handful of users.

    *I wouldn't call this a security issue. Security issues generally refer to vulnerabilities that allow hacking, etc. Those types of security issues are critically urgent and we always resolve them within days.

    *While I understand that someone may gain access to a gallery following your method, the channel here is still fairly obscure. Any user that's going to go through the work of clicking your album and typing in guessed gallery ids to look for hidden galleries is someone who must really want to access one of your galleries. I don't know what kind of content you have in your galleries, but as a practical point, most website visitors are not that determined to see if they can find hidden galleries on your site. I think the obscurity of the method is one reason we're not getting a lot of emails about this. Even most seasoned NG users aren't really aware that this is possible.

    *If this was truly a quick fix, we'd probably look at it right away. But making adjustments to how NextGEN handles URLs is never that simple. The dynamically generated URLs are delicate, and if you make changes you risk breaking things and producing unintended consequences. So if we decide to tackle this, it's not going to be that simple.

    *The complexity is exacerbated by the fact that there are other mechanisms similar to yours. Basically, a similar issue might arise for any type of dynamically generated gallery type in NextGEN. For example, if you add tags to the images in your password protected galleries, and then display a NextGEN tag cloud anywhere on your site, someone could easily click on a tag and see an image that you were intending to have otherwise password protected.

    -
    So the best I can tell you is thanks for adding your voice and vote to this issue. We've got it on the list and we'll consider it - balanced with 100s of other fixes/feature requests - each time we consider changes. If we hear more about this from others, it will move up on the list of priorities as well.

    Again I know that's probably not satisfactory, but I just wanted to give you more details so you might understand where we're coming from.

    Thanks and best,
    Erick

  8. photocrati
    Member
    Plugin Author

    Posted 1 year ago #

    Hey again - just looking over my answer. I was trying to write a lot fast, and some of that sounded strong. Just want to emphasize that I understand why you'd be concerned about this. Since I can understand the concern, I was just trying to help clarify why this issue isn't one, at least for now, that would jump to the top of the very long list of things on our NG to-do list.

    Even so, I also want to emphasize that it's valuable for us for you to point out the issue and add your vote to fixing it. That way if we see it again from other users, it just reinforces the priority.

    Thanks, qwertysimo!

    Erick

  9. qwertysimo
    Member
    Posted 1 year ago #

    Hi, do not worry about your tone, that is fine! I see your point perfectly.

    To be honest, I have played a bit with the code a couple of days ago and got it to generate URLs using custom parameters like "my_gallery_id=" instead of "gallery=". Unfortunately I got lost in decoding permalinked URLs back, combined with the rewrite engine. I will give it another try when I have more time.

    Thanks for your comments.

Topic Closed

This topic has been closed to new replies.
