Hey quertysimo –
Thanks for the thoughts. As I said, I figured that wouldn’t be satisfactory. A couple thoughts.
* We’ve gotten almost no emails/queries/questions/reports about this issue. That’s one way we determine importance. Generally, if an issue is important to the NextGEN user base, given how large it is, we hear about it over and over again. There are a ton of issues we hear about over and over again, and those generally come ahead of issues that are important to just one or a very small handful of users.
* I wouldn’t call this a security issue. Security issues generally refer to vulnerabilities that allow hacking, etc. Those types of security issues are critically urgent and we always resolve them within days.
* While I understand that someone may gain access to a gallery following your method, the channel here is still fairly obscure. Any user that’s going to go through the work of clicking your album and typing in guessed gallery ids to look for hidden galleries is someone who must really want to access one of your galleries. I don’t know what kind of content you have in your galleries, but as a practical point, most website visitors are not that determined to see if they can find hidden galleries on your site. I think the obscurity of the method is one reason we’re not getting a lot of emails about this. Even most seasoned NG users aren’t really aware that this is possible.
* If this was truly a quick fix, we’d probably look at it right away. But making adjustments to how NextGEN handles URLs is never that simple. The dynamically generated URLs are delicate, and if you make changes you risk breaking things and producing unintended consequences. So if we decide to tackle this, it’s not going to be that simple.
* The complexity is exacerbated by the fact that there are other mechanisms similar to yours. Basically, a similar issue might arise for any type of dynamically generated gallery type in NextGEN. For example, if you add tags to the images in your password-protected galleries, and then display a NextGEN tag cloud anywhere on your site, someone could easily click on a tag and see an image that you were intending to have otherwise password protected.
–
So the best I can tell you is thanks for adding your voice and vote to this issue. We’ve got it on the list and we’ll consider it – balanced with 100s of other fixes/feature requests – each time we consider changes. If we hear more about this from others, it will move up on the list of priorities as well.
Again I know that’s probably not satisfactory, but I just wanted to give you more details so you might understand where we’re coming from.
Thanks and best,
Erick