Passwort Protected Categories Bugs

[cellarius]

Some of these things have been mentioned before in other Threads. I try to collect them here, and I hope that sometime soon there will be a solution. Until then this may be a warning for all admins not to offer passwort protected categories etc., as there are massive leaks.

First: As I understand it, images stored in a password protected category should not be visible anywhere else, under no circumstances, in any form or size. Not even as a thumbnail. The same goes for comments on those images.

What I did:
- added a password protected category.
- uploaded an image

What I found out:

- image will not be visible in the member's gallery. This is as it should be.
- image will not be visible in latest photos or random photos boxes within photopost. This is as it should be.
- but: as soon as the image is commented on, this comment shows up under "latest comments" on my gallery home and a thumbnail of the image is shown - even for guests. Why should comments in a password protected area be open for the public, and why should one want to show thumbnails of password protected images to all the world? The comments do not show up on comshow.php.
- If using inc_features, a thumbnail of the image is shown in the featured photos box on my forumhome - even for guests!
- if using the PhotoPost Recent Images on Profile Page Mod, a thumbnail of the image is shown in the featured photos box on the profile page of the uploader - even for guests! I know this is a mod, but it's provided by Chuck, so I think it has to rank at least as semi-official.

Furthermore annoying:

If a user uploads an image into a password protected area, Photopost sets this image as index-thumbnail for the member's gallery in showmembers.php. Rightly so, Photopost does not show this thumbnail to other users and guests - after all, it is in a password protected area and the thumb should not be shown (although elsewhere it is). Instead of showing a replacement picture, such as a lock, or not changing the thumb at all if the last uploaded image goes to a password protected area, Photopost shows nothing at all. There is no way for other visitors to reach the member's gallery from showmembers.php. My members have started to upload double images just to get a index thumb for their member's gallery, since there does not seem to be another possibility to set it.
This has been mentioned at least a year ago and not fixed in versions since, although this behaviour is clearly not intuitive (but rather stupid).

As is, the password protected categories - for me - are plain useless.

[Chuck S]

Well I can not comment on the external hack your talking about here as yes its a mod. The vb photo block though is going to show photos to whomever you choose to set viewing permissions. Not including password protected cats is easy in bold in the queries in inc_features.php add this

Code:

Content visible to verified customers only.

I will let Michael comment on the showmembers photo thing.

Now recent comments is easy in index.php around line 199 add this in bold.

Code:

Content visible to verified customers only.

[cellarius]

Thanks for your answer, Chuck.

Quote:

Originally Posted by Chuck S

Well I can not comment on the external hack your talking about here as yes its a mod.

As stated: I know it's a mod, but since you are the one that provided the mod, who then should be able to comment on the issue?

Quote:

The vb photo block though is going to show photos to whomever you choose to set viewing permissions.

My opinion: This has nothing to do with viewing permissions. Viewing permissions is for global rules. Password protected images are for people who know the password - and nobody else (admins or mods excepted). I can fully understand my users who complained that their password protected images showed up on my main page.

Quote:

Not including password protected cats is easy in bold in the queries in inc_features.php add this

Code:

Content visible to verified customers only.

Thanks for the code, I'll try it later. But I want to say that I strongly feel that this should be standard. A file hack should not be needed for this.

Quote:

I will let Michael comment on the showmembers photo thing.

I'm waiting for that.

Quote:

Now recent comments is easy in index.php around line 199 add this in bold.

Code:

Content visible to verified customers only.

Again: This should be standard and not require a file hack.

Will the two hacks suggested in this thread become standard in future (the next?) releases?

[cellarius]

Quote:

Originally Posted by Chuck S

The vb photo block though is going to show photos to whomever you choose to set viewing permissions. Not including password protected cats is easy in bold in the queries in inc_features.php add this

Code:

Content visible to verified customers only.

Works - thank you.

Quote:

Now recent comments is easy in index.php around line 199 add this in bold.

Code:

Content visible to verified customers only.

Not so easy, it seems, once one does test it. Adding your code leads to the following error:

Code:

Content visible to verified customers only.

This is clearly caused by a missing c.password in the select-statement of the mysql-request, which I tried adding. It now reads:

Code:

Content visible to verified customers only.

This in turn spawns the following error:

Code:

Content visible to verified customers only.

Clearly, the added field in the SELECT-Statement does disturb the list-operation there - but this is for you to sort.

[Chuck S]

anything thats a fix will get put into the build

As far as mods you would need to post in the mod forums on any hacks and the hack author would choose to respond or not even if its me it does not matter.

Recent comments make the query in index.php this and try

Code:

Content visible to verified customers only.

[cellarius]

Quote:

Originally Posted by Chuck S

anything thats a fix will get put into the build

That's good to hear, really.

Quote:

Recent comments make the query in index.php this and try

Code:

Content visible to verified customers only.

Doesn't work, same error as above. I'm not too surprised, though. As far as I know, mysql allows only one FROM-statement, and there are two in your code. I would have expected some kind of JOIN there.

Any word from Micheal concerning the other open issue?

[Chuck S]

Actually just a typo its suppose to be left join Reload the query in my post

[cellarius]

Not working.

Though I really appreciate your effort - would it be possible for you to test the queries you suggest before making me try them? You surely have a testing board and better debugging possibilities than me.
That's the third one I'm putting in there that spawns the same error...

Quote:

Originally Posted by cellarius

Any word from Micheal concerning the other open issue?

[Chuck S]

Code:

Content visible to verified customers only.

That should work fine so what does not work? I did change the query and have it running on my site.

[cellarius]

Now, whatever you changed or whatever I did do wrong the last time - indeed, this version works, and it does the trick. Thanks!

But once again I'll ask the question: Any news from Michael concerning the as if yet unadressed problem from the OP?

[Chuck S]

Well that all depends on how he wants to address things

I would suggest trying this in image-inc.php

Code:

Content visible to verified customers only.

change to this

Code:

Content visible to verified customers only.

[cellarius]

No, that did not change it - still the same behaviour.

[Chuck S]

Interesting I will do some testing but that should have worked fine. That essentially tells the program only to update the lastphoto for a user if the category does not have a password. Now just for clarification you uploaded to a password protected category with some other test user not previously affected and the last photo was changed?

[cellarius]

What I did:

1. Edited the file
2. Used my own account (which had for his user gallery a not password protected image thumb), uploaded an image into a password protected category -> my user gallery's thumb changed to the password protected image
3. opened another browser and surfed as guest to the user gallery index: as before, the new image thumb was invisible.

[Chuck S]

Members Galleries - ReefTalk Gallery

Interesting my account Chuck S I uploaded two photos into a private password protected album and my lastphoto did not change

[Chuck S]

This is the entire block I have in image-inc.php

Code:

Content visible to verified customers only.

[cellarius]

Hi Chuck,

didn't get around to try this any sooner - but: if I change the whole chunk of code, it works. Retried it with the shorter version - it doesnt.

Anyway: with the code changes you last proposed the member gallery thumb does not get changed anymore when uploading into a password-protected category, so this is fine now.

Just one last question: I understand that code changes proposed here will be taken over into future releases. Is this true for this one, too? Just asking 'cause you mentioned above Michael might want to follow a different path on this one. If this is not sure to make it into the next release, I'd mark it in my upgrade notes as requiring attention.

Thanks!

[Chuck S]

These are all proposed code changes. Michael will follow it or do it his own way thats up to him. I only report the issue and the proposed fix although 95% of what I propose is the fix used.

[cellarius]

Sorry to see that none of this made it into 6.2. Of course, release date was pretty close. But I still think these are quite serious flaws.

And: Obviously Michael never gave any statement about this problem:

Quote:

If a user uploads an image into a password protected area, Photopost sets this image as index-thumbnail for the member's gallery in showmembers.php. Rightly so, Photopost does not show this thumbnail to other users and guests - after all, it is in a password protected area and the thumb should not be shown (although elsewhere it is). Instead of showing a replacement picture, such as a lock, or not changing the thumb at all if the last uploaded image goes to a password protected area, Photopost shows nothing at all. There is no way for other visitors to reach the member's gallery from showmembers.php. My members have started to upload double images just to get a index thumb for their member's gallery, since there does not seem to be another possibility to set it.
This has been mentioned at least a year ago and not fixed in versions since, although this behaviour is clearly not intuitive (but rather stupid).

If you're not interested in this bug just plain tell me - then I'll know and stop bothering to bother you

[Chuck S]

Well from what I see two of your three issues involve external files.

Now Michael does not remember every bug I will pass along the password cat comment that should be fixed. The photo block we could alter but will leave that external file up for him to decide.