From My Desk

Gallery Security and features

30 May, 2018 @ 1:35

Security

One of the things I’ve recently been thinking about is how to ensure that galleries and their images are properly secured. More testing needs to be done to ensure it’s correct, but I feel it’s pretty decent. When a user clicks a link to a gallery, a check is done server side to determine the visibility of the gallery in general: either public, protected, or private. If an album is a public one, well then we are done and return saying hey yup they are allowed to see and render like normal. Now if an album is private, all I do is check that someone is logged in as an administrator and if so allow the viewing.

Protected albums get a little more complicated but not by much. This one becomes a two-step process: first checking that there is someone logged in and getting their user ID, and then taking that and comparing it against the array of allowed IDs stored in the meta of the gallery.

One thing that I need to fix and adjust yet though is the gallery images. More specifically, if you know the URL of an image you can view it. That’s not good, that’s for sure! This one does get slightly more complicated though, as images can belong to many albums, so how do we handle this? My take so far is that we query for all albums that the image belongs to, easy enough considering this is stored in the meta of the image. Great, we can loop the galleries the image belongs to and check the visibility of each gallery, then apply the above for galleries to see if they can view it. If so, return that image; if not, redirect to the gallery home page like I’ve done with galleries.
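The gallery check and the per-image check described above, as an added sketch in Python; it is not the plugin's own code. The names `User`, `Gallery`, `can_view_gallery` and `can_view_image` are hypothetical, and it assumes an image is viewable when any one of its galleries grants access, that unknown visibility values are denied, and that IDs in meta may be stored as strings.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class User:                      # hypothetical model of a logged-in user
    id: int
    is_admin: bool = False


@dataclass
class Gallery:                   # hypothetical model of a gallery and its meta
    visibility: str              # "public", "protected" or "private"
    allowed_ids: List = field(default_factory=list)


def can_view_gallery(gallery: Gallery, user: Optional[User]) -> bool:
    """Server-side visibility check; `user` is None when nobody is logged in."""
    if gallery.visibility == "public":
        return True
    if user is None:
        return False             # protected and private both need a login
    if gallery.visibility == "private":
        return user.is_admin
    if gallery.visibility == "protected":
        # Assumption: meta may hold IDs as strings, so compare normalised values.
        return str(user.id) in {str(i) for i in gallery.allowed_ids}
    return False                 # unknown visibility value: deny by default


def can_view_image(gallery_ids: Iterable[int],
                   galleries: Dict[int, Gallery],
                   user: Optional[User]) -> bool:
    """Loop the galleries listed in the image meta; any grant allows the image."""
    for gid in gallery_ids:
        gallery = galleries.get(gid)
        if gallery is not None and can_view_gallery(gallery, user):
            return True
    # No galleries, only missing galleries, or no grant: the caller redirects.
    return False


# Constructed sample data, not taken from the plugin.
GALLERIES = {
    1: Gallery("public"),
    2: Gallery("protected", ["7", 9]),
    3: Gallery("private"),
    4: Gallery("hidden"),        # unexpected value, must be denied
}
```

The same function has to run in whatever code path serves the image file itself, otherwise the direct URL still bypasses it.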

Features

So one of the things that came to me when I was working my overnight job was ‘What if I create a protected gallery and add people to view it?’  Basically, I want to trigger an email to send to the users I’ve specified when creating a gallery so that they can be informed of it, helps save an email written, especially if there are many people added.  But what if I create the gallery but I’ve not added images yet, I don’t want the person seeing a blank gallery do I?  Now I have to ask, do I trigger the email on publish or something else?

Then I also got to thinking, what if I add another user after the gallery was created? I need to have an email sent to them but I don’t want that sent to everybody, so now where do I trigger that? While I do some research I guess I’ll have to leave it as is... manual.

I’m really hoping that before too long I can release this plugin to the public. I’ve spent a lot of time and effort on it and would love to allow others to use it on their site, but there are still some usability things that need to be done. The one I keep meaning to look at mainly is allowing someone to just bulk add images to a gallery versus one at a time. It gets tedious and is the reason I myself haven’t finished adding images to some of the albums; I just dread it. For now I’ll keep coding and researching, maybe find some inspiration and finish it up.