Let's see, I have this combination of modules:
-imagefield2.1
-imagefield gallery lightbox2: 1.4
-imagecache2.1
-lightbox2: 2.6
I have created an image field with multiple images and I view it as a slideshow, using a thumbnail for the grid view and the original image for the slideshow.
Now comes the question. In my content access permissions I have stated that anon users cannot access original size images, but lightbox is serving them anyways. I don't know which module causes this problem, or if this cannot be enforced as I am using a public file system.
Any reply would be greatly appreciated. Thanks.
Comments
Comment #1
Farreres commentedMoving this issue here because it happens outside of lightbox2. It seems content access permissions for imagecache2 aren't enforced. If we have some permissions is to make use of them, isn't it?
Comment #2
Farreres commentedOk. I have been checking imagecache.module code. I see the only place where permissions are being enforced is in function imagecache_cache_private(). It seems these permissions were thought for the private file system. Now I remember that usually file permissions are only enforced when the filesystem is private, for public filesystem it is apache who serves the files. It means that if I want some files to be protected, they must sit in a private place for the dupal hooks to be launched.
But, as the preset file is created by imagecache, I understand its URL is rewritten through imagecache. That way, even in public file systems, function imagecache_cache is called, and I understand this function should also check permissions. Would it be possible that imagecache denies an url when the view permissions aren't fullfilled so we can simulate this in a public file system? Yes, the users will of course still be able to enter the files directory, but would that be possible?
Comment #3
Farreres commentedI think I have located the problem. I propose a modification for imagecache in this line:
I tried it before at theme level with this code:
But it only works when an image is themed, and doesn't work for URLs. There is, for example, the lightbox2 module that has its own theme for image managing and then they display the image based on the url obtained. Thus, it's imagecache who must send the URL taking into account user permissions.
What do you think?
Comment #4
dopry commentedno the permission cannot be enforced with public files.
Comment #5
Farreres commentedExcuse me for changing back this to active, I did it only to ask another thing.
Would it be possible to create a theme function so that this could be programmed locally? I mean a theme_imagecache_create_url so that it could be done without modifying the imagecache source code? I don't really understand what you mean (that permissions cannot be enforced for public files) because I have done it. I understand what you mean, that permissions are designed for private file system. But since imagecache rewrites addresses, it can be done internally even for public file system. In any case, I only would like to be able to alter imagecache basic functionality from my theme without touching the original code, nothing more.
Thanks
Comment #6
dman commentedYes, you can override a theme function as you propose - if that's what you want. Give it a go.
However, you are not really enforcing file permissions - as above, that can't be done for contents of your file directory unless you do something else with apache, and not with Drupal.
Imagecache calls create those files. Once the files are created, Apache will serve them, regardless of who asks for them.
Making access calls in the the _imagecache function won't help, as the file will be created/published when an authorized user wants it, and can be found by anyone else later.
All your theme change will do is change whether (or what) URL is displayed. Anyone who can guess the filename can still get at it. In that way, the files are not actually being protected. Just a bit harder to find.
Comment #7
Farreres commentedYes, I agree, images are only harder to find, but it's ok for me. Enforcing wasn't the correct name. I wanted that the functionality for anon users simulated that of registered users. I don't care if some freak wastes hours of his life searching for the images. There they are for him to find :) Can you tell me, how can I write a theme override? I am not too experienced and I am only used to write theme_ functions. I tried overriding from the theme and I got a duplicate function definition error.
Comment #8
dopry commented@Farreres: See the handbook or use the forums. This issue queue is not the place to ask how to override theme functions. RTFM!
Comment #9
Batyu commentedThis happened to me in 6.x-2.0-beta10 as well.
In Content types, one can set the display of each field.
For an image field, you can choose an imagecache preset in a way that it links to
the original file. So one sees the image derived with ImageCache, but when
you click on it, the original image is shown.
To have this capability in the system, but allowing for degree of control over which roles can effectively
make use of it, is the issue here.
I've made a modification to the imagecache.module file, so that after enabling the module, one
get a new permission type under imagecache.
The roles that have the permission can view the original image, the roles without it only see the image modified via ImageCache.
I hope this answers the issue.
Comment #10
bkosborneAn old thread, but I came across this which explained that public file systems don't utilize the per-preset permissions. There is another old thread related to this here with a patch to update the documentation: http://drupal.org/node/678066