Let's see, I have this combination of modules:
-imagefield2.1
-imagefield gallery lightbox2: 1.4
-imagecache2.1
-lightbox2: 2.6

I have created an image field with multiple images and I view it as a slideshow, using a thumbnail for the grid view and the original image for the slideshow.

Now comes the question. In my content access permissions I have stated that anon users cannot access original size images, but lightbox is serving them anyways. I don't know which module causes this problem, or if this cannot be enforced as I am using a public file system.

Any reply would be greatly appreciated. Thanks.

Comments

Farreres’s picture

Project: Lightbox2 » ImageCache
Version: 5.x-2.6 » 5.x-2.0

Moving this issue here because it happens outside of lightbox2. It seems content access permissions for imagecache2 aren't enforced. If we have some permissions is to make use of them, isn't it?

Farreres’s picture

Ok. I have been checking imagecache.module code. I see the only place where permissions are being enforced is in function imagecache_cache_private(). It seems these permissions were thought for the private file system. Now I remember that usually file permissions are only enforced when the filesystem is private, for public filesystem it is apache who serves the files. It means that if I want some files to be protected, they must sit in a private place for the dupal hooks to be launched.

But, as the preset file is created by imagecache, I understand its URL is rewritten through imagecache. That way, even in public file systems, function imagecache_cache is called, and I understand this function should also check permissions. Would it be possible that imagecache denies an url when the view permissions aren't fullfilled so we can simulate this in a public file system? Yes, the users will of course still be able to enter the files directory, but would that be possible?

Farreres’s picture

I think I have located the problem. I propose a modification for imagecache in this line:

function imagecache_create_url($presetname, $path) {
  if (!user_access('view imagecache '. $presetname)) {
    $path = 'default-403error-image.jpg';
  }
  $path = _imagecache_strip_file_directory($path);
  switch (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC)) {
    case FILE_DOWNLOADS_PUBLIC:
      return url(file_directory_path() .'/imagecache/'. $presetname .'/'. $path, NULL, NULL, TRUE);
    case FILE_DOWNLOADS_PRIVATE:
      return url('system/files/imagecache/'. $presetname .'/'. $path, NULL, NULL, TRUE);
  }
}

I tried it before at theme level with this code:

function mytheme_imagecache($namespace, $path, $alt = '', $title = '', $attributes = null) {
  // check is_null so people can intentionally pass an empty array of attributes to override
  // the defaults completely... if
  if (is_null($attributes)) {
    $attributes['class'] = 'imagecache imagecache-'. $namespace;
  }
  $attributes = drupal_attributes($attributes);
  if (user_access('view imagecache '. $namespace))
    $imagecache_url = imagecache_create_url($namespace, $path);
  else
    $imagecache_url = imagecache_create_url($namespace, 'default-403error-image.jpg');
  return '<img src="'. $imagecache_url .'" alt="'. check_plain($alt) .'" title="'. check_plain($title) .'" '. $attributes .'\ />';
}

But it only works when an image is themed, and doesn't work for URLs. There is, for example, the lightbox2 module that has its own theme for image managing and then they display the image based on the url obtained. Thus, it's imagecache who must send the URL taking into account user permissions.

What do you think?

dopry’s picture

Status: Active » Closed (won't fix)

no the permission cannot be enforced with public files.

Farreres’s picture

Status: Closed (won't fix) » Active

Excuse me for changing back this to active, I did it only to ask another thing.

Would it be possible to create a theme function so that this could be programmed locally? I mean a theme_imagecache_create_url so that it could be done without modifying the imagecache source code? I don't really understand what you mean (that permissions cannot be enforced for public files) because I have done it. I understand what you mean, that permissions are designed for private file system. But since imagecache rewrites addresses, it can be done internally even for public file system. In any case, I only would like to be able to alter imagecache basic functionality from my theme without touching the original code, nothing more.

Thanks

dman’s picture

Yes, you can override a theme function as you propose - if that's what you want. Give it a go.

However, you are not really enforcing file permissions - as above, that can't be done for contents of your file directory unless you do something else with apache, and not with Drupal.

Imagecache calls create those files. Once the files are created, Apache will serve them, regardless of who asks for them.
Making access calls in the the _imagecache function won't help, as the file will be created/published when an authorized user wants it, and can be found by anyone else later.
All your theme change will do is change whether (or what) URL is displayed. Anyone who can guess the filename can still get at it. In that way, the files are not actually being protected. Just a bit harder to find.

Farreres’s picture

Yes, I agree, images are only harder to find, but it's ok for me. Enforcing wasn't the correct name. I wanted that the functionality for anon users simulated that of registered users. I don't care if some freak wastes hours of his life searching for the images. There they are for him to find :) Can you tell me, how can I write a theme override? I am not too experienced and I am only used to write theme_ functions. I tried overriding from the theme and I got a duplicate function definition error.

dopry’s picture

Status: Active » Closed (fixed)

@Farreres: See the handbook or use the forums. This issue queue is not the place to ask how to override theme functions. RTFM!

Batyu’s picture

Version: 5.x-2.0 » 6.x-2.0-beta10
StatusFileSize
new2.44 KB

This happened to me in 6.x-2.0-beta10 as well.

In Content types, one can set the display of each field.
For an image field, you can choose an imagecache preset in a way that it links to
the original file. So one sees the image derived with ImageCache, but when
you click on it, the original image is shown.

To have this capability in the system, but allowing for degree of control over which roles can effectively
make use of it, is the issue here.

I've made a modification to the imagecache.module file, so that after enabling the module, one
get a new permission type under imagecache.

The roles that have the permission can view the original image, the roles without it only see the image modified via ImageCache.

I hope this answers the issue.

bkosborne’s picture

An old thread, but I came across this which explained that public file systems don't utilize the per-preset permissions. There is another old thread related to this here with a patch to update the documentation: http://drupal.org/node/678066