ImageCache places public readable images outside the 'private' area created for Private Upload.

For example, Inline can trigger ImageCache thumbnail or preview preset generation (for teasers).

Anonymous users who can guess the URL of the imagecache images can access resized versions of them, even if they don't have access to the node to which an image was originally attached (which image was forced into private folder with restrictions).

I want to offer a thumbnail gallery and other views of images with node-based access restrictions.

Glad for any feedback or suggestions,

Webel

Comments

webel’s picture

I tried using the Node Images settings to force it to use the same private folder as Private Upload, however the images then aren't displayable by Node Images.

Webel IT Australia, "Elements of the Web", Scientific IT Consultancy,
For PHP-driven Drupal CMS web sites, Enterprise Java, graphical UML, UML Parsing Analysis, SysML, XML.

jjjames’s picture

+1 on this. If people can guess the URL, then they can see any image. How can we set permissions for each size?
thanks

webel’s picture

This is still a very outstanding matter for me for some important client sites that should not expose images to the public (with one including restricted defence data in images, and another with images that for commercial reasons should not be accessible by direct URL, even if hard to guess).

I would be most grateful for an accurate report from anybody on a solution that enables visible access to resized (with all images subject to restrictions) and/or directly displayed images (with only the one image of constant size protected) commensurate with access controls for a node and with the file attachment access.

Reported also with useful references (that prove I am doing my homework to help myself first) under Inline module issues as: #678242: Private Upload module seems to conflict with Inline Upload with or w/o Imagecache

Darren Kelly, Webel IT Australia

Webel IT Australia, "Elements of the Web", Scientific IT Consultancy,
For PHP-driven Drupal CMS web sites, Enterprise Java, graphical UML, UML Parsing Analysis, SysML, XML.

webel’s picture

Webel IT Australia, "Elements of the Web", Scientific IT Consultancy,
For PHP-driven Drupal CMS web sites, Enterprise Java, graphical UML, UML Parsing Analysis, SysML, XML.

webel’s picture

Dear Drupal Community,

I am a great fan of Drupal and use it every day on numerous sites, and promote it widel, so when the process is leaving me stranded it is fair for me to offer some criticism, and forgive me if a solution to this does exist (and if so, please then offer it to me by reply, which is part of the process).

From the naive yet vallid perspective of at least 2 current clients it is hard to believe that in 2010 one can't upload an image to a web site truly privately, with the access conditions of the image matching that of text on a site. This is a basic requirement for commercial and defence web sites (amongst others).

If I may play devil's advocate for a moment:

If is is possible to secure the page text and it is possible to secure the attachments (as the clients have experienced satisfyingly as anonymous users correctly failing to access attachments under Private Upload), then why is it seemingly so hard for displayed images ? And why should a client pay for my time trying to find out how to do it with Drupal ? I mean after all, people can do wonderful things with computers these days, and there are movies from Pixar and impressive things like the Matrix .. you get my drift.

I hope you can please point me to a solution for sensible and robust private access to images, which display correctly, and perhaps even resize, soon.

Webel IT Australia, "Elements of the Web", Scientific IT Consultancy,
For PHP-driven Drupal CMS web sites, Enterprise Java, graphical UML, UML Parsing Analysis, SysML, XML.

webel’s picture

C'mon Drupal Community, if I'm overlooking something simple, just please point me to the answer, if not, then there is a widely needed feature/capability (to manage and securely display original and/or resized images) that needs to be addressed, very glad for any feedback, even if it's just from others to say they also need this feature and have found no solutions yet, regards, Webel

Webel IT Australia, "Elements of the Web", Scientific IT Consultancy,
For PHP-driven Drupal CMS web sites, Enterprise Java, graphical UML, UML Parsing Analysis, SysML, XML.

webel’s picture

I am still very interested in solutions for private image uploads compatible with Imagecache, which seems through creation of resized/scaled images into it own folder system to undermine privacy of images. Grateful for any advice or solutions,

Webel

Webel IT Australia, "Elements of the Web", Scientific IT Consultancy,
For PHP-driven Drupal CMS web sites, Enterprise Java, graphical UML, UML Parsing Analysis, SysML, XML.

vm’s picture

seems to me you can do this on a content type basis using drupal's access permissions and disallowing anon users to view the imagecache presets.

As far as the images in the folder goes, for files to be truly private the must be above the public root. one may also want to investigate using a .htaccess file in the folder if in the public root.

As far as how private files work with imagecache in D6, I can't say with any specificty.