Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.The feature to set imce.vars.prvstyle in imce-content.tpl.php, to generate thumbs with an image style preset is a great feature I'd used in D6 and 7.
Drupal 7.20 has a known issue (http://drupal.org/drupal-7.20-release-notes) with some image derivative generating modules.
Where all my image style derivatives are being generated normally, I discovered only my preset for IMCE thumbs were not. The proof that this is the issue, is that the example setting in the release notes:
$conf['image_allow_insecure_derivatives'] = TRUE;
in settings.php resolves it, but bypasses the security fix. I realize the feature is experimental #943442: IMCE: new Box view (thumbnail display) although years old and much loved. The change is image derivative URLs append a token string. The release notes list other module's patches that resolve it. Anyone have a fix?
Comments
Comment #1
David_Rothstein CreditAttribution: David_Rothstein commentedHaven't used this particular feature of IMCE myself, but it sounds important enough to mention in http://drupal.org/drupal-7.20-release-notes so retitling appropriately (so I can link to it there).
Comment #2
echoz CreditAttribution: echoz commentedThanks David, I was just about to link to the related #1109312: Image derivatives (image cache files such as thumbnails or custom styles) are not created when clean URLs are enabled #60 since it might provide tips to an IMCE solution.
I have 2 branches on 7.20 with the symptom described, and one copy with only core not updated, without the issue.
Comment #3
siefca CreditAttribution: siefca commented@echoz:
Could you do a simple test: remove derivative image from styles directory and check if it's regenerated from original after revisiting the page with this image present.
Comment #4
echoz CreditAttribution: echoz commentedThe symptom on this installation is only true for one of my image style presets, described in the issue summary, where in imce-content.tpl.php a variable is set for imce.vars.prvstyle to use the preset name.
I delete the whole styles directory, and bringing up the IMCE browser, the thumbs are not generated. Viewing these broken images in a new window results in access denied for the path they should be created at (files/styles/imce-thumb/public/subfolder/imagename.jpg) which is not created on the system (and is without the token), and seems like this is indicating the system itself is denied creating the derivatives.
Oddly, visiting a node where another image style preset is called, the styles directory is created along with the proper path and image derivative with the appended token string.
Comment #5
echoz CreditAttribution: echoz commentedThe committed patch at #1923554: New anti-DoS measure breaks for some file URIs does not make any difference for this case.
Comment #6
ufku CreditAttribution: ufku commentedThe thumbnail URLs were being created on client(JS) side. Unfortunately this is impossible with D7.20. Either you enable 'image_allow_insecure_derivatives' in settings.php or not use this IMCE feature.
An alternate solution could be generating all thumbnail urls on server side and load them with IMCE but it would be overkill for a directory with hundreds of images in it.
One can also conditionally enable 'image_allow_insecure_derivatives' by checking the current path to see if it is the thumbnail url used by IMCE.
Comment #7
echoz CreditAttribution: echoz commentedOk, I get it, thanks for the explanation.
Comment #8
RobLoachSince I don't have the energy to add the configuration setting across all my sites, I put together a small solution to enable the setting for you:
Image Allow Insecure Derivatives
Probably not something you want to use.
Comment #9
echoz CreditAttribution: echoz commentedI like this idea. Could anyone please provide some syntax help, I couldn't get this to work.
Comment #10
ufku CreditAttribution: ufku commentedPosted a feature request to the core
#1955554: Enable insecure image derivatives by role