
#2452 images protection in cache folder

Posted in ‘Event Gallery Extended’
This is a public ticket

Latest post by sbluege on Tuesday, 14 March 2017 12:03 UTC

nbstudio
Hi
Quick question.
If I enable the folder protection option, an .htaccess file is correctly created in the images/eventgallery protected folders.

What about cache/eventgallery?
I see no .htaccess files are created, so the protection is not so effective...
Suggestions to avoid this "backdoor"?

sbluege
Actually you can place a .htaccess file in the cache folder. But I think this is useless since there is a URL on your site to deliver those thumbnails anyway. The browser displays them. In the worst case one simply takes a screenshot. Keep in mind that those thumbnails are not the original file. You can use a watermark to add a little bit of protection.

nbstudio
thanks for the reply.
can you please tell me where the thumbnails are located?

sbluege
they are located in /cache/com_eventgallery_images
Please be very careful in this folder if you create a .htaccess file and consider what I wrote above.

nbstudio
What I would like to achieve is to protect named folders, and make them available only to named user groups.

e.g. Folder 1 only visible to Registered Users
Folder 2 only visible to Subscribed Users
Folder 3 only visible to Super Users.

So, if those events' permissions are properly set, they will be only visible to the specified group,
and the html page generating thumbnails will only display the ones they have access to.

Is this correct?

sbluege
Yes. The HTML will only contain references that the user is allowed to see. But: if a user has the link to a random thumbnail he can always see it. I recommend adding some randomness to your image file names, like Google/Flickr do.

nbstudio
The thumbnail are generated by com_eventgallery/helpers/image.php , right?

Are you sure this file will only serve thumbnails and not full images too,
if one has no access to the folder?

sbluege
Yes. If your images are smaller than 1600px this is true in every case. Thumbnails are available in different sizes up to 1600px length. If your images are smaller, the original file will be passed with the configured image modifications and watermarks.

nbstudio
stupid question: if images are passed via a php file, and folders are correctly secured,
shouldn't the component be able to show only images a user is entitled to?

why does the direct link work even if a person is not authenticated to the site?

sbluege
Because this php script needs to be fast. It just delivers cached thumbnails. Doing checks would require pulling up a lot of Joomla code, which is slow. Keep in mind that Google and Flickr work in the same way. Once you know the thumbnail url you can see the image.

One can actually directly link to images, but then you need to precalculate them all. That's where the php script comes in. It grabs the thumbnail from the cache and passes it to the client. If the thumbnail does not exist it creates it first.

nbstudio
I understand what you say.
Is there a way you can help me integrating this PHP file with a check on users permissions?

sbluege
I can only help with some hints:

1. have a look at the file components\com_eventgallery\views\event\view.html.php and at the different filters in there like $folder->isVisible().

2. Delete the image.php file and switch on the Fallback Render Mode in the component options.

3. Add the security checks you found in the file above to components\com_eventgallery\controllers\Resizeimage.php

4. prevent access to the /cache/com_eventgallery_images folder

This will increase the load on your server and increases the load time of your image. Keep in mind that every update will revert your changes.

nbstudio
Thanks for the hints. I've tried to do that, and indeed it slows down the page load a lot.

I don't want to bother you anymore with this,
though, I think an implementation of a real folders and images protection would be great.

Why can't these filters be simply applied to image.php, having it rendering images only for users entitled to them?

sbluege
I'd like to repeat that there is a real folder and image protection. Your original files are safe on an Apache server. Just the thumbnails are visible.

image.php is a very simple file. Since all the filter logic is hidden in code which needs database access through the Joomla layer things become slow(er).

nbstudio
maybe I'm not understanding correctly... I apologise for that.

I just made a test, created an event, visible only to Super Users,
and put the .htaccess file in the cache/com_eventgallery_images

Why, if I copy the URL below into a browser, can I get the full image even without being logged in?

http://www.valentinonegri.it/components/com_eventgallery/helpers/image.php?&mode=full&folder=gallery&file=03.jpg


So not only thumbnails are visible, also full images?

sbluege
How large was your original image? If it's smaller than 1600px then you get an image with the same size. But this is not the original image. It's a processed thumbnail file. If you configure a watermark for your image you should see the difference.

nbstudio
I've tried with image larger than 1600px.
So the image generated with the watermark (large 1600) is considered a thumbnail?

http://www.valentinonegri.it/components/com_eventgallery/helpers/image.php?&mode=full&folder=gallery&file=03.jpg

sbluege
Yes. Event Gallery can generate those thumbnail sizes: 48, 104, 160, 288, 320, 400, 512, 640, 720, 800, 1024, 1280, 1440, 1600

nbstudio
ok. is it possible to determine the max height of them?
if so, where?
I checked the manual but couldn't find this info.

sbluege
Those values are fixed. But you can have a look at the file components\com_eventgallery\config.php where you can set the 1600 to a 1440. But that's it.

nbstudio
so, to sum it up, if one knows the specific URL of an image into a protected folder,
he/she is able to download a "thumbnail" of 1600px (or 1440) in any case, even if not logged in.

correct?

sbluege
That's true. Google & Flickr do work like this too. You just protect the HTML-part.

I'm thinking about how to protect images in a smart way without slowing the system down too much. But so far I have no good idea. One way could be an additional URL parameter which contains an encrypted/signed value. This would help so that people can't simply guess the URLs. But if people share the links to a thumbnail they would have access to it. Which should actually not matter, since people can download and share images they see in their browser anyway. What do you think?
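
The signed-parameter idea in the post above, combined with step 4 of the earlier hints (blocking direct access to the cache folder) and the resize script's role described earlier in the thread, as an added example in plain PHP. This is not Event Gallery's own code: the query parameter names (folder, file, width, exp, sig), the hypothetical secret, the helper names and the demo request are assumptions for illustration; only the list of thumbnail sizes is taken from the thread.

```php
<?php
// Added example, not Event Gallery code. Shows (1) a deny-all .htaccess for the
// thumbnail cache so every fetch has to go through the PHP script, and (2) an
// HMAC-signed, expiring thumbnail URL so that links cannot be guessed.
// Parameter names, secret and helper names are assumptions for this example.

declare(strict_types=1);

// Thumbnail sizes as listed in the thread.
const THUMB_SIZES = [48, 104, 160, 288, 320, 400, 512, 640, 720, 800, 1024, 1280, 1440, 1600];

/**
 * Make sure the web server refuses direct requests into the cache folder.
 * Emits both Apache 2.4 (Require) and 2.2 (Deny) syntax, each guarded by
 * an IfModule block so the file works on either version.
 */
function writeCacheHtaccess(string $cacheDir): void
{
    $path = rtrim($cacheDir, '/') . '/.htaccess';
    if (is_file($path)) {
        return; // already protected, do not clobber a hand-edited file
    }
    $rules = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
           . "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
    file_put_contents($path, $rules, LOCK_EX);
}

/**
 * Accept only plain folder/file names. Anything with a path separator,
 * "..", or control characters is rejected, so the resize script can never
 * be pointed outside the gallery tree.
 */
function isSafeName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9._ -]+$/', $name) === 1 && strpos($name, '..') === false;
}

/** Canonical byte string that is signed; changing any field breaks the signature. */
function signingPayload(string $folder, string $file, int $width, int $exp): string
{
    return implode("\n", [$folder, $file, (string) $width, (string) $exp]);
}

/**
 * Called while rendering the gallery HTML. Only the server holds $secret,
 * so a visitor cannot forge a link to a file the HTML never offered them.
 */
function signThumbUrl(string $folder, string $file, int $width, string $secret, int $exp): string
{
    if (!isSafeName($folder) || !isSafeName($file) || !in_array($width, THUMB_SIZES, true)) {
        throw new InvalidArgumentException('refusing to sign an invalid thumbnail request');
    }
    $sig = hash_hmac('sha256', signingPayload($folder, $file, $width, $exp), $secret);
    return http_build_query([
        'folder' => $folder, 'file' => $file, 'width' => $width, 'exp' => $exp, 'sig' => $sig,
    ]);
}

/**
 * Gate for the resize script. Returns the validated folder/file/width, or
 * null when the request must be answered with 403. No database or session
 * access is needed, which keeps the script fast.
 */
function verifyThumbRequest(array $q, string $secret, int $now): ?array
{
    foreach (['folder', 'file', 'width', 'exp', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return null;
        }
    }
    if (!isSafeName($q['folder']) || !isSafeName($q['file'])) {
        return null;
    }
    if (!ctype_digit($q['width']) || !ctype_digit($q['exp'])) {
        return null;
    }
    $width = (int) $q['width'];
    $exp   = (int) $q['exp'];
    if (!in_array($width, THUMB_SIZES, true) || $exp < $now) {
        return null; // unknown size or link has expired
    }
    $expected = hash_hmac('sha256', signingPayload($q['folder'], $q['file'], $width, $exp), $secret);
    // Constant-time comparison so response timing does not leak the signature.
    if (!hash_equals($expected, $q['sig'])) {
        return null;
    }
    return ['folder' => $q['folder'], 'file' => $q['file'], 'width' => $width];
}

// Demo with a constructed secret and request (both assumptions for the example).
$secret = 'replace-with-a-random-32-byte-value-from-config';
$now    = time();
$query  = signThumbUrl('gallery', '03.jpg', 1600, $secret, $now + 3600);
parse_str($query, $params);
echo 'original link: ', verifyThumbRequest($params, $secret, $now) ? "accepted\n" : "rejected\n";
$params['file'] = '04.jpg'; // tampered: signature no longer matches the payload
echo 'tampered link: ', verifyThumbRequest($params, $secret, $now) ? "accepted\n" : "rejected\n";
```

The gate only proves that the gallery page itself handed out the link; as the post says, a shared link still works until it expires, and tying a link to a specific user would again require the session lookup the script is trying to avoid. Keep the expiry short enough that old links die but long enough that a page left open does not break its images.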

nbstudio
Unfortunately I'm not a skilled PHP programmer, so I have no idea about how this can be achieved. Sorry.

But, I have trust in you and hope that you can sort this out.

I would accept that the default image of the event can be visible to everybody,
but why is there a need to grant the whole world access to the other images?

Also, the concept of "thumbnail", in my opinion, is something to be reconsidered.
Why is still a "thumb" a 1600px image?
It would be better to have small thumbs without restrictions and big images accessible to the respective usergroups.

Please let me know,
and, for now, thanks for your patience

sbluege
Every processed file is a thumbnail. You can apply a watermark to protect it or upload smaller images. Because of the way the layout works, those sizes are necessary.

Anyway, I uploaded a version to https://www.svenbluege.de/joomla-event-gallery/eventgallery-download/event-gallery-bleeding/eventgallery-3-6-4-protect which implements protection for all thumbnails (by usergroup/password). Of course you'll no longer see thumbnails in the backend without having a front end session with the right permissions. I don't like this very much. But feel free to give this a try.

nbstudio
thanks a lot! that's what I was looking for!
You are a genius.

sbluege
Don't speak too soon. Did you test it? This solution is nothing I want to have in this state in the main product. It adds complexity which I actually don't want.

nbstudio
Yes. Tested and working fine on my site. It protects images and no slowness

sbluege
I uploaded a new version which allows to see images in the back end as well. Do you want to give it a try?
It also adds a .htaccess file to /cache/com_eventgallery/images while creating new thumbnails.

nbstudio
hi
yes, please
as soon as I have the link I can test it. :)
thanks

sbluege
same link as before: https://www.svenbluege.de/joomla-event-gallery/eventgallery-download/event-gallery-bleeding/eventgallery-3-6-4-protect

nbstudio
it’s just perfect!
more than it was the former version
THANK YOU

nbstudio
hi sven
sorry , but there's still an issue in the front-end
thumbnails are protected, and I see them in the back-end even without being logged in the front.

however, clicking on each image results in "image failed to load"
can you please try it yourself?

sbluege
I fixed the bug in there. You needed to be logged into the admin section to see the images in the front end. Not a good idea. And the thumbnail url in the backend was not as it should be.

Please grab the latest build.

nbstudio
now it's OK
images are protected. visible in the back-end, and loads very fast.
should be the definitive version :)

sbluege
You should disable the sharing for those events as well. Otherwise people can still access those images if they know the URLs.

nbstudio
hi sven

I see a new version of JG Ext is available.
How can I update it, without losing the customizations you made to protect images?

thanks

sbluege
There are no additional customizations from my side. You should be able to update without losing features.

nbstudio
so, the part modified when I opened the ticket,
it will be updated as well?

sbluege
All changes which were part of the old release are in the latest as well.