Piwigo / Piwigo-Mobile

Piwigo iOS Mobile Application
MIT License

[BUG] Use of "guest" sessions instead of authenticated one to download some images from iOS #554

Closed romain-intel closed 1 week ago

romain-intel commented 9 months ago

Describe the bug and how to reproduce
I hadn't used Piwigo in a while and recently updated everything (the server to 14b3 and the iOS app). I also use a version of piwigo_privacy (https://github.com/yonjah/piwigo_privacy) which ensures that images are always protected (i.e., you need to have access to them to actually get to them).

The issue seems to be that, in some cases, the iOS app does not use a logged in session to download images and instead downloads "as guest" which breaks this protection. It only seems to do this for the representative image of an album (and that too not in all cases so it is a bit weird). All other images load fine (thumbnail or full version).

I've been trying to figure this out because I know I have a bit of an exotic setup but I believe the issue is in the iOS app (and not the PHP server code).

I instrumented things in user.inc.php to see what requests were coming in and here is what I see (user 2 is the "guest" user and user 3 is an actual registered user):

[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.login,vandr,xxxxxx
[2023-09-25 3:48:17]    [DEBUG] AT END user id is 2
[2023-09-25 3:48:17]    [DEBUG] Logging user 3
[2023-09-25 3:48:17]    [DEBUG] Opening session at
[2023-09-25 3:48:17]    [DEBUG] For tqfe3uka6ijafjrkt1okb7erq1 writing pwg_device|s:7:"desktop";pwg_mobile_theme|b:0;pwg_uid|i:3;
[2023-09-25 3:48:17]    [DEBUG] Attempting to read session tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.getStatus
...
[2023-09-25 3:48:17]    [DEBUG] Attempting to read session tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.categories.getList,medium,0,0,true
...
[2023-09-25 3:48:18]    [DEBUG] Attempting to read session qb5qmhe7uifjab339jmuoiqd2l
[2023-09-25 3:48:18]    [DEBUG] Attempting to read session r7gg164uve755672f0oms6b7m4
[2023-09-25 3:48:18]    [DEBUG] Cookies are r7gg164uve755672f0oms6b7m4
[2023-09-25 3:48:18]    [DEBUG] Cookies are qb5qmhe7uifjab339jmuoiqd2l
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Request is 54281,_data/i/upload/2022/03/01/20220301235416-1b6c89b8-me.jpg
[2023-09-25 3:48:18]    [DEBUG] Request is 54915,_data/i/upload/2023/03/26/20230326135755-96738732-me.jpg

You can see in the log above that there is an authenticated session tqfe3uka6ijafjrkt1okb7erq1 and that it uses that for things like getStatus request but then, it has unknown sessions (not logged in), here r7gg164uve755672f0oms6b7m4 and qb5qmhe7uifjab339jmuoiqd2l, to access images directly. I can also confirm that all these sessions appear in the DB and that only one of them contains the pwg_id (the others do not since they correspond to a guest login).

Steps to reproduce the behavior
Just logging into a brand new Piwigo instance should produce the requests shown above, but it will most likely work unless images are protected.

Expected behavior
I would expect the iOS app to always use the authenticated session to access anything from the server and never use a "guest" login to download or upload anything.

Note that in a lot of cases, it actually uses the proper session but it's just in some cases that it does not. I am pretty sure this worked before and I suspect some of the new cache code may have introduced a code path where a "guest" session attempts to get photos.

What did you do already
I searched for similar issues and also tried looking at past commits to see if I could understand where the issue was coming from, but no luck. I disabled guest login (which I think is part of the issue), and it is not reproducible on the demo because I suspect the demo is not protecting URLs.


Additional context
As mentioned above, I do use the piwigo_privacy extension (well, somewhat modified) and I initially looked there for the issue, but it seems to be doing as it should (i.e., denying guest access to images). The issue seems to be the iOS app making guest requests when it should ideally be making authenticated ones.
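The check the log above is doing by eye, as an added example that is not part of the issue or of the Piwigo code: correlate every direct image fetch with the session cookie it arrived on and flag the ones served by a session that only ever got the guest uid, but only when the same log also shows an authenticated session for the client (otherwise the fetches are plain anonymous browsing, not the bug described here). The sample log is constructed from the lines quoted in the report, with the two concurrent image requests de-interleaved so that each request's lines are contiguous; in the real log concurrent requests interleave, so the sequential attribution below is a heuristic, and the robust fix on the server side is to print the session id on the "Request is" line itself. The guest uid of 2 is the reporter's setup and is an assumption for other instances.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GUEST_UID = 2  # user 2 is "guest" in the reporter's instance; adjust for yours

# Constructed excerpt modelled on the debug lines quoted in the issue (not real server output).
SAMPLE_LOG = """\
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.login,vandr,xxxxxx
[2023-09-25 3:48:17]    [DEBUG] For tqfe3uka6ijafjrkt1okb7erq1 writing pwg_device|s:7:"desktop";pwg_mobile_theme|b:0;pwg_uid|i:3;
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.getStatus
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.categories.getList,medium,0,0,true
[2023-09-25 3:48:18]    [DEBUG] Cookies are r7gg164uve755672f0oms6b7m4
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Request is 54281,_data/i/upload/2022/03/01/20220301235416-1b6c89b8-me.jpg
[2023-09-25 3:48:18]    [DEBUG] Cookies are qb5qmhe7uifjab339jmuoiqd2l
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Request is 54915,_data/i/upload/2023/03/26/20230326135755-96738732-me.jpg
"""

COOKIE_RE = re.compile(r"Cookies are (\S+)")
SETID_RE = re.compile(r"Set id to (\d+)")
REQUEST_RE = re.compile(r"Request is (.+)$")
WRITE_RE = re.compile(r"For (\S+) writing .*pwg_uid\|i:(\d+);")


@dataclass
class ImageFetch:
    image_id: str
    path: str
    session: Optional[str]   # cookie the request arrived on, None if never seen
    uid: Optional[int]       # uid the server resolved for that session

    @property
    def is_guest(self) -> bool:
        return self.uid is None or self.uid == GUEST_UID


def parse_log(text: str) -> Tuple[Dict[str, int], List[ImageFetch]]:
    """Map each session id to its resolved uid and list the direct image fetches.

    Assumes each request's debug lines are contiguous (the "Cookies are" line
    precedes the "Set id"/"Auto guest login" and "Request is" lines of the same request).
    """
    uid_by_session: Dict[str, int] = {}
    fetches: List[ImageFetch] = []
    current: Optional[str] = None
    for line in text.splitlines():
        m = WRITE_RE.search(line)
        if m:  # session file written at login with an explicit pwg_uid
            uid_by_session[m.group(1)] = int(m.group(2))
            continue
        m = COOKIE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = SETID_RE.search(line)
        if m and current:
            uid_by_session[current] = int(m.group(1))
            continue
        if "Auto guest login" in line and current:
            uid_by_session[current] = GUEST_UID
            continue
        m = REQUEST_RE.search(line)
        if m and not m.group(1).startswith("json,"):
            # Non-API request: "<image id>,<path>" is a direct image download.
            image_id, _, path = m.group(1).partition(",")
            fetches.append(ImageFetch(image_id, path, current, uid_by_session.get(current)))
    return uid_by_session, fetches


def find_guest_image_fetches(text: str) -> List[ImageFetch]:
    """Image fetches made as guest while the same client also holds an authenticated session."""
    uid_by_session, fetches = parse_log(text)
    authenticated = {s for s, u in uid_by_session.items() if u != GUEST_UID}
    if not authenticated:
        return []  # purely anonymous browsing: guest fetches are expected, not a bug
    return [f for f in fetches if f.is_guest]


if __name__ == "__main__":
    for f in find_guest_image_fetches(SAMPLE_LOG):
        print(f"guest fetch of {f.path} on session {f.session} (uid {f.uid})")
```

Run against a larger capture, the two empty-result cases are worth keeping apart: no flagged fetches with an authenticated session present means every download rode the logged-in cookie, while no flagged fetches because no session ever authenticated is the separate anonymous-download report further down this thread.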

benjaminchodroff commented 9 months ago

Can confirm. If you access a piwigo 13.8.0 server site, such as my own https://benchodroff.com/photos, using the latest TestFlight piwigo mobile 3.1 ios app, and do not login, you will be unable to download any photos from the iOS app even though everything else works.

However, if you then login, you can download photos.

Would greatly appreciate a fix so that even anonymous users can download photos.

romain-intel commented 8 months ago

I'm not sure this is the exact same problem but may be related. My issue is that it is using a guest session when it shouldn't but yours seems to be that it is not using a guest one when you want it to. They may definitely be related.

Any update from the developers? Happy to provide more information if it helps.

Thanks!

romain-intel commented 8 months ago

Gentle ping on this? I am happy to help if I can. This is not an area I am too familiar with but happy to try with a bit of guidance. Thanks!

EddyLB commented 8 months ago

Hi @romain-intel It is mandatory to open a session for retrieving the URLs of the images (unless guest has access to them). So the iOS app opens a session, retrieves the URLs with this session and then downloads images as guest. Even if image URLs are quite complex, I agree that it is not secure enough and we are going to fix this issue.

romain-intel commented 8 months ago

Hello @EddyLB, thanks for your response. Yes, I saw it opening a session and that part works fine. I think we are saying the same thing namely: images are then currently sometimes downloaded without a session and you are saying that you will fix it so that image URLs as well as images are fetched using the authenticated session. Is that correct? If so, then yes, I think this would fix the issue I am seeing. (and to be clear, sometimes pictures are downloaded with a session, sometimes not, it's very weird :) ).