buddydev / mediapress

The Most advanced Media Gallery Plugin for BuddyPress
https://buddydev.com/mediapress/

Improve privacy/security #33

Closed enboig closed 7 years ago

enboig commented 8 years ago

I marked an album for logged-in users, and when visiting http://localhost/buddypress/gallery/gatets/media/h8733d98f/ it returns an error, but the full URL to the image works: http://localhost/buddypress/wp-content/uploads/mediapress/sitewide/1/4/h8733D98F.jpeg

I think private albums should create a .htaccess file to check for logged-in users (when a simple logged-in user permission is required).

When using BuddyPress, a PHP script could check and serve images to ensure the user is allowed to see the image.

I know it would be more resource intensive; it could be optional, activated by a "paranoid mode". I am new to WordPress development, but I would: 1) create a .htaccess to redirect access to private albums to secure_script.php?url=[current_url]; 2) have the script check whether the user has access to the image (this part is already done and it works) and return it or redirect to an error page.

It should be backwards compatible.

Any interest in adding this to the module?

sbrajesh commented 8 years ago

Hi, thank you for posting.

  1. I see that you are using the sitewide gallery feature. Please flush your permalinks to make it work. It uses rewrite and needs the permalinks to be flushed. Also, if you have the BuddyPress gallery directory enabled, please make sure they do not conflict (slug).
  2. About the privacy: Media privacy does not make a media file URL completely hidden. It stops users if they try to see the media using the normal route. If you have the full URL of the media file (media file URL and media URL are different), you can always see it. The reason is performance. Hiding a media file will need us to get PHP to read the file from the filesystem and render it. No one does it (not even Facebook) to avoid performance.

When you apply privacy, it is applied on media, and media visibility does not allow accessing them. If you have the src URL of the media, you can always access it. We do not plan to implement file-level privacy as it is a performance bottleneck. The media privacy is more about discoverability.

It does not mean that it cannot be done. I personally don't feel (based on other large-scale implementations like Facebook and others) that we should do it in core. Maybe we can put out an addon, or another developer can put out an addon for this for specific sites.

Thank you Brajesh
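
The `.htaccess` plus checking-script idea from the first comment, as an added example that is not part of the thread and is not MediaPress code: the function names, the rewrite rule and the `$can_view` callback are assumptions, with the callback standing in for the plugin's existing permission check (in the simple case, WordPress's `is_user_logged_in()`). It confines the `url` parameter to the uploads directory before deciding whether to serve the file, which is the step such a script must get right.

```php
<?php
// Added example, not MediaPress code: all function names are hypothetical.
// Assumed .htaccess rule in the private uploads directory (Apache mod_rewrite):
//   RewriteRule ^(.+)$ /secure_script.php?url=$1 [L,QSA]

/** Map the requested relative path to a real file under $base, or null. */
function resolve_media_path(string $base, string $requested): ?string
{
    $root = realpath($base);
    // realpath() collapses "../" and follows symlinks; false if nothing is there.
    $path = $root === false ? false : realpath($root . '/' . ltrim($requested, '/\\'));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The trailing separator keeps a sibling such as "<base>_outside.txt" from matching.
    return strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0 ? $path : null;
}

/** 404 for an unknown or out-of-tree file, 403 if the viewer is refused, else 200. */
function media_response_status(string $base, string $requested, callable $can_view): int
{
    $path = resolve_media_path($base, $requested);
    if ($path === null) {
        return 404;
    }
    return $can_view($path) ? 200 : 403;
}

function serve_media(string $base, string $requested, callable $can_view): void
{
    $status = media_response_status($base, $requested, $can_view);
    http_response_code($status);
    if ($status !== 200) {
        return;
    }
    $path = resolve_media_path($base, $requested);
    header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
    header('Cache-Control: private, no-store'); // keep shared caches from storing it
    readfile($path);
}

if (PHP_SAPI === 'cli') { // constructed demo: a temp dir stands in for the uploads folder
    $base = sys_get_temp_dir() . '/mpp_demo_' . getmypid();
    mkdir($base . '/1/4', 0700, true);
    file_put_contents($base . '/1/4/sample.jpeg', 'constructed');
    file_put_contents($base . '_outside.txt', 'constructed'); // sibling of the base dir
    var_dump(media_response_status($base, '1/4/sample.jpeg', fn () => false)); // viewer refused
    var_dump(media_response_status($base, '../' . basename($base) . '_outside.txt', fn () => true));
}
```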