thibaud-rohmer / PhotoShow

A free web gallery in PHP with drag-n-drop support
http://www.photoshow-gallery.com
505 stars, 152 forks

unauthorized access to photo via url #300

Open · timpx opened 9 years ago

timpx commented 9 years ago

Hi there, I'm not sure if this is a problem with PhotoShow or my server configuration, but let's try. Let's say I have a photo "b.JPG" in a private directory "a". Even if not logged in, I can access the photo via the URL "https://photoshow_website/?f=a%2Fb.JPG". I have put the Photos directory in /var/www/ with www-data as owner of the directory (Apache/Debian). Any ideas how to avoid this unauthorized access via URL?

djmattyg007 commented 8 years ago

I solved this problem with my photo browser: https://github.com/djmattyg007/pictorials

It lets you store your photos outside of the web root, and implements an access layer on top to ensure direct access to image URLs is not possible.
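
One way to implement the access layer described in the comment above, as an added example for this thread (it is not code from PhotoShow or from Pictorials). The photo root path, the `$_SESSION['user']` key set by the login flow, and the per-folder ACL are assumptions made for the example:

```php
<?php
// photo.php: an added example of an authorisation layer in front of a
// photo store. Not PhotoShow's or Pictorials' code. Assumptions (hypothetical):
//   - PHOTO_ROOT is a directory OUTSIDE the web root, so Apache cannot serve
//     anything in it directly; this script is the only way to reach it.
//   - the gallery's login flow has already stored the username in
//     $_SESSION['user'] (absent when not logged in).
//   - $acl lists top-level folders that are private and who may see them;
//     any folder not listed is public.
declare(strict_types=1);

const PHOTO_ROOT = '/var/lib/photoshow/Photos';   // assumed location, outside /var/www

// Resolve a user-supplied relative path ("a/b.JPG") against $base and return
// the real filesystem path, or null if it is not an existing regular file
// inside $base. realpath() collapses "..", repeated slashes and symlinks, so
// "../../etc/passwd" and a symlink pointing outside the store both fail the
// prefix check below.
function resolvePhotoPath(string $base, string $requested): ?string
{
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    // A NUL byte would truncate the path in the underlying C call.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the photo store
    }
    return $path;
}

// Top-level folder of a resolved path relative to $base ("a" for "<base>/a/b.JPG").
// That folder is the unit of access control in this example.
function topLevelFolder(string $base, string $path): string
{
    $rel = substr($path, strlen((string) realpath($base)) + 1);
    $parts = explode(DIRECTORY_SEPARATOR, $rel);
    return count($parts) > 1 ? $parts[0] : '';   // '' = file directly in the root
}

// Decide whether $user (null = anonymous) may read $folder.
function isAllowed(string $folder, ?string $user, array $acl): bool
{
    if (!array_key_exists($folder, $acl)) {
        return true;                       // not listed: public
    }
    return $user !== null && in_array($user, $acl[$folder], true);
}

// Stream the file with a fixed allow-list of image types so that nothing else
// that happens to sit in the store (a stray .php file, .htaccess) is ever served.
function sendPhoto(string $path): void
{
    $allowed = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
    $mime = mime_content_type($path);
    if ($mime === false || !in_array($mime, $allowed, true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');   // keep private images out of shared caches
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $acl  = ['a' => ['alice']];              // assumed: folder "a" is private to user alice
    $user = $_SESSION['user'] ?? null;
    $path = resolvePhotoPath(PHOTO_ROOT, (string) ($_GET['f'] ?? ''));
    // One 404 for "missing", "outside the store" and "not yours": the response
    // must not tell an anonymous caller whether a/b.JPG exists at all.
    if ($path === null || !isAllowed(topLevelFolder(PHOTO_ROOT, $path), $user, $acl)) {
        http_response_code(404);
        exit;
    }
    sendPhoto($path);
}
```

The check only helps if the web server cannot reach the files on its own: with the Photos directory under /var/www, Apache will keep serving `a/b.JPG` directly no matter what the PHP does. Moving the directory out of the document root is the simplest guarantee; if it has to stay there, an Apache 2.4 `<Directory>` block with `Require all denied` also blocks direct requests, and PHP can still `readfile()` the images because it reads them through the filesystem, not through HTTP.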

timpx commented 8 years ago

ok thanks

djmattyg007 commented 8 years ago

Fun fact, Facebook has the same problem as PhotoShow with regards to this.

timpx commented 8 years ago

Mmh, I would have expected Facebook to be better than PhotoShow on this, according to their budget. But it's probably a feature, not a bug, knowing Facebook's love for privacy :)