Phoca Forum

I've done a few searches but have not been able to find an answer to this issue.

I have a Phoca Gallery successfully set up on my Joomla site with all the photos only accessible to registered users. In fact, nearly all the content on this site is for registered users only. This is all working except for the fact that *anyone* can access the photos if they know the URL. I know that it would be difficult for someone to figure out the exact URL for the picture files. However, that (to me) is security by obscurity and I need to get this working so that pictures are only accessible to registered users logged into the site.

I tried messing with the permissions on the Phoca photo directory, but that kills access to the photos completely... not even logged in users can get to them.

It seems this should be possible since I know that with DOCmac, restricted documents are only accessible to registered users through the Joomla site.

Can someone tell me if there is a permission issue with my installation or folders on the server... or is this a limitation of Phoca?

Thanks in advance! This is a great product. I'm just stuck at the moment.

Hi, yes your right, If you will know the exact url to the image, then there is no protection ... Phoca doesn't display the exact url way to original image (except you will display donwload link, ...) but there is no protection in permission area yet Any ideas in this area will be appreciated...

Jan

In my original post, I mentioned that DOCmac, restricted documents are only accessible to registered users through the Joomla site. I figured out *part* of how this is done. In the DOCman folder that contains all the documents I am hosting is an .htaccess file. The command that is making the files inaccessible is below: So it seems they used "deny from all" as the way to keep files from being accessed directly. I put this same file into the phocagallery folder and it worked, but too well...

Not only did it block me from accessing the picture files directly, it blocked them from being accessed from in the site. In fact, even though I only put the .htaccess file in the phocagallery folder, it prevented access to the image files in all the subfolders as well.

So that is the part that I figured out. What I haven't figured out is how DOCman is able to access the files from within the website with the .htaccess file in place. I'll keep looking to see if I can figure this out, but thought I would let you know what I found in case you have some ideas based on this.

Thank you for this info ... I don't know such practice so if you find how to access the images via site, please let me know, maybe we can write a FAQ then ....

Thank you, Jan

yes, this can be used in Phoca Gallery to, the .htaccess file should be custom added, I think this should be created specially for the server settings...

Jan

Leider verstehe ich überhaupt nicht worum es geht...

Was ist das Problem genau, was soll gelöst werden?

Verstehe ich es gut, dass du die Verzeichnisse für Phoca Download auser www geben kannst, aber nicht für Phoca Gallery ? Wenn ja, dann geht es um zwei verschiedene funktionen...

In Phoca Donwload sind die Dateien mit Hilfe von FTP geladen, bei Phoca Gallery sind aber die Bilder mit Hilfe von GD geladen (erzeugt), so vielleicht Ownership oder Permission verhindern die Erzeugung...

'../' . "../files/images/";

leider weiss ich nicht wie sich diese Veränderung auf dem Server behalten wird ??? niemals probiert ?

Jan

Hi, long time no see...

So, I finally installed your gallery component. Good component!

I've now compared several galleries for Joomla! as well as Gallery2 (not Joomla!) and I must say there are really not a lot of good, professional gallery apps. around. Sure, they show pics in the most fancy ways from small galleries. However, when it comes to professionals that want to sell images as stock photos via subscription or via singel download, with searchwords and subcategories, not that many of these apps. fills all the necessary prereq. for the professional user.

So, here we are...

From the discussion above I understand that mke112, purealloy and I have something in common. The wish for proper security. Because this is immaterial property and a part of the livelihood for some.

In order to achieve the appropriate level of security on Apache/PHP there are two ways to go:
1. Use of .htaccess - This normally works fine to restrict direct access to any directory or subdirectory below the www-root. Still it can be hacked or crawled.
2. Placing of files outside/above the www-root. This is 100% secure since an applic can be written to place and retrieve files from here. N.B. pure HTML access is not possible of course, since it's above the Apache web serving root. But a PHP script solves that.

As stated before. Docman makes use of .htaccess. If you select to have the 'dmdocuments' directory in your web directories. However, Docman can also move this repository and place it above the www-root.

Why am I saying all this?
I've spent the last week with 'wbGallery' which I thought, and still think, in some ways, is the application that I needed in order to set up a good looking, simple and relatively easy to modify, gallery. Just to find out that in the long run, I can't edit the way it stores and retrieves image files. (Several reasons for that in the code).

And now, I'm turning to this component, in order to see if it's easier to accomplish storage above www-root.

I could of course go with Gallery2, but the major issue for me is that I have a subscription system that only works within Joomla! structure, so the gallery has to adhere to the component structure. (Joomsuite Member)

So my question is really more of a request:
Please Jan, try to make it possible for the user to select storage path for image files above the www-root. If you manage that, then you'd be closing in on Gallery2 (marketwise).

A compromise for such solution could be:
Store Original images without watermark above root - accessible via a download button wich is controlled by admin settings. And watermark the rest and save as today under the www-root.
This is what I'm going to try the next couple of days...

Including two ideas (to tickle your brain )that I've found in other forums since this is all about paths: Regards
Akerman

So, I finally installed your gallery component

... So long in this forum and didn't know that the Phoca Gallery is the best gallery ...

1. .htaccess - yes, this solution for not getting the images from the folders can be used ... this should be set manually for every server, I think this should be not default as the .htaccess in Joomla! is not default too. Not all users wants and can use the .htaccess ... I think, I should write some FAQ, how to create and use .htaccess for Phoca Gallery

2. images outside the www root. In Phoca Gallery there is a Helper class "phocagallery" where you can set the path of images, so I think, if someone needs to protect the images, he can play with this settings...

Please try to look at:
administrator\components\com_phocagallery\helpers\phocagallery.php

function getPathSet()
{
$path['orig_abs_ds'] = JPATH_ROOT . DS . 'images' . DS . 'phocagallery' . DS ;
$path['orig_abs'] = JPATH_ROOT . DS . 'images' . DS . 'phocagallery' ;
$path['orig_rel_ds'] = '../' . "images/phocagallery/";
return $path;
}

to change the paths... the problem with loading images with help of php script is, everbody has other settings on his joomla site and there can be a lot of problems with such behaviour , but I take a look at it

Please try to change the paths in Helper class and let me know if there is some possible way to go...

Jan

Hi Jan,

...yes it IS a good component.... Trying to dig a bit in the CSS...right now...hmm..

Thanks for the prompt and as always; on topic, reply.

I've been sniffi'n around that file and I will attack it later today and see how it goes.

And, yes. All your points about .htaccess are valid. According to Apache development team, the use of this file with its different directives should preferably be as limited as possible. Actually they recommend that ALL access should be switched of in the Apache config and then opened up for the directories that needs to be opened!
That is a sound approach from a security perspective, however Joomla! seem to disagree since the use of SEO/SEF settings and some security blocking facilities directly involves the .htaccess structure.

I'll get back on this...


Regards
Akerman

Ok, here's a quick tutorial on the PhocaGallery and .htaccess files.

GOAL: To lockdown the direct URL access to the PhocaGallery image directory and its subdirectories.
Access from within the Component Phocagallery and its download functions will still work.

REASON: To prevent access to sensitive or copyright protected materials.

Jan, feel free to copy and paste to your heart content! (For the FAQ you where thinking to write... )

Prerequisites:
Apache 2
Joomla! 1.5.7 (not important, this tutorial is valid for any document in Apache www/ path)
Linux (There are well known issues with Windows/Apache and .htaccess. Please search Google for answers)
Path: The path for image is below WWW/ (Apache document root) (Component standard)

All testing performed on LOCALHOST. The hosting environments differs quite a bit and it is your responsibility to find out what settings your provider has for your specific site. Remember all this is Apache2 and Apache2 ONLY. So all questions to your hosting should be in regards to that.

My reason for compiling this info is to save some poor soul out there some headache and time. This looks simple at first, but it's not. Apache2 is a very powerful, scalable server, and the documentation matches that...

Ok, ready?

We will first need to create three files.
The '.htaccess' files that goes into the directory we need to protect (and sub-dirs is included of course).
The '.htgroups' and '.htpasswd' that we will place in a protected directory. (N.B. some tutorials place this in same directory as '.htaccess', that is wrong and not a sound security solution.

CREATE THE .htaccess file
1. Use any texteditor that does not insert hidden charachters and for good sake don't use line wrapping.
Create a new file called '.htaccess' This is a normal text file!
2. Insert the following code into the new file: N.B. I use multiple domains, so if you only have one, or use LOCALHOST then remove the 'mysitenamehere/' so it instead reads:' /var/www/administrator/authorization/.htpasswd'

3. Save the file in '/images/phocagallery' or wherever your image gallery starting point is.

4. Create a new file called '.htgroups' (Normal text file as mentioned above)
5. Insert the following text into the new file: You can insert any group name you want here like 'admins', 'maintenance' or whatever you like. The reason for using groups is because it is more complete and more logical than to cram all potential user into the .htaccess and .htpasswd file.

6. Save the file in a new directory called 'authorization' in either '/administrator/.. or above the WWW-root (ex. /var/authorization/')
And as usual, we use the 'authorization' as a name in this tutorial. You can set it to anything you like. Remember to change the .htaccess file though. Since it points to this directory.

7. Create a new file called '.htpasswd' (...again, a normal text file)
8. Insert the following text into the file:
I recommend using the http://www.webmaster-toolkit.com/ link to create the password, if you're unexperienced how to handle this.

9. Save this file into the same directory as you did under #6. above.

That concludes the file creation for '.htaccess' functionality' Now we go on to edit Apache2.

10. Now, since we're on LOCALHOST, you have to edit the Apache configuration file. A lot of tutorials calls this for 'httpd.conf'. That name is depreciated (not in use) and instead with Apache2 it is a file called 'apache2.conf' in '/etc/apache2' that is your target.
11. Open this file in a editor (normal text file...nag...nag..)
12. Insert the following text:
13. Save the file. Oh, and I hope you made a backup first?

14. Restart the Apache2 server. Either by Linux '/etc/init.d/apache2 restart' or via your GUI (usually running as a Service in the OS)
15. Empty the Web browsers Cache! And then reload/load the page.

Now, when entering the the Phocagallery directory in your browsers URL or the Administrator interface, you will have to enter the userid: 'web_admin' (or your own id here) and tha password you've set. before gaining any access. (The password is unique and does not have to be the same as any other password, if you don't want to of course).

Failing to provide these credentials lead to a '401 - Authorization Required' message. This comes from the Apache2 and can be styled to your liking. (Sometimes you can style such error pages in your SEO application)

Another tip is that you can make a simple index.(php/html) file and put in the directory (image directories usually don't have them. Normal Joomla! directories do.) Why? Because if it's not there the default for all webservers is to show the browser the file directory. (Your images). Inserting an 'index' file hides the files and the user only see that page.

N.B. As you saw above under step #12. I took the liberty of including also the '/administrator' directory. This is something you should ALWAYS do with Joomla!. Why? Simply because the administrator login is not sufficent. (Remeber the security hole in 1.5.6?...there are likely to be more...)
Just remember to place a copy of the '.htaccess' file in the '/adminstrator' directory too.

An extra bonus is of course that you now also has protected ALL '.ht*****' files from being accessible from the normal surfer. Including the one in Joomla! root.

And that's it!

If you install other components or directories you want to protect from direct URL acess, then just copy the 'htacess' file into the directory of choice. Oh, and new users? Just add them to the two files '.htgroups' and '.htpasswd' in the same manner as above.

Moving the site to a hosting environment? Just create new passwords with the new path as instructed on the URL above under #8. And change the '.htaccess' paths for the group and password file to reflect the new environment.

All this of course leads to some more administrative tasks and can depending on the number of users in the files (read +100), lead to a slower site. But would you rather that the photos you are selling or the downloadable music your band is trying to sell get stolen? Didn't think so.

Just to really scare you: I've spent five hours just surfing and testing others installations of Phocagallery, wbGallery and some other well-known Joomla! gallery components. From approximately 75% of them I could download the large/original image/photo after some intelligent use of the normal web development tools that you can get as addons to Firefox! Ouch!

Have fun with your improved security!

Regards
Akerman