[Tickets #12668] Re: gallery prieview images doesn't respect permissions
noreply at bugs.horde.org
Fri Sep 13 20:43:21 UTC 2013
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/12668
------------------------------------------------------------------------------
Ticket | 12668
Updated By | Michael Rubinsky <mrubinsk at horde.org>
Summary | gallery prieview images doesn't respect permissions
Queue | Ansel
Version | 3.0.0
Type | Bug
-State | Assigned
+State | Feedback
Priority | 1. Low
Milestone |
Patch |
Owners | Michael Rubinsky
------------------------------------------------------------------------------
Michael Rubinsky <mrubinsk at horde.org> (2013-09-13 20:43) wrote:
This happens when:
1) The "private" sub gallery has SHOW perms, but not READ perms.
2) The parent gallery has READ permissions, but not enough images in
it to generate a key-image thumbnail so we look in the sub galleries
that are readable *for the currently logged in user*. If the currently
logged in user has READ on the sub galleries when the key-image
thumbnail is generated, the image could possibly include a "private"
image.
3) A user with SHOW, but not READ on the private gallery logs in.
Since the parent gallery's thumbnail was already generated, it is used
as is.
For the record, this will be an issue even if a gallery does not
contain any sub galleries. The key point is that the key-image
thumbnail may be generated by a user that has less restrictive
permissions than the current user viewing the gallery.
Really not sure how to fix this since we are not going to generate
these thumbnails on each page load, and we don't currently have
image-level permissions.
Thoughts?
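
The sequence in steps 1 to 3, as an added example that is not part of the original message and is not Ansel code: a small Python model in which a "thumbnail" is just the tuple of image names it was built from. The class and function names, the users alice and bob, and the file names are all constructed for illustration. The hardened mode shows one general way to scope a cached derivative to the viewer's rights without regenerating it on each page load.

```python
# Constructed model of the cached key-image problem; names and data are hypothetical.
SHOW, READ = "show", "read"

class Gallery:
    def __init__(self, name, perms, images=(), children=()):
        self.name = name
        self.perms = perms            # user -> set of permissions (sample data)
        self.images = list(images)
        self.children = list(children)

    def can(self, user, perm):
        return perm in self.perms.get(user, set())

def readable_images(gallery, user):
    """Images in this gallery and its sub galleries that `user` may READ."""
    if not gallery.can(user, READ):
        return []
    found = list(gallery.images)
    for child in gallery.children:
        found += readable_images(child, user)
    return found

class ThumbCache:
    """Key-image cache; a thumbnail is modelled as a tuple of source image names."""
    def __init__(self, key_by_viewer_rights):
        self.key_by_viewer_rights = key_by_viewer_rights
        self.store = {}

    def key_image(self, gallery, user):
        sources = tuple(readable_images(gallery, user))
        # Flawed mode: one entry per gallery, built by whoever asked first.
        # Hardened mode: the entry also depends on what this viewer can read.
        key = (gallery.name, sources) if self.key_by_viewer_rights else gallery.name
        if key not in self.store:
            self.store[key] = sources   # "generate" the thumbnail once per key
        return self.store[key]

def demo(key_by_viewer_rights):
    private = Gallery("private", {"alice": {SHOW, READ}, "bob": {SHOW}},
                      ["secret.jpg"])
    parent = Gallery("parent", {"alice": {SHOW, READ}, "bob": {SHOW, READ}},
                     ["public.jpg"], [private])
    cache = ThumbCache(key_by_viewer_rights)
    cache.key_image(parent, "alice")        # alice triggers generation first
    return cache.key_image(parent, "bob")   # what bob is served afterwards
```

In the hardened mode, viewers with the same readable set share one cache entry, so the cost is one generation per distinct permission outcome rather than one per page load.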