Support community for TTG plugins and products.
NOTICE
The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.
This forum is now closed, and exists here as a read-only archive.
You are not logged in.
Pages: 1
I'm getting lost trying to setup, and understand, the password functionality.
Is there a reference to point out (I couldn't find anything in the docs or wiki). Something like a "best practices" or "tip & tricks" available?
As I understand it, as the admin I should use the Master Password in the gallery template, which I then use for publishing. The Guest password is for users.
But the Publisher only allows for one password - so how does the Publisher & Gallery template interact in this case?
Then how can I test this as a user, rather than as the admin of my server using the master password. I want to clear everything, so I can be forced the password prompt.
One thing that's a mystery, after I've logged in one with my browsers they always just want to go straight to the page again. I've tried clearing the cache, passwords, cookies, etc. That confuses me because now it seems like there's no password.
Which folders are being protected by the password? Everything within that folder? That would block access to the thumb needed by the Auto Index page, right?
Another thing I've found. I can skip over the password and get the images. For example, I password protect this gallery:
mydomain.com/private
But I can still get the photos without the password (just add "photos" to the URL). I must be setting this up incorrectly.
mydomain.com/private/photos
Last edited by JimR (2013-04-21 13:30:14)
--Jim
Offline
Our password protection is relatively low-security, though adequate in most cases.
The Master password is set in the Web module, even for publisher templates. The publisher only sets the Guest password.
When logged in as Master, you will be able to browse protected galleries freely. When logged in as Guest, you will only have access to the specific galleries into which you have logged in.
To logout of a protected gallery, access the URL appending ?logout. For example, http://yourdomain.com/gallery/?logout. You can create a logout link in the gallery or the block if you so desire.
Password protection does not block access to /thumbnails/, /photos/, or other assets. Security through obscurity.
To implement greater protection, you would need to turn to server-side security. Password protecting branches of the file try (e.g. implementing a server-side password on an entire folder) would block the auto index from accessing thumbnails, so we don't recommend it.
You can implement .htaccess directives to prevent the browsing of folders on your server. For example, accessing the /photos/ folder directly could return a "Forbidden" error rather than listing the folder contents for download. I have compiled a .htaccess reference here. In this case, we're discussing the directive listed under "File Access" on that page.
Offline
Password protection does not block access to /thumbnails/, /photos/, or other assets.
OK - that's what I noticed, and came to the conclusion this was generally good enough.
I was just thinking of using .htaccess to turn off the indexes for the assets pages. So anyone going to /photos/ wouldn't find the file names. Hmmm, couldn't this be added to Publisher? That would be even better than good enough.
Then I have a case where I want the entire directory locked down, and did so server-side and found the problem with having assets being locked out of the Auto Index.
implement .htaccess directives
I was thinking about that, so I'll read up on your reference.
So how to completely lock down a set of galleries...hmmm
I was thinking of creating a Publisher to point at a completely private folder (e.g., "privatedir"), but not have an Auto Index in there, or I could redirect it to the home page (or even an error page).
I could even turn off index listing in .htaccess for privatedir, so people can't find the names of its sub-directories.
For each gallery, I assign a server-side password. Then email people the direct URL and password info.
domain.com/privatedir
domain.com/privatedir/gallery1
domain.com/privatedir/gallery2
domain.com/privatedir/gallery3
I think this would be ultra secure for each gallery. You won't see anything without the password.
And I think the privatedir lets me publish galleries, while also having that directory locked out to users.
Last edited by JimR (2013-04-21 14:49:18)
--Jim
Offline
Pages: 1