Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#1432 closed bug (fixed)

gallery - privacy issue - all pics public

Reported by: crumbking
Owned by: planetcruiser
Priority: major
Milestone: 0.9
Component: BW Gallery
Keywords:
Cc:

Description

It's not a bug and not a feature. It's a privacy issue. You are absolutely right!

For the beginning I would add a note somewhere on this page:

http://www.bewelcome.org/gallery/upload

Something like: "These pictures will be uploaded to our personal public accessible gallery. Please be aware that you currently can't hide these pictures"

Maybe someone has a better wording?

In the long run (needs some dev power) we should have an option public/nonpublic for every pic/gallery/all.

see http://www.bewelcome.org/forums/s1278-found_a_bug__privacy_pictures/#post7001

Change History (25)

comment:1 Changed 7 years ago by crumbking

I changed the wording on the upload page via translation tool but in the long run there should be a solution to say public or non public (members only).

comment:2 Changed 6 years ago by mahouni

I suggest to change the gallery to members only.

Merge requested here: https://gitorious.org/bewelcome/rox/merge_requests/5

comment:3 Changed 6 years ago by mahouni

  • Milestone changed from unassigned to 0.9
  • Owner set to mahouni
  • Status changed from new to assigned

comment:4 Changed 6 years ago by crumbking

So how does it work? We simply hide the whole gallery to members only?

Thought people with a public profile should also have a public gallery.

comment:5 Changed 6 years ago by mahouni

yes, the suggestion is to make the pictures accessible for logged in members, as long as we don't offer the possibility to choose if a photo should be public or not. At the moment all pictures could be found by Google. It's time to do something against that. So the ticket won't be closed after applying the current patch in develop, but at least it won't be a critical ticket anymore.

Keeping the pictures from members with public profiles searchable by Google should be an easy task. I might have a look at it later this week, but it's not on my priority list.

comment:6 follow-up: Changed 6 years ago by crumbking

I checked the changes locally. I suggest if click gallery, then login to actually come back to the gallery page not the main startpage.

comment:7 in reply to: ↑ 6 Changed 6 years ago by mahouni

Replying to crumbking:

I checked the changes locally. I suggest if click gallery, then login to actually come back to the gallery page not the main startpage.

I will try this. Is that the way how the login tool works to get back to the request? /login/RequestedUrl

Replying to crumbking:

Thought people with a public profile should also have a public gallery.

Getting the member from a gallery item seems to be a bit more complicated, so I am not sure if I'll have that ready for the release soon. But I would keep the ticket open for later.

comment:8 Changed 6 years ago by crumbking

After some discussion with globe, jsfan on IRC I suggest we hide the menu link "Gallery" and the section in "Explore" for not logged in people.

Also check public profiles with pictures like http://alpha.bewelcome.org/members/planetcruiser The pictures seem not to show up. I guess we have 2 options:

A) repair the view and to show the thumbs after the click forward to login page

B) Remove the whole section "Latest pics" on public profiles while not logged in

I will try this. Is that the way how the login tool works to get back to the request? /login/RequestedUrl

That's the only way I know. But I guess the answer is yes ;-)

comment:9 Changed 6 years ago by mahouni

These are all good suggestions.

Option B would be ready. See my last commits on develop: http://gitorious.org/bewelcome/rox/commit/3aa75dd779c9ceb05f5b8bb67807351f363088d4/diffs/abd3810f38ffb7732025c237d034d6b2f2a8a517

I also changed the call to the login function, so that it redirects to the request after a successful login.

Option A could be done with something like:

// Redirect to the login page when the member named in the request has no public profile.
if (isset($request[3]) && preg_match(User::HANDLE_PREGEXP, $request[3]) && ($member = $membersmodel->getMemberWithUsername($request[3])) && ($userId = $member->get_userid())) {
    if (!$member->publicProfile) {
        $this->redirectToLogin(implode('/', $request));
    }
}

but it needs more work.

comment:10 Changed 6 years ago by globetrotter_tt

The link to the gallery is still visible in the menu and on the explore page. If it should be visible for logged in users only, there is no need to show it on the public pages.

comment:11 follow-up: Changed 6 years ago by mahouni

The link shouldn't be visible anymore now.

Some notices if we go for option A later: (I haven't checked it again now, so this is what I remember...) there are 2 functions to get the owner of a gallery or an image in the gallery model: galleryOwner() and imageOwner(). They will return the userid from table user, which should be the same as the memberid in table member.

So what we would need to do is:

  • get that userid and create a member model (A) or member entity (B).

(A) Check $member->PublicProfile? true, or redirect to login if not.
OR
(B) Check $member->get_publicProfile() , or redirect to login if not.

  • add this check to all cases of a gallery request.

Though I think it would be even better to write something that allows to set the visibility for every gallery separately. Additionally all images should be in a gallery.

comment:12 in reply to: ↑ 11 Changed 6 years ago by globetrotter_tt

Though I think it would be even better to write something that allows to set the visibility for every gallery separately. Additionally all images should be in a gallery.

Yes, that would be important. Can we consider this ticket as fixed, or do you want to work more on option A?

Last edited 6 years ago by globetrotter_tt

comment:13 Changed 6 years ago by mahouni

I would say this ticket is fixed. And let's create a new ticket for the options public/nonpublic galleries.

comment:14 Changed 6 years ago by globetrotter_tt

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:15 Changed 6 years ago by planetcruiser

  • Resolution fixed deleted
  • Status changed from closed to reopened

sorry guys, this is breaking existing behaviour in an unexpected way.

sure, private profiles should have their gallery hidden, but i want my gallery and images to stay publicly visible when i have set my profile to public. :) probably i am not alone in this.

with your current solution you are breaking links that lead to bw galleries from outside. for example on these pages:

solution:

  • show gallery as if logged in when profile is set to public

i will look into solving this now.

comment:16 Changed 6 years ago by planetcruiser

  • Owner changed from mahouni to planetcruiser
  • Status changed from reopened to accepted

comment:17 Changed 6 years ago by mahouni

  • Priority changed from critical to major

Hey Meinhard,
no problem if you find an easy way to implement it like that. But I'd rather go for an option to set the visibility for every gallery album separately. Regardless of whether the member has set his profile to public or not.

Though, I don't think it needs to be done necessarily in release 0.9.

comment:18 follow-up: Changed 6 years ago by planetcruiser

i implemented my suggestion (show photos of public profiles publicly) with these commits:

enjoy! :)

the following pages still need fixing (don't show pictures of private profiles):

..but i'll do that tomorrow, it's 4am here. ;)

anything else?

comment:19 Changed 6 years ago by mahouni

impressive! thanks ;)

comment:21 Changed 6 years ago by planetcruiser

  • Resolution set to fixed
  • Status changed from accepted to closed

well, looks fixed to me.. now *that* was easy. ;)

individual privacy settings for images and galleries are a nice-to-have, but not as pressing as solving this privacy fail. https://www.google.com/search?q=site:http://www.bewelcome.org/gallery/&prmd=imvns&tbm=isch is full of photos of people that probably are not aware of this

comment:22 follow-up: Changed 6 years ago by mahouni

I tested it too. Everything worked well.

Only one little error notice for this link, if the image doesn't exist: http://alpha.bewelcome.org/gallery/img?id=245254235235

I added an if statement, to fix that. PPHP::PExit() in the index() method is called afterwards.
https://gitorious.org/bewelcome/rox/commit/1a3761e8de1712ecc335f3fe4f95b06311a4456d
Do we need a redirect to the gallery or to the login/request (if that id is a non-public image)?

Last edited 6 years ago by mahouni

comment:23 in reply to: ↑ 22 Changed 6 years ago by planetcruiser

Replying to mahouni:

Only one little error notice for this link, if the image doesn't exist: http://alpha.bewelcome.org/gallery/img?id=245254235235

I added an if statement, to fix that.

well spotted. :) because we don't have a proper exception handling that's probably the best thing to do. in an ideal world we would raise an exception here, because saying it's not public if the image isn't found strictly speaking is wrong information. anyway..

https://gitorious.org/bewelcome/rox/commit/1a3761e8de1712ecc335f3fe4f95b06311a4456d
Do we need a redirect to the gallery or to the login/request (if that id is a non-public image)?

i was thinking about that and decided not to redirect, because an image mime-type is expected, so we shouldn't send a text/html instead. a pretty "image not available" dummy image would be the cleanest solution, but let's be pragmatic here. i don't think many people use bw for image hosting (yet). ;)
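
The visibility check outlined in comment 11 and the image-endpoint behaviour discussed in comments 22 and 23, combined in one decision function. This is an added example, not code from the ticket or from the Rox code base; the function names, the 404/403/302 status choices, the request paths and the sample ids are assumptions made for illustration.

```php
<?php
// Added example, not BeWelcome/Rox code. Names, status codes and ids are assumptions.

// Hypothetical stand-ins for the gallery and member model lookups (constructed data).
function imageOwnerId(int $imageId): ?int
{
    $owners = [101 => 1, 102 => 2];          // image id => owner's member id
    return $owners[$imageId] ?? null;
}

function hasPublicProfile(int $memberId): bool
{
    $public = [1 => true, 2 => false];       // member id => profile is public
    return $public[$memberId] ?? false;      // fail closed when the flag is missing
}

// $kind is 'page' (HTML view) or 'image' (raw image bytes expected).
// Returns [HTTP status, Location header or null].
function decideGalleryAccess(int $imageId, bool $loggedIn, string $kind, array $requestParts): array
{
    $ownerId = imageOwnerId($imageId);
    if ($ownerId === null) {
        return [404, null];                  // unknown image: "not found", not "not public"
    }
    if ($loggedIn || hasPublicProfile($ownerId)) {
        return [200, null];
    }
    if ($kind === 'image') {
        return [403, null];                  // client expects an image, so no HTML redirect
    }
    // HTML page: send to login, carrying the request as an encoded local path.
    return [302, '/login/' . implode('/', array_map('rawurlencode', $requestParts))];
}

// Constructed requests, one per branch.
$cases = [
    'public owner, anonymous'        => [101, false, 'page',  ['gallery', 'show', 'image', '101']],
    'private owner, anonymous page'  => [102, false, 'page',  ['gallery', 'show', 'image', '102']],
    'private owner, anonymous image' => [102, false, 'image', ['gallery', 'img']],
    'private owner, logged in'       => [102, true,  'page',  ['gallery', 'show', 'image', '102']],
    'missing image'                  => [999, false, 'image', ['gallery', 'img']],
];
foreach ($cases as $label => $args) {
    [$status, $location] = decideGalleryAccess(...$args);
    printf("%-32s %d %s\n", $label, $status, $location ?? '-');
}
```

Routing every gallery entry point (page views, thumbnails, the raw image URL) through one function like this keeps the "add this check to all cases of a gallery request" step from being missed on a single route.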

comment:24 follow-up: Changed 6 years ago by crumbking

The gallery was really good for "looking around before register" As we separate between public/non public why not bringing the main menu gallery link back to anonymous users? (the explore text, too)
I know a bit late, sorry ;-)

Reopen, hotfix or new ticket?

comment:25 in reply to: ↑ 24 Changed 6 years ago by planetcruiser

Replying to crumbking:

The gallery was really good for "looking around before register" As we separate between public/non public why not bringing the main menu gallery link back to anonymous users? (the explore text, too)
I know a bit late, sorry ;-)

Reopen, hotfix or new ticket?

new ticket. :)
