An overview of Zenphoto users (Rights management)
Jul 15, 2008 / Updated: Dec 06, 2013
Zenphoto has several classes of user. Each is endowed with different capabilities. This article provides an overview of the capabilities this user model provides.
User names and passwords for guest users are assigned by an administrator. The user name is optional: it may be left empty, in which case users logging in enter only the password. The categories of guest user are described below. In each case, if there is a password assigned, a login is required to view the object. Password protection is inherited. If the gallery is protected, that protects all albums in the gallery as well as the search page. If an album is protected, all of its subalbums are protected as well.
If a password is applied to an album (subalbum), this password takes precedence over any parent password. This means that you must know the password to view the album, but you do not need to know a higher-level password if you have a direct link to the album.
A similar hierarchy exists for News Article Categories and for Pages.
- Gallery guest user: This username/password is set on the Options-Gallery Configuration tab. When set, the entire gallery is protected and viewers must log in to view anything.
- Search page guest user: This username/password is set on the Options-Gallery Configuration tab. When set, search results are protected and viewers must log in to view them.
- Album guest user: This username/password is set in the edit tab for the album in question. Viewers must log in to view this album or its subalbums.
- Protected image guest user: This username/password is set in the Options-Image display tab. When these are set and image protection is set to protected, viewers will be required to log in to view the full-sized image.
- Page guest user: This username/password is set in the Publish box of the edit tab for a Page. Viewers must log in to view the page or its offspring pages.
- News guest user: This username/password is set in the Publish box of the edit tab for a Category. Viewers must log in to view News articles contained in this category. NOTE: if a News article belongs to both a protected and a not-protected Category, the article is NOT protected!
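The inheritance and precedence rules above, together with the News category note, modelled as an added example (not Zenphoto code). The `Album` class, the function names and the sample tree are hypothetical, and the model tracks which guest login guards an object rather than the passwords themselves.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

GALLERY = "gallery"  # label for the gallery-level guest login (hypothetical)

@dataclass
class Album:
    """Hypothetical stand-in for an album; not a Zenphoto class."""
    name: str
    has_password: bool = False          # a guest password is set on this album
    parent: Optional["Album"] = None

def required_login(album: Album, gallery_protected: bool = False) -> Optional[str]:
    """Name the guest login that guards `album`, or None if it is public.

    The nearest password wins: the album's own, then the closest
    ancestor's, and only then the gallery-level one.
    """
    node: Optional[Album] = album
    while node is not None:
        if node.has_password:
            return node.name
        node = node.parent
    return GALLERY if gallery_protected else None

def can_view(album: Album, logins: Set[str], gallery_protected: bool = False) -> bool:
    """`logins` is the set of guest logins the visitor has completed."""
    guard = required_login(album, gallery_protected)
    return guard is None or guard in logins

def article_protected(categories: Iterable[str], protected: Set[str]) -> bool:
    """A news article is protected only if every one of its categories is.

    Assumption: an article with no category counts as unprotected.
    """
    cats = list(categories)
    return bool(cats) and all(c in protected for c in cats)

# Constructed sample tree.
FAMILY = Album("family", has_password=True)
Y2013 = Album("family/2013", parent=FAMILY)
PRIVATE = Album("family/2013/private", has_password=True, parent=Y2013)
HOLIDAYS = Album("holidays")
```

A subalbum's own password replaces the parent's as the only requirement, so anyone who knows that one password and has a direct link can view the subalbum. Likewise, adding a protected article to one public category removes its protection.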
Zenphoto users are granted rights when their user/password is assigned. This is done on the Options-User tab (Options-Admin-User tab if the user_groups plugin is enabled). The rights assigned control the privileges the user has.
- Admin rights: This is kind of a master privilege. A user with these rights can do anything. (No matter what the other rights might say!)
- Options rights: Allows the user to make changes on the options tabs. (All Zenphoto users may modify their own login credentials.)
- Tags rights: Allows the user to make additions and changes to the set of tags.
- Themes rights: Allows the admin to view/make theme-related changes. These are limited to the albums checked in his managed albums list.
- Manage all rights [Albums or News or Pages]: Administrators who do not have Admin rights normally are restricted to manage only objects to which they have been assigned. This right allows them to manage any [Albums or News or Pages] object in the gallery.
- Comment rights: Allows the user to make comments tab changes to the albums checked in his managed albums list.
- Post comment rights: When the comment_form plugin is used for comments and its Only members can comment option is set, only users with this right may post comments.
- Upload rights: Allows the user to upload to the albums for which they have management rights.
- Files rights: Allows the user access to the file manager located on the upload: files sub-tab.
- View album rights*: Allows the user to access all albums without a password. Without this right, the user can access only public ones and those checked in his managed object lists.
- View pages rights*: Allows the user to access all pages without a password. Without this right, the user can access only public ones and those checked in his managed object lists.
- View news rights*: Allows the user to access all news articles without a password. Without this right, the user can access only public ones and those categories checked in his managed object lists.
- View gallery rights: Allows the user to access non-object pages that are not public.
- Overview rights: Allows the user to view the admin overview page.
* The use of "view" in these rights is often confused with the ability to see unpublished items. For the 1.4.3 release we will rename the rights replacing "View..." with "Access all" for better clarity.
- One Admin user will be designated "master". This user will always have Admin rights even if this privilege is not explicitly assigned. The master user is determined by the rights assigned and the seniority of the user. "Master" status will be assigned to the most senior user from the set of users with the most rights assigned. "Master" status is used to ensure that there is at least one user with the rights to manage the entire gallery. If the "master" user is deleted, another user will be promoted to take his place.
- Users without full Admin rights may be assigned objects (albums, pages, news categories) to "manage". The rights the user has with respect to these objects will depend on the above rights list. These rights can be "reduced" for individual managed albums. Unchecking the "edit" or "upload" boxes will prevent the user from accessing those capabilities.
- A Zenphoto user with appropriate rights is NOT required to login with a guest username/password to view guest protected items.
- Where it makes sense, the rights applied to a managed object also apply to that object's offspring.
With only the root album in control we can easily see if the album is managed. If subalbums could be in this category several things would be needed:
- Testing for management would have to climb the object tree of the subalbum each time an album is accessed.
- The selector list for managing albums would have to include all albums in the gallery.
- There is also an implication of a hierarchy of user rights that would be a serious can of worms.
- user_login-out will allow one to place a logout link (or, if no one is logged in, a login form) on a theme page. This is the same form that is displayed when the album/gallery/search page is password protected with a guest password. Guest users may log in only from this form. Admin users may log in from this login form as well as from the http://mydomain.com/zenphoto/zp-core/admin.php page.
- user_groups provides the addition of user groups and rights templates. When this plugin is enabled, a user may be assigned to a group or have his privileges initially set from a template. In the first case, any change to the privileges of the group will be reflected in the privileges of the user.
- comment_form adds some fields for address information to the admin user.
- register_user provides a vehicle for site visitors to request and be granted Zenphoto user credentials.
- quota_manager and image_upload_limiter provide means for throttling uploads by users.
- user_expiry provides a means for limiting the duration that Zenphoto user credentials are valid.
- federated_logon provides a mechanism for using OpenID provider services for Zenphoto credentials.
See the individual plugin documentation for specifics.
Galleries can be either public or private.
In a public gallery there are four possible states of an object, as described below. Logged-on Zenphoto users may have rights that override local password protection and published state. See above.
- Published/not password protected: Anyone can see these items.
- Not published/not password protected: People have to "know about" these items to view them. (That is, they need to know the URL; the items will not show in menus if the visitor does not have the appropriate credentials.)
- Published/password protected: People will know of these items (they will show in menus) but will not be able to access them without the password.
- Not published/password protected: These are truly restricted to "logged in users". They require the appropriate credentials to access or see in menus.
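The four states above as seen by one visitor, with a small audit that picks out objects protected only by the secrecy of their URL. This is an added example, not Zenphoto code; the names and the sample list are constructed, and `has_credentials` is a simplification covering either the matching guest login or a Zenphoto user whose rights override the object's state.

```python
from typing import List, NamedTuple, Tuple

class View(NamedTuple):
    listed: bool      # the object shows in menus
    reachable: bool   # the object can be opened

def visitor_view(published: bool, protected: bool,
                 has_credentials: bool = False) -> View:
    """What one visitor gets for one object in a public gallery."""
    listed = published or has_credentials
    reachable = (not protected) or has_credentials
    return View(listed, reachable)

def url_only_objects(objects: List[Tuple[str, bool, bool]]) -> List[str]:
    """Names an anonymous visitor cannot see in menus but can open by URL."""
    return [name for name, published, protected in objects
            if visitor_view(published, protected) == View(False, True)]

# Constructed sample: (name, published, password_protected)
SAMPLE = [
    ("summer-2013", True, False),
    ("drafts", False, False),
    ("clients", True, True),
    ("board-only", False, True),
]
```

Anything `url_only_objects` returns is hidden rather than protected: unpublishing removes the menu entry, and only a password or a private gallery blocks access.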
Private galleries are equivalent to having all objects password protected. In a private gallery objects can be granted any of the four possible states listed above through use of the appropriate user rights.
The use of the groups plugin alongside setting a gallery private can allow the admin to set different permissions for different albums based on group membership. For a private gallery hosting different groups and album permissions to be properly configured, all albums exclusive to a group must be set as unpublished. Thus, only users/groups with permission to access a given album would be allowed to view/edit it. If, in this context, the status of an album were set to published, any user/group would be able to access it. (Note: for the users to see the images in the album they must be set to published by the above rules.)
For global privacy and local access permissions to apply, objects should only be allowed the state Album unpublished/password-protected gallery. These are truly restricted to "logged in users". They require the appropriate credentials to access or see in menus.
Note: These rules apply only to Zenphoto pages. They do not protect the images on the file system if accessed directly in the /albums or /cache folders, as naturally Zenphoto is not involved in that case. To protect the images themselves, use server-side protection like .htaccess. You can find an htaccess template for this here.
Zenphoto is a product in development. This article describes what exists in the current development stream. Not all these features are available in earlier releases.
This text by www.zenphoto.org is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.