User guide

An overview of zenphoto users (Rights management)

    Zenphoto has several classes of user. Each is endowed with different capabilities. This article provides an overview of the capabilities this user model provides.

    Zenphoto users and user rights

    Zenphoto users are granted rights when their user/password is assigned. This is done on the Options-User tab (Options-Admin-User tab if the user_groups plugin is enabled). The rights assigned control the privileges the user has.

    • General
      • Overview: Allows the user to view the admin overview page.
      • User: Users must have this right to change their credentials.
      • Codeblock: Users with this right may edit codeblocks.
      • Options: Allows the user to make changes on the options tabs. 
      • Admin: This is kind of a master privilege. A user with these rights can do anything. (No matter what the other rights might say!)
    • Gallery
      • View gallery: Users with this right may view otherwise protected generic gallery pages (front end)
      • View search: View search pages even if password protected (front end)
      • Post comments: When the comment_form plugin is used for comments and its Only members can comment option is set, only users with this right may post comments. (front end)
      • Comments: Allows the user to make comments tab changes to the objects checked in his managed lists.
      • Files: Allows the user access to the filemanager located on the upload: files sub-tab.
      • Themes: Allows the admin to view/make themes related changes. 
      • Tags: Allows the user to make additions and changes to the set of tags.
    • Albums
      • View fullimage: View all full size (raw) images (front end)
      • Access all: Access all albums without a password. Without this right, a user can access only public ones and those checked in his managed object lists. (front and back end)
      • View unpublished: Users with this right will see unpublished items (front end)
      • Upload: Upload to the albums for which a user has management rights.
      • Manage all: Users who do not have Admin rights normally are restricted to manage only (top level) albums to which they have been assigned. This right allows them to manage any album object and its images and/or subalbums in the gallery.
        • Managed albums: Users without the superior right can only manage top level albums they are assigned to
          • Edit: Edit the assigned album
          • View: View unpublished (front and back end)
    • News (only available with the Zenpage CMS plugin)
      • Access all: Allows the user to access all news articles without a password. Without this right, the user can access only public ones and those categories checked in his managed object lists. (front and back end)
      • Manage all: Users who do not have Admin rights normally are restricted to manage only news articles of news categories to which they have been assigned. This right allows them to manage any news article in the gallery.
        • Managed news categories: A user without the parent right can only manage the news categories he is assigned to and their articles.
    • Pages (only available with the Zenpage CMS plugin)
      • Access all: Allows the user to access all pages without a password. Without this right, the user can access only public ones and those checked in his managed object lists. (front and back end)
      • Manage all: Users who do not have Admin rights normally are restricted to manage only objects to which they have been assigned. This right allows them to manage any page object in the gallery.
        • Managed pages: A user without the superior right can only manage pages he is assigned to

    Notes:

    1. One Admin user will be designated "master". This user will always have Admin rights even if this privilege is not explicitly assigned. The master user is determined by the rights assigned and the seniority of the user. "Master" status will be assigned to the most senior user from the set of users with the most rights assigned. "Master" status is used to ensure that there is at least one user with the rights to manage the entire gallery. If the "master" user is deleted, another user will be promoted to take his place.
    2. Users without full Admin rights may be assigned objects (albums, pages, news categories) to "manage". The rights the user has with respect to these objects will depend on the above rights list. These rights can be "reduced" for individual managed albums. Unchecking the "edit" or "upload" boxes will prevent the user from accessing those capabilities.
    3. A Zenphoto user with appropriate rights is NOT required to log in with a guest username/password to view guest protected items.
    4. Where it makes sense, the rights applied to a managed object also apply to that object's offspring.
    Extra note: Users can only be assigned to top level albums. This is a performance issue because Zenphoto's gallery is entirely file system based.
    With only the root album in control we can easily see if the album is managed. If subalbums could be in this category several things would be needed:
    1. Testing for management would have to climb the object tree of the subalbum each time an album is accessed. 
    2. The selector list for managing albums would have to include all albums in the gallery. 
    3. There is also an implication of a hierarchy of user rights that would be a serious can of worms.
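    The album rights and notes above, modelled as a small least-privilege review. This is an added example, not Zenphoto code: the `User` class, the right labels (`admin`, `manage_all_albums`, `upload`) and the sample accounts are hypothetical, and the model covers only the edit and upload capabilities as this page describes them.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)     # global rights held (hypothetical labels)
    managed: dict = field(default_factory=dict)  # top-level album -> boxes left checked

def album_capabilities(user, album_path):
    """Return the subset of {"edit", "upload"} the user holds on album_path."""
    if "admin" in user.rights:
        return {"edit", "upload"}          # Admin wins whatever else is set
    if "manage_all_albums" in user.rights:
        granted = {"edit", "upload"}
    else:
        root = album_path.split("/")[0]    # users are assigned to top-level albums only
        granted = set(user.managed.get(root, ()))  # offspring inherit the root's boxes
    if "upload" not in user.rights:
        granted.discard("upload")          # uploading also needs the Upload right
    return granted

def review(users, album_paths):
    """Map user name -> {album: sorted capabilities}, omitting albums with none."""
    report = {}
    for user in users:
        rows = {p: sorted(c) for p in album_paths if (c := album_capabilities(user, p))}
        report[user.name] = rows
    return report

# Constructed accounts and albums (not real data).
USERS = [
    User("root", {"admin"}),
    User("editor", {"manage_all_albums"}),                    # no Upload right
    User("anna", {"upload"}, {"trips": {"edit", "upload"}}),
    User("ben", {"upload"}, {"trips": {"edit"}}),             # upload box unchecked
]
ALBUMS = ["trips", "trips/2019/rome", "clients"]

if __name__ == "__main__":
    for name, rows in review(USERS, ALBUMS).items():
        print(name, rows)
```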

    Guest users

    User names and passwords for guest users are assigned by an administrator. The user name is optional. That is, it is allowed to be empty, in which case users logging in will only enter the password. The categories of guest user are described below. In each case, if there is a password assigned, a login is required to view the object. Password protection is inherited. If the gallery is protected, that protects all albums in the gallery as well as the search page. If an album is protected, all of its subalbums are protected as well.

    If a password is applied to an album (subalbum), this password takes precedence over any parent password. What this means is that you must know the password to view the album, but you would not need to know a higher level password if you have a direct link to the album.

    A similar hierarchy exists for News Article Categories and for Pages.

    • Gallery guest user: This username/password is set on the Options-Gallery Configuration tab. When set, the entire gallery is protected and viewers must log in to view anything.
    • Search page guest user: This username/password is set on the Options-Gallery Configuration tab. When set, search results are protected and viewers must log in to view them.
    • Album guest user: This username/password is set in the edit tab for the album in question. Viewers must log in to view this album or its subalbums.
    • Protected image guest user: This username/password is set in the Options-Image display tab. When these are set and image protection is set to protected, viewers will be required to log in to view the full sized image.
    • Page guest user: This username/password is set in the Publish box of the edit tab for a Page. Viewers must log on to view the page or its offspring pages.
    • News guest user: This username/password is set in the Publish box of the edit tab for a Category. Viewers must log on to view News articles contained in this category. NOTE: if a News article belongs both to a protected and a not-protected Category the article is NOT protected!

    Rules of protection and visibility for Zenphoto objects

    Galleries can be either public or private.

    In a public gallery there are four possible states of an object as described below. Logged on Zenphoto users may have rights that override local password protection and published state. See above.

    • Published/not password protected: Anyone can see these items.
    • Not published/not password protected: People have to "know about" these items to view them. (That is, they need to know the URL; the items will not show in menus if the visitor does not have the appropriate credentials.)
    • Published/password protected: People will know of these items (they will show in menus) but will not be able to access them without the password.
    • Not published/password protected: These are truly restricted to "logged in users". They require the appropriate credentials to access or see in menus.
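    The password inheritance and precedence rules, the News category rule and the "not published/not password protected" state described above, modelled as a configuration audit. This is an added example, not Zenphoto code: `Album`, `effective_password`, `audit` and the sample gallery are hypothetical, and news categories are treated as a flat list.

```python
from dataclasses import dataclass

@dataclass
class Album:
    password: str = ""      # guest password set on this album ("" = none)
    published: bool = True

def effective_password(path, albums, gallery_pw=""):
    """Nearest password wins: the album's own, else the closest ancestor's,
    else the gallery's. Returns (password, where_it_was_set)."""
    parts = path.split("/") if path else []
    for depth in range(len(parts), 0, -1):
        candidate = "/".join(parts[:depth])
        album = albums.get(candidate)
        if album and album.password:
            return album.password, candidate
    return (gallery_pw, "<gallery>") if gallery_pw else ("", None)

def audit(albums, articles, category_pw, gallery_pw=""):
    """Return (object, finding) pairs for states that are weaker than they look."""
    findings = []
    for path, album in sorted(albums.items()):
        pw, source = effective_password(path, albums, gallery_pw)
        parent_pw, _ = effective_password(path.rpartition("/")[0], albums, gallery_pw)
        if not pw and not album.published:
            findings.append((path, "unpublished, no password: viewable by URL"))
        elif source == path and parent_pw and parent_pw != pw:
            findings.append((path, "own password replaces the inherited one"))
    for title, cats in sorted(articles.items()):
        protected = [c for c in cats if category_pw.get(c)]
        if protected and len(protected) < len(cats):
            findings.append((title, "also in an unprotected category: not protected"))
    return findings

# Constructed sample gallery (not real data).
ALBUMS = {
    "family": Album(password="fam-pw"),
    "family/2019": Album(),                        # inherits "fam-pw"
    "family/2019/party": Album(password="party"),  # direct link needs only "party"
    "drafts": Album(published=False),              # hidden from menus only
}
ARTICLES = {"Release notes": ["public"], "Board minutes": ["members", "public"]}
CATEGORY_PW = {"members": "m-pw"}

if __name__ == "__main__":
    for obj, finding in audit(ALBUMS, ARTICLES, CATEGORY_PW):
        print(f"{obj}: {finding}")
```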

    Private galleries are equivalent to having all objects password protected. In a private gallery objects can be granted any of the four possible states listed above through use of the appropriate user rights.

    The use of the groups plugin alongside setting a gallery private can allow the admin to set different permissions for different albums based on group membership. For a private gallery hosting different groups and album permissions to be properly configured, all albums exclusive to a group must be set as unpublished. Thus, only users/groups with permission to access a given album would be allowed to view/edit it. If, in this context, the status of an album were set to published, any user/group would be able to access it. (Note: for the users to see the images in the album they must be set to published by the above rules.)

    For global privacy and local access permissions to apply, objects should only be allowed the state "album unpublished / gallery password protected". These are truly restricted to "logged in users". They require the appropriate credentials to access or see in menus.

    Note: These rules apply only to Zenphoto pages. They do not protect the images on the file system if these are accessed directly in the /albums or /cache folders, as Zenphoto is naturally not involved in that case. To protect the images themselves, use server-side protection such as .htaccess. You can find an .htaccess template for this here.

    Zenphoto is a product in development. This article describes what exists in the current development stream. Not all these features are available in earlier releases.

    User management plugins

    • user_login-out will allow one to place a logout link (or, if no one is logged in, a login form) on a theme page. This is the same form that is displayed when the album/gallery/search page is password protected with a guest password. Guest users may log in only from this form. Admin users may log in from this login form as well as from the http://mydomain.com/zenphoto/zp-core/admin.php page.
    • user_groups provides the addition of user groups and rights templates. When this plugin is enabled a user may be assigned to a group or have his privileges initially set from a template. In the first case, any change to the privileges of the group will be reflected in the privileges of the user.
    • comment_form adds some fields for address information to the admin user. [before 1.4.6]
    • userAddressFields adds some fields for address information to the admin user. [1.4.6]
    • register_user provides a vehicle for site visitors to request and be granted Zenphoto user credentials.
    • quota_manager and image_upload_limiter provide means for throttling uploads by users.
    • user_expiry provides a means for limiting the duration that Zenphoto user credentials are valid.
    • federated_logon provides a mechanism for using OpenID provider services for Zenphoto credentials.

    See the individual plugin documentation for specifics.

    Creative Commons License: This text by www.zenphoto.org is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
