User rights

    Zenphoto has several classes of users. Each is endowed with different capabilities. This article provides an overview of the capabilities this user model provides.

    Users and user rights

    Zenphoto users are granted rights when their user/password is assigned. This is done on the Options-User tab (Options-Admin-User tab if the user_groups plugin is enabled). The rights assigned control the privileges the user has.

    • General
      • Overview: Allows the user to view the admin overview page (OVERVIEW_RIGHTS)
      • User: Users must have this right to change their credentials (USER_RIGHTS)
      • Codeblock: Users with this right may edit codeblocks (CODEBLOCK_RIGHTS)
      • Options: Allows the user to make changes on the options tabs (OPTIONS_RIGHTS)
      • Admin: This is kind of a master privilege. A user with these rights can do anything. (No matter what the other rights might say!) (ADMIN_RIGHTS)
    • Gallery
      • View gallery: Users with this right may view otherwise protected generic gallery pages (front end) (VIEW_GALLERY_RIGHTS)
      • View search: View search pages even if password protected (front end) (VIEW_SEARCH_RIGHTS)
      • Post comments: When the comment_form plugin is used for comments and its Only members can comment option is set, only users with this right may post comments. (front end) (POST_COMMENTS_RIGHTS)
      • Comments: Allows the user to make comments tab changes to the objects checked in his managed lists. (COMMENTS_RIGHTS)
      • Files: Allows the user access to filemanager located on the upload: files sub-tab (FILES_RIGHTS)
      • Themes: Allows the user to view and change theme-related settings (THEMES_RIGHTS)
      • Tags: Allows the user to make additions and changes to the set of tags (TAGS_RIGHTS)
    • Albums
      • View fullimage: View all full size (raw) images (front end) (VIEW_FULLIMAGE_RIGHTS)
      • Access all: Access all albums without a password. Without this right, a user can access only public ones and those checked in his managed object lists. (front and back end) (ALL_ALBUMS_RIGHTS)
      • View unpublished: Users with this right will see unpublished items (front end) (VIEW_UNPUBLISHED_RIGHTS)
      • Upload: Upload to the albums for which a user has management rights (UPLOAD_RIGHTS)
      • Manage all: Users who do not have Admin rights normally are restricted to manage only (top level) albums to which they have been assigned. This right allows them to manage any album object and its images and/or subalbums in the gallery. (MANAGE_ALL_ALBUM_RIGHTS)
        • Managed albums: Users without the Manage all right can only manage the top level albums (and their subalbums) to which they are assigned (ALBUM_RIGHTS)
          • Edit: Edit the album assigned to (MANAGED_OBJECT_RIGHTS_EDIT)
          • View: View unpublished (front and back end) (MANAGED_OBJECT_RIGHTS_VIEW)
    • News (only available with the Zenpage CMS plugin)
      • Access all: Allows the user to access all news articles without a password. Without this right, the user can access only public ones and those categories checked in his managed object lists. (front and back end) (ALL_NEWS_RIGHTS)
      • Manage all: Users who do not have Admin rights normally are restricted to manage only news articles of news categories to which they have been assigned. This right allows them to manage any news article in the gallery (MANAGE_ALL_NEWS_RIGHTS)
        • Managed news categories: A user without the Manage all right can only manage the news categories (and their articles) to which they are assigned. (ZENPAGE_NEWS_RIGHTS)
    • Pages (only available with the Zenpage CMS plugin)
      • Access all: Allows the user to access all pages without a password. Without this right, the user can access only public ones and those checked in his managed object lists. (front and back end) (ALL_PAGES_RIGHTS)
      • Manage all: Users who do not have Admin rights normally are restricted to manage only objects to which they have been assigned. This right allows them to manage any page object in the gallery (MANAGE_ALL_PAGES_RIGHTS)
        • Managed pages: A user without the Manage all right can only manage the pages to which they are assigned (ZENPAGE_PAGES_RIGHTS)

    Notes:

    1. One Admin user will be designated "master". This user will always have Admin rights even if this privilege is not explicitly assigned. The master user is determined by the rights assigned and the seniority of the user. "Master" status will be assigned to the most senior user from the set of users with the most rights assigned. "Master" status is used to ensure that there is at least one user with the rights to manage the entire gallery. If the "master" user is deleted, another user will be promoted to take his place.
    2. Users without full Admin rights may be assigned objects (albums, pages, news categories) to "manage". The rights the user has with respect to these objects will depend on the above rights list. These rights can be "reduced" for individual managed albums. Unchecking the "edit" or "upload" boxes will prevent the user from accessing those capabilities.
    3. A Zenphoto user with appropriate rights is NOT required to login with a guest username/password to view guest protected items.
    4. Where it makes sense, the rights applied to a managed object also apply to that object's offspring.
    Extra note: Users can only be assigned to top level albums which then includes rights to any subalbums. This is a performance issue because Zenphoto's gallery is entirely file system based.
    With only the root album in control we can easily see if the album is managed. If subalbums could be in this category several things would be needed:
    1. Testing for management would have to climb the object tree of the subalbum each time an album is accessed.
    2. The selector list for managing albums would have to include all albums in the gallery.
    3. There is also an implication of a hierarchy of user rights that would be a serious can of worms.

    However, you can set specific album passwords on any album on any level (see below).


    Guest users

    User names and passwords for guest users are assigned by an administrator. The user name is optional. That is, it is allowed to be empty and users logging in will only enter the password. The categories of guest user are described below. In each case, if there is a password assigned, a login is required to view the object. Password protection is inherited. If the gallery is protected, that protects all albums in the gallery as well as the search page. If an album is protected all of its subalbums are protected as well.

    If a password is applied to an album (subalbum) this password takes precedence over any parent password. What this means is that you must know the password to view the album, but you would not need to know a higher level password if you have a direct link to the album.

    A similar hierarchy exists for News Article Categories and for Pages.

    • Gallery guest user: This username/password is set on the Options-Gallery Configuration tab. When set, the entire gallery is protected and viewers must login to view anything.
    • Search page guest user: This username/password is set on the Options-Gallery Configuration tab. When set, search results are protected and viewers must login to view them.
    • Album guest user: This username/password is set in the edit tab for the album in question. Viewers must login to view this album or its subalbums.
    • Protected image guest user: This username/password is set in the Options-Image display tab. When these are set and image protection is set to protected, viewers will be required to login to view the full sized image.
    • Page guest user: This username/password is set in the Publish box of the edit tab for a Page. Viewers must log in to view the page or its offspring pages.
    • News guest user: This username/password is set in the Publish box of the edit tab for a Category. Viewers must log in to view News articles contained in this category. NOTE: if a News article belongs both to a protected and a not-protected Category the article is NOT protected!

    Rules of protection and visibility for objects

    Galleries can be either public or private.

    In a public gallery there are four possible states of an object as described below. Logged on Zenphoto users may have rights that override local password protection and published state. See above.

    • Published/not password protected: Anyone can see these items.
    • Not published/not password protected: People have to "know about" these items to view them. (That is, they need to know the URL; the items will not appear in menus unless the visitor has the appropriate credentials.)
    • Published/password protected: People will know of these items (they will show in menus) but not be able to access them without the password.
    • Not published/password protected: These are truly restricted to "logged in users". They require the appropriate credentials to access or see in menus.

    Note: The status is inherited from parent items. For example published images or albums within unpublished or protected albums are also unpublished or protected.

    Private galleries are equivalent to having all objects password protected. In a private gallery objects can be granted any of the four possible states listed above through use of the appropriate user rights.

    The use of the groups plugin alongside setting a gallery private can allow the admin to set different permissions for different albums based on group membership. For a private gallery hosting different groups and album permissions to be properly configured, all albums exclusive to a group must be set as unpublished. Thus, only users/groups with permission to access a given album would be allowed to view/edit it. If, in this context, the status of an album were set to published, any user/group would be able to access it. (Note: for the users to see the images in the album, the images must be set to published by the above rules.)

    For global privacy and local access permissions to apply, objects should only be allowed one state: album unpublished in a password-protected gallery. Such objects are truly restricted to "logged in users". They require the appropriate credentials to access or to see in menus.

    Important note: These rules apply only to pages served by Zenphoto. Zenphoto does not and cannot protect image files that are requested directly from the /albums or /cache folders, because it is not involved in serving them. You have basically two options against that:

    a) To protect the image files themselves, use server-side protection such as .htaccess. You find a .htaccess template for this here. Additionally, you can protect the whole folder Zenphoto is installed in with a .htaccess password if you need to hide your site from the outside completely.
    b) Alternatively, you can move the /albums folder out of the webroot by setting defines in the config file. See the file comments in /zp-data/zenphoto.cfg.php for more info.

    Checking rights

    In the list above you see uppercase names within brackets. These are the names of the rights constants you can use in your own checks.

    Theme page access check

    To check if a visitor is allowed to see a theme page use:

    https://docs.zenphoto.org/1.5.x/function-checkAccess.html 

    Check for guest login:

    https://docs.zenphoto.org/1.5.x/function-checkForGuest.html 

    Use this on the front end (theme) to, for example, show a download button only to users with certain rights (here: full rights):

    if (zp_loggedin(ADMIN_RIGHTS)) { … }

    Or, for users without full rights, to test for any of several rights (the constants are combined with a bitwise OR):

    if (zp_loggedin(MANAGE_ALL_ALBUM_RIGHTS | ALL_NEWS_RIGHTS)) { … }

    https://docs.zenphoto.org/1.5.x/function-zp_loggedin.html 

    Object model level

    If you are coding custom theme functionality or plugins you can also check access on items directly at the object model level:

    if($obj->checkAccess()) { … } 

    https://docs.zenphoto.org/1.5.x/function-checkAccess.html

    Or, to test whether it is an item assigned to the user for managing (checkAccess includes that plus guest access):

    if($obj->isMyItem()) { … }

    https://www.zenphoto.org/documentation/classes/ThemeObject.html#methodisMyItem
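The following theme snippet is an added example, not code from the Zenphoto documentation or code base. It ties the rights list above to the checks described in this section: a "download original" link is shown only to users holding the relevant rights, an "edit album" link only to users who manage the current album, and neither is shown at all when guest-password protection denies access to the album. It assumes an image-page theme context (the globals $_zp_current_album and $_zp_current_image are set); the helper names canDownloadOriginal() and canEditAlbum() are ours, isMyItem() is called with a rights mask (an assumption about the method's argument), and the admin-edit URL form is an assumption to be checked against your Zenphoto version.

```php
<?php
// Added example (not from the Zenphoto docs): rights-aware links on an image page.
// Assumes a theme context where $_zp_current_album and $_zp_current_image are set.
global $_zp_current_album, $_zp_current_image;

// Any one right in the OR'd mask satisfies zp_loggedin(); Admin users pass
// every check regardless of the other rights assigned to them.
function canDownloadOriginal() {
    return zp_loggedin(ADMIN_RIGHTS | VIEW_FULLIMAGE_RIGHTS);
}

// True for albums in the user's managed list (ALBUM_RIGHTS assignment) and for
// users holding MANAGE_ALL_ALBUM_RIGHTS or ADMIN_RIGHTS.
// Assumption: isMyItem() takes the rights mask of the action being attempted.
function canEditAlbum($album) {
    if (!is_object($album)) {
        return false;
    }
    return $album->isMyItem(ALBUM_RIGHTS);
}

// Guest-password protection is decided by checkAccess(), independently of user
// rights: an album the visitor may not access should not advertise anything.
if (is_object($_zp_current_album) && is_object($_zp_current_image)
        && $_zp_current_album->checkAccess()) {

    if (canDownloadOriginal()) {
        // getFullImageURL() honours the image protection option, so a
        // "protected" setting still routes the request through Zenphoto.
        echo '<a href="' . html_encode(getFullImageURL()) . '">Download original</a>';
    }

    if (canEditAlbum($_zp_current_album)) {
        // Assumed admin edit URL; verify against your installation.
        $editUrl = WEBPATH . '/' . ZENFOLDER . '/admin-edit.php?page=edit&album='
                . urlencode($_zp_current_album->name);
        echo '<a href="' . html_encode($editUrl) . '">Edit album</a>';
    }
}
?>
```

The order of the checks matters: checkAccess() runs first so that a visitor blocked by a guest password sees neither link, and the rights checks only refine what an already-admitted visitor gets. Remember that these theme-side checks control links, not the files themselves; direct requests to /albums or /cache are subject only to the server-side protection discussed above.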



    ZenPhoto is a product in development. This article describes what exists in current development stream. Not all these features are available in earlier releases.

    User management plugins

    • user_login-out will allow one to place a logout link (or, if no one is logged in, a login form) on a theme page. This is the same form that is displayed when the album/gallery/search page is password protected with a guest password. Guest users may login only from this form. Admin users may login from this login form as well as from the http://mydomain.com/zenphoto/zp-core/admin.php page.
    • user_groups provides the addition of user groups and rights templates. When this plugin is enabled a user may be assigned to a group or have his privileges initially set from a template. In the first case, any change to the privileges of the group will be reflected in the privileges of the user.
    • comment_form adds some fields for address information to the admin user. [before 1.4.6]
    • userAddressFields adds some fields for address information to the admin user. [1.4.6]
    • register_user provides a vehicle for site visitors to request and be granted Zenphoto user credentials.
    • quota_manager and image_upload_limiter provide means for throttling uploads by users.
    • user_expiry provides a means for limiting the duration that Zenphoto user credentials are valid.
    • federated_logon provides a mechanism for using OpenID provider services for Zenphoto credentials.

    See the individual plugin documentation for specifics.

    This text by www.zenphoto.org is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

    Code examples are released under the GPL v2 or later license

    For questions and comments please use the forum or discuss on the social networks.
