Zenphoto 1.5

    Sorry that it took a bit longer (or as some may say too long) for this bugfix and minor security update, but some personal family related circumstances ate a lot of time over the last months. This is not the next major release we talked about every now and then; look out for a separate info update on that soon.

    Since on May 25th the new European General Data Privacy Rule (GDPR) took effect, we added some features to help and also prepared an article about Zenphoto and privacy considerations.

    Raised requirements

    By now we actually develop and test on PHP 7.2, so we raised the requirements. Although the code will probably still work on older PHP versions, we neither test it nor make any effort to make things work below PHP 5.6. That said, we simply can't and won't rewrite all code into "pure" PHP 7+ only unless really needed.

    We also recommend using MySQL 5.5.3 or later. You will still be able to install on as low as PHP 5.3 for now, but setup will show an error with some explanation.

    Caution: Removal of deprecated functions and parameters

    We have removed all older deprecated functions and parameters within core and plugins. Some we have carried for years already, so it was really time for some spring cleaning.

    So if you use custom themes/plugins or older third party stuff, make sure everything works without the deprecated functions plugin before upgrading an important live site. Review the ZP debug log and your server PHP logs! A backup is always a good idea.

    We may remove deprecated functions much faster from now on, so always keep an eye on the deprecated functions list in our documentation at http://docs.zenphoto.org/1.5.x/annotation-group-deprecated.html (or the @deprecated notices in code doc blocks), which notes in which version we intend to remove a function.

    Security

    • Fixes three very minor local file inclusion security issues on the backend, exploitable only if you already had access to the backend anyway [acrylian, Thanks to JPCERT/CC for the report]
    • Setup now does not expose the MySQL password in the source code in case db credentials don't work or are wrong. However, only admins with the full rights to run setup would have been exposed [acrylian]

    General

    GDPR (General Data Protection Rule) tools

    Since we are primarily based in the EU, we do take the GDPR (General Data Protection Rule) that is going live on May 25th seriously. While we can't tell you what your individual site needs to do, we did add a few things for privacy friendliness. This is provided without any legal warranties, use at your own risk. You are responsible yourself for your site complying with any rules within your jurisdiction. We also prepared a general article about Zenphoto and the GDPR.

    • Adds new option (Options > Security) to anonymize IP addresses which Zenphoto stores internally on some occasions (e.g. spam fighting & comments) for privacy reasons. Required and strongly recommended in e.g. EU countries, especially regarding the new European General Data Privacy Rule (GDPR). The function getUserIP() also has a parameter to override the option if needed [acrylian, Thanks to Ralf Kerkhoff]
    • Adds new options for a general data usage confirmation notice and a related defined data privacy page (static or Zenpage page), also to comply with the EU GDPR.
      • This option is used by the official form plugins (see next list entry and the plugin section below); others can implement it if needed. [acrylian]
      • Themes that don't support the Zenpage CMS plugin and its pages feature can use the new printPrivacyPageLink() function to automatically add such a link if a data privacy page is defined. The included Basic theme provides example usage. [acrylian]
    • Official form plugins (contact, comment, register_user) got a GDPR compliant checkbox option for data storage and handling confirmation [acrylian]
    • There is now a utility button to export an overview of the personal data stored about user name and mail address combinations, as HTML or JSON. Full admins can use this to export any user's data. Additionally, users with lower rights can export their data from their own user account. [acrylian]
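    As an added illustration of what the IP anonymization option above does in practice (example code, not Zenphoto's own implementation; the function name and the /24 and /48 prefix lengths are this example's own choices):

```php
<?php
// Added example, not Zenphoto code: anonymize an IP address before it is stored.
// IPv4: zero the last octet (keep /24). IPv6: keep the first 48 bits, zero the rest.
// Returns null for anything that is not a valid address so nothing bogus gets stored.
function anonymizeIP(string $ip): ?string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $bytes = inet_pton($ip);          // 4 raw bytes
        $bytes[3] = "\0";                 // 203.0.113.42 -> 203.0.113.0
        return inet_ntop($bytes);
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        $bytes = inet_pton($ip);          // 16 raw bytes
        // keep the first 6 bytes (/48), zero the remaining 10
        $bytes = substr($bytes, 0, 6) . str_repeat("\0", 10);
        return inet_ntop($bytes);         // 2001:db8:85a3::8a2e:370:7334 -> 2001:db8:85a3::
    }
    return null;
}

// Constructed sample values from the documentation ranges, not real visitor data
$samples = ['203.0.113.42', '2001:db8:85a3::8a2e:370:7334', 'not-an-ip'];
foreach ($samples as $ip) {
    var_dump(anonymizeIP($ip));
}
```

    Anonymizing at write time (rather than when displaying) means the full address never reaches the database or the log files in the first place.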
    Other changes
    • Some improvements on cookie/session handling. The login cookies are now set as HTTPS-only if the server uses HTTPS, and always with the httponly parameter so scripts have no access. If sessions are used, they are properly destroyed on logout. NOTE: Since cookies can only be deleted safely if deleted with the same parameters as they were set with, and these parameters have changed, you may need to force clear cookies via your browser first if you encounter login issues. [acrylian]
    • Setup files are now automatically protected after setup has run successfully. [acrylian]
    • Setup does not run automatically anymore if Zenphoto detects a (smaller) change; you will only get an info window. If you know what you are doing, you can now choose to skip the request. You will not be reminded again unless further changes are detected, since a new install signature will then be generated internally! If the security_logger plugin is active this action will be logged. [acrylian]
    • Fixes wrong trailing slash in .htaccess file's rewriteBase created by setup for root installs [fretzl]
    • Adds table for albums by most viewed (popular) images to backend gallery statistics [wongm]
    • The extra zenphoto.js file is not loaded on the frontend anymore if not logged in [acrylian, Thanks to Simounet]
    • Access to files within the root /backup folder that is created when using the auto_backup plugin is now protected by .htaccess. Users on non-Apache systems or systems not supporting .htaccess will need other server settings to achieve something similar [acrylian, Thanks to simonrash]
    • Fixed missing automatic rotation of sidecar images like video/audio thumbs [acrylian]
    • Owner of primary album is now set to the user's ID [fretzl]
    • Improvements of unnecessary form warnings regarding unsaved data [acrylian, Thanks to vincent3569 and thany]
    • Core rewrite token support for the standard custom index page gallery.php based on sbillard's old unsupported galleryToken plugin [acrylian, Thanks to vincent3569]
    • Introduces new (internal) path constant SERVER_HTTP_POST [acrylian]
    • New default sort order options for search results of Zenpage news articles and pages (Options > Search) [acrylian]
    • Fixes for dynamic albums and search cache [acrylian]
    • Improvements to custom text truncation and repairing of broken HTML, applied generally to Zenpage items but also if you are using shortenContent() [acrylian, vincent3569]
    • The links to the functions/class documentation of included official plugins from the backend plugins page work again [acrylian]
    • The admin tool box now provides links to delete items [acrylian]
    • Title attribute added as optional parameter to all "print" image template functions [acrylian, Thanks to mebels]
    • SQL improvements for print/getRandomImages() template functions [wongm]
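    The cookie handling item above boils down to two rules: set the login cookie with the Secure flag when the site runs over HTTPS and always with HttpOnly, and on logout delete it with exactly the same path/domain/secure/httponly parameters, or the browser keeps the old one. Added example, not Zenphoto's own code; the cookie name, lifetime and function names are assumptions, and the seven-argument setcookie() form is used so it runs on the PHP 5.6 minimum named above:

```php
<?php
// Added example, not Zenphoto code. Cookie name and lifetime are illustrative.
define('EXAMPLE_AUTH_COOKIE', 'zp_example_auth');
define('EXAMPLE_COOKIE_PATH', '/');

function requestIsHttps(): bool {
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function setLoginCookie(string $token): bool {
    // secure: only sent over TLS when the site itself is served over HTTPS
    // httponly: never exposed to document.cookie, so script injection cannot read it
    return setcookie(EXAMPLE_AUTH_COOKIE, $token, time() + 86400,
        EXAMPLE_COOKIE_PATH, '', requestIsHttps(), true);
}

function clearLoginCookie(): bool {
    // Browsers match cookies on name + path + domain; deleting with different
    // parameters (e.g. another path) silently leaves the original cookie in place.
    return setcookie(EXAMPLE_AUTH_COOKIE, '', time() - 3600,
        EXAMPLE_COOKIE_PATH, '', requestIsHttps(), true);
}

function logout(): void {
    clearLoginCookie();
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        // drop the session cookie with its own registered parameters,
        // then destroy the server-side session data
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
}
```

    If you change the path or domain of an existing cookie, old copies set under the previous parameters survive until they expire, which is exactly why the note above suggests clearing browser cookies after upgrading.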

    Plugins:

    General
    • New $plugin_category variable for (official) plugins. This category determines the tab under which the plugin appears on the backend plugins page. Although it primarily applies to included official plugins, @subpackage should now be the name of the plugin (no special chars, and dashes instead of underscores) so the doc generator can properly group procedural functions as a package. This fixes the broken plugin doc links from the backend. [acrylian]
    • New $plugin_deprecated variable for (official) plugins. Set it to true to use a predefined default message, or to an actual message, and it will be displayed as a warning box on the plugin list. [acrylian]
    • Adds an "active" tab for plugins on the backend. [acrylian]
    Plugin changes
    • cacheManager: There are now specific methods for themes to add default sized image sizes and thumb sizes to the pre-caching. These are not automatically generated/added because you may choose not to use them at all. The new methods are cacheManager::addThemeDefaultThumbSize() and cacheManager::addThemeDefaultSizedImageSize(). Note that if you set custom sizes and still want to use the defaults for gray scale or watermarks, you still need to set these parameters manually [acrylian, vincent3569]
    • class-video: Dropped support for the outdated legacy Quicktime format no one should be using anymore. Adds native HTML5 support for mp4/m4v (video) and mp3 (audio) in capable browsers. [acrylian]
    • comment_form: GDPR compliant checkbox option for data storage and handling confirmation [acrylian]
    • contact_form: GDPR compliant checkbox option for data storage and handling confirmation [acrylian]
    • downloadlist: Zip downloads now correctly include sidecar files (e.g. video thumbs), also if they have uppercase suffixes for some reason [acrylian]
    • GoogleMaps: Better map styling in responsive layouts [fretzl, Thanks to vincent3569]
    • html_meta_tags: Removes unused OpenGraph checkboxes and fixes issues with enabling OpenGraph in general; adds options for Facebook app ID and Google site verification [acrylian, fretzl]
    • tinymce4:
      • The plugin now provides options for entity_encoding (default "raw") and entities for character encoding. [acrylian]
      • The pagebreak and imagetools plugins are now included in all default configurations [acrylian]
    • mobile_detect: Library update to 2.8.25 [Thanks to vincent3569]
    • reCaptcha: Google deprecated the reCaptcha v1 API we used and stopped supporting it starting March 31, 2018. This is an adaptation of Ben Feather's [epsilon] already existing and working third party plugin to replace it with the current v2 API. NOTE: If you used zpCaptcha before, you need to get new v2 API public and secret keys. Also, it is not possible anymore to create your own themes. [acrylian]
    • register_user: GDPR compliant checkbox option for data storage and handling confirmations [acrylian]
    • rss:
      • The parent base feed class now validates some feed GET parameters before actual processing is done. This also prevents loads of unnecessarily created, invalidly named rss cache files (which we encountered ourselves) [acrylian]
      • If a requested valid feed does not return items, a valid empty feed is returned so feed readers don't reject accidentally empty but valid feeds [acrylian]
    • sitemap-extended: Proper custom gallery index support. The plugin now automatically chooses the page set via the theme option "custom_index_page", therefore the former gallery index page option is now obsolete and has been removed; various trailing slash path fixes; internal restructuring within the static class [acrylian, Thanks to vincent3569]
    • site_upgrade: Fix broken redirection for pages other than the index page [acrylian]
    • static_html_cache:
      • Re-introduces the somehow lost "index" cache subfolder and introduces a separate "news" cache subfolder [acrylian]
      • Cache filenames now support sorttype (order) and sort direction on index, album and news loop pages [acrylian]
    • Zenpage:
      • The "locked" status of articles and pages has been fixed. Now the author himself or master users can edit it again. Note that this status overrides the manage all and manage rights [acrylian]
      • Fixed default behaviour so that logged in users will only see those unpublished articles and categories on the front end they have rights to. [acrylian]
      • Easier blocking of news or pages content in themes. Just use if(ZP_NEWS_ENABLED) { … } or if(ZP_PAGES_ENABLED) { … } to do so. The theme files news.php and pages.php don't need any additional checks anymore. [acrylian]
      • The news article admin page has now a dropdown selector for authors [acrylian]
    New plugins
    • cookieconsent: Former "half-official" plugin zp_cookieconsent for the cookie usage notice. This is also a plugin update, so please review the option settings for changes. Otherwise general options should be re-used from earlier versions. If you used this before, you need to remove it from the /plugins folder before upgrading. [acrylian, vincent3569]
    • matomo: Adds the old, formerly unsupported Matomo (formerly Piwik) plugin by former team member sbillard and extends it as we use it ourselves. If you used the unsupported version before, you need to update your Matomo URL option. See the plugin option text for info. [acrylian, vincent3569]
    • openstreetmap: Former "half-official" plugin zp_openstreetmap, now included as a free and more privacy compliant alternative to GoogleMaps. This is also a plugin update, so please review the option settings. If you used the internal class, note that it has been renamed from zpOpenStreetMap to just openStreetMap. All else is the same and options should be re-used from earlier versions. If you used this before, you need to remove it from the /plugins folder before upgrading. [acrylian, vincent3569]
    • scriptless-socialsharing: Former "half-official" plugin for privacy friendly sharing buttons. This is also a plugin update, and the already deprecated procedural template function printScriptlessSocialSharingButtons() has been removed. If you used this before, you need to remove it from the /plugins folder before upgrading. Option settings should be used as before. [acrylian]
    Removed plugins

    We removed a few plugins that are either outdated or that we never had a use for ourselves and therefore never really tested regularly anyway, so it seems honest to actually remove them.

    As always these are not completely gone and have been moved to the unsupported-theme-official repository. If you need and use them and would like to contribute, we welcome updates and fixes via pull requests or even taking over a plugin's development.

    • externalFeed
    • federated_logon
    • googleVerify: The plugin's functionality has been incorporated into the html_meta_tags plugin
    • http_auth
    • image_effects: Modern browsers support a wide range of effects via CSS which may be a good alternative. Examples: https://bennettfeely.com/image-effects/
    • jCarousel_thumb_nav: Has had a successor in bxslider_thumb_nav for a while.
    • legacySpam
    • slideshow: Has had a successor in slideshow2 for a while.
    • viewer_size_image: A bit of an outdated concept in times of responsive websites (yeah, we know the official themes are mostly not responsive…)
    • tweet_news: Removed as we originally made it for our own use and actually haven't used it for years. However, there is a bugfix for a wrong URL in tweets [acrylian]
    • wordpress_import: Originally made for our own use to export from our own former WP site.
    • zpCaptcha: Google deprecated the reCaptcha v1 API, so this is now useless anyway [acrylian]

    Themes

    There are no new themes yet, but all included themes are now labeled deprecated. That means we will keep them working, but they will not be extended with features anymore. They are so old both in design and code that reworking them is too much work. They will go unsupported with the next major update. We will probably include only 1-2 new themes in that major release.

    Theme updates
    • Basic: The theme now has a consistent set of footer links on all pages. Since it does not support Zenpage CMS pages, it supports an automatic privacy page link if you defined such a page in the related general option. [acrylian]
    • Support for new scriptless-socialsharing and openstreetmap plugins added to all included themes [fretzl, acrylian]
    Removed themes
    • Effervescence+

    Translations:

    • Danish [jesdnissen]
    • Dutch [fretzl]
    • French [vincent3569]
    • German [acrylian]
    • Italian [bic-ed]
    • Russian [doctorkru]
    • Slovak [tangorn]

    For questions and comments please use the forum or discuss on the social networks.