Forums / Developer / How to deny access to image original size/alias?

How to deny access to image original size/alias?

« 
Previous topic
|
Developer
|
Next topic
 »
Author Message

Piotrek Karaś

Thursday 01 October 2009 8:37:19 am

Hello all,

I'm trying to deny public access to the original versions/aliases of uploaded images. Here's what I've come up so far (.htaccess/apache):

RewriteCond %{REQUEST_URI} ^/var/self/storage/images(.)*\.(jpe?g?|gif|png)$
RewriteCond %{REQUEST_URI} !_(small|large)\.(jpe?g?|gif|png)$
RewriteRule .* - [F,L]

where <i>small|large...</i> is a list of publicly available alias names (those defined in image.ini).

<b>Can you see any problems with that?
Do you know any alternative solutions?</b>

By the way, I was wondering. Shouldn't securing the original become a standard? In many scenarios original size aliases hold a high quality/resolution images without protection such as watermarks etc. And their name is very easy to assume from other alias filename variations...

Thanks,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

Gaetano Giunta

Thursday 01 October 2009 9:24:12 am

The 'standard' way to secure images would be to have them accessible only via content/download, as for other binary attributes.
That would unfortunately put a huge load on the webserver, and make the whole website feel slower, as the standard index.php controller file takes too much memory and time to execute.

For particular use cases, you can build a lightweight controller file, similar to the one used for serving images in cluster configurations, that servers images after checking if the user has a valid session cookie and if in his sessions data there is enough information present to identify him as having 'enough access rights' without having to load any eZP classes. Unfortunately the way php serializes session data + the way eZP stores profile information makes it a bit tricky for complex authorization configurations.

You can of course build a new datatype that stores the original image in a different folder from its variations, but sites often require different types of access to the different variations (eg. did the user buy the hi-res version?)

Principal Consultant International Business
Member of the Community Project Board

Piotrek Karaś

Thursday 01 October 2009 9:55:59 am

Hello Gaetano,

Thanks a lot for your ideas.

Dedicated image view did come to my mind, but just as you mentioned it is not performance wise. Cluster mode thing - not much experience, I will have to investigate that direction to get some ideas. Thanks for pointing to that direction though.

The idea with a dedicated datatype escaped me somehow and actually it's a most suitable one, I think. It's just a matter of decision - a hack or a datatype with classes extending the existing ones (probably alias handler?)... Might be important for future updates, isn't it?

And no, I don't need to put any business logic related to this (such as more advanced access control - I think that could easily use a dedicated view to deliver image as a purchased good).

Thanks,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

eZ debug

Timing: Jan 18 2025 04:22:11
Script start
Timing: Jan 18 2025 04:22:11
Module start 'content'
Timing: Jan 18 2025 04:22:11
Module end 'content'
Timing: Jan 18 2025 04:22:11
Script end

Main resources:

Total runtime0.2636 sec
Peak memory usage2,048.0000 KB
Database Queries141

Timing points:

CheckpointStart (sec)Duration (sec)Memory at start (KB)Memory used (KB)
Script start 0.00000.0094 588.9609180.8125
Module start 'content' 0.00940.0087 769.773498.0547
Module end 'content' 0.01810.2454 867.8281527.1250
Script end 0.2635  1,394.9531 

Time accumulators:

 Accumulator Duration (sec) Duration (%) Count Average (sec)
Ini load
Load cache0.00441.6866200.0002
Check MTime0.00190.7119200.0001
Mysql Total
Database connection0.00130.509910.0013
Mysqli_queries0.201176.28171410.0014
Looping result0.00170.63611390.0000
Template Total0.244792.810.2447
Template load0.00120.453710.0012
Template processing0.243592.369910.2435
Override
Cache load0.00080.316810.0008
Sytem overhead
Fetch class attribute can translate value0.00120.442110.0012
XML
Image XML parsing0.00030.127810.0003
General
dbfile0.00220.8292200.0001
String conversion0.00000.002030.0000
Note: percentages do not add up to 100% because some accumulators overlap

CSS/JS files loaded with "ezjscPacker" during request:

CacheTypePacklevelSourceFiles
CSS0extension/community/design/community/stylesheets/ext/jquery.autocomplete.css
extension/community_design/design/suncana/stylesheets/scrollbars.css
extension/community_design/design/suncana/stylesheets/tabs.css
extension/community_design/design/suncana/stylesheets/roadmap.css
extension/community_design/design/suncana/stylesheets/content.css
extension/community_design/design/suncana/stylesheets/star-rating.css
extension/community_design/design/suncana/stylesheets/syntax_and_custom_tags.css
extension/community_design/design/suncana/stylesheets/buttons.css
extension/community_design/design/suncana/stylesheets/tweetbox.css
extension/community_design/design/suncana/stylesheets/jquery.fancybox-1.3.4.css
extension/bcsmoothgallery/design/standard/stylesheets/magnific-popup.css
extension/sevenx/design/simple/stylesheets/star_rating.css
extension/sevenx/design/simple/stylesheets/libs/fontawesome/css/all.min.css
extension/sevenx/design/simple/stylesheets/main.v02.css
extension/sevenx/design/simple/stylesheets/main.v02.res.css
JS0extension/ezjscore/design/standard/lib/yui/3.17.2/build/yui/yui-min.js
extension/ezjscore/design/standard/javascript/jquery-3.7.0.min.js
extension/community_design/design/suncana/javascript/jquery.ui.core.min.js
extension/community_design/design/suncana/javascript/jquery.ui.widget.min.js
extension/community_design/design/suncana/javascript/jquery.easing.1.3.js
extension/community_design/design/suncana/javascript/jquery.ui.tabs.js
extension/community_design/design/suncana/javascript/jquery.hoverIntent.min.js
extension/community_design/design/suncana/javascript/jquery.popmenu.js
extension/community_design/design/suncana/javascript/jScrollPane.js
extension/community_design/design/suncana/javascript/jquery.mousewheel.js
extension/community_design/design/suncana/javascript/jquery.cycle.all.js
extension/sevenx/design/simple/javascript/jquery.scrollTo.js
extension/community_design/design/suncana/javascript/jquery.cookie.js
extension/community_design/design/suncana/javascript/ezstarrating_jquery.js
extension/community_design/design/suncana/javascript/jquery.initboxes.js
extension/community_design/design/suncana/javascript/app.js
extension/community_design/design/suncana/javascript/twitterwidget.js
extension/community_design/design/suncana/javascript/community.js
extension/community_design/design/suncana/javascript/roadmap.js
extension/community_design/design/suncana/javascript/ez.js
extension/community_design/design/suncana/javascript/ezshareevents.js
extension/sevenx/design/simple/javascript/main.js

Templates used to render the page:

UsageRequested templateTemplateTemplate loadedEditOverride
1pagelayout.tpl<No override>extension/sevenx/design/simple/templates/pagelayout.tplEdit templateOverride template
 Number of times templates used: 1
 Number of unique templates used: 1

Time used to render debug report: 0.0001 secs