[BUG] Use of "guest" sessions instead of authenticated one to download some images from iOS #554
Comments
Can confirm. If you access a piwigo 13.8.0 server site, such as my own https://benchodroff.com/photos, using the latest TestFlight piwigo mobile 3.1 iOS app, and do not log in, you will be unable to download any photos from the iOS app even though everything else works. However, if you then log in, you can download photos. Would greatly appreciate a fix so that even anonymous users can download photos.
I'm not sure this is the exact same problem but may be related. My issue is that it is using a guest session when it shouldn't but yours seems to be that it is not using a guest one when you want it to. They may definitely be related. Any update from the developers? Happy to provide more information if it helps. Thanks!
Gentle ping on this? I am happy to help if I can. This is not an area I am too familiar with but happy to try with a bit of guidance. Thanks!
Hi @romain-intel
Hello @EddyLB, thanks for your response. Yes, I saw it opening a session and that part works fine. I think we are saying the same thing namely: images are then currently sometimes downloaded without a session and you are saying that you will fix it so that image URLs as well as images are fetched using the authenticated session. Is that correct? If so, then yes, I think this would fix the issue I am seeing. (and to be clear, sometimes pictures are downloaded with a session, sometimes not, it's very weird :) ).
Describe the bug and how to reproduce
I hadn't used Piwigo in a while and recently updated everything (the server to 14b3 and the iOS app). I also use a version of piwigo_privacy (https://github.com/yonjah/piwigo_privacy) which ensures that images are always protected (ie: you need to have access to them to actually get to them).
The issue seems to be that, in some cases, the iOS app does not use a logged in session to download images and instead downloads "as guest" which breaks this protection. It only seems to do this for the representative image of an album (and that too not in all cases so it is a bit weird). All other images load fine (thumbnail or full version).
I've been trying to figure this out because I know I have a bit of an exotic setup but I believe the issue is in the iOS app (and not the PHP server code).
I instrumented things in user.inc.php to see what requests were coming in and here is what I see (user 2 is the "guest" user and user 3 is an actual registered user):
You can see in the log above that there is an authenticated session tqfe3uka6ijafjrkt1okb7erq1 and that it uses that for things like getStatus request but then, it has unknown sessions (not logged in), here r7gg164uve755672f0oms6b7m4 and qb5qmhe7uifjab339jmuoiqd2l, to access images directly. I can also confirm that all these sessions appear in the DB and that only one of them contains the pwg_id (the others do not since they correspond to a guest login).
Steps to reproduce the behavior:
To reproduce, just logging in to a brand new piwigo instance should produce the requests shown above, but it will most likely work unless images are protected.
Expected behavior
I would expect the iOS app to always use the authenticated session to access anything from the server and never use a "guest" login to download or upload anything.
Note that in a lot of cases, it actually uses the proper session but it's just in some cases that it does not. I am pretty sure this worked before and I suspect some of the new cache code may have introduced a code path where a "guest" session attempts to get photos.
What did you do already
I searched for similar issues and also tried looking at past commits to see if I could understand where the issue was coming from but no luck. I disable guest login (which I think is part of the issue) and it is not reproducible on the demo because I suspect the demo is not protecting URLs.
Screenshots
If applicable, add screenshots to help explain your problem.
Smartphone (please complete the following information):
Additional context
As mentioned above, I do use the piwigo_privacy extension (well somewhat modified) and I initially looked there for the issue but it seems to be doing as it should (ie: denying guest access to images). The issue seems to be the iOS app making guest requests when it should ideally be making authenticated ones.
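The mismatch described in this report can be looked for in server-side request logs. The following is an added example, not code from the report or from the Piwigo project: the log line format, client addresses and request paths are constructed assumptions, while the session IDs and the guest/registered user IDs (2 and 3) are the ones quoted above.

```python
import re
from collections import defaultdict

GUEST_USER_ID = 2  # per the report: user 2 is "guest", user 3 is a registered user

# Constructed sample lines. The format (ip, session, user, request) is an
# assumption; the report's actual log output is not shown on the page.
SAMPLE_LOG = """\
203.0.113.7 sess=tqfe3uka6ijafjrkt1okb7erq1 user=3 POST /ws.php?method=pwg.session.getStatus
203.0.113.7 sess=tqfe3uka6ijafjrkt1okb7erq1 user=3 GET /i.php?/upload/a-th.jpg
203.0.113.7 sess=r7gg164uve755672f0oms6b7m4 user=2 GET /i.php?/upload/b-me.jpg
203.0.113.7 sess=qb5qmhe7uifjab339jmuoiqd2l user=2 GET /i.php?/upload/c-me.jpg
198.51.100.9 sess=0000constructedguestsession user=2 GET /i.php?/upload/a-th.jpg
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) sess=(?P<sess>\w+) user=(?P<user>\d+) [A-Z]+ (?P<path>\S+)$"
)
IMAGE_RE = re.compile(r"\.(?:jpe?g|png|gif|webp)$", re.IGNORECASE)


def parse(log_text):
    """Yield (ip, session, user_id, path) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["sess"], int(m["user"]), m["path"]


def guest_fetches_from_logged_in_clients(log_text, guest_id=GUEST_USER_ID):
    """Return (ip, session, path) for image requests that arrived as guest
    from a client address that also holds an authenticated session.

    Clients that only ever appear as guest are treated as anonymous visitors
    and are not reported. Several users behind one NAT address can produce
    false positives, so treat hits as leads to confirm.
    """
    authed_ips = set()
    guest_image_hits = defaultdict(list)
    for ip, sess, user, path in parse(log_text):
        if user != guest_id:
            authed_ips.add(ip)
        elif IMAGE_RE.search(path):
            guest_image_hits[ip].append((sess, path))
    return [(ip, sess, path)
            for ip in sorted(authed_ips)
            for sess, path in guest_image_hits.get(ip, [])]


if __name__ == "__main__":
    for hit in guest_fetches_from_logged_in_clients(SAMPLE_LOG):
        print("guest image fetch from logged-in client:", *hit)
```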