pages/siteimagesowner shouldn't be accessible when not logged in #13

Closed
Josh-Henly opened this issue Dec 8, 2014 · 4 comments

@Josh-Henly

See screenshot re: "'s photos":

[Screenshot: screen shot 2014-12-08 at 1 35 49 pm]

@iionly
Owner

iionly commented Dec 9, 2014

When logged out, a visitor will only see the images/albums that have the "public" access level. This is the same for other types of content, too, e.g. a user's public blogs. So, a user's blogs, files etc. pages are also accessible when logged out. So I wonder why it should be different for images of a user of Tidypics.

Of course, the "Upload" button shouldn't be displayed when logged out. It seems I've forgotten to remove it from this page. But I see a user's name on the page also when logged out and not just "'s photos". May I ask which version of Tidypics you are currently using?

@Josh-Henly
Author

Typically a logged-out user has no way of reaching photos/siteimagesowner. In my case I was logged in while viewing that page (via the 'Mine' tab) in a browser tab. In another browser tab I logged out, and then I went back to the siteimagesowner browser tab and either refreshed or hit enter in the URI bar. Admittedly, it's probably not a common scenario.

Agreed that the 'Upload photos' button shouldn't be there, but I'm confused -- which user's name did you see on that page when logged out? To me, "'s photos" (while unsightly) at least has a plausible explanation -- the code appended "'s photos" to the logged-in user's name, but there was no logged-in user.

We're using version 2014111701.

@iionly
Owner

iionly commented Dec 9, 2014

I think I've got it now.

I had tested it by going to a profile page first and following the "Photos" link from there. In this case you get this user's photos (including username) displayed correctly because the user's GUID is known. If you are logged in, the fallback is to use the logged-in user's GUID, but currently the case of a missing GUID (when logged out and directly calling siteimagesowner) is indeed not handled correctly. Most likely all public photos are even displayed instead.

I'll include this issue in my list of tasks. Though I might not be able to work on Tidypics again before the beginning of next year, after the holiday season.

@iionly
Owner

iionly commented Jan 4, 2015

Fixed by commit fec406d which will be included in version 1.9.5.
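
The owner-resolution gap discussed in this thread, modelled as an added example in plain PHP. It is not Tidypics code and not the content of commit fec406d; every function name, the sample data, the "GUID 0 means logged out / no owner filter" behaviour and the redirect outcome are assumptions made for illustration.

```php
<?php
// Constructed sample data (hypothetical): owner GUID => name, plus public images.
function sample_users(): array { return [42 => 'alice', 43 => 'bob']; }
function sample_public_images(): array {
    return [
        ['guid' => 101, 'owner_guid' => 42, 'title' => 'beach'],
        ['guid' => 102, 'owner_guid' => 43, 'title' => 'city'],
    ];
}

// Assumption: an owner GUID of 0 applies no owner filter, matching the
// "most likely all public photos are displayed" guess in the thread.
function images_for_owner(int $ownerGuid): array {
    return array_values(array_filter(sample_public_images(),
        fn($img) => $ownerGuid === 0 || $img['owner_guid'] === $ownerGuid));
}

// Before: falls back to the viewer's GUID without checking there is a viewer.
function owner_page_unchecked(?int $requestedGuid, int $viewerGuid): array {
    $ownerGuid = $requestedGuid ?? $viewerGuid;   // 0 when logged out
    $name = sample_users()[$ownerGuid] ?? '';     // no owner => empty name
    return [
        'title' => $name . "'s photos",           // renders as "'s photos"
        'images' => images_for_owner($ownerGuid), // unfiltered listing
        'show_upload' => true,                    // never looks at the viewer
    ];
}

// After: refuse to render when no owner can be resolved, and tie the
// upload button to an authenticated viewer.
function owner_page_checked(?int $requestedGuid, int $viewerGuid): array {
    $ownerGuid = $requestedGuid ?? $viewerGuid;
    $users = sample_users();
    if (!array_key_exists($ownerGuid, $users)) {
        return ['redirect' => 'login'];           // hypothetical outcome
    }
    return [
        'title' => $users[$ownerGuid] . "'s photos",
        'images' => images_for_owner($ownerGuid),
        'show_upload' => $viewerGuid !== 0,
    ];
}

// Logged-out visitor loading the owner page directly, with no GUID in the URL.
print_r(owner_page_unchecked(null, 0));
print_r(owner_page_checked(null, 0));
// Logged-out visitor arriving from a profile page, where the GUID is known.
print_r(owner_page_checked(42, 0));
```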
