I've been using Photoshare for a while. Had some issues with it (bug with a particular view of the albums), really missed the "preview" size that gallery has, so I've been eagerly awaiting Mediashare.
I'm successfully using Photoshare with a folder that's not accessible to the public, and was hoping to do the same with Mediashare. However, it doesn't seem to work.
Current Photoshare folder: /home/xyz_web/data/images/photoshare_images
Current Mediashare folder: /home/xyz_web/data/media/mediashare
Module folder is: /home/xyz_web/public_html/modules/mediashare
I noted this - "Make sure it corresponds to a directory named 'mediashare' in PostNuke's top directory". So I wondered if it might not work this way.
I can upload the images OK. Using FTP I can see that the 3 images uploaded are now in the right place, and there are 9 files: 3 images x 3 sizes, all with long filenames. So it all looks OK. The album says there's 3 images, but you can't see any image.
Does Mediashare work in a different way, so that you can't "hide" the images?
Posted: 25.03.2006, 14:00
I found the notes on storage for Photoshare:
Third - you should not - never - place your Photoshare images beneath the /public_html folder (or similar - some places it is /httpdocs). This makes it possible to access the images directly, bypassing Photoshare access control.
In the above case you should use the folder /www/users/ix4517/photoshare_images and /www/users/ix4517/photoshare_tmp for the image and tmp folder. On your FTP client it would be /photoshare_images and /photoshare_tmp.
Does Mediashare support the same method?
The readme.txt indicates not:
Create a directory named "mediashare" in the main PostNuke directory
Posted: 25.03.2006, 14:57
Please read the security section in the readme file:
Quote
Mediashare uses another technique: all images are stored in the filesystem
in a place where the webserver can access them (in the "mediashare" directory).
This means all items are accessible to everybody!
To avoid everybody accessing the files we name them randomly with filenames
that should not be possible to guess by outsiders. You will only get these
filenames if you are able to browse the Mediashare albums containing them (and
thereby serving links to them).
Posted: 25.03.2006, 20:50
Yes, I did read that, so I was afraid that the answer would be "no you can't do that".
I'm interested to know what is it about the new technique which prevents using the Photoshare-style path. I'm assuming that you're using GD to do the resizing, and perhaps that needs public_html access. :-(
Posted: 26.03.2006, 09:10
Nothing to do with GD. It's purely a design decision.
Photoshare served images by streaming them through PHP - that takes some performance out of the server when you have to kick life into PostNuke every time you show one image.
So Mediashare lets the webserver display the images directly from the disk without starting any PHP. That's why the filenames have to be so cryptic - I don't want people to be able to guess them.
You could argue that the image security is better than your PostNuke security. Each filename consists of approx. 20 characters - how many characters do you have in your administrator password?
Posted: 27.03.2006, 23:03
My concern is not people guessing the filename, but the URL being discovered by a legitimate user, who then distributes that to others.
Anyway, the photos are really that important, security wise, so I'll probably stick with it. The reason I moved from Gallery to Photoshare was specifically due to the "hidden" store.
Off to install beta2 now... :D
Posted: 28.03.2006, 07:18
The module is prepared for storage plugins so maybe it will be possible to use the hidden store later on. Probably not without new URLs (although a lot can be done with mod-rewrite).
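The "hidden store" approach discussed in this thread, as an added example that is not Photoshare or Mediashare code: files live outside public_html and every request passes an access check before PHP streams the file, so a forwarded URL is useless to someone without permission. `STORE_DIR`, `user_may_view()`, the `f` parameter, the session key and the sample ACL are assumptions made for illustration.

```php
<?php
// Added illustration; not Photoshare or Mediashare code.
// STORE_DIR and user_may_view() are hypothetical names.
const STORE_DIR = '/home/xyz_web/data/media/mediashare'; // outside public_html

// Hypothetical stand-in for the CMS permission check.
function user_may_view(?string $user, string $file): bool
{
    $acl = ['a1b2c3.jpg' => ['alice', 'bob']]; // constructed sample ACL
    return $user !== null && in_array($user, $acl[$file] ?? [], true);
}

// Resolve a requested name to a real path inside $storeDir, or null.
function resolve_media(string $storeDir, string $name): ?string
{
    // Accept only a bare file name: no separators, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $name)) {
        return null;
    }
    $base = realpath($storeDir);
    $path = realpath($storeDir . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // After symlink resolution the file must still be inside the store.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function serve_media(?string $user, string $name): void
{
    $path = resolve_media(STORE_DIR, $name);
    // Same response for "missing" and "not allowed", so names cannot be probed.
    if ($path === null || !user_may_view($user, $name)) {
        http_response_code(404);
        return;
    }
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store'); // keep copies out of shared caches
    readfile($path);
}

session_start();
serve_media($_SESSION['user'] ?? null, (string)($_GET['f'] ?? ''));
```

The cost is the one named in the thread: PHP starts for every image request, whereas the random-filename scheme lets the web server serve files directly but cannot revoke a URL once it has been shared.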