Clients login/varies by computer

japoscjaposc Registered Users Posts: 7 Beginner grinner
edited October 25, 2013 in SmugMug Support
I'm using the new smugmug with a template set up by fastline. It worked great with the legacy smugmug and has seemed to work great with the new, except of an issue I just learned of. And that is that some visitors to my site who click on my 'client' tab are shown ALL my client galleries and some are prompted by a pop up box asking for the gallery name.:scratch This has opened up some HUGE privacy issues. So, every browser I use on my computer i get the pop up, so i can't figure out whats going on. Does any one have some insite to why this is happening?

btw: my goal is to make sure that only clients have access to their own gallery. Not other clients and definitely not the public.

Comments

  • thenickdudethenickdude Registered Users Posts: 1,302 Major grins
    edited October 19, 2013
    Any chance of a link to your site?
    https://www.sherlockphotography.org/

    Please check out my gallery of customisations for the New SmugMug, more to come!
  • japoscjaposc Registered Users Posts: 7 Beginner grinner
    edited October 20, 2013
    Thanks Lamah. I missed that part

    http://www.soniphotography.com
  • thenickdudethenickdude Registered Users Posts: 1,302 Major grins
    edited October 20, 2013
    If you middle-click on your clients link, it takes you straight to the clients folder instead of showing the pop up asking for the gallery name.

    You may or may not be able to change your clients folder to Unlisted to stop that. It would depend on Fastline's customisation and you should really speak to their support about it.
    https://www.sherlockphotography.org/

    Please check out my gallery of customisations for the New SmugMug, more to come!
  • Justin BJustin B Registered Users, Retired Mod Posts: 488
    edited October 20, 2013
    japosc wrote: »
    I'm using the new smugmug with a template set up by fastline. It worked great with the legacy smugmug and has seemed to work great with the new, except of an issue I just learned of. And that is that some visitors to my site who click on my 'client' tab are shown ALL my client galleries and some are prompted by a pop up box asking for the gallery name.headscratch.gif This has opened up some HUGE privacy issues. So, every browser I use on my computer i get the pop up, so i can't figure out whats going on. Does any one have some insite to why this is happening?

    btw: my goal is to make sure that only clients have access to their own gallery. Not other clients and definitely not the public.

    Hi japosc,

    Shoot us an email at info@fastlinemedia.com (if you haven't already) and we'll take a look at this first thing tomorrow. Thanks!

    Justin
    Justin

    FastLine MediaSmugMug CustomizationWebsite DesignLogo DesignWordPress Page BuilderTwitter
  • japoscjaposc Registered Users Posts: 7 Beginner grinner
    edited October 24, 2013
    Justin B wrote: »
    Hi japosc,

    Shoot us an email at info@fastlinemedia.com (if you haven't already) and we'll take a look at this first thing tomorrow. Thanks!

    Justin

    Thanks Justin. Billy and I have been talking about this. it seems the issue is that it works like it should when I'm logged into my custom domain, but when someone, somehow finds their way to my smugmug domain, they seem to have access to all clients private galleries. Let's keep our fingers crossed we can get this straightened out.
  • thenickdudethenickdude Registered Users Posts: 1,302 Major grins
    edited October 24, 2013
    Nope, it doesn't work in any circumstance. The Clients link in your sidebar is literally just a link to this folder: http://www.soniphotography.com/Clients . If you right click on the Clients link, and click "open in new tab", it'll go straight to that folder. And since your client galleries are all Public, they all appear in that folder listing. Plus they appear in all of your date and keyword search results, such as this:

    http://www.soniphotography.com/date/2013-01-01/2013-12-31

    Or this:

    http://www.soniphotography.com/keyword/prom13

    The "right way" for Fastline to do this would be to mark the clients folder as unlisted. Then Fastline would need to add themselves to your account as an authorised application with read-only access (or a similar backdoor provided by SmugMug which achieves the same effect). Then they can create a JSONP endpoint on their own Fastline server which, given a client's name, uses its authorisation on your account to check if it is the name of one of the galleries in the designated clients folder. Then they can redirect the viewer to the URL for that client gallery (including the required "n-t9aCd" random ID on the end of the URL which stymies the use of unlisted galleries in their current implementation).

    Alternatively, if they don't want to do any server-side engineering, they can create a login generator that creates a gallery password for each unlisted client gallery which is reversibly derived from the random "n-t9aCd" ID found on the end of each gallery link. Then when a client enters their username and derived password, they have all the information they need to redirect them to the right gallery.

    Their current implementation is a disaster, since it's vulnerable to simple folder name guessing ("Clients"), keyword search, date search, enumeration by tools such as SmugRoom, and since it includes a naked link to the clients folder, it causes the whole folder to be indexed by search engines:

    https://www.google.co.nz/#q=site%3Awww.soniphotography.com+clients

    And for Google in particular, setting the folder to Public causes every single client gallery to appear in your Google Sitemap:

    http://www.soniphotography.com/sitemap-base.xml

    You can significantly reduce the amount of search results that turn up your client images by changing the search privacy settings for each of your client galleries to deny all searches, although keyword functionality for those galleries will probably break.
    https://www.sherlockphotography.org/

    Please check out my gallery of customisations for the New SmugMug, more to come!
  • Justin BJustin B Registered Users, Retired Mod Posts: 488
    edited October 25, 2013
    japosc wrote: »
    Thanks Justin. Billy and I have been talking about this. it seems the issue is that it works like it should when I'm logged into my custom domain, but when someone, somehow finds their way to my smugmug domain, they seem to have access to all clients private galleries. Let's keep our fingers crossed we can get this straightened out.

    Hi Jason,

    Unfortunately, we can't get around the SmugMug domain issue as our client login code won't run on SmugMug domains.

    The purpose of the client login has never been to completely secure things and protect your galleries but provide a simple way for clients to find their photos other than searching through potentially hundreds of galleries in a folder. That is why we always recommend that you password protect your client galleries. Lamah's solution sounds like it would work fine but we've never really been fans of overcomplicated hacks.

    If password protecting the galleries doesn't work for you, we can always remove the login feature and you can email links to the unlisted galleries to your clients. Let Billy know if you want to go that route and he'll make it happen for you.
    Justin

    FastLine MediaSmugMug CustomizationWebsite DesignLogo DesignWordPress Page BuilderTwitter
Sign In or Register to comment.