Invalid Gallery ID Weirdness

mikegrb Registered Users Posts: 9 Beginner grinner
I have a webpage where a customer can enter a photo shoot or event ID into a box to be brought to the corresponding private SmugMug gallery. Unfortunately SmugMug seems to be doing some odd stuff if the gallery doesn't exist.

Here is the response from the Perl script redirecting the person's browser to http://prints.michaelgreb.com/gallery/123
HTTP/1.x 302 Moved
Date: Sun, 04 Mar 2007 09:48:04 GMT
Server: Apache/2.2.3 (Debian)
Location: http://prints.michaelgreb.com/gallery/123
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/x-perl
----------------------------------------------------------
http://prints.michaelgreb.com/gallery/123

The browser then properly requests the invalid URL:
GET /gallery/123 HTTP/1.1
Host: prints.michaelgreb.com
<snip>

But then the odd part, SmugMug redirects again:
HTTP/1.x 302 Found
Date: Sun, 04 Mar 2007 09:51:52 GMT
Server: Apache
X-Powered-By: smugmug/1.2.0
Set-Cookie: SMSESS=80188e6b70a0df1569e49ef3af2cf056; path=/; domain=.michaelgreb.com
Cache-Control: private, max-age=1, must-revalidate
Location: http://LightGiver/gallery/123
Etag: "39d1f48e3d68e230ce15bde34f2cf480"
Content-Length: 28
Keep-Alive: timeout=10000
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

I'm guessing that a user that once existed with the nick 'LightGiver' was the proud owner of the gallery with id 123? At any rate, is there any way to prevent this from happening and instead give the user an error message in a skinned page? If not, it seems using the API to retrieve a list of valid gallery ids and check against that before sending would be necessary.

On the subject of the API, I would like to release the source code for my script for others to use. If I end up using the API, that means the API key would need to be in the source. Is this kosher, or should I leave it out and let users get their own API key?

Comments

  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited March 4, 2007
    Hi Mike,

    mikegrb wrote:
    I'm guessing that a user that once existed with the nick 'LightGiver' was the proud owner of the gallery with id 123? At any rate, is there any way to prevent this from happening and instead give the user an error message in a skinned page? If not, it seems using the API to retrieve a list of valid gallery ids and check against that before sending would be necessary.
    I guess I am confused as to how you would end up with the wrong gallery id if you are using the api method correctly. SmugMug does automatically redirect to the correct owner's website if a user attempts to manufacture a url which includes a gallery that doesn't belong to them.

    What api method are you using to retrieve the gallery ids?

    mikegrb wrote:
    On the subject of the API, I would like to release the source code for my script for others to use. If I end up using the API, that means the API key would need to be in the source. Is this kosher, or should I leave it out and let users get their own API key?
    There are two lines of thought here. One is to provide the API Key in the script as you mentioned or the other is to provide instructions that an API Key is required and the person using the script must request their own key. Either method is acceptable imo.

    Cheers,

    David
    David Parry
    SmugMug API Developer
  • mikegrb Registered Users Posts: 9 Beginner grinner
    edited March 4, 2007
    devbobo wrote:
    Hi Mike,

    I guess I am confused as to how you would end up with the wrong gallery id if you are using the api method correctly. SmugMug does automatically redirect to the correct owner's website if a user attempts to manufacture a url which includes a gallery that doesn't belong to them.

    What api method are you using to retrieve the gallery ids?
    This is what I decided with further testing. I am currently not using any API. The numbers come via user input. There is a box on my website that says "Enter an Event ID or Shoot ID to view proofs or purchase prints." that then redirects them to the gallery. My comment regarding API usage was as a possible solution to the problem. Is there any way to disable the redirection when the gallery doesn't belong to me?
    devbobo wrote:
    There are two lines of thought here. One is to provide the API Key in the script as you mentioned or the other is to provide instructions that an API Key is required and the person using the script must request their own key. Either method is acceptable imo.

    Cheers,

    David
    I think I may have found an alternative solution that won't require the API key. Since I'm not dealing with password protected (just private) galleries, I can simply attempt to retrieve the RSS feed for the entered gallery and verify that the link is for my gallery and not another user.
  • RogersDA Registered Users Posts: 3,502 Major grins
    edited March 4, 2007
    devbobo wrote:
    SmugMug does automatically redirect to the correct owner's website if a user attempts to manufacture a url which includes a gallery that doesn't belong to them.

    Is this why, when an incorrect image name is used with a correct path that the user is directed to another person's site?

    For example, the correct link might be http://DaRPhotos.smugmug.com/photos/133761018-M.jpg

    The incorrect link http://DaRPhotos.smugmug.com/photos/33761018-M.jpg (missing the leading "1" in the filename) takes your browser to someone else's site (http://neskora.smugmug.com/photos/33761018-M.jpg). Seems to me that an error message should be generated?
  • mikegrb Registered Users Posts: 9 Beginner grinner
    edited March 5, 2007
    RogersDA wrote:
    Is this why, when an incorrect image name is used with a correct path that the user is directed to another person's site?

    For example, the correct link might be http://DaRPhotos.smugmug.com/photos/133761018-M.jpg

    The incorrect link http://DaRPhotos.smugmug.com/photos/33761018-M.jpg (missing the leading "1" in the filename) takes your browser to someone else's site (http://neskora.smugmug.com/photos/33761018-M.jpg). Seems to me that an error message should be generated?

    Yes, I agree. The current behavior is definitely the wrong behavior, no offense to the other photographers on the site ;). At least now that I know what is going on, I can check on my end and generate my own error message but there isn't anything that can be done in your situation :(
  • Andy Registered Users Posts: 50,016 Major grins
    edited March 5, 2007
    mikegrb wrote:
    Yes, I agree. The current behavior is definitely the wrong behavior, no offense to the other photographers on the site ;). At least now that I know what is going on, I can check on my end and generate my own error message but there isn't anything that can be done in your situation :(
    The reason for that is so that no urls are ever broken, if a photographer on SmugMug changes his / her nickname :)
  • mikegrb Registered Users Posts: 9 Beginner grinner
    edited March 5, 2007
    Andy wrote:
    The reason for that is so that no urls are ever broken, if a photographer on SmugMug changes his / her nickname :)

    This is logical. I couldn't think of a logical reason for the current behavior on my own ;)

    My initial thought for checking id validity before redirecting my customer was to retrieve the rss feed and check the links there. Turns out rss feeds aren't available for private galleries so I came up with a different solution that was actually better.
  • mikegrb Registered Users Posts: 9 Beginner grinner
    edited March 5, 2007
    I've posted my script with some basic instructions for use to the forum at http://www.dgrin.com/showthread.php?t=55635. Hopefully it will be useful to other SmugMug users.
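
One way to do the check discussed in this thread before sending a customer on: request the gallery URL without following redirects and accept it only if the response stays on your own host. This is an added example, not mikegrb's script or SmugMug code; the function names are hypothetical, and it assumes gallery IDs are short decimal numbers and that a gallery of yours answers with 200 or a redirect within your own domain.

```python
import http.client
import re
from urllib.parse import urlsplit

OWN_HOST = "prints.michaelgreb.com"       # custom domain from the first post
GALLERY_ID = re.compile(r"[0-9]{1,10}")   # assumption: IDs are short ASCII decimals


def gallery_path(user_input):
    """Return /gallery/<id> for purely numeric input, else None."""
    candidate = user_input.strip()
    if not GALLERY_ID.fullmatch(candidate):
        return None
    return "/gallery/" + candidate


def is_own_gallery(status, location, own_host=OWN_HOST):
    """Judge a non-followed response: was the gallery served by own_host?

    200 means it was served in place. A redirect is accepted only when its
    Location stays on own_host; another host, a 404, etc. are rejected.
    """
    if status == 200:
        return True
    if status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location)
        # A relative Location (no host part) stays on the same site.
        host = (target.hostname or own_host).lower()
        return host == own_host.lower()
    return False


def check_gallery(user_input, own_host=OWN_HOST, timeout=10):
    """Probe the gallery without following redirects; return its URL or None."""
    path = gallery_path(user_input)
    if path is None:
        return None
    conn = http.client.HTTPConnection(own_host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        ok = is_own_gallery(resp.status, resp.getheader("Location"), own_host)
    finally:
        conn.close()
    return "http://%s%s" % (own_host, path) if ok else None
```

When `check_gallery` returns None, the calling page can show its own error message instead of issuing the redirect.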