
Clients login/varies by computer

japosc Registered Users Posts: 7 Beginner grinner
edited October 25, 2013 in SmugMug Support
I'm using the new SmugMug with a template set up by Fastline. It worked great with the legacy SmugMug and has seemed to work great with the new one, except for an issue I just learned of. Some visitors to my site who click on my 'Clients' tab are shown ALL my client galleries, and some are prompted by a pop-up box asking for the gallery name. This has opened up some HUGE privacy issues. In every browser I use on my computer I get the pop-up, so I can't figure out what's going on. Does anyone have some insight into why this is happening?

BTW: my goal is to make sure that only clients have access to their own gallery. Not other clients, and definitely not the public.

Comments

  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 19, 2013
  • japosc Registered Users Posts: 7 Beginner grinner
    edited October 20, 2013
    Thanks Lamah. I missed that part.

    http://www.soniphotography.com
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 20, 2013
    If you middle-click on your clients link, it takes you straight to the clients folder instead of showing the pop up asking for the gallery name.

    You may or may not be able to change your clients folder to Unlisted to stop that. It would depend on Fastline's customisation and you should really speak to their support about it.
  • Justin B Registered Users, Retired Mod Posts: 488
    edited October 20, 2013
    japosc wrote: »
    I'm using the new SmugMug with a template set up by Fastline. It worked great with the legacy SmugMug and has seemed to work great with the new one, except for an issue I just learned of. Some visitors to my site who click on my 'Clients' tab are shown ALL my client galleries, and some are prompted by a pop-up box asking for the gallery name. This has opened up some HUGE privacy issues. In every browser I use on my computer I get the pop-up, so I can't figure out what's going on. Does anyone have some insight into why this is happening?

    BTW: my goal is to make sure that only clients have access to their own gallery. Not other clients, and definitely not the public.

    Hi japosc,

    Shoot us an email at info@fastlinemedia.com (if you haven't already) and we'll take a look at this first thing tomorrow. Thanks!

    Justin
  • japosc Registered Users Posts: 7 Beginner grinner
    edited October 24, 2013
    Justin B wrote: »
    Hi japosc,

    Shoot us an email at info@fastlinemedia.com (if you haven't already) and we'll take a look at this first thing tomorrow. Thanks!

    Justin

    Thanks Justin. Billy and I have been talking about this. It seems the issue is that it works like it should when I'm logged into my custom domain, but when someone somehow finds their way to my SmugMug domain, they seem to have access to all clients' private galleries. Let's keep our fingers crossed we can get this straightened out.
  • thenickdude Registered Users Posts: 1,302 Major grins
    edited October 24, 2013
    Nope, it doesn't work in any circumstance. The Clients link in your sidebar is literally just a link to this folder: http://www.soniphotography.com/Clients . If you right click on the Clients link, and click "open in new tab", it'll go straight to that folder. And since your client galleries are all Public, they all appear in that folder listing. Plus they appear in all of your date and keyword search results, such as this:

    http://www.soniphotography.com/date/2013-01-01/2013-12-31

    Or this:

    http://www.soniphotography.com/keyword/prom13

    The "right way" for Fastline to do this would be to mark the clients folder as unlisted. Then Fastline would need to add themselves to your account as an authorised application with read-only access (or a similar backdoor provided by SmugMug which achieves the same effect). Then they can create a JSONP endpoint on their own Fastline server which, given a client's name, uses its authorisation on your account to check if it is the name of one of the galleries in the designated clients folder. Then they can redirect the viewer to the URL for that client gallery (including the required "n-t9aCd" random ID on the end of the URL which stymies the use of unlisted galleries in their current implementation).

    Alternatively, if they don't want to do any server-side engineering, they can create a login generator that creates a gallery password for each unlisted client gallery which is reversibly derived from the random "n-t9aCd" ID found on the end of each gallery link. Then when a client enters their username and derived password, they have all the information they need to redirect them to the right gallery.

    Their current implementation is a disaster, since it's vulnerable to simple folder name guessing ("Clients"), keyword search, date search, enumeration by tools such as SmugRoom, and since it includes a naked link to the clients folder, it causes the whole folder to be indexed by search engines:

    https://www.google.co.nz/#q=site%3Awww.soniphotography.com+clients

    And for Google in particular, setting the folder to Public causes every single client gallery to appear in your Google Sitemap:

    http://www.soniphotography.com/sitemap-base.xml

    You can significantly reduce the number of search results that turn up your client images by changing the search privacy settings for each of your client galleries to deny all searches, although keyword functionality for those galleries will probably break.
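The post above points out that a Public client folder puts every client gallery into the sitemap and into folder, date and keyword listings. The following is an added example (not code from the thread, from Fastline or from SmugMug) of the check a site owner could run against their own sitemap to see what is exposed. It assumes a standard sitemaps.org `<urlset>`, a client folder named `Clients`, and that an unlisted gallery URL ends in a key like `/n-t9aCd` as shown in the post; the sample sitemap is constructed inline and the hostname is a placeholder.

```python
"""Audit a sitemap for client galleries a search engine can see.

Added example, not code from the thread or from Fastline/SmugMug.
Assumptions (not from the page): the sitemap is a sitemaps.org <urlset>,
client galleries live under a folder named "Clients", and an unlisted
gallery URL ends in a key shaped like "/n-t9aCd" as the post shows.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Key suffix modelled on the "n-t9aCd" example in the post; exact charset assumed.
KEY_RE = re.compile(r"/n-[A-Za-z0-9]+$")

# Constructed sample sitemap with a placeholder host (not fetched from any real site).
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://www.example.com/</loc></url>
  <url><loc>http://www.example.com/Portfolio/Weddings</loc></url>
  <url><loc>http://www.example.com/Clients</loc></url>
  <url><loc>http://www.example.com/Clients/Smith-Family</loc></url>
  <url><loc>http://www.example.com/Clients/Prom-2013</loc></url>
  <url><loc>http://www.example.com/Clients/Jones-Wedding/n-t9aCd</loc></url>
</urlset>
"""


def sitemap_urls(xml_text):
    """Return every <loc> in a sitemaps.org <urlset>, in document order."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip()
            for loc in root.findall("sm:url/sm:loc", SITEMAP_NS)
            if loc.text]


def exposed_client_galleries(xml_text, client_folder="Clients"):
    """URLs below the client folder that the sitemap hands to search engines.

    Every gallery under the folder counts as exposed: being listed in the
    sitemap defeats the point of an unlisted URL even when the n-key is present,
    so the key is reported separately rather than treated as protection.
    """
    prefix = "/" + client_folder.strip("/") + "/"
    hits = []
    for url in sitemap_urls(xml_text):
        path = urlparse(url).path
        if path.startswith(prefix):  # the folder page itself is not a gallery
            hits.append({"url": url,
                         "has_unlisted_key": bool(KEY_RE.search(path))})
    return hits


def summarize(xml_text, client_folder="Clients"):
    """Count exposed client galleries and how many of them carry an n-key."""
    hits = exposed_client_galleries(xml_text, client_folder)
    return {
        "exposed": len(hits),
        "keyed_but_still_listed": sum(h["has_unlisted_key"] for h in hits),
    }


if __name__ == "__main__":
    for hit in exposed_client_galleries(SAMPLE_SITEMAP):
        label = "KEYED  " if hit["has_unlisted_key"] else "PUBLIC "
        print(label + hit["url"])
    print(summarize(SAMPLE_SITEMAP))
```

Run against a real `sitemap-base.xml` by passing its text to `summarize`; an `exposed` count above zero means the client folder is still feeding gallery URLs to crawlers, regardless of any per-gallery password, which only gates the images, not the existence and name of the gallery.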
  • Justin B Registered Users, Retired Mod Posts: 488
    edited October 25, 2013
    japosc wrote: »
    Thanks Justin. Billy and I have been talking about this. It seems the issue is that it works like it should when I'm logged into my custom domain, but when someone somehow finds their way to my SmugMug domain, they seem to have access to all clients' private galleries. Let's keep our fingers crossed we can get this straightened out.

    Hi Jason,

    Unfortunately, we can't get around the SmugMug domain issue as our client login code won't run on SmugMug domains.

    The purpose of the client login has never been to completely secure things and protect your galleries, but to provide a simple way for clients to find their photos other than searching through potentially hundreds of galleries in a folder. That is why we always recommend that you password protect your client galleries. Lamah's solution sounds like it would work fine, but we've never really been fans of overcomplicated hacks.

    If password protecting the galleries doesn't work for you, we can always remove the login feature and you can email links to the unlisted galleries to your clients. Let Billy know if you want to go that route and he'll make it happen for you.