
True privacy with pictures | Forum

Sebastian
Sebastian Sep 2 '13
Hi there!


Quite new to oxwall, but I like it so far :-)


Currently I am working on a plugin to block photos that are set to being shared with friends only. The initial install already contains fields in the ow_photo table for friends_only/everybody at the privacy field, but once the URL to the image is published elsewhere, anybody on the www can access it.


My approach is to create a rewrite rule like this:

RewriteEngine on
RewriteBase /img/
RewriteRule ^(.*)\.jpg$ /img/rewrite_img.php?data=$1 [L]


...then /img/rewrite_img.php will deliver the image after some checks (to the client it looks like: www.mypage.com/img/1/photo_4.jpg), instead of the direct Apache call. This will allow us to check for authorisation and even deny the image to be loaded if set so. This simple fix already works like a charm :-)


As any photo on the site would have to go through this, things have to be kept light and small, so I do:


1.) Check, if the desired image file exists.

2.) Query DB if photo is "friends_only".

3.) Check if user trying to load the image is a "friend" of image owner.

4.) Depending on results, deliver or deny image.


Except for 3.) I got it all working. The problem is, I can't get the "userId" of the logged in user outside of oxwall world. This is needed to check if the image owner and the person attempting to load the image are friends.


Maybe someone already went through ow session handling and is willing to help me out? For any image call I can't load ow core to get the data, as this slows down the server significantly with huge galleries.


Any ideas? 


Thanx,


Sebastian
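
The four checks listed in the post above, as an added example (not Sebastian's script and not Oxwall code). The `ow_photo` table and its `privacy` values come from the post; the column names `id` and `userId`, the `photo_<id>.jpg` naming, the `$viewerId` value and the `$isFriend` callback are assumptions.

```php
<?php
// Added example, not Oxwall code. Assumed: the file name is photo_<id>.jpg,
// ow_photo has columns id, userId, privacy, and $isFriend is your own lookup.

function resolve_image(string $data, string $root): ?array
{
    // $data is the rewrite capture, e.g. "1/photo_4"; accept only that shape.
    if (!preg_match('#^(?:[A-Za-z0-9_-]+/)*photo_(\d+)$#D', $data, $m)) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit under $root.
    $path = realpath($root . '/' . $data . '.jpg');
    $prefix = rtrim($root, '/') . '/';
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return ['path' => $path, 'photoId' => (int) $m[1]];
}

function may_view(PDO $db, int $photoId, ?int $viewerId, callable $isFriend): bool
{
    $st = $db->prepare('SELECT userId, privacy FROM ow_photo WHERE id = ?');
    $st->execute([$photoId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                      // no DB row: deny
    }
    if ($row['privacy'] === 'everybody') {
        return true;
    }
    if ($viewerId === null) {
        return false;                      // restricted photo, anonymous request
    }
    $ownerId = (int) $row['userId'];
    return $viewerId === $ownerId || (bool) $isFriend($viewerId, $ownerId);
}

// $viewerId must come from the server-side session, never from a request parameter.
function serve(string $data, PDO $db, ?int $viewerId, callable $isFriend): int
{
    $img = resolve_image($data, __DIR__);
    $code = $img === null ? 404 : (may_view($db, $img['photoId'], $viewerId, $isFriend) ? 200 : 403);
    http_response_code($code);
    if ($code === 200) {
        header('Content-Type: image/jpeg');
        header('Cache-Control: private, no-store'); // keep it out of shared caches
        readfile($img['path']);
    }
    return $code;
}
```

Any privacy value other than `everybody` is treated as restricted, so a new or misspelled value fails closed.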

Den Team
Den Sep 3 '13
Topic was moved from General Chat.
dave Leader
dave Sep 3 '13

Here are some rewrite options. If you just want to keep people from hotlinking your images you can try something like this. Worked very well for me on my old site. I have not integrated this into oxwall yet but this will give you an idea.

 

This only allows authorized sites to view your images and prevents hotlinking. This means that you should make site1 your domain or you will be blocking yourself.

 

#block images by direct url all sites listed are authorized
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?site1\.com/      [NC]

#add another site here if you want (commented out for now)
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?site2\.com/      [NC]
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?site3\.com/      [NC]

#browsers send blank referrer so block url in browser too
#optional  - allow blank referrer
#RewriteCond %{HTTP_REFERER} !^$

#

#now execute the rule
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|wmv)$ - [F,NC,L]
#end block

The Forum post is edited by dave Sep 3 '13
pit
pit Nov 7 '14
I use this and the rules work fine with version 1.7.1.

#block images by direct url all sites listed are authorized
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yoursite\.com/ [NC]
#RewriteCond %{HTTP_REFERER} !^http://(.+\.)?othersite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(gif|jpg|jpeg|png|bmp|zip)$ - [F,NC,L]


by steps:

"RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yoursite\.com/ [NC]"
This line accepts opening images from your own site

#RewriteCond %{HTTP_REFERER} !^http://(.+\.)?othersite\.com/ [NC]
If you want to enable hotlinking to another friendly page, you can uncomment this line

RewriteCond %{HTTP_REFERER} !^$
This line enables permissions for other apps that can load your files. May charge http headers.

RewriteRule .*\.(gif|jpg|jpeg|png|bmp|zip)$ - [F,NC,L]
Here we apply the rules for different types of files


* change "yoursite" for your website name and "othersite" for your friendly site name

Enjoy!!!
The Forum post is edited by pit Nov 7 '14
dave Leader
dave Nov 8 '14
nothing is private if you put it on the web lol