• Welcome to the Chevereto user community!

    Here users from all over the world gather around to learn the latest about Chevereto and contribute with ideas to improve the software.

    Please keep in mind:

  • Chevereto Support CLST

    Support response

    Support checklist

    • Got a Something went wrong message? Read this guide and provide the actual error. Do not skip this.
    • Confirm that the server meets the System Requirements
    • Check for any available Hotfix - your issue could be already reported/fixed
    • Read documentation - It will be required to Debug and understand Errors for a faster support response

Posting a new photo to a password-locked album removes its password and makes it publicly accessible

gareth.uk

gareth.uk

Chevereto Member
*️⃣ Must open one ticket per issue. If you are experiencing multiple issues don't hesitate to create multiple tickets for each issue.

▶ Reproduction steps
  1. Create a password-protected album and upload some photos to it
  2. Observe that when attempting to view that album in a private tab (with no session), the padlock icon appears as a thumbnail and you must enter a password to view its contents
  3. In your original browser tab with the session still active, go back into the album and add an additional photo
  4. Now go back to your private tab and observe that while the album's thumbnail is still a padlock icon, selecting the album leads to all photos being visible without the need to enter a password
  5. Go back to your original browser tab and open the album's settings and observe that it is still set as being a password-protected album, but the password field is now empty
  6. Re-enter your password
  7. In your private tab, refresh the page and observe that it now asks for you to enter the password in order to view the album's contents
😢 Unexpected result

The password on a password-protected album should NOT be removed just by adding a new photo to it.
 
I'm really surprised to see zero activity on this a month later given how potentially serious it is. Password-protected albums are literally available for anyone to view once you either add, remove or edit any image within that album. I can't be the only person who uses private albums, right?
 
gareth.uk said:
surprised to see zero activity on this a month later
Click to expand...
I think that one month is too soon, perhaps you got used to the old release cycle. I've dropped the monthly releases and I'm aiming to pack more bugs fixes per release.
 
The release schedule is fine. It's more the total lack of response to the post that was concerning. But you've done that now.
 
I'm sorry but while I noticed some issues (like showing the hash) I was unable to replicate the issue. Are you using encryption?
 
Interesting. I can reproduce 100%. No, there's no encryption. It's at http://www.gareth.net/.

If I so much as delete a photo from one of the password-protected albums, the password is gone and you no longer need to enter it to view the album. It still has the padlock icon on it but you can just click straight through and view the contents.
 
I've been unable to replicate the issue. Make me a video showing the issue.

While checking this I noticed another issue: As I'm hashing user album password, any album editing in that case makes password editing mandatory. I think that hashing messed the whole functionality, and if an user forgets the password the only way is to reset to a new one... I think that while it means safer data is too annoying to deal with.

I'm about to remove password hashing on albums to rely exclusively on encryption to protect that secret.
 
You must log in or register to reply here.
Back
Top