
User Management and Security

In document Administrator's Guide (Page 111-128)

Gallery Server Pro uses a system of anonymous browsing, user accounts, and roles to provide a flexible security model that should satisfy most security needs. There is no limit to the number of users and roles.

Gallery Server Pro 2.3 Administrator’s Guide Page 112 of 238

By default, anonymous users - that is, those who are not logged on - can browse the albums and media objects, but they cannot perform tasks that modify data, such as adding albums, rotating an image, or site administration.

To perform a task, a user must belong to a role that has the appropriate permission. Roles can be configured with any of several permissions. Here we see a role named Read Only All Albums that provides viewing permission to all albums:

A user in the Read Only All Albums role can view any album and media object in the gallery, but cannot perform any task. The power and flexibility of Gallery Server Pro becomes apparent when you add users to more than one role. For example, a separate role can be created that provides edit permission to a single album. A user belonging to both of these roles can view all objects in the gallery but can only edit the one album.

Gallery Server Pro uses the ASP.NET Membership and Role provider model. By default, the users and roles are stored in the same database as the Gallery Server Pro data. You can optionally configure Gallery Server Pro to connect to an existing store of users. For example, you may want to integrate Gallery Server Pro with your DotNetNuke users or you may want to use the existing accounts in Active Directory. Read more about configuring the membership provider in the Membership Configuration section.

Require everyone to log on

The default configuration allows users to anonymously browse the gallery, but they are prevented from any action that modifies the media objects. To require all users to log on, even to browse, disable the anonymous browsing feature on the Site Settings - General page in the Site admin area.

As the screen shot shows, you can also prevent anonymous users from viewing the high resolution version of your photos. This can be helpful when you want to restrict access to your original photos. A special role permission named View original, high-res images can be used to give logged-on users access to these images.

Remember - a user that doesn't belong to a role has no permission to view or edit objects. Be sure to include each user in at least one role to provide the desired level of access.

Note: Gallery Server Pro cannot be configured to give anonymous users edit permission. Any action other than viewing requires that the user log in.

Users

Individuals access Gallery Server Pro anonymously or by logging on with user accounts. User accounts have access to albums and administrative tasks based on the roles to which the user belongs. Users are created and maintained on the Manage Users page in the Site administration console.

If you integrate Gallery Server Pro with an existing membership system, you can manage your users with your original system or with the user management function in Gallery Server Pro.

Create a user

Create a user by clicking Add new user… on the Manage Users page in the Site admin area.

Enter a username and password for the user. An email address can be used for the username if desired. When you leave the username field, an AJAX callback validates the username and reports whether it is already in use.

An email address is optional but is useful for allowing users to retrieve forgotten passwords.

Click Create User. A confirmation message appears in the pop-up box. Close the pop-up box and the Manage Users page will be updated with the new user you just created.

Edit a user

The General tab of the Edit user dialog allows a description and email address for the user to be updated. You can disable a user account by clicking No on the Is approved setting. Disabled users cannot log on.

You can also enable or disable the user's personal album. Note that this option does not appear when user albums are disabled.

WARNING: Disabling a user's album causes the album and its contents to be deleted!

The Roles tab allows one to configure the roles to which the user belongs.

The Password tab provides the ability to change the user’s password.

Note: To reset or change a password, select the desired option and then click the Update password button.


Roles

Permissions in Gallery Server Pro are applied to roles rather than users. Users are allowed to carry out tasks when they are a member of one or more roles that provide the appropriate permission. By combining users and roles in different configurations, you can achieve a highly configurable gallery.

Gallery Server Pro will give a user permission to perform an activity if any of the user's roles contain the requested permission, even if the others do not. For example, consider a user who belongs to three roles. Two of the roles do not have Delete album permission but the third one does. In this case, the user has permission to delete the album that is specified in the role with the Delete album permission.

Below is a list of the permissions that can be applied to a role.

Role permission Description

albums) only permission that applies to all albums in the gallery and cannot be selectively applied to individual albums.

View albums / objects

Provides a read-only view of photos, videos and other media objects. Note that it does not give access to the original, high resolution versions of images (if they exist).

View original, hi-res images

Provides read-only access to the original, high resolution versions of images, if they exist.

Add albums

Allows a user to add an album in any of three ways. The user can (a) create a new album using the Create album menu item, (b) copy an album from another album, or (c) move an album from another album.

Note 1: Adding an album by moving it from another location is allowed only if the user also has delete permission for the source album.

Note 2: When moving or copying an album, users must have Add albums permission on the destination album.

Note 3: When a user moves or copies an album, any media objects within the album are also transferred regardless of whether the user has Add media objects permission on the destination album.

Add media objects

Gives a user the ability to add media objects such as images, videos, audio files, and documents in any of three ways. The user can (a) add a new media object using the Add objects menu item, (b) copy a media object from another album, or (c) move a media object from another album.

Note 1: Adding a media object by moving it from another album is allowed only if the user also has Delete media object permission for the album from which the media object is being moved.

Note 2: A user must have both Add media objects permission and Add albums permission in order to add a ZIP file that contains one or more directories, since Gallery Server Pro converts the directories to albums.

Note 3: Only those media objects that are enabled on the Media Object Types page can be added.

Note 4: To add media objects through synchronizing, the Synchronize permission is also needed.

Edit album

Allows a user to edit album information, such as the title; summary; begin and end dates; assigned thumbnail; and sequence of media objects and child albums.

Edit media object

Allows a user to edit any media object's title. For images, it also allows rotation as well as deletion of the original, high resolution image (if it exists).

Delete child albums

Allows the deletion of a child album in one of two ways: the user can either delete an album outright, or move an album to another album.

Note: When moving an album, users must have this permission on the source album, as moving can be thought of as deleting an album from one location and adding it to another. (The user must also have permission to add an album to the destination album.)

Delete media object

Allows the deletion of a media object in one of two ways. The user can either delete a media object outright or move a media object to another album.

Note: When moving a media object, users must have this permission on the source album, as moving can be thought of as deleting an object from one location and adding it to another. (The user must also have permission to add a media object to the destination album.)

Synchronize

Provides the ability to synchronize the media object files and directories on the web server's hard drive with the records in the data store.

Note: If a user has the ability to edit the media objects directory outside the security boundary of Gallery Server Pro (such as using a utility like Windows Explorer), and the user also has Synchronize permission here, she effectively has the ability to add and delete albums and media objects, even if those permissions are not included in a user's role.

Do not show watermark on image

This permission causes images to be shown to the user in their original form, without a watermark applied. If a user belongs to more than one role with conflicting values, then watermarks are not shown. This permission is ignored if the watermark functionality is disabled for the gallery. Refer to the section Watermarking for more information.

If you integrate Gallery Server Pro with an existing role provider, you can use the original role management function to manage the roles. However, you must use the role management function in Gallery Server Pro to execute tasks that are specific to Gallery Server Pro, such as specifying the permissions and albums each role applies to.

Creating, editing, and deleting roles

The following popup window appears.

Here we are creating a role named Read Only All Albums and giving it view permission to all albums. Click Save changes to create the role.

Note: Users are assigned to a role on the Manage Users page.

Edit a role by clicking the Edit button next to a role. Similarly, a role can be deleted by clicking the Delete button.

Understanding how roles apply to the album hierarchy

Role permissions automatically propagate to all child albums of the selected album. The top level selected album(s) is considered to have explicitly assigned role permissions. Child albums are considered to have inherited role permissions because they inherit the permission from a parent album.

Since permissions apply to all child albums of a selected album, notice that all child albums become selected when you click an album, and you cannot de-select individual child albums.


Role behavior for new, moved or copied albums

Role permissions are assigned to the highest album you select, and child albums always inherit those permissions. If a child album is added, moved, or copied, it automatically inherits the permissions of its new parent album, and the previous permissions no longer apply.

When you move or copy an album that has a role explicitly assigned to it, that role stays with the album.
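The role rules described above (a permission is granted if any one role holds it, child albums inherit from the album a role is assigned to, and a move needs delete permission on the source plus add permission on the destination), modeled as an added example. This is not Gallery Server Pro code; the album tree, the role names other than Read Only All Albums, and all function names are assumptions.

```python
from dataclasses import dataclass

# Constructed album tree (album -> parent); all album and role names except
# "Read Only All Albums" are hypothetical sample data.
TREE = {"Gallery": None, "Family": "Gallery", "Vacation": "Family", "Work": "Gallery"}

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # permission names from the table above
    albums: frozenset       # albums the role is explicitly assigned to

def chain(album, tree):
    """Return the album plus every ancestor up to the root."""
    found = set()
    while album is not None:
        found.add(album)
        album = tree[album]
    return found

def is_allowed(roles, permission, album, tree=TREE):
    """Grant if ANY role holds the permission on the album or an ancestor."""
    lineage = chain(album, tree)
    return any(permission in r.permissions and bool(lineage & r.albums) for r in roles)

def can_move_media_object(roles, source, destination, tree=TREE):
    """A move is a delete on the source album plus an add on the destination."""
    return (is_allowed(roles, "Delete media object", source, tree)
            and is_allowed(roles, "Add media objects", destination, tree))

def move_album(tree, album, new_parent):
    """Re-parent an album; explicit role assignments are left untouched."""
    moved = dict(tree)
    moved[album] = new_parent
    return moved

READ_ONLY = Role("Read Only All Albums", frozenset({"View albums / objects"}),
                 frozenset({"Gallery"}))
FAMILY_EDIT = Role("Family Editors", frozenset({"Edit album", "Delete media object"}),
                   frozenset({"Family"}))
WORK_ADD = Role("Work Uploaders", frozenset({"Add media objects"}), frozenset({"Work"}))
OWNER = Role("Vacation Owner", frozenset({"Edit album"}), frozenset({"Vacation"}))
USER = [READ_ONLY, FAMILY_EDIT, WORK_ADD]

if __name__ == "__main__":
    after = move_album(TREE, "Vacation", "Work")
    print(is_allowed(USER, "Edit album", "Vacation"))            # inherited from Family
    print(is_allowed(USER, "Edit album", "Vacation", after))     # inheritance lost
    print(is_allowed([OWNER], "Edit album", "Vacation", after))  # explicit role stays
```

When reviewing a gallery's roles, the same walk up the album tree shows which explicit assignment is the source of each effective permission.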

Self Registration

Gallery Server Pro supports anonymous users creating accounts in the gallery. There are several configuration options available such as requiring a valid e-mail address, setting the default security access and more.

When self-registration is combined with user albums, a maintenance-free community gallery is possible where visitors to your site each have their own gallery with no involvement required by administrators.

Setting up self-registration

The User Settings page in the Site admin area contains configuration options:

Allow visitors to create accounts

This enables the self-registration feature. When checked, a create account link appears in the top right of each page that takes the user to a registration wizard:

When disabled, the Create account link is not shown and the only way to create a user is on the Manage Users page in the Site admin area.

Require e-mail validation to activate account

This option sends an e-mail to the user with a validation link that must be clicked before the user can log on. Enable this feature to guarantee a valid e-mail address for each account.

The e-mail sent to the user looks similar to this:

Welcome to the gallery.

Before you can use your new account you must activate it - this ensures the e-mail address you used is valid and belongs to you.

To activate your account, click the link below or copy and paste it into your browser's location bar:


http://site.com/default.aspx?g=createaccount&verify=HFXEL%2BCR5OY%3D

Once you successfully activated your account, you can throw away this e-mail. Thanks for joining.

-- Gallery Server Pro Administrator

The text of this e-mail can be changed by editing the appropriate text file in the directory \gs\templates\ of the web application.

Note: Be sure e-mail functionality is configured. This is done on the E-mail page in the Site admin area.

Note: When both e-mail validation and administrator approval are enabled, the user is first sent the verification e-mail. After the user clicks the verification link, the administrator is sent an e-mail that the user is waiting for approval.

Require administrator approval to activate account

When enabled, newly created users cannot log on until an administrator approves the account. To receive e-mail notification when an account needs approval, specify one or more administrators in the User accounts section on the User Settings page, as seen here:

To receive an e-mail, the administrator must have a valid e-mail address and e-mail functionality must be configured.

Only administrators have permission to approve users, so in most cases it makes sense to choose only from the administrators in a gallery. However, you can check the option to show all users if you want to notify a non-administrator that a user is created.


Use e-mail address for user name

The default is to allow a user to specify both a username and e-mail address, but you may want to require everyone to use an e-mail address as their account name. This can simplify things for users and administrators:

• Users need only remember one piece of information rather than two, and remembering their e-mail address is often easier than remembering a username, especially if their first choice in usernames is already taken.

• Users can have their password e-mailed to them. This is not possible when an e-mail address is optional.

When this option is enabled, the registration screen no longer requests a username:

An e-mail address that conforms to the expected format must be entered. For example, if a user enters "Billy Joe", the message Not a valid e-mail appears. But the e-mail address "[email protected]" is allowed. To force users to enter a valid e-mail address, enable the e-mail validation option discussed above.


Default roles

Visitors who register their own accounts can be added to one or more roles when the account is created. For example, you might add them to a role that removes the watermark, gives them read-only access to the entire site, or permission to upload items to a particular album.

Note: If user albums are enabled, the user is automatically given full permission to his or her personal album, even if no roles are specified here.

This setting applies ONLY to self-registered users. That is, when an administrator manually creates an account, these roles are not assigned to the user.

To assign one or more roles to new users, choose them from the drop down list:

In this screen shot, new users are added to two roles - No Watermark (has the "Do not show watermark" permission) and Read Only All Albums (gives view permission to the entire gallery).

The drop down box initially hides roles that were automatically created by the system for user albums and album owners. Typically you will never need to interact with them, but if you want to take a peek, select the checkbox Show roles that support the album ownership and user album features.
