Security Hole With Favourites

493 posts
Sun Oct 14, 18 8:39 PM CST
If someone has access to a gallery and adds photos to their "Favourites", the images remain in their Favourites collection even if their access to the gallery is removed.

They can no longer see the full gallery (unless they re-enter the password) but they can still see the photos they favourited. This means I can't fully remove someone's access to the photos without completely removing the gallery.
Michael Leenheer   || My Sytist: https://subphoto.ca/client_galleries/demo01/
16,207 posts (admin)
Mon Oct 15, 18 8:35 AM CST
I wouldn't consider that a security hole. If you want to delete someone's favorites, view their account in the admin, in the Actions tab log in as them and then delete their favorites. Or you can deactivate their account in the Actions tab.
Tim Grissett, DIA - PicturesPro.com
My Email Address: info@picturespro.com
493 posts
Mon Oct 15, 18 12:52 PM CST
It's a security hole if the person in the photos didn't want the other person to be able to see or order the pictures.

This is definitely a rare weird situation but it happened. Thanks for the tip - I will get the favourites cleared from the other account immediately.
Michael Leenheer   || My Sytist: https://subphoto.ca/client_galleries/demo01/
296 posts
Tue Oct 16, 18 6:32 AM CST
If you originally gave/allowed permission so they could add to favourites and then removed it, the issue lies with your permission granting and not the gallery system, so I would not see it as a security hole.

Mike
493 posts
Tue Oct 16, 18 10:15 AM CST
I don't want to belabour the topic; in this case, the gallery code was shared with someone by a family member, who the original client did not want to have access. The client asked for that person to be removed and to reset the gallery code.

We did all that, but then learned that the person could still place an order through their favourites even though we had reset the access code and removed them from the link. I tested it and sure enough, you can still see and order any photos that are favourited (although the direct access to the rest of the gallery is removed).

Perhaps this is a "Privacy" hole, not so much a "Security" hole. I'm not sure, they kinda feel the same to me in this situation. As I said, it's an unusual situation and hopefully not something that happens again. At least now I also know to check the person's account and see if they've saved the photos as a favourite, and then we can fully remove their access.
Edited Tue Oct 16, 18 10:17 AM by Michael Leenheer
Michael Leenheer   || My Sytist: https://subphoto.ca/client_galleries/demo01/
5 total messages
This post has been viewed 638 times
Category: Other
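The behaviour reported in this thread, next to a read-time check that closes it, as an added example that is not part of the thread and is not Sytist code. The data model and every name in it (`Store`, `grants`, `favourites_checked`, and so on) are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    """Hypothetical gallery model; not Sytist's schema."""
    gallery_of: dict                                # photo_id -> gallery_id
    grants: set = field(default_factory=set)        # current (user, gallery_id) access
    favourites: dict = field(default_factory=dict)  # user -> [photo_id, ...]

    def allowed(self, user, photo_id):
        # Single source of truth: the grant that exists right now.
        return (user, self.gallery_of[photo_id]) in self.grants

    def add_favourite(self, user, photo_id):
        if not self.allowed(user, photo_id):
            raise PermissionError("no access to this gallery")
        self.favourites.setdefault(user, []).append(photo_id)

    def revoke(self, user, gallery_id):
        # Removing gallery access does not touch saved favourites.
        self.grants.discard((user, gallery_id))

    def favourites_stale(self, user):
        # Reported behaviour: access was checked only when the photo was saved.
        return list(self.favourites.get(user, []))

    def favourites_checked(self, user):
        # Re-check the current grant every time favourites are read.
        return [p for p in self.favourites.get(user, []) if self.allowed(user, p)]

    def can_order(self, user, photo_id):
        # Ordering goes through the same check as viewing.
        return self.allowed(user, photo_id)

    def orphaned_favourites(self):
        # Audit: favourites that outlived the gallery access behind them.
        return sorted((u, p) for u, ps in self.favourites.items()
                      for p in ps if not self.allowed(u, p))

def demo():
    # Constructed sample data.
    s = Store({"p1": "g1", "p2": "g1", "p3": "g2"})
    s.grants |= {("relative", "g1"), ("relative", "g2")}
    s.add_favourite("relative", "p1")
    s.add_favourite("relative", "p3")
    s.revoke("relative", "g1")
    return s

if __name__ == "__main__":
    s = demo()
    print(s.favourites_stale("relative"), s.favourites_checked("relative"))
    print(s.orphaned_favourites())
```

`orphaned_favourites` automates the manual step described in the thread: finding saved favourites on an account whose gallery access has already been removed.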
 
©2003 - 2021 Grissett, LLC. All Rights Reserved.
