Thursday 01 October 2009 9:24:12 am
The 'standard' way to secure images would be to have them accessible only via content/download, as for other binary attributes. That would unfortunately put a huge load on the webserver, and make the whole website feel slower, as the standard index.php controller file takes too much memory and time to execute. For particular use cases, you can build a lightweight controller file, similar to the one used for serving images in cluster configurations, that serves images after checking if the user has a valid session cookie and if in his session data there is enough information present to identify him as having 'enough access rights' without having to load any eZP classes. Unfortunately the way PHP serializes session data + the way eZP stores profile information makes it a bit tricky for complex authorization configurations. You can of course build a new datatype that stores the original image in a different folder from its variations, but sites often require different types of access to the different variations (e.g. did the user buy the hi-res version?)
Principal Consultant International Business
Member of the Community Project Board
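A sketch of the lightweight controller described in the post above, added here as an example; it is not eZ Publish code and not from the poster. It assumes PHP's native session handler, a hypothetical session key `image_variations` that the main site fills with plain strings at login (so nothing in it needs eZP classes to unserialize), and hypothetical paths and cookie name.

```php
<?php
// Added example, not eZ Publish code. Assumption: at login the main site
// stores a plain array of variation names the user may fetch under the
// hypothetical session key 'image_variations' (scalars only, no objects).
const IMAGE_ROOT   = '/var/www/protected/images'; // hypothetical, outside the docroot
const SESSION_NAME = 'SITESESSID';                // must match the site's session cookie

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// No session cookie at all: refuse without creating a new session.
if (empty($_COOKIE[SESSION_NAME])) {
    deny(403);
}
session_name(SESSION_NAME);
session_start(['read_and_close' => true]); // read once, release the session lock
$allowed = $_SESSION['image_variations'] ?? [];

// Constructed request shape: gate.php?variation=large&file=1234/photo.jpg
$variation = $_GET['variation'] ?? '';
$file      = $_GET['file'] ?? '';
if (!is_array($allowed) || !is_string($variation) || !is_string($file)
    || !in_array($variation, $allowed, true)) {
    deny(403);
}

// Resolve symlinks and ../ segments, then require the result to stay inside
// the directory of the variation this session is entitled to.
$base = realpath(IMAGE_ROOT . '/' . $variation);
$path = realpath(IMAGE_ROOT . '/' . $variation . '/' . $file);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404);
}

// Serve only files whose content is actually an image.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if ($type === false || strncmp($type, 'image/', 6) !== 0) {
    deny(404);
}

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private');           // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The per-variation list is what lets a purchase of the hi-res version be reflected without loading the user's profile; the main site has to rewrite that session key whenever the user's rights change.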