Since Version 5 PicApport has a built-in user management
General
The user management is divided into three sub-areas:
Permissions
This defines which functions a user is allowed to perform. Permissions are managed in PicApport via the membership to one or more groups.
If a user is in several groups, all permissions of these groups are added together.
Filter
In addition to the global user permissions, filters on the user groups can be used to limit certain editing functions to certain photos.
As with the permissions, the filters add up (logical OR) if a user is in multiple groups. A filter is always a valid PicApport query or
the input field remains empty, if no filter is needed for a group. How to formulate queries is described in detail in: Full text search of photos - Supported metadata
The filters are as follows:
- Metadata filter
Here you can limit which images a user is allowed to see (images that a user has uploaded himself are always visible for this user).
Example: not private (The user only sees images that do not contain the word "private" in title, directory etc.) - Metadata filter edit Metdata (since Version 10.1)
This filter is only relevant if the user is allowed to change metadata. A useful usage here is the @ operator (query all images that the user has uploaded himself). If @ is entered for this filter, the user may only edit metadata of files that he has uploaded himself. - Metadata filter delete files (since Version 10.1)
This filter is only relevant if the user is allowed to delete files. A useful usage here is again the @ operator. If @ is entered for this filter, the user may only delete files that he has uploaded himself.
Theming
Since version 10.1, a separate color scheme can be defined for each user account. A color scheme consists of a base color and a background mode (light or dark).
If no special color scheme is selected for a user, the default scheme (PicApport blue on light background) is used automatically.
This can of course be be changed in the server configuration to your own preferences. ( see client.theme.color and client.theme.darktheme in the PicApport-Server Guide)
Useraccount
In order to achieve compatibility with previous versions, PicApport is configured by default that an automatic logon via the user account PicApport is done.
If the password for this account (UserId=PicApport, password=picapport) is changed or the account is deleted or disabled each user must log on to the server with the user ID and password.
By default the data of the user account management is stored in the directory ./picapport/users. If this directory does not exist when PicApport starts, it will be created automatically
with the following default settings:
| User-ID | Name | Password | Member of group | Remarks |
|---|---|---|---|---|
| admin | System administrator | admin | System administration | We strongly recommend that you change the admin-password after the initial installation. |
| picapport | PicApport | picapport | Family | Before version 5 PicApport had no user management. For private networks this is simply more
|
| guest | Guest | guest | Guests | This is our proposal for a guest account with limited privileges |
Groups
All permissions a user has in PicApport, are achieved by a group membership . The following rules apply :
- A user is always a member of at least one group
- A user can be a member of multiple groups. He then receives the sum of all permissions of all groups (union)
By default the data of the group account management is stored in the directory ./picapport/users. If this directory does not exist when PicApport starts, it will be created automatically
with the following default settings:
| Group-ID | Name | remarks |
|---|---|---|
| admins | System administration | Upon delivery, members of this group have the following permissions:
|
| family | Family | Upon delivery, members of this group have the following permissions:
|
| guests | Guests | Upon delivery, members of this group have the following permissions:
|
Log in to the server (User Session)
When the PicApport web interface is launched in the browser, the following sequence applies to determine the user account for the current session:
- Check for shared link: If a valid sid is included in the request parameter, then the current tab is registered as a shared link.
- Check for AccessToken: If a valid atu is included in the request parameter, then the user with this AccessToken is logged in (see alsoThe PicApport URL's ).
(The AccessToken is generated via the user management web GUI from the user's context menu). - Check for IP-Adress: If a user account is linked for the current IP address, then this user account is logged in.
- Check for PicApport Account: If there is a user account PicApport with password picapport then this account will be logged in.
- If no valid user could be determined while working through the above points, the logon page is displayed.
Permissions
| ID of permission | Since | Description |
|---|---|---|
| Permission group Administration | ||
| pap:admin:user | Permission to create, update or delete a user | |
| pap:admin:user:local | Permission to add a user to own user-group(s) | |
| pap:admin:group | Permission to create, update or delete a user-group | |
| pap:admin:changeownpassword | Permission to change own password | |
| pap:admin:assignipadress | Permission to assign an IP-Address to own account | |
| pap:admin:shares | 6.2 | Permission to manage shared photos (links) |
| pap:admin:useroptions | 6.2 | Permission to set user options by entering commands in the search field |
| pap:admin:server | 7.6 | Permission for server administration via the Web GUI. |
| pap:admin:addon:config | 9.0 | Permission to set configuration parameters of add-ons. |
| Permission group photo access | ||
| pap:access:uploads | Permission to upload files | |
| pap:access:ownuploadsvisible | Uploaded photos from a user are always visible to that user independent from filter settings. | |
| pap:access:downloads | Permission to download files (photos in original size) | |
| pap:access:metadata | Permission to view photo metadata | |
| pap:access:share | 6.2 | Permission to share photos (create link) |
| pap:access:removephotos | 7.6 | Permission to remove photos. |
| Permission group program functions | ||
| pap:feature:search | Permission for full-text searches (Visibility: global search) | |
| pap:feature:options | Permission to set search options (Visibility: search options) | |
| pap:feature:timeline | 8.1 | Permission to use the Timeline. (Visibility: Timeline) |
| pap:feature:dyncol:view | Permission to view 'dynamic collections' (Visibility: 'dynamic collections') | |
| pap:feature:dyncol:edit:glob | Create, update or delete of global 'dynamic collections' | |
| pap:feature:dyncol:edit:group | Create, update or delete of 'dynamic collections' for own user-groups | |
| pap:feature:dyncol:edit:user | Create, update or delete of 'dynamic collections' for own user-account | |
| pap:feature:offcol | Permission to create 'local collections' | |
| pap:feature:dirbrowser | Permission to start directory-browser. (Visibility: directories/folder) | |
| pap:feature:msg:newfotos | Info about new photos. If set, user gets notified on landing page when new photos are available. | |
| pap:feature:msg:queryresult | If set, the query and number of photos found will be displayed in the thumbnail view. | |
| pap:feature:map | 5.3 | Permission to use the integrated map module. |
| pap:feature:mapedit | 7.6 | Permission to edit markers on map. |
| pap:feature:designs:select | 6.0.3 | Permission to select a design. |
| pap:feature:designs:changedefault | 6.0.3 | Permission to set the default design. |
| pap:feature:thumbs:canselect | 6.0.3 | Permission to select photos in the thumbnail view. (Planned for Version 7) |
| pap:feature:sharescreen:send | 7.2.0 | Permission to share own screen. |
| pap:feature:sharescreen:receive | 7.2.0 | Permission to access remote screen. |
| pap:feature:sharescreen:autorecieve | 7.2.0 | Permission to access remote screen automatically during slideshow. (e.g. for picture frame). |
Permission group edit metadata | ||
| pap:editmeta:mytags:like | 7.0 | Permission to like a photo. |
| pap:editmeta:mytags:tags | 7.0 | Permission to manage usertags (MyTags). |
| pap:editmeta:geo:location | 7.0 | Permission to set geolocations (geotagging). |
| pap:editmeta:photo | 7.0 | Permission to edit photo metadata. (Title, description, date, etc.) |
Properties
Key | Default | Typ | Seit Version | Beschreibung |
|---|---|---|---|---|
| user.encryption.iterations | 1701 | int | V5.0.0 | SHA-512-Iterations for password hashes |
| user.password.min | 1 | int | V5.0.0 | Minimum password length |
| user.password.max | 75 | int | V5.0.0 | Maximum password length |
| user.log.access | false | boolean | V5.0.0 | extended logging on server for user access |
Technical infos
XML-Persistence
User-XML
| XML-Path | Attribute | Example value | Description |
|---|---|---|---|
| userdefinition:user | id | testuser@test.net | Unique ID of a Users |
| name | Max Mustermann | Display name of a user | |
| description | the quick brown fox jumps over the lazy dog | description | |
| active | true | Flag if user is active | |
| created | 149370075385 | Creation date of account in milliseconds since 1.1.1970 | |
| lastupdate | 149370825561 | Last update of account in milliseconds since 1.1.1970 | |
| lastlogin | 149370325561 | Last login of user in milliseconds since 1.1.1970 | |
| userdefinition:user:security: password | hashed-value | x3ASj9ahC93 ... 8IH23XgcP+Dh8 | Password hashed value |
| unhashed-value | klartextpasswort | Password in clear text. (You can use this to manually set a password) On Startup PicApport will automatically create a hashed-value from this | |
| userdefiniton:user:ip-addresses:ip-address | value | 10.66.77.1 | IP-Address for automatic login |
| userdefinition:user:attributes:attribute | name | street | Attribute-name |
| value | Mainstreet 2 | Attribute-value |
Roles / Groups-XML
| XML-Path | Attribute | Example value | Description |
|---|---|---|---|
| roledefinition:role | id | guests | Unique ID of this role / group |
| name | Gäste | Display name of role / group | |
| description | the quick brown fox jumps over the lazy dog | Description | |
| active | true | Flag if group is active | |
| roledefinition:role:members:member | id | testuser@test.net | Member of this role / group |
| roledefinition:role: permissions: permission | value | pap:access:downloads | All permissions of this role / group |
| roledefiniton:role:attributes:attribute | name | street | Attribute-name |
| value | Mainstreet 2 | Attribute-value |
Encryption / hashing
PicApport uses two different encryption methods.
- To store passwords on the server they will be hashed(SHA-512) with a salt and a fixed number of iterations.
- To transfer passwords from the client to the server an asymmetric crypt-system (RSA) is used.
Storing passwords on the server
The number of iterations can be set in the server configuration.
| Algorithm | Salt-size | Iterations | Usage |
|---|---|---|---|
| SHA-512 | 17 Bytes | 1701 (can be configured) | Storing passwords on the server |
Encryption Client-Server-Communication
| Algorithm | Public key size | usage |
|---|---|---|
| RSA | 1024 bit | Creation of public keys for the web-clients to encrypt passwords. For each session PicApport will generate a new keypair. |