
Ticket #95 (closed defect: fixed)

Opened 3 years ago

Last modified 8 days ago

Routing misinterprets an album named movies as a request to display movie item

Reported by: tnalmdal Owned by: bharat
Priority: blocker Milestone: 3.0.4
Version: 3.0 Alpha 1 Keywords:
Cc: nivekiam, mamoun.diraneyya@…, dmolavi

Description

If you create an album called movies (I discovered this when I was testing local changes to the local_import module with a sub-directory movies), the creation works fine and the children are created properly.

When you go to open the album to view the contents, the pretty url that was generated for the album is gallery3/index.php/movies. This url gets misinterpreted by the router, which tries to load the index page of a movie item instead of the album called movies.

Change History

Changed 3 years ago by andy_st

  • owner set to bharat
  • status changed from new to assigned

Changed 3 years ago by tnalmdal

I was also able to recreate it by trying to use the options to add a new album called photos or albums.

Changed 3 years ago by bharat

This is expected behavior, that we discussed a while back. Relevant threads:

http://www.nabble.com/Future-of-Gallery-(continued)-td19312304.html

Search for "Require modules to prefix their urls" for a discussion of possible solutions, also see my "road ahead" Google doc.

Changed 3 years ago by andy_st

Changed 3 years ago by bharat

  • milestone changed from 3.0 Alpha 2 to 3.0 Beta 1

Changed 3 years ago by bharat

  • milestone changed from 3.0 Alpha 3 to 3.0 Beta 1

Changed 3 years ago by bharat

  • milestone changed from 3.0 Beta 1 to 3.0 Alpha 3

Changed 3 years ago by bharat

  • milestone changed from 3.0 Alpha 3 to 3.0 Beta 1

Changed 3 years ago by bharat

  • milestone changed from 3.0 Beta 1 to 3.0 Beta 2

Changed 3 years ago by bharat

  • milestone changed from 3.0 Beta 1 to 3.0 Beta 2

Changed 3 years ago by bharat

  • milestone changed from 3.0 Beta 2 to 3.0 Beta 3

No solution yet.

Changed 3 years ago by bharat

Ideas:
1) Use a prefix like /_/ before non-view urls. Eg: http://example.com/gallery3/index.php/_/rss/feed/comment/newest -- prefix can vary.

2) Ignore it and hope it goes away. Head -> sand.

3) Implement some kind of "url conflict detection" that you can run as a maintenance task

4) Detect when the user is about to create/move/edit an item to generate a conflict w/ a controller and don't let 'em do it.

5) Always expect that a url will be an item and then fall back to trying controllers if you can't find it (or aren't allowed to view it).

Changed 3 years ago by andy_st

Proposed solution, primarily based on ckdake's proposal of "assume it's an album, then if it's not found, try a controller":

- No namespaces, no reserved prefix.
- On each request, assume it's an album / photo request and if there's no item matching the path, try other controllers.
- No checks / warnings when creating a top level album (since we'd have to check and warn in too many places, e.g. add from X, add from Y, add album, edit album, alternative "add album" controller, when installing modules). So let's not do that, no warnings at that time.
- When logged in as admin, show warning about conflicts. Probably show such warnings only in the admin area.
- Basically, adding a top level "slideshow" album will hide all slideshow module views. We'd suggest to rename the album to "Slideshow" (capital S), "slideshows" or anything else that fits.

Challenge:
What about "admin"? A malicious user can create an "admin" album and thus prevent admins from going into the admin area.
Is it sufficient that an admin can rename / delete such an album anyway?
If there's no warning displayed, an admin might not realize what's going on and how to fix it.
-> Probably need an exception in the URL routing to give the "admin" controller precedence over the other controllers.

Discussion:
http://tools.gallery2.org/gallerylogs/20090804.log
(ckdake's proposal starts @ 22:54)

Changed 3 years ago by tnalmdal

  • milestone changed from 3.0 Beta 3 to 3.1

Changed 3 years ago by tnalmdal

  • owner changed from bharat to tnalmdal

Changed 3 years ago by tnalmdal

  • owner changed from tnalmdal to bharat

Changed 3 years ago by floridave

Creating an album called 'admin' is an issue as well. Although 'Admin' works.

Changed 3 years ago by nivekiam

  • cc nivekiam added

Same for "albums" or "photos"...

https://sourceforge.net/apps/trac/gallery/ticket/791

Changed 2 years ago by mamouneyya

  • cc mamoun.diraneyya@… added

Changed 21 months ago by dmolavi

  • cc dmolavi added

Changed 8 days ago by bharat

  • status changed from assigned to closed
  • resolution set to fixed
  • milestone changed from 3.2 to 3.0.4

I "fixed" this in aac18ef8339054e134fa3e52788a80e6907dfba5 by disallowing creation of top level albums that have the same name as any controller. This doesn't deal with the case where you create an album with that name lower down and then move it up, but I think it covers the 80% case.
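As an added illustration (not Gallery 3 code, and not the commit referenced above), the following models the two routing orders discussed in this ticket and the name check from the eventual fix. The controller names, the reserved set and the case-sensitive comparison (matching floridave's observation that 'Admin' works) are assumptions made for the example.

```python
# Constructed set of first-path-segment controller names (assumption, not Gallery 3's real list).
CONTROLLERS = {"movies", "albums", "photos", "slideshow", "admin", "rss"}
# Controllers that keep precedence over items, per andy_st's "admin" challenge (assumption).
RESERVED_ALWAYS = {"admin"}


def first_segment(path):
    """Return the first path segment of a pretty URL like 'movies/12'."""
    return path.strip("/").split("/")[0]


def route_controller_first(path, top_level_albums):
    """Original behaviour: a controller name wins, so an album 'movies' is shadowed."""
    seg = first_segment(path)
    if seg in CONTROLLERS:
        return ("controller", seg)
    if seg in top_level_albums:
        return ("item", seg)
    return ("404", seg)


def route_item_first(path, top_level_albums):
    """Idea #5 / andy_st's proposal: items first, controllers as fallback,
    except that reserved controllers (admin) always take precedence so a
    user-created 'admin' album cannot lock admins out of the admin area."""
    seg = first_segment(path)
    if seg in RESERVED_ALWAYS and seg in CONTROLLERS:
        return ("controller", seg)
    if seg in top_level_albums:
        return ("item", seg)
    if seg in CONTROLLERS:
        return ("controller", seg)
    return ("404", seg)


def top_level_name_allowed(name):
    """Check from the fix: refuse top-level album names equal to a controller.
    Case-sensitive here, so 'Admin' passes while 'admin' does not (assumption).
    Apply it on create AND on move-to-top-level to close the gap noted above."""
    return name not in CONTROLLERS


def conflicting_top_level_albums(top_level_albums):
    """Admin-area warning from the proposal: top-level albums shadowing a controller."""
    return sorted(n for n in top_level_albums if n in CONTROLLERS)
```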
