Tuesday, September 2, 2014

Secure your media files in a read-only gallery

People who want to share their media assets with the world through a website typically have one of two views:

  • I want to fully manage my media files through the website, including adding and deleting media. That is, I want a Digital Asset Management System (DAMS).
  • I already have a process for managing my files; I just want to expose a read only gallery on my website. That is, I want a Web Gallery.

Both of these are valid and supported in Gallery Server Pro. In this post I’ll focus on the second approach – exposing a collection of files in a read-only gallery.

Who would want to do this?

I would, for one. Like a lot of people, I have accumulated thousands of photos and videos over the years. My master collection of media files is stored on a desktop PC in my home. No matter how I acquire a media asset – whether it’s through my cell phone, tablet, video camera, or sent to me from someone else – they all end up on my PC. I want 24/7 availability to these files, but I don’t want to keep my PC running all the time nor do I want to run a web server from home. It would be great if I could copy these files to a web server and set that up as a read-only gallery.

Who else would want to do this?

  • You run a business and have all your media files on a shared drive. You want to expose them internally or on a public website but want to guarantee no one can delete your assets through the website.
  • You run a web server from your home and want to expose your media collection, but are worried about the security risks. You don’t want to trust that a web gallery is truly secure; you need to keep things locked down for your own peace of mind.
  • You have a system in place for adding, editing and deleting your files. It works but you want to make it easier for those who just want to browse the files.

Setting up the read-only gallery

Configuring a gallery to be read-only is easy. It all takes place on the Media Objects – General page in the site admin area:

[screenshot: rog1]

Select the option Media files are read-only and then save. That’s it. From now on, Gallery Server Pro won’t modify any of your original media files. It also won’t let users or even admins make any changes to files, as seen here in this screenshot of the Actions menu:

[screenshot: rog2]

When a gallery is read-only, users cannot create albums or upload files, nor can they move, copy or delete albums and media objects. That is, they cannot perform any action that modifies the original media files. However, users can synchronize, download, sort, edit titles, captions and tags, and administrators can change settings in the Site admin area, including managing users and roles.

Prerequisites

There are a few requirements that must be met before a gallery can be made read only:

  • User albums must be disabled
  • The directory for the thumbnail and compressed images must be different than the original media objects directory
  • The option Synchronize directory names with album titles must be disabled

This should come as no surprise since these options have the potential to modify files, so they must be configured such that this isn’t possible. If any settings have the wrong value, your gallery will notify you when you try to enable the read-only option.

How do I manage files in a read-only gallery?

To add or remove media files to or from your gallery, use a tool like Windows Explorer or an FTP program to add or delete the files from the media file directory. Then run the synchronize function to have the gallery auto-detect the file changes. You can turn on the auto-sync function on the Albums – General page so you don’t have to manually run a sync.

In very large galleries, a sync can take a long time even when there aren’t any changes. That’s because the application has to iterate through every file in the gallery. If this becomes an issue, instead of auto-syncing you can create a script to periodically run a sync on one or more down-level albums. You’ll find this option below the auto-sync settings:

[screenshot: rog3]

You can use Windows Task Scheduler to start a sync on any schedule you choose. Do a Google-Bing search on task scheduler http request for more info.
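As an added example (not code from the post or from Gallery Server Pro), here is how the scheduled sync described above can be set up from PowerShell instead of clicking through Task Scheduler. It assumes the sync URL shown below the auto-sync settings on the Albums – General page; the value below is a placeholder, as are the script path and the task name. The script exits non-zero on a failed request so Task Scheduler's Last Run Result shows whether the sync was triggered.

```powershell
# Added example, not part of the original post.
# ASSUMPTION: $SyncUrl is the sync URL copied from the Albums - General page
# (placeholder here); the script path and task name are also assumptions.
$SyncUrl    = 'https://gallery.example.com/PLACEHOLDER-SYNC-URL'
$ScriptPath = 'C:\Scripts\Run-GallerySync.ps1'

# The script the task will run: one HTTP request to the sync URL.
# A non-zero exit code is recorded by Task Scheduler as Last Run Result,
# so a failed sync is visible without a separate log file.
$script = @'
param([string]$Url)
try {
    # Syncs on large galleries can take a while; allow a long timeout.
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 600
    if ($r.StatusCode -ne 200) { exit 1 }
} catch {
    exit 1
}
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $script

# Run the script nightly at 3 AM under the low-privilege Local Service
# account rather than an administrator's credentials.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Url `"$SyncUrl`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\LocalService' -LogonType ServiceAccount

Register-ScheduledTask -TaskName 'GalleryServerPro-Sync' -Action $action `
    -Trigger $trigger -Principal $principal `
    -Description 'Nightly Gallery Server Pro sync (added example)'
```

After registering, Task Scheduler shows the task under the Task Scheduler Library; run it once by hand and check Last Run Result is 0x0 before relying on the nightly trigger.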

As mentioned earlier, management tasks that don’t affect the original media file are still available. That means you can still assign album thumbnails, sort albums, and edit titles, captions and tags.

One more piece for bullet-proof security

The previous steps will give you a read-only gallery, but one should acknowledge the security risks that are still present:

  • If a hacker gets your administrator credentials, they can log in, turn off the read-only setting, and then proceed to wreak havoc in your gallery.
  • A hacker can exploit an unpatched security hole in Gallery Server Pro to damage your gallery. (None are known at this time, however.)

You can eliminate these risks by configuring the IIS application pool identity to have read-only access to the media directory. When you do this, the OS’s file security system will prevent IIS and the gallery from making any changes to the file system, thus giving you an extra layer of protection.

Start by identifying the application pool identity your website is using. In IIS Manager, right click the web application and choose Manage Application – Advanced Settings. You’ll see the application pool identity in the dialog window:

[screenshot: rog4]

Now figure out the identity the application pool is running under. Click the Application Pools node in the left pane of IIS Manager, find the app pool name in the center pane and notice the value in the Identity column. Here we see it’s running under ApplicationPoolIdentity:

[screenshot: rog5]

This next part is confusing and trips up a lot of people, including me the first few times I did it. The term ApplicationPoolIdentity is not the actual name of the user account in Windows. Instead, it is telling you the identity is the name of the application pool concatenated to IIS APPPOOL. In our case, since the pool is named DefaultAppPool, the user account is IIS APPPOOL\DefaultAppPool.

If the identity was something other than ApplicationPoolIdentity, like LocalService, NetworkService, or an AD account, then you don’t need to do any of this dancing around. The identity is simply what it says.

Open Windows Explorer and navigate to the directory containing your media files. Right click the folder and choose Properties. Click the Security tab and choose Edit, then click Add on the Permissions window:

[screenshot: rog6]

Type in the pool identity. In our case we enter IIS APPPOOL\DefaultAppPool:

[screenshot: rog7]

Verify that the OS recognizes the name by clicking Check Names. When valid, the name becomes underlined. In our case Windows decides to drop the IIS APPPOOL prefix, although oddly it wouldn’t have worked to just type in DefaultAppPool:

[screenshot: rog8]

Click OK and then assign read-only permission for the account:

[screenshot: rog9]

Click OK a couple times to close all the windows. That should be it, although I should note a few things:

  • Your system might already be giving the user account write or modify permission through one of the other permissions. If this is the case you’ll need to revoke those permissions or change them to read-only. A good way to test that you truly have read-only permission on your app pool is to disable the read-only option in your gallery and then try to make a change that modifies a file (uploading a file, rotation, or deletion). If it succeeds then you still have work to do with your permissions.
  • Your app pool identity needs modify permission to the directories where your thumbnails and web-optimized images are stored. Adjust as needed.
  • These screenshots were made on Win 8.1. Other OS’s may look slightly different.
  • If using a hosting provider, you may not be able to adjust settings to the detail shown here. Poke around their control panel to find out what settings they expose.
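The permission steps above can also be applied and, more importantly, audited from an elevated PowerShell prompt. The following is an added example, not code from the post or from Gallery Server Pro: it grants the app pool identity read-only access on the media directory and Modify on the thumbnail and web-optimized directories, then lists every ACE (explicit or inherited) that still grants a write-class right to the identity or to a group it belongs to, which is the "other permissions" problem the first note warns about. The pool name, the three paths and the list of group memberships are assumptions to adjust for your server.

```powershell
# Added example, not part of the original post. Run elevated on the web server.
# ASSUMPTIONS: the pool is DefaultAppPool and the three directories exist.
$PoolIdentity = 'IIS APPPOOL\DefaultAppPool'     # virtual account for pool "DefaultAppPool"
$MediaDir     = 'D:\gallery\media'               # original media files: read-only
$WritableDirs = 'D:\gallery\thumbnails', 'D:\gallery\optimized'   # need Modify

function Grant-FolderRights {
    param([string]$Path, [string]$Identity, [string]$Rights)
    $acl = Get-Acl -Path $Path
    # Inherit to subfolders and files so the rule covers the whole tree.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Any of these rights lets an account change, delete or re-permission files.
# The generic bits (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) appear
# on inherited ACEs and are included so they are not missed.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

# Groups an ApplicationPoolIdentity account is a member of (assumption:
# default memberships; extend this list if you added the pool to others).
$ImpliedGroups = 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'Everyone'

function Find-WriteAces {
    # Returns every Allow ACE on $Path that grants a write-class right to the
    # identity itself or to one of the groups it belongs to.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $WriteBits) -ne 0) -and
        (($_.IdentityReference.Value -ieq $Identity) -or
         ($ImpliedGroups -icontains $_.IdentityReference.Value))
    }
}

# 1. Read-only on the originals, Modify where the gallery must write.
Grant-FolderRights -Path $MediaDir -Identity $PoolIdentity -Rights 'ReadAndExecute'
foreach ($dir in $WritableDirs) {
    Grant-FolderRights -Path $dir -Identity $PoolIdentity -Rights 'Modify'
}

# 2. Audit: anything listed here still lets the pool modify original files.
$offending = Find-WriteAces -Path $MediaDir -Identity $PoolIdentity
if ($offending) {
    Write-Warning "These ACEs still allow writes to $MediaDir by the app pool; revoke or narrow them:"
    $offending | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "OK: $PoolIdentity has no write-class rights on $MediaDir"
}
```

The audit deliberately looks at inherited entries too: a Modify ACE for BUILTIN\Users inherited from the drive root is the usual reason the upload-and-rotate test in the first note still succeeds after the pool identity itself was given read-only access.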

When finished, you’ll have a bullet-proof gallery you can share with customers, friends and relatives. Cheers!
