PicApport - User Management
Since version 5 PicApport has a built-in user management.
General
User
To remain compatible with previous versions, PicApport is configured by default so that an automatic logon via the user account PicApport is performed.
If the password for this account (UserId=PicApport, password=picapport) is changed, or the account is deleted or disabled, every user must log on to the server with a user ID and password.
By default the data of the user account management is stored in the directory ./picapport/users. If this directory does not exist when PicApport starts, it is created automatically with the following default settings:
User-ID | Name | Password | Member of group | Remarks |
---|---|---|---|---|
admin | System administrator | admin | System administration | We strongly recommend that you change the admin password after the initial installation. |
picapport | PicApport | picapport | Family | Before version 5 PicApport had no user management. For private networks this is simply more |
guest | Guest | guest | Guests | This is our proposal for a guest account with limited privileges. |
Groups
All permissions a user has in PicApport are granted through group membership. The following rules apply:
- A user is always a member of at least one group.
- A user can be a member of multiple groups and then receives the union of the permissions of all those groups.
By default the data of the group account management is stored in the directory ./picapport/users. If this directory does not exist when PicApport starts, it is created automatically with the following default settings:
Group-ID | Name | Remarks |
---|---|---|
admins | System administration | Upon delivery, members of this group have the following permissions: |
family | Family | Upon delivery, members of this group have the following permissions: |
guests | Guests | Upon delivery, members of this group have the following permissions: |
Log in to the server (User Session)
When the PicApport web interface is opened in the browser, the following sequence is used to determine the user account for the current session:
- Check for shared link: if a valid sid is included in the request parameters, the current tab is registered as a shared link.
- Check for AccessToken: if a valid atu is included in the request parameters, the user with this AccessToken is logged in (see also The PicApport URLs). The AccessToken is generated via the user management web GUI from the user's context menu.
- Check for IP address: if a user account is linked to the current IP address, this user account is logged in.
- Check for PicApport account: if there is a user account PicApport with password picapport, this account is logged in.
- If no valid user could be determined in the above steps, the logon page is displayed.
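The session-resolution order above, written out as an added example (not PicApport's own code) so that the precedence of the four checks, and the effect of changing the default password, can be exercised. The `User`, `Request` types, the sample store and the `check_password` callback are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class User:
    id: str
    active: bool = True                                   # 'active' flag of the user XML
    ip_addresses: Set[str] = field(default_factory=set)   # ip-addresses:ip-address values
    access_tokens: Set[str] = field(default_factory=set)  # tokens issued in the user GUI


@dataclass
class Request:
    client_ip: str
    params: Dict[str, str] = field(default_factory=dict)  # request parameters, e.g. sid, atu


def resolve_session(req: Request, users: Dict[str, User], valid_share_ids: Set[str],
                    check_password: Callable[[str, str], bool]) -> Tuple[str, Optional[str]]:
    """Walk the documented sequence; returns ("share", sid), ("user", id) or ("login", None)."""
    sid = req.params.get("sid")
    if sid is not None and sid in valid_share_ids:        # 1. valid shared-link id
        return ("share", sid)
    atu = req.params.get("atu")
    if atu is not None:                                   # 2. valid access token
        for u in users.values():
            if u.active and atu in u.access_tokens:
                return ("user", u.id)
    for u in users.values():                              # 3. account linked to client IP
        if u.active and req.client_ip in u.ip_addresses:
            return ("user", u.id)
    default = users.get("picapport")                      # 4. default account, only while
    if default and default.active and check_password("picapport", "picapport"):
        return ("user", "picapport")                      #    its shipped password is unchanged
    return ("login", None)                                # 5. otherwise show the logon page


# Constructed sample store: admin is bound to an IP address, guest holds an access token.
USERS = {
    "admin": User("admin", ip_addresses={"10.66.77.1"}),
    "guest": User("guest", access_tokens={"atu-guest-1"}),
    "picapport": User("picapport"),
}
SHARE_IDS = {"sid-family-2024"}


def default_password_unchanged(user_id: str, password: str) -> bool:
    # Stand-in for the server's password check: the default account still has its shipped password.
    return user_id == "picapport" and password == "picapport"
```

Passing a `check_password` that rejects the shipped credentials shows the fall-through to the logon page once the default password has been changed.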
Permissions
ID of permission | Since | Description |
---|---|---|
Permission group Administration | | |
pap:admin:user | | Permission to create, update or delete a user |
pap:admin:user:local | | Permission to add a user to own user-group(s) |
pap:admin:group | | Permission to create, update or delete a user-group |
pap:admin:changeownpassword | | Permission to change own password |
pap:admin:assignipadress | | Permission to assign an IP address to own account |
pap:admin:shares | 6.2 | Permission to manage shared photos (links) |
pap:admin:useroptions | 6.2 | Permission to set user options by entering commands in the search field |
pap:admin:server | 7.6 | Permission for server administration via the Web GUI |
pap:admin:addon:config | 9.0 | Permission to set configuration parameters of add-ons |
Permission group photo access | | |
pap:access:uploads | | Permission to upload files |
pap:access:ownuploadsvisible | | Photos uploaded by a user are always visible to that user, independent of filter settings |
pap:access:downloads | | Permission to download files (photos in original size) |
pap:access:metadata | | Permission to view photo metadata |
pap:access:share | 6.2 | Permission to share photos (create link) |
pap:access:removephotos | 7.6 | Permission to remove photos |
Permission group program functions | | |
pap:feature:search | | Permission for full-text searches (Visibility: global search) |
pap:feature:options | | Permission to set search options (Visibility: search options) |
pap:feature:timeline | 8.1 | Permission to use the Timeline (Visibility: Timeline) |
pap:feature:dyncol:view | | Permission to view 'dynamic collections' (Visibility: 'dynamic collections') |
pap:feature:dyncol:edit:glob | | Create, update or delete global 'dynamic collections' |
pap:feature:dyncol:edit:group | | Create, update or delete 'dynamic collections' for own user-groups |
pap:feature:dyncol:edit:user | | Create, update or delete 'dynamic collections' for own user account |
pap:feature:offcol | | Permission to create 'local collections' |
pap:feature:dirbrowser | | Permission to start the directory browser (Visibility: directories/folder) |
pap:feature:msg:newfotos | | Info about new photos. If set, the user is notified on the landing page when new photos are available |
pap:feature:msg:queryresult | | If set, the query and the number of photos found are displayed in the thumbnail view |
pap:feature:map | 5.3 | Permission to use the integrated map module |
pap:feature:mapedit | 7.6 | Permission to edit markers on the map |
pap:feature:designs:select | 6.0.3 | Permission to select a design |
pap:feature:designs:changedefault | 6.0.3 | Permission to set the default design |
pap:feature:thumbs:canselect | 6.0.3 | Permission to select photos in the thumbnail view (Planned for Version 7) |
pap:feature:sharescreen:send | 7.2.0 | Permission to share own screen |
pap:feature:sharescreen:receive | 7.2.0 | Permission to access a remote screen |
pap:feature:sharescreen:autorecieve | 7.2.0 | Permission to access a remote screen automatically during a slideshow (e.g. for a picture frame) |
Permission group edit metadata | | |
pap:editmeta:mytags:like | 7.0 | Permission to like a photo |
pap:editmeta:mytags:tags | 7.0 | Permission to manage user tags (MyTags) |
pap:editmeta:geo:location | 7.0 | Permission to set geolocations (geotagging) |
pap:editmeta:photo | 7.0 | Permission to edit photo metadata (title, description, date, etc.) |
Properties
Key | Default | Type | Since version | Description |
---|---|---|---|---|
user.encryption.iterations | 1701 | int | V5.0.0 | SHA-512 iterations for password hashes |
user.password.min | 1 | int | V5.0.0 | Minimum password length |
user.password.max | 75 | int | V5.0.0 | Maximum password length |
user.log.access | false | boolean | V5.0.0 | Extended logging on the server for user access |
Technical infos
XML-Persistence
User-XML
XML-Path | Attribute | Example value | Description |
---|---|---|---|
userdefinition:user | id | testuser@test.net | Unique ID of a user |
userdefinition:user | name | Max Mustermann | Display name of a user |
userdefinition:user | description | the quick brown fox jumps over the lazy dog | Description |
userdefinition:user | active | true | Flag if user is active |
userdefinition:user | created | 149370075385 | Creation date of account in milliseconds since 1.1.1970 |
userdefinition:user | lastupdate | 149370825561 | Last update of account in milliseconds since 1.1.1970 |
userdefinition:user | lastlogin | 149370325561 | Last login of user in milliseconds since 1.1.1970 |
userdefinition:user:security:password | hashed-value | x3ASj9ahC93 … 8IH23XgcP+Dh8 | Hashed password value |
userdefinition:user:security:password | unhashed-value | klartextpasswort | Password in clear text (you can use this to set a password manually). On startup PicApport automatically creates a hashed-value from it. |
userdefinition:user:ip-addresses:ip-address | value | 10.66.77.1 | IP address for automatic login |
userdefinition:user:attributes:attribute | name | street | Attribute name |
userdefinition:user:attributes:attribute | value | Mainstreet 2 | Attribute value |
Roles / Groups-XML
XML-Path | Attribute | Example value | Description |
---|---|---|---|
roledefinition:role | id | guests | Unique ID of this role / group |
roledefinition:role | name | Gäste | Display name of the role / group |
roledefinition:role | description | the quick brown fox jumps over the lazy dog | Description |
roledefinition:role | active | true | Flag if group is active |
roledefinition:role:members:member | id | testuser@test.net | Member of this role / group |
roledefinition:role:permissions:permission | value | pap:access:downloads | All permissions of this role / group |
roledefinition:role:attributes:attribute | name | street | Attribute name |
roledefinition:role:attributes:attribute | value | Mainstreet 2 | Attribute value |
Encryption / hashing
PicApport uses two different cryptographic methods.
- To store passwords on the server, they are hashed (SHA-512) with a salt and a fixed number of iterations.
- To transfer passwords from the client to the server, an asymmetric cryptosystem (RSA) is used.
Storing passwords on the server
The number of iterations can be set in the server configuration.
Algorithm | Salt-size | Iterations | Usage |
---|---|---|---|
SHA-512 | 17 Bytes | 1701 (can be configured) | Storing passwords on the server |
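Added example (not PicApport's code) tying the User-XML section to the hashing table above: it performs the documented startup step of turning an `unhashed-value` into a salted, iterated SHA-512 `hashed-value`, using the page's 17-byte salt and 1701-iteration default, and drops the clear text. The way salt and digest are chained and encoded, and the XML layout of the constructed sample, are assumptions; the page gives only the algorithm, salt size and iteration count.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

ITERATIONS = 1701  # default of user.encryption.iterations (from the page)
SALT_LEN = 17      # salt size from the page


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # Assumed chaining: SHA-512(salt || password), then re-hash salt || digest per iteration.
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(salt + digest).digest()
    return digest


def encode_stored(salt: bytes, digest: bytes) -> str:
    # Assumed storage encoding: base64(salt || digest), so the salt travels with the hash.
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password: str, stored: str, iterations: int = ITERATIONS) -> bool:
    raw = base64.b64decode(stored)
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt, iterations), digest)


# Constructed sample laid out after the XML-path table; the real file layout may differ.
SAMPLE_USER_XML = """<userdefinition>
  <user id="testuser@test.net" name="Max Mustermann" active="true">
    <security><password unhashed-value="klartextpasswort"/></security>
    <ip-addresses><ip-address value="10.66.77.1"/></ip-addresses>
  </user>
</userdefinition>"""


def convert_cleartext_passwords(xml_text: str, iterations: int = ITERATIONS) -> str:
    """Replace every unhashed-value with a freshly salted hash and remove the clear text."""
    root = ET.fromstring(xml_text)
    for pw in root.iter("password"):
        clear = pw.get("unhashed-value")
        if clear is None:
            continue
        salt = os.urandom(SALT_LEN)
        pw.set("hashed-value", encode_stored(salt, hash_password(clear, salt, iterations)))
        del pw.attrib["unhashed-value"]  # the clear text must not remain on disk
    return ET.tostring(root, encoding="unicode")


def stored_hash(xml_text: str) -> str:
    # Helper for checks: hashed-value of the first password element in the document.
    return ET.fromstring(xml_text).find(".//password").get("hashed-value")
```

Raising user.encryption.iterations well above the default is advisable, since 1701 rounds of SHA-512 is a small work factor against offline guessing of a leaked users directory.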
Encryption Client-Server-Communication
Algorithm | Public key size | Usage |
---|---|---|
RSA | 1024 bit | Creation of public keys for the web-clients to encrypt passwords. For each session PicApport will generate a new keypair. |