PicApport - Usermanagement

Since version 5, PicApport has built-in user management.

General

User

In order to stay compatible with previous versions, PicApport is configured by default so that an automatic logon via the user account PicApport is performed.
If the password for this account (UserId=PicApport, password=picapport) is changed, or the account is deleted or disabled, every user must log on to the server with a user ID and password.

By default the data of the user account management is stored in the directory ./picapport/users. If this directory does not exist when PicApport starts, it will be created automatically with the following default settings:

User-ID: admin
  Name: System administrator
  Password: admin
  Member of group: System administration
  Remarks: We strongly recommend that you change the admin password after the initial installation.
  Upon delivery, only the admin user is authorised to create additional users.
  To log in as an administrator, go to the main page of PicApport, click on the hamburger menu at the top and select logoff. Now you can log in with the admin account and manage users and permissions.

User-ID: picapport
  Name: PicApport
  Password: picapport
  Member of group: Family
  Remarks: Before version 5 PicApport had no user management. For private networks this is simply more convenient.
  To keep this behaviour in new versions as well, we deliver PicApport with a standard user PicApport. If you access the PicApport server with a browser, the user PicApport is logged in automatically if the following applies:
    • A user account PicApport with password picapport exists and is active

User-ID: guest
  Name: Guest
  Password: guest
  Member of group: Guests
  Remarks: This is our proposal for a guest account with limited privileges.

Groups

All permissions a user has in PicApport are granted through group membership. The following rules apply:

  • A user is always a member of at least one group.
  • A user can be a member of multiple groups. The user then receives the sum of all permissions of all those groups (union).

By default the data of the group account management is stored in the directory ./picapport/users. If this directory does not exist when PicApport starts, it will be created automatically with the following default settings:

Group-ID: admins
  Name: System administration
  Remarks: Upon delivery, members of this group have the following permissions:
    • All permissions except
      • Permission to remove photos (must be explicitly activated)
      • Permission for server administration via the Web GUI

Group-ID: family
  Name: Family
  Remarks: Upon delivery, members of this group have the following permissions:
    • All permissions except:
      • Permission to create, update or delete a user
      • Permission to add a user to own user-group(s)
      • Permission to create, update or delete a user-group
      • Permission to set geolocations (geotagging)
      • Permission to edit photo metadata (title, description, date, etc.)
      • Permission to remove photos

Group-ID: guests
  Name: Guests
  Remarks: Upon delivery, members of this group have the following permissions:
    • Permission for full-text searches (Visibility: global search)
    • Permission to set search options (Visibility: search options)
    • Permission to view 'dynamic collections' (Visibility: 'dynamic collections')

Log in to the server (User Session)

When the PicApport web interface is launched in the browser, the following sequence is applied to determine the user account for the current session:

  1. Check for shared link: If a valid sid is included in the request parameters, the current tab is registered as a shared link.
  2. Check for AccessToken: If a valid atu is included in the request parameters, the user with this AccessToken is logged in (see also: The PicApport URLs).
    (The AccessToken is generated via the user management web GUI from the user's context menu.)
  3. Check for IP address: If a user account is linked to the current IP address, this user account is logged in.
  4. Check for PicApport account: If there is a user account PicApport with password picapport, this account is logged in.
  5. If no valid user could be determined while working through the above points, the logon page is displayed.
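The logon order above and the group-union rule from the Groups section, re-implemented over in-memory records as an added example. This is not PicApport code: the user, group and share records are constructed sample data, and the field names (access_tokens, ip_addresses, groups) are this example's own, not the server's XML attribute names. It shows why step 4 matters: while the compatibility account exists, is active and keeps its default password, every client that reaches the server is logged in as a member of the Family group without seeing the logon page.

```python
"""Toy model of PicApport's documented logon order and group-based permissions.

Added example, not PicApport code. Records are constructed in memory; the real
server reads them from ./picapport/users and the HTTP request.
"""
from dataclasses import dataclass, field

# the compatibility account, user id and password as listed in the default-user table
DEFAULT_ACCOUNT = ("picapport", "picapport")


@dataclass
class User:
    userid: str
    password: str                     # clear text only in this toy; the server stores salted hashes
    groups: set
    active: bool = True
    ip_addresses: set = field(default_factory=set)   # assumed field: IPs linked for auto-logon
    access_tokens: set = field(default_factory=set)  # assumed field: atu values issued via the GUI


@dataclass
class Group:
    groupid: str
    permissions: set
    active: bool = True


def effective_permissions(user, groups):
    """A user gets the union of the permissions of every active group it belongs to."""
    perms = set()
    for gid in user.groups:
        grp = groups.get(gid)
        if grp is not None and grp.active:
            perms |= grp.permissions
    return perms


def resolve_session(params, client_ip, users, shares):
    """Apply the documented order: sid, atu, linked IP, default account, logon page.

    Returns ("share", sid), ("user", userid) or ("login", None).
    """
    # 1. shared link: a valid sid registers the tab as a share; no user account is involved
    if params.get("sid") in shares:
        return ("share", params["sid"])
    # 2. access token: a valid atu logs in the user the token was generated for
    atu = params.get("atu")
    if atu is not None:
        for usr in users.values():
            if usr.active and atu in usr.access_tokens:
                return ("user", usr.userid)
    # 3. an account linked to the client's IP address
    for usr in users.values():
        if usr.active and client_ip in usr.ip_addresses:
            return ("user", usr.userid)
    # 4. compatibility account: only while it exists, is active and still has the default password
    uid, pwd = DEFAULT_ACCOUNT
    usr = users.get(uid)
    if usr is not None and usr.active and usr.password == pwd:
        return ("user", uid)
    # 5. nothing matched: show the logon page
    return ("login", None)


# constructed sample data mirroring the delivered defaults (permission sets abbreviated)
SAMPLE_GROUPS = {
    "admins": Group("admins", {"pap:admin:user", "pap:admin:group", "pap:access:downloads"}),
    "family": Group("family", {"pap:access:uploads", "pap:access:downloads", "pap:feature:search"}),
    "guests": Group("guests", {"pap:feature:search", "pap:feature:options", "pap:feature:dyncol:view"}),
}
SAMPLE_USERS = {
    "admin": User("admin", "admin", {"admins"}, access_tokens={"token-admin-CONSTRUCTED"}),
    "picapport": User("picapport", "picapport", {"family"}),
    "guest": User("guest", "guest", {"guests"}, ip_addresses={"10.66.77.1"}),
    "relative": User("relative", "secret-CONSTRUCTED", {"family", "guests"}),
}
SAMPLE_SHARES = {"share-CONSTRUCTED-1"}


def lock_down(users):
    """Copy of `users` in which the compatibility account no longer has its default password."""
    locked = dict(users)
    locked["picapport"] = User("picapport", "CHANGED-password", {"family"})
    return locked


if __name__ == "__main__":
    print(resolve_session({}, "192.0.2.10", SAMPLE_USERS, SAMPLE_SHARES))             # ('user', 'picapport')
    print(resolve_session({}, "192.0.2.10", lock_down(SAMPLE_USERS), SAMPLE_SHARES))  # ('login', None)
    print(sorted(effective_permissions(SAMPLE_USERS["relative"], SAMPLE_GROUPS)))
```

Two points for an operator follow directly from the order: a valid sid or atu wins over everything else, so issued access tokens and share links deserve the same care as passwords, and step 3 trusts the source IP address, which is only as strong as the network between client and server.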

Permissions

Each entry gives the permission ID, the version in which it was introduced (where stated), and its description.

Permission group Administration
  • pap:admin:user - Permission to create, update or delete a user
  • pap:admin:user:local - Permission to add a user to own user-group(s)
  • pap:admin:group - Permission to create, update or delete a user-group
  • pap:admin:changeownpassword - Permission to change own password
  • pap:admin:assignipadress - Permission to assign an IP address to own account
  • pap:admin:shares (since 6.2) - Permission to manage shared photos (links)
  • pap:admin:useroptions (since 6.2) - Permission to set user options by entering commands in the search field (see: User Options)
  • pap:admin:server (since 7.6) - Permission for server administration via the Web GUI
  • pap:admin:addon:config (since 9.0) - Permission to set configuration parameters of add-ons. It is up to the respective add-on whether and how this permission is used.

Permission group photo access
  • pap:access:uploads - Permission to upload files
  • pap:access:ownuploadsvisible - Uploaded photos from a user are always visible to that user, independent of filter settings
  • pap:access:downloads - Permission to download files (photos in original size)
  • pap:access:metadata - Permission to view photo metadata
  • pap:access:share (since 6.2) - Permission to share photos (create link)
  • pap:access:removephotos (since 7.6) - Permission to remove photos

Permission group program functions
  • pap:feature:search - Permission for full-text searches (Visibility: global search)
  • pap:feature:options - Permission to set search options (Visibility: search options)
  • pap:feature:timeline (since 8.1) - Permission to use the Timeline (Visibility: Timeline)
  • pap:feature:dyncol:view - Permission to view 'dynamic collections' (Visibility: 'dynamic collections')
  • pap:feature:dyncol:edit:glob - Create, update or delete global 'dynamic collections'
  • pap:feature:dyncol:edit:group - Create, update or delete 'dynamic collections' for own user-groups
  • pap:feature:dyncol:edit:user - Create, update or delete 'dynamic collections' for own user account
  • pap:feature:offcol - Permission to create 'local collections'
  • pap:feature:dirbrowser - Permission to start the directory browser (Visibility: directories/folder)
  • pap:feature:msg:newfotos - Info about new photos. If set, the user is notified on the landing page when new photos are available.
  • pap:feature:msg:queryresult - If set, the query and the number of photos found are displayed in the thumbnail view.
  • pap:feature:map (since 5.3) - Permission to use the integrated map module
  • pap:feature:mapedit (since 7.6) - Permission to edit markers on the map
  • pap:feature:designs:select (since 6.0.3) - Permission to select a design
  • pap:feature:designs:changedefault (since 6.0.3) - Permission to set the default design
  • pap:feature:thumbs:canselect (since 6.0.3) - Permission to select photos in the thumbnail view (planned for version 7)
  • pap:feature:sharescreen:send (since 7.2.0) - Permission to share own screen
  • pap:feature:sharescreen:receive (since 7.2.0) - Permission to access a remote screen
  • pap:feature:sharescreen:autorecieve (since 7.2.0) - Permission to access a remote screen automatically during a slideshow (e.g. for a picture frame)

Permission group edit metadata
  • pap:editmeta:mytags:like (since 7.0) - Permission to like a photo
  • pap:editmeta:mytags:tags (since 7.0) - Permission to manage user tags (MyTags)
  • pap:editmeta:geo:location (since 7.0) - Permission to set geolocations (geotagging)
  • pap:editmeta:photo (since 7.0) - Permission to edit photo metadata (title, description, date, etc.)

Properties

Key (Default, Type, Since version) - Description

  • user.encryption.iterations (1701, int, V5.0.0) - SHA-512 iterations for password hashes
  • user.password.min (1, int, V5.0.0) - Minimum password length
  • user.password.max (75, int, V5.0.0) - Maximum password length
  • user.log.access (false, boolean, V5.0.0) - Extended logging on the server for user access

Technical infos

XML-Persistence

User-XML

For each XML path the entries below list: attribute = example value - description.

XML-Path: userdefinition:user
  • id = testuser@test.net - Unique ID of a user
  • name = Max Mustermann - Display name of a user
  • description = the quick brown fox jumps over the lazy dog - Description
  • active = true - Flag whether the user is active
  • created = 149370075385 - Creation date of the account in milliseconds since 1.1.1970
  • lastupdate = 149370825561 - Last update of the account in milliseconds since 1.1.1970
  • lastlogin = 149370325561 - Last login of the user in milliseconds since 1.1.1970

XML-Path: userdefinition:user:security:password
  • hashed-value = x3ASj9ahC93 … 8IH23XgcP+Dh8 - Hashed value of the password
  • unhashed-value = klartextpasswort - Password in clear text. (You can use this to manually set a password.) On startup PicApport will automatically create a hashed-value from this attribute and then remove the unhashed-value.

XML-Path: userdefinition:user:ip-addresses:ip-address
  • value = 10.66.77.1 - IP address for automatic login

XML-Path: userdefinition:user:attributes:attribute
  • name = street - Attribute name
  • value = Mainstreet 2 - Attribute value

Roles / Groups-XML

For each XML path the entries below list: attribute = example value - description.

XML-Path: roledefinition:role
  • id = guests - Unique ID of this role / group
  • name = Gäste - Display name of the role / group
  • description = the quick brown fox jumps over the lazy dog - Description
  • active = true - Flag whether the group is active

XML-Path: roledefinition:role:members:member
  • id = testuser@test.net - Member of this role / group

XML-Path: roledefinition:role:permissions:permission
  • value = pap:access:downloads - All permissions of this role / group (one element per permission)

XML-Path: roledefinition:role:attributes:attribute
  • name = street - Attribute name
  • value = Mainstreet 2 - Attribute value

Encryption / hashing

PicApport uses two different cryptographic mechanisms.

  • To store passwords on the server, they are hashed (SHA-512) with a salt and a fixed number of iterations.
  • To transfer passwords from the client to the server, an asymmetric cryptosystem (RSA) is used.

Storing passwords on the server

The number of iterations can be set in the server configuration.

  Algorithm: SHA-512
  Salt size: 17 bytes
  Iterations: 1701 (can be configured)
  Usage: Storing passwords on the server
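The startup step described in the User-XML section (an unhashed-value is turned into a hashed-value and then removed) together with the salted, iterated SHA-512 storage from the table above, as an added example rather than PicApport's own code. Two things in it are assumptions: the element nesting is inferred from the XML-path notation of the User-XML table, and the page only names SHA-512, a 17-byte salt and a configurable iteration count without saying how they are combined, so this example uses PBKDF2-HMAC-SHA-512 and stores base64(salt || digest). The sample file is constructed from the example values in the table.

```python
"""Startup conversion of unhashed-value into hashed-value for a PicApport-style user file.

Added example, not PicApport code. ASSUMED: element nesting (inferred from the
XML paths) and the hash construction (PBKDF2-HMAC-SHA-512, base64(salt||digest)).
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

ITERATIONS = 1701   # user.encryption.iterations, default from the properties table
SALT_SIZE = 17      # bytes, from the hashing table

# constructed sample user file in the inferred layout (values from the User-XML table)
SAMPLE_USER_XML = """<userdefinition>
  <user id="testuser@test.net" name="Max Mustermann" active="true">
    <security>
      <password unhashed-value="klartextpasswort"/>
    </security>
    <ip-addresses>
      <ip-address value="10.66.77.1"/>
    </ip-addresses>
  </user>
</userdefinition>"""


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Assumed construction: base64(salt || PBKDF2-HMAC-SHA-512(password, salt, iterations))."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)        # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password, hashed_value, iterations=ITERATIONS):
    """Recompute with the salt embedded in hashed_value and compare in constant time."""
    raw = base64.b64decode(hashed_value)
    salt = raw[:SALT_SIZE]
    candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, hashed_value)


def convert_unhashed_passwords(xml_text):
    """Emulate the documented startup step for every <password> element.

    Each unhashed-value is replaced by a freshly computed hashed-value and the
    unhashed-value attribute is deleted. Returns (new_xml_text, converted_count).
    """
    root = ET.fromstring(xml_text)
    converted = 0
    for pw in root.iter("password"):
        clear = pw.attrib.get("unhashed-value")
        if clear is None:
            continue
        pw.set("hashed-value", hash_password(clear))
        del pw.attrib["unhashed-value"]
        converted += 1
    return ET.tostring(root, encoding="unicode"), converted


def hashed_value_of(xml_text, userid):
    """Return the hashed-value stored for a user id, or None (inferred layout)."""
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        if user.get("id") == userid:
            pw = user.find("security/password")
            return None if pw is None else pw.get("hashed-value")
    return None


if __name__ == "__main__":
    new_xml, count = convert_unhashed_passwords(SAMPLE_USER_XML)
    print(f"converted {count} password(s)")
    print(new_xml)
```

Two operational notes follow from the documented design. Until the next server start, a manually entered unhashed-value sits in clear text in ./picapport/users, so that directory deserves restrictive file permissions. And 1701 iterations is a modest work factor by current standards (OWASP's password storage guidance recommends iteration counts in the hundreds of thousands for PBKDF2-HMAC-SHA-512); since user.encryption.iterations is configurable, raising it is a cheap hardening step, at the cost of slightly slower logons.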

Encryption Client-Server-Communication

  Algorithm: RSA
  Public key size: 1024 bit
  Usage: Creation of public keys for the web clients to encrypt passwords

For each session PicApport will generate a new key pair.