4
DonXoop,
Thanks for the reply. Yes, you're absolutely right. I am trying to disallow/avoid direct file calls. I have made no changes to the module (and it must be a module problem, because I tried to access private images on websites using the same module, and had no problem, even without logging in).
Dropping the index.html file that you mentions has no effect because I have already disabled directory browsing, so all they'll see then is an access denied message. The problem is; if you know the filename and folder of the image file, simply inputing that path in the URL bar will show the image regardless of wether you are logged in or not. I did report this on the forum for the myAlbum-p module that I am using, but so far has no replies. I am sure there must be something I am missing, because I can't see how this can't be left so open. All the other modules I currently use doesn't have security mechanisms that can be so easily circumvented.
Let me ask this; what's the best way for an image module to store images so that they can't be accessed. I tried to .htaccess protect the photos directory, but then I get that pesky little password box even if the user is logged in.
Elevator.