DSM 7.0 Guest users are able to see every shared Picture without the share link or login by opening .../:5001/photo/#/shared_space/folder/1

[el-berto]

I have some of my photo folders shared with different people to enable them to download the pictures of the specific folder that I shared with them.

For example:

I share a folder with wedding pictures via Link with a customer A.
I share another folder of family pictures via Link with customer B.

Every customer should only be able to access only the corresponding folder so I create a special share-link for everyone of them. Just like you would share a folder in dropbox or google drive. I have set the links to "Public - anyone with the link can download". In my opinion this should only include users who have the special link and not include anyone wo knows the generic link or edits the number in the share link to "1" https://<yourname>.synology.me:5001/photo/#/shared_space/folder/1

Everyone who opens this link can see every one of those shared folders (= folders from customer A AND customer B) without using a specific link or any kind of login. Is this normal?

I have deactivated "Allow guests to view photos and viedeos in the root folder of Shared Space" in Synology Photos settings if this has anything to do with it.
If this is normal behaviour Synology Photos is unusable for me as I have to make sure that only users who use a specific link can access the pictures and noone else.

Even when I protect the shared folders with passwords you are still able to see all the folders including the names and first thumbnails.

 

[Rusty]

Guessing you haven’t made a DSM account for each and limited access to the corresponding album for the corresponding account?

 

[el-berto]

No, I haven't. But why should I do so? Photo Station on DSM 6 worked like Dropbox or Google drive. The Share Link only granted access to users who had this specific link.
I have a lot of customers and a lot of folders to share and I don't want to create new DSM Users for them.
I just want it to work like Photo Station on DSM 6.

-- post merged: 14. Nov 2021 --

Even worse: I just noticed, that if anyone who uses the Share-Link can click on "All-Photos" on the top left side and get directly access to ALL shared folders!
This is in now way GDPR compliant and might get my business in serious trouble!

 

[jeyare]

First: you are owner of the photos and it is up to you how you will handle the security about them. It’s your own responsibility.
Same is your own responsibility to use DSM7 or the new Photos pckg.
Because Synology doesn’t care about your privacy, even privacy of your customers. Or do you have a contract signed by Synology, that they will care about it? No.

Second:
usage of generic links for sharing is dangerous, because anyone who knows your domain can use it to view all your content.
And your link is pretty generic:

https://<yourname>.synology.me:5001/photo/#/shared_space/folder/1

Nothing is for free in this world.

List of recommendations:
- you need more secure attitude (your link is an example of basic principle infringement)
- use RP (reverse proxy)
- use URL shortening
- use controlled connection to your data.

All the pills for such illnesses you can find in this forum.

This is not an excuse for Synology's behavior. I'm the last one. But it is not possible to be irresponsible and demand only benefits. The right to own a NAS does not make a person a security expert. Reason why you need to pay for cloud based services - where someone supports it.

 

[el-berto]

You're right. That's why I have two options now:

1. Find a way to share folders from my Synology NAS with my customers that works like Dropbox, Google Drive or even Photo Station on DSM 6. One link leads to only one folder with no access to any other folder.

2. Switch to another NAS or get a big space on Dropbox or Google Drive.

P. S.: The generic link isn't even the problem. As soon as you access Synology Photos via any kind of share link you can click on "All Photos" and get access to all shared folders, even without tempering with any kind of URL.

 

[Rusty]

Why not use a password protected shared via Photos? Each customer gets its own case closed.

 

[el-berto]

Even if a folder is password protected, you can still see the folder and its name. As I use Names like "Wedding Family Miller" this name contains personal information, even this information should not be visible to other people.

But I found a workaround: If you add a folder to an album, you can share the album and this just works like the old sharing in Photo Station: you get an cryptic link that only leads to this one album with no access to any other shared albums (at least as far as I tested). It would be great if sharing folders would work the same way, bit for now this is better than nothing.
It would be great if Synology would implement this for folders, too, in future updates. As creating an album is for my workflow an unnecessary step because it exactly contains just the one folder.

 

[Rusty]

I was referring to the albums but miss understood your initial post about shared folders. I use album links with password to share and you found out it works just fine.

Not sure Syno will implement same feature on the folder view. The philosophy has changed a bit in this regard compared to PhotoStation so best to not have any hope on that front.

 

[jeyare]

I don’t use DSM7 on each my NASes, because many reasons.

but:
‘Public - anyone with the link can download’ is absolutely no way for a sharing any data. Because you can also put there a label “Welcome here, feel free to use my data”.

Q:
do you need to show/preview them photos only, or the purpose is a way how to
download the photos? When you need just download, w/o initial preview, you can use FileStation/Share folder. You can also control all the Shared links, …

 

[el-berto]

but:
‘Public - anyone with the link can download’ is absolutely no way for a sharing any data. Because you can also put there a label “Welcome here, feel free to use my data”.

But what is the sharing folders function for, then? I can't even think of any scenario that I would like the whole world to be able to access my shared folders without a cryptic link or login.
In comparison to services like Dropbox or Google Drive: There is no link that enables everyone to see and access every of your shared folders.
Why are you able to share folders via Link in the first place when this results in the whole world beeing able to access them?
But I don't mind now, I just won't use sharing folders, I will just use sharing albums.

Q:
do you need to show/preview them photos only, or the purpose is a way how to
download the photos? When you need just download, w/o initial preview, you can use FileStation/Share folder. You can also control all the Shared links, …

I used Phot Station for two purposes:

• At first give a preview of the pictures and let the customer make the selection via rating. The customer can use the rating function to select the pictures he likes to get edited and leaves a comment what to edit exactly. Therefore I used to share a folder in Photo Station without download permission.
• When the pictures are finalized I put them in a second folder and send the customer a link with download permission, so he can download the final pictures in full resolution from there.

I've just seen that the new Synology Photos update brings back the rating function, but still the ability to make comments seems to be missing. Sadly the update isn't already online in my country, but I think it will be available in the next days or weeks or maybe I will do the update manually.

 

[jeyare]

you can use Piwigo

Piwigo - Open source photo management software

Manage your photo library with Piwigo! Free and open source software to organize and share your photos and digital media on the web.

piwigo.org

I don't like it, but it is possible:

Plugin to enable simple sharing of private albums.
For any private album, you can generate a unique URL that you can share with the users you trust in enough to browse an album. No user nor password is required by default for visitors of this trusted link.

incl. comments:

incl EXIF:

in docker container:

much better is when it is running out of the Docker

and you can definitely forget for the Syno Photo environment, as me year ago

 

[holo3]

Been going through the same issue. Now sharing photos to clients using Synology Drive and it works!

 

[Gerard]

When I share thru photos I’m not seeing the same result of what’s claimed here (sharing a folder thru a shared link they can access all photos.) a screenshot of what screen your doing it from will help, something is being done a different way it seems