
Configuration

Albumer supports a number of configuration options. Currently all of them are set by editing PHP files; a web interface restricted to a super-user is planned for a future version.

The server_settings.php file
The following variables can be modified:
$root_url - Sets the HTTP URL of Albumer's homepage (e.g. http://www.yourdomain.com/albumer). This is currently not critical because it is used infrequently, but future Albumer versions are planned to depend on it more.

$public_server - Set to true or false. This allows or disallows people to create new user accounts. By default this is set to true, which means anyone who can reach the site can register; set it to false if only accounts you create yourself should exist.

$max_file_size - Sets the maximum size an uploaded image is allowed to be.

$allow_user_module_uploads - Set to true or false. This allows or disallows users to upload modules. Allowing users to upload modules is a HUGE security problem: modules are PHP code executed on the server, so any user who can upload one can run arbitrary code with the web server's privileges. It is highly recommended that this option be set to false unless all users are trusted completely or Albumer is set up for a single user. By default this is set to false.

$allow_user_skin_uploads - Set to true or false. This allows or disallows users to upload skins. Skins are XML documents and are not executed like modules, so the security concerns of allowing them are much smaller (an uploaded skin is still parsed and rendered, so it is not risk-free). By default this is set to true.

Securing Albumer
Security is a major concern of any web application. This section gives a few tips for making Albumer safer to run.

1 - Albumer does not require PHP's register_globals to be set to On. It is highly recommended that this option be set to Off in your php.ini file (it was removed entirely in PHP 5.4, so on a current PHP it is always off).

2 - Sessions are used by Albumer to remember user info. It is conceivable that these can be modified (e.g. by another PHP page on the server, or even by a module), allowing an account to be hijacked. It would be a good idea to change the session variable names located in server_globals.php. By default the variables are called session_user, session_level and session_ip. Note that renaming them only raises the bar: any PHP code that shares the same session store can still read and write them under the new names, so the real protection is not running untrusted PHP (see the module upload option above) alongside Albumer.

3 - It would be wise to change the passwords used to access the MySQL Albumer database. Two users are defined during setup, albumer and albumer_user, which use the passwords gawd and peon, respectively. albumer_user is used by modules to limit their privileges, but with the default password known, a module could simply connect as albumer instead and gain more access. It is highly recommended that these be changed immediately. To do so:
a. If you haven't installed the database yet, change the passwords in albumer_tables.sql. Otherwise log in to MySQL and change each user's password there (ALTER USER on current servers, SET PASSWORD on older ones).
b. Change the password used by albumer in server_global.php (look for the word gawd).
c. Change the password used by albumer_user in user_global.php (look for the word peon).
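The whole rotation in one script, as an added example rather than anything shipped with Albumer. It assumes the two MySQL accounts are 'albumer'@'localhost' and 'albumer_user'@'localhost', that the defaults gawd and peon appear as plain quoted literals in server_global.php and user_global.php, and that the install directory is given as the first argument; the SQL is printed rather than executed so you can review it before piping it into the mysql client.

```shell
#!/bin/sh
# Added example (not Albumer's own code): rotate the two database passwords
# and patch the PHP files that embed them. Assumptions: the MySQL users are
# 'albumer'@'localhost' and 'albumer_user'@'localhost', the default passwords
# appear in server_global.php / user_global.php as quoted literals, and the
# install directory is passed as the first argument.
set -eu

# 24 random alphanumeric characters. Alphanumeric only, so the value can be
# embedded in a sed pattern, a PHP string literal and a SQL string literal
# without any escaping.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# SQL statement that sets a user's password. ALTER USER exists from MySQL
# 5.7.6 / MariaDB 10.2; on older servers use
#   SET PASSWORD FOR 'user'@'localhost' = PASSWORD('...');
# $1 user name, $2 new password
password_sql() {
    printf "ALTER USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$1" "$2"
}

# Replace every occurrence of the old password literal in a file, in place,
# and fail if the old value is not present, so a wrong path or an
# already-rotated file is noticed instead of silently ignored.
# $1 file, $2 old password, $3 new password
replace_password() {
    grep -q "$2" "$1" || { echo "old password not found in $1" >&2; return 1; }
    sed "s/$2/$3/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Rotate both accounts: update the PHP files in place and print the SQL
# that must be run against MySQL (pipe it into `mysql -u root -p`).
# $1 Albumer install directory
rotate_albumer_passwords() {
    dir=$1
    admin_pw=$(gen_password)
    user_pw=$(gen_password)
    replace_password "$dir/server_global.php" gawd "$admin_pw"
    replace_password "$dir/user_global.php"   peon "$user_pw"
    password_sql albumer      "$admin_pw"
    password_sql albumer_user "$user_pw"
}

# Usage: sh rotate_passwords.sh /var/www/albumer | mysql -u root -p
if [ "$#" -gt 0 ]; then
    rotate_albumer_passwords "$1"
fi
```

Run it once per installation; a second run fails on purpose because the default literals are gone, which is the check you want. Back up the two PHP files first, and restart nothing: PHP reads the files on each request, so the new passwords take effect as soon as the SQL has been applied.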