We’re happy to announce the immediate availability of Gallery Server 4.1. It includes built-in support for Active Directory Groups, a new blacklist option for the auto-logon feature, several workflow enhancements, and more than a dozen bug fixes. Applying it to your 4.0 installation is easy: just copy the files from the upgrade package over your existing installation. There are no web.config changes to merge and you don’t have to worry about the version_key.txt file or your license information. Get the upgrade package from your downloads page. If you are upgrading from an earlier version, follow the instructions in the Admin Guide.
Active Directory Groups integration
The biggest enhancement in 4.1 is the ability to use Active Directory groups as roles in your gallery. We’re excited about this feature because it’s been on a lot of people’s wish list for a long time. Until recently, Gallery Server required an administrator to manually manage the role membership of AD accounts. For example, when a new employee was added to your organization, you needed to find that user in Gallery Server and add them to the appropriate roles.
Things improved in 4.0, when we introduced support for specifying one or more roles that users are always a member of. By default, all users are now members of a new Authenticated Users role. You can configure this role to give read-only access to all items in the gallery (or any other permission you want). Then, when a new employee is added, she has immediate access to the gallery without requiring admin intervention.
While this is helpful, it’s an all or nothing approach. Either all users are members of a role or they are not. For example, there wasn’t a way to automatically give employees in the Engineering group edit access to the Engineering album and your Marketing employees edit access to the Marketing album. Sure, you can create roles named Engineering and Marketing and manually add users to each role, but that duplicates effort, introduces the possibility of errors, and wastes time.
Gallery Server 4.1 solves this by including a new role provider called the Active Directory Role Provider. When configured, the roles shown on the Roles page are actually the AD groups in your organization, and the list of users in each group is pulled from AD. When you add a user to an AD group through your normal Active Directory workflow, that membership is discovered and enforced by Gallery Server. No more adding users to roles in Gallery Server!
Enabling it is easy. Add the new role provider to the roleManager section of your web.config file:
This configuration tells Gallery Server to pay attention to only two groups: Gallery Server Admins and Gallery Server Users. Edit as needed for your requirements. We recommend this whitelist approach for best performance, usability, and reliability. The provider also supports a blacklist mode where all groups are recognized except for those explicitly specified. See the Admin Guide for full documentation.
The Active Directory Role Provider is supported in Gallery Server Enterprise and higher editions.
Auto-logon blacklist option
Version 4.0 introduced a new URL-based automatic logon feature. For example, you can construct a URL to your gallery with a username specified, like this: http://site.com/?user=Vino. Gallery Server recognizes the user and automatically logs that user in. No password required.
There are a number of scenarios where this is useful:
Share access to your gallery – or a subset of your gallery such as a single album – with a convenient link. For example, create a user named EuropeanVacation and give it read access to your album of vacation photos. Then give your friends the link http://site.com/?user=EuropeanVacation. All they will see are the media assets that user has access to.
You want to give users access to a task that requires them to be logged on but you don’t want to give them a username and password. For example, say you have a public website that asks users to submit photos for a contest. Gallery Server requires users to be logged on to access the upload page, so you create an account named PhotoContestSubmitter and put it in a role with upload permissions to a particular album. Then, on your website, you create a link to the upload page like this: http://site.com/?user=PhotoContestSubmitter. Users will be able to upload photos without going through a logon page.
Show various, filtered views of your gallery. For example, say you have a website containing a gallery of thousands of clock photos and you want to make it easy for your users to browse different categories. You can create a user to represent each category and give it access to the albums in that category. Your website can present each category as a custom link. See clockdoc.org for an example of a website that does this.
Obviously, there are some security concerns here. You wouldn’t want any user to just add “?user=Admin” to your gallery to get in as an administrator. To prevent this, you have to explicitly specify in the web.config file the users that can log in:
In this example, only the users Vino and Mateo can be auto-logged on. We refer to this as a whitelist approach, since only users explicitly listed can log on.
We heard from some of you that a blacklist approach would provide more flexibility and be easier to manage in certain circumstances. So we added blacklist support in 4.1. It looks like this:
<add key="GalleryServerAutoLogonUsers" value="*,-Admin,-Manager" />
Use the asterisk to specify that all users are allowed, then enter a comma-separated list of usernames with a preceding hyphen (-). In the above example, all users can be auto-logged on except for Admin and Manager.
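The whitelist and blacklist forms described above can be checked against a list of privileged accounts before a web.config is deployed; in blacklist mode any account that is not listed, including one created later, is eligible for auto-logon. The Python sketch below is an added example, not Gallery Server's own code. Case-insensitive matching, whitespace trimming, treating a missing key as "feature off", the function names and the SiteOwner account are assumptions.

```python
import xml.etree.ElementTree as ET

KEY = "GalleryServerAutoLogonUsers"  # appSettings key name as shown on this page

def parse_policy(value):
    """Split the setting into (wildcard, allowed names, denied names)."""
    wildcard, allowed, denied = False, set(), set()
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        if token == "*":
            wildcard = True                       # blacklist mode
        elif token.startswith("-"):
            denied.add(token[1:].strip().lower())
        else:
            allowed.add(token.lower())            # whitelist entry
    return wildcard, allowed, denied

def can_auto_logon(value, username):
    """True if the setting would let ?user=<username> log on without a password."""
    wildcard, allowed, denied = parse_policy(value)
    name = username.strip().lower()               # assumption: names compare case-insensitively
    if name in denied:
        return False
    return wildcard or name in allowed

def audit(web_config_xml, privileged):
    """Return the privileged accounts that the config exposes to auto-logon."""
    root = ET.fromstring(web_config_xml)
    value = ""                                    # assumption: missing key means nobody is allowed
    for node in root.findall("./appSettings/add"):
        if node.get("key") == KEY:
            value = node.get("value", "")
    return sorted(u for u in privileged if can_auto_logon(value, u))

# Constructed sample input: two minimal web.config files and a hypothetical
# list of accounts that hold admin-level permissions in the gallery.
TEMPLATE = ('<configuration><appSettings><add key="GalleryServerAutoLogonUsers" '
            'value="{}" /></appSettings></configuration>')
BLACKLIST_CONFIG = TEMPLATE.format("*,-Admin,-Manager")
WHITELIST_CONFIG = TEMPLATE.format("Vino,Mateo")
PRIVILEGED = ["Admin", "Manager", "SiteOwner"]

if __name__ == "__main__":
    print("blacklist exposes:", audit(BLACKLIST_CONFIG, PRIVILEGED))
    print("whitelist exposes:", audit(WHITELIST_CONFIG, PRIVILEGED))
```

An empty result means none of the listed privileged accounts can be reached through the ?user= parameter under that setting.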
Other improvements
There are a handful of other improvements. For more details, view the enhancements report on the release history page.
Don’t look for locked users when custom membership provider is being used
Improve search workflow on Users page
Delete pane width preferences when user deletes profile settings
Improve messaging when admin notification of new accounts is enabled
Disable previous UI template when activating another one against all albums
Support captions as a media template replacement parameter
Bug fixes
A more detailed bug report is also on the release history page.
Cannot enable original anonymous access when downloading is disabled
E-mail event notifications not properly formatted in Gmail
Can’t read node text of tree when hovering over selected node
InvalidAlbumException may occur when rendering album tree
Tag/people tree and cloud may have incorrect counts
User may incorrectly receive message “some media assets were not added”
Prevent user from activating 3.X UI templates
Auto-generated UI template name not being correctly calculated
Private album copied to a public album becomes public
Copied media assets don’t inherit privacy setting of destination album
Move/copy buttons may perform opposite function in certain conditions
User album container may be empty after updating user settings
Tags containing apostrophes can cause invalid URLs