Access Control Settings

Any operation that involves creation, deletion, or modification of an object is allowed only for the object owner. This behavior cannot be overridden with access control settings. For example, only the owner of a photoset group can create sub-groups or galleries inside that group, or change its attributes such as group title or caption. Similarly, only the owner of a gallery can upload or delete photos in the gallery. Additionally, any changes to an object's access control settings can be performed only by the object owner.

Access control settings govern who can view the object, which object information is disclosed (e.g., whether the creation date or number of visitors should be shown), whether photos can be added to collections of other users, and whether they can be printed, to name just a few. Basically, access control settings answer two questions: who can access and what can be accessed.

To answer the first question, who can access, the Zenfolio API provides four different access types: Private, Public, UserList, and Password, which are all members of the AccessType enumeration. Objects marked as Private are only accessible to their owner; objects marked as Public can be accessed by anyone. Objects with the UserList type of access control are only accessible to those Zenfolio users who are included in the list of allowed viewers. Finally, objects with the Password type of access can only be viewed by those who know the password for this object.

There is a subtle difference between the Password and other access types. Private and UserList access types completely hide the object's existence from non-authorized users. For example, if Alice looked at a gallery owned by Bob, and some gallery photos were private, Alice would not even know that these photos existed. Password-protected objects, on the other hand, reveal their existence.

In the Zenfolio access control model, anyone who can discover an object's existence can read the object's metadata, such as title, caption, the number of visitors, and so on (access to certain metadata items can be restricted with the access mask as discussed below). Therefore, keep in mind that the Password type of access protects object content but not its metadata.

The answer to the second question, what can be accessed, is given with the access mask assigned to the object. The access mask is a set of boolean flags that allow or deny access to certain image sizes, certain metadata attributes, and certain operations such as adding to collections and printing. For the complete list of available access mask flags, please see the AccessMask enumeration.

Access mask flags are applied only if access is granted based on the access type. In other words, the access mask can never extend the level of access granted by the access type, but it can further restrict it.

To summarize, access control settings of a Zenfolio object are:

  • Access type: Private, Public, UserList, or Password.
  • Access mask flags.
  • List of users who can view the object, used with the UserList access type.
  • Object password, used with the Password access type.
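The two-step evaluation described above (access type first, then the access mask as a restriction only) can be modelled as follows. This is an added example, not Zenfolio code: the Obj class, the evaluate function, the right names and the two mask flag names are illustrative assumptions, and the real flags are listed in the AccessMask enumeration.

```python
import hmac
from dataclasses import dataclass
from enum import Enum, Flag, auto

class AccessType(Enum):
    PRIVATE = auto()
    PUBLIC = auto()
    USER_LIST = auto()
    PASSWORD = auto()

class Mask(Flag):            # illustrative names, not the real AccessMask members
    NONE = 0
    HIDE_VISITS = auto()     # withhold the visitor count
    NO_COLLECTIONS = auto()  # forbid adding photos to other users' collections

@dataclass
class Obj:                   # hypothetical stand-in for a gallery, photo or group
    owner: str
    access_type: AccessType
    mask: Mask = Mask.NONE
    viewers: frozenset = frozenset()
    password: str = ""

def evaluate(obj, user=None, password=None):
    """Return the rights `user` holds; an empty set means the object appears not to exist."""
    if user is not None and user == obj.owner:
        # Only the owner may modify. Assumption: the mask does not bind the owner.
        return {"metadata", "visits", "content", "collect", "modify"}
    t = obj.access_type
    # Step 1, who can access: Private and UserList hide existence from everyone else.
    if t is AccessType.PRIVATE or (t is AccessType.USER_LIST and user not in obj.viewers):
        return set()
    granted = {"metadata", "visits"}   # existence is known, so metadata is readable
    password_ok = bool(obj.password) and password is not None and hmac.compare_digest(
        password.encode(), obj.password.encode())  # constant-time comparison
    if t is not AccessType.PASSWORD or password_ok:
        granted |= {"content", "collect"}
    # Step 2, what can be accessed: the mask only removes rights, it never adds any.
    if Mask.HIDE_VISITS in obj.mask:
        granted.discard("visits")
    if Mask.NO_COLLECTIONS in obj.mask:
        granted.discard("collect")
    return granted
```

For a Password object, a caller without the password still gets "metadata" back, which is the disclosure the text warns about; sensitive titles or captions need Private or UserList instead.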