Security implications for gallery support in Drupal Publisher

Coming up for SPU, Drupal Publisher and the Imgblog module is support for galleries, as implemented by the Image Gallery module. This will make use of the blogid parameter in spu.newImage (it's not just there to look pretty in the specs). Currently I'm working out just how to handle it. The server side isn't the problem; I know how that should work. The trick is whether or not to require user authentication before returning the list of candidate galleries.

The thing is, Image Gallery currently just provides a vocabulary that is used for galleries, so anyone who can upload pictures can put them into any gallery. But what's to say that at some later date the module won't implement some form of per-gallery access control? Or that Imgblog won't support an alternate gallery module which already has it? Taking just the user name of an account and returning the list of galleries valid for it would then be a security hole: an attacker couldn't upload images, but he could still enumerate the galleries a particular user has access to (and, as a side effect, confirm which user names exist on the site). Requiring no authentication at all, on the other hand, would mean returning either all galleries or only the publicly accessible ones.

It would be strange to have to authenticate just to pull up the main form in Drupal Publisher. While writing this post, another possibility came to mind: allow user authentication when a username and password are provided, but if both are blank, return the list of "publicly" uploadable galleries. Drupal Publisher does a user-free pass when preparing the form, and a "refresh galleries" link does an authenticated pass to get the final list, if and when the user wants it. One caveat worth building in from the start: if credentials are supplied but don't check out, the call should fail rather than quietly fall back to the public list, and the failure should look the same for a wrong password and an unknown user, so the method doesn't become a user-name oracle.

Actually, that seems perfect. Now, comes the work of actually implementing it and adding a new function to the SPU interface.
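The following is an added sketch of the three-way behaviour described above (no credentials, valid credentials, bad credentials), written in Python rather than as Drupal/PHP code; it is not the SPU or Imgblog implementation. The method name `spu.getGalleries`, the `AuthError` exception, the user table and the gallery table are all assumptions made for the example. It wraps the handler in an XML-RPC request/response round trip using the standard library, so the fault returned on bad credentials is visible too.

```python
"""Optional-authentication gallery listing, as an illustrative sketch.

Three cases:
  - username and password both blank: return only publicly uploadable galleries
  - credentials supplied and valid: return galleries this user may upload to
  - credentials supplied and invalid: raise; never fall back to the public list,
    and give the same error for a wrong password and an unknown user
"""
import hmac
import xmlrpc.client

METHOD = "spu.getGalleries"  # assumed method name, not from the SPU spec


class AuthError(Exception):
    """Raised for any credential failure; deliberately carries no detail."""


# Constructed sample data for the example; a real module would consult
# Drupal's user table and the gallery vocabulary/access module instead.
USERS = {"alice": "s3cret", "bob": "hunter2"}  # plaintext only for the demo
GALLERIES = {
    "holidays": {"public": True, "members": set()},
    "staff-only": {"public": False, "members": {"alice"}},
    "drafts": {"public": False, "members": {"bob"}},
}


def _check_password(username, password):
    """Constant-time-style check that follows the same path for unknown users.

    Unknown users are compared against an empty string so the function does
    the comparison work either way; the membership test afterwards makes
    sure an empty password never authenticates a nonexistent account.
    """
    expected = USERS.get(username, "")
    same = hmac.compare_digest(expected.encode(), password.encode())
    return same and username in USERS


def list_galleries(username="", password=""):
    """Return the sorted gallery names the caller may upload into."""
    if username == "" and password == "":
        # user-free pass: public galleries only
        return sorted(n for n, g in GALLERIES.items() if g["public"])
    if not _check_password(username, password):
        # fail closed; same error whether the user exists or not
        raise AuthError("authentication failed")
    return sorted(
        n for n, g in GALLERIES.items() if g["public"] or username in g["members"]
    )


def handle_request(xml_request):
    """Server side: decode an XML-RPC call and encode the response or fault."""
    params, method = xmlrpc.client.loads(xml_request)
    if method != METHOD:
        fault = xmlrpc.client.Fault(-32601, "unknown method")
        return xmlrpc.client.dumps(fault, methodresponse=True)
    # missing parameters are treated as blank, i.e. the unauthenticated pass
    username, password = (list(params) + ["", ""])[:2]
    try:
        result = list_galleries(username, password)
    except AuthError:
        fault = xmlrpc.client.Fault(403, "authentication failed")
        return xmlrpc.client.dumps(fault, methodresponse=True)
    return xmlrpc.client.dumps((result,), methodresponse=True)


def call(username="", password=""):
    """Client side round trip: ('ok', galleries) or ('fault', fault_code)."""
    request = xmlrpc.client.dumps((username, password), methodname=METHOD)
    response = handle_request(request)
    try:
        (result,), _ = xmlrpc.client.loads(response)  # raises Fault on <fault>
    except xmlrpc.client.Fault as f:
        return ("fault", f.faultCode)
    return ("ok", result)


if __name__ == "__main__":
    print(call())                    # ('ok', ['holidays'])
    print(call("alice", "s3cret"))   # ('ok', ['holidays', 'staff-only'])
    print(call("alice", "wrong"))    # ('fault', 403)
    print(call("nobody", ""))        # ('fault', 403)
```

The two points the sketch is meant to make visible are that the blank/blank case is the only one that skips authentication, and that every credential failure, including a blank password for a user that doesn't exist, produces the identical fault rather than the public list.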
