This is what appears to be a major security issue regarding ALL versions of Coppermine Gallery, including the very latest version 1.5.18 - well it certainly is a major issue from my perspective.
I can go to any of your CPG galleries with "restricted, personal, valuable content", register an account which in most cases would give me access to that content, e.g. full size pictures, copyrighted originals, images that are for sale, etc., and by right clicking on any full size image and selecting "Copy Image Location" from the drop down contextual menu I can now paste that URL on any blog, any website etc. or I can even post that URL to all my friends and ANYONE can now access those full size images WITHOUT even having to visit your CPG websites, much less logging in.
I bet I could clear out many of your CPG websites in just one day, I could even start up my own websites selling your full size supposedly "protected" content without even having to download anything at all and without ever visiting your CPG websites.
All I need to do is something like this - paste in any browser and increment the values - I'm sure I would get some very interesting results:
http://your-website/displayimage.php?album=2&pid=1#top_display_media
http://your-website/displayimage.php?album=2&pid=2#top_display_media
http://your-website/displayimage.php?album=2&pid=2#top_display_media
http://your-website/displayimage.php?album=3&pid=1#top_display_media
http://your-website/displayimage.php?album=3&pid=2#top_display_media
http://your-website/displayimage.php?album=3&pid=3#top_display_media
The same applies to all attempts to incorporate a shop into CPG... while one person might pay for access, he/she could simply post URLs to anyone and everyone who would then literally download for free, and this does apply to music and videos also.
Of course I am not interested in such activities which is why I am here warning about this, and the above, tested with Firefox V10.0.1, can be done both with and without cookies and probably with all browsers.
So in other words, limiting access to important content by User Groups defined in the User Configuration Settings just does not really work except on a very superficial level.
Give it some thought people and bear in mind that what you might consider safe behind an account and password - ISN'T safe at all.
Best Wishes To All
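
Added example, not part of the original post and not Coppermine code: the gap described above is that the group check runs on the gallery page while the image URL itself answers to anyone, so this Python sketch shows the check moved to the file request, using a link signed for one user with an expiry. The key, the `/albums/demo/` path, the parameter names and both function names are assumptions, and it presumes the image directory is reachable only through such a handler.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment loads a random secret from config.
SECRET_KEY = b"constructed-demo-key"


def _signature(path: str, user_id: int, expires: int) -> str:
    # Bind the token to the exact file, the user it was issued to, and an expiry.
    msg = f"{path}|{user_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_image_url(path: str, user_id: int, ttl: int = 300,
                   now: Optional[float] = None) -> str:
    """Link the gallery page embeds after its own group check has passed."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _signature(path, user_id, expires)})
    return f"{path}?{query}"


def authorize_image_request(url: str, session_user_id: Optional[int],
                            now: Optional[float] = None) -> bool:
    """Run by the file-serving handler before any image bytes are sent."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        uid = int(params["uid"][0])
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # bare copied file URL with no token: refuse
    # A pasted link fails here: the visitor has no session for this user.
    if session_user_id is None or session_user_id != uid:
        return False
    if (time.time() if now is None else now) > expires:
        return False
    expected = _signature(parsed.path, uid, expires)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

The handler should still re-check the user's current group membership, since a token issued before a permission change stays valid until it expires.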