Forum OpenACS Q&A: how to avoid per-image queries while maintaining security

As I've mentioned, I'm working to allow users to upload images to my
site.  Often, many of these images will be displayed on a single
page; looking through the photodb code, an idea I'd like to keep is
preventing users from looking at the source and requesting images
they're not supposed to know about by trying different ids.

Like photodb, I'm storing my images in the filesystem where the
server process has read permission, but it's not on the html path;
instead, a script like photo.tcl serves up the file when it
determines that permissions are satisfied.  BUT I don't want my
script to have to query the database for images that I already know
(having selected them in the "main" page) are valid.

So, my question is, is there a way to "cheat" and only do the one
query?  I thought of using a global "let the user see everything
while I am true" variable that the main script could turn on and off,
but since the http requests to get the images will likely occur after
the main script has finished processing, that's not going to work.

If not, I guess I can work with page-level permissions rather than
per-photo, because query-per-photo is really too much for my poor old
server to handle.  Or, I could not require permissions to see
thumbnails but require them for the "big" version.  I'm hoping though
that there is a "thinking outside the box" solution I'm just not
seeing myself.

ad_page_contract in ACS4 has a filter 'verify'. It allows you to sign, for example, photo_id as you export it on the page that lists all the photos. You can then check within photo.tcl that serves the photos whether the photo_id has been altered.

Maybe you could port that feature.

ad_page_contract
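The signed-id scheme the reply describes, as an added example written in Python rather than Tcl; it is not OpenACS code and does not reproduce the real ad_page_contract 'verify' filter. It assumes a server-side secret, and goes slightly beyond the reply by also binding the token to the requesting user and giving it an expiry, so a listing-page link cannot be replayed indefinitely or by someone else. photo.tcl would then only hit the database for ids whose MAC checks out, and in this design never for a guessed id.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed secret for this example only; a real server loads it from
# configuration and never exports it to a page or URL.
SECRET = b"example-secret-do-not-use"


def sign_photo_id(photo_id: int, user_id: int, expires_at: int,
                  secret: bytes = SECRET) -> str:
    """Value the listing page exports for one image.

    Format: "photo_id:user_id:expires_at:mac". The MAC covers all three
    fields, so changing any of them (trying another photo_id, another
    user, a later expiry) breaks the token with no database lookup.
    """
    payload = f"{photo_id}:{user_id}:{expires_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_photo_token(token: str, user_id: int, now: Optional[int] = None,
                       secret: bytes = SECRET) -> Optional[int]:
    """Return the photo_id if the token is intact, belongs to this user
    and has not expired; otherwise None (the serving script then refuses
    the request without querying for the image at all)."""
    now = int(time.time()) if now is None else now
    try:
        pid_s, uid_s, exp_s, mac = token.split(":")
        photo_id, token_uid, expires_at = int(pid_s), int(uid_s), int(exp_s)
    except ValueError:
        return None  # malformed token
    payload = f"{photo_id}:{token_uid}:{expires_at}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC checking does not leak by timing.
    if not hmac.compare_digest(mac, expected):
        return None
    if token_uid != user_id or now > expires_at:
        return None
    return photo_id
```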