admin approval of registration only works when logged out
 


admin approval of registration only works when logged out

Started by Tranz, March 06, 2005, 04:25:04 AM


Tranz

If I click the activation link while I am logged in (as admin or regular user), it says:
Quote
You don't have permission to access this page.

It's due to this line:
if (!$CONFIG['allow_user_registration'] || USER_ID) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);


I changed this to
if (!$CONFIG['allow_user_registration'] || !GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

That caused other issues.

If the account is already active, it shows the header twice (including admin menu) when it shows the error message "Account is already active!".

Then if I try to register, it says I don't have permission. So that admin conditional needs to go elsewhere.

So current issue is the admin can't activate the registration while logged in. However, the link should require an admin being logged in for it to work. Maybe there needs to be another parameter in the URL to indicate that it is an admin activation.

Aditya Mooley

Quote from: TranzNDance on March 06, 2005, 04:25:04 AM
I changed this to
if (!$CONFIG['allow_user_registration'] || !GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);


By doing this we are denying new registrations. What if we remove the second condition?

Quote
If the account is already active, it shows the header twice (including admin menu) when it shows the error message "Account is already active!".

I suggest the following code changes to avoid this:


if (isset($_GET['activate'])) {
    //$CONFIG['admin_activation'] = FALSE;
    //$CONFIG['admin_activation'] = TRUE;

    $act_key = addslashes(substr($_GET['activate'], 0, 32));
    if (strlen($act_key) != 32) cpg_die(ERROR, $lang_register_php['acct_act_failed'], __FILE__, __LINE__);

    $sql = "SELECT user_active user_active, user_email, user_name, user_password " . "FROM {$CONFIG['TABLE_USERS']} " . "WHERE user_actkey = '$act_key' " . "LIMIT 1";
    $result = cpg_db_query($sql);
    if (!mysql_num_rows($result)) cpg_die(ERROR, $lang_register_php['acct_act_failed'], __FILE__, __LINE__);

    $row = mysql_fetch_array($result);
    mysql_free_result($result);

    // "already active" is checked before pageheader() so that cpg_die() does not print a second header
    if ($row['user_active'] == 'YES') cpg_die(ERROR, $lang_register_php['acct_already_act'], __FILE__, __LINE__);

    pageheader($lang_register_php['page_title']);
    $email = $row['user_email'];
    $user_name = $row['user_name'];
    $password = $row['user_password'];

    $sql = "UPDATE {$CONFIG['TABLE_USERS']} " . "SET user_active = 'YES' " . "WHERE user_actkey = '$act_key' " . "LIMIT 1";
    $result = cpg_db_query($sql);

    if ($CONFIG['admin_activation'] == 1) { // after admin approves, user receives email notification
        msg_box($lang_register_php['information'], $lang_register_php['acct_active_admin_activation'], $lang_continue, 'index.php');
        $site_link = $CONFIG['site_url'];
        $template_vars = array(
            '{SITE_LINK}' => $site_link,
            '{USER_NAME}' => $user_name,
            '{PASSWORD}'  => $password,
            '{SITE_NAME}' => $CONFIG['gallery_name'],
        );
        cpg_mail($email, sprintf($lang_register_php['notify_user_email_subject'], $CONFIG['gallery_name']), nl2br(strtr($lang_register_activated_email, $template_vars)));
    } else { // user self-activated, gets message box that account was activated
        msg_box($lang_register_php['information'], $lang_register_php['acct_active'], $lang_continue, 'index.php');
    }
} else {
    pageheader($lang_register_php['page_title']);
    if (isset($_POST['agree'])) {
        input_user_info();
    } elseif (isset($_POST['submit'])) {
        $errors = '';
        if (!check_user_info($errors)) {
            input_user_info($errors);
        }
    } else {
        display_disclaimer();
    }
}
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter
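The root cause discussed in this thread is that one condition (`!$CONFIG['allow_user_registration'] || USER_ID`) guards two different things: the registration form, which should only be reachable when logged out, and the activation link, which in admin-approval mode must be followed by a logged-in admin. Below is an added example, not Coppermine's own code and not from either poster, that separates the two decisions into pure functions and runs them through the cases raised above. The function names, the `$ctx` array and the assumption that activation keys are 32 alphanumeric characters are mine for illustration; the thread only states that the key is 32 characters long.

```php
<?php
declare(strict_types=1);

// Added example, not Coppermine's register.php: the two gates split apart so
// that denying logged-in users on the registration form no longer also denies
// the admin who follows an activation link. Function names, the $ctx array
// and the key format are assumptions made for this illustration.

/** Registration form: open to anonymous visitors only, and only if enabled. */
function registration_gate(array $config, array $ctx): ?string
{
    if (!$config['allow_user_registration']) {
        return 'access_denied';
    }
    if ($ctx['user_id'] !== 0) {
        return 'access_denied';   // already logged in, nothing to register
    }
    return null;                  // null means "allowed"
}

/** Activation link: who may follow it depends on the activation mode. */
function activation_gate(array $config, array $ctx, string $act_key): ?string
{
    if (!$config['allow_user_registration']) {
        return 'access_denied';
    }
    // Validate the key's shape before it is used anywhere (assumed format).
    if (!preg_match('/^[A-Za-z0-9]{32}$/', $act_key)) {
        return 'acct_act_failed';
    }
    if ($config['admin_activation']) {
        // Admin-approval mode: only a logged-in admin may approve. The decision
        // comes from the session, not from any extra parameter in the URL.
        return $ctx['is_admin'] ? null : 'access_denied';
    }
    // Self-activation mode: the new (anonymous) user follows the link; an admin
    // may still follow it on their behalf, other logged-in users may not.
    if ($ctx['user_id'] !== 0 && !$ctx['is_admin']) {
        return 'access_denied';
    }
    return null;
}

// Constructed scenarios covering the cases raised in the thread.
$key    = str_repeat('a', 32);
$anon   = ['user_id' => 0, 'is_admin' => false];
$member = ['user_id' => 7, 'is_admin' => false];
$admin  = ['user_id' => 1, 'is_admin' => true];

$selfMode  = ['allow_user_registration' => true, 'admin_activation' => false];
$adminMode = ['allow_user_registration' => true, 'admin_activation' => true];

$cases = [
    ['registration, anonymous',           registration_gate($selfMode, $anon),        null],
    ['registration, admin logged in',     registration_gate($selfMode, $admin),       'access_denied'],
    ['activation, anonymous, self mode',  activation_gate($selfMode, $anon, $key),    null],
    ['activation, member, self mode',     activation_gate($selfMode, $member, $key),  'access_denied'],
    ['activation, admin, self mode',      activation_gate($selfMode, $admin, $key),   null],
    ['activation, anonymous, admin mode', activation_gate($adminMode, $anon, $key),   'access_denied'],
    ['activation, admin, admin mode',     activation_gate($adminMode, $admin, $key),  null],
    ['activation, malformed key',         activation_gate($adminMode, $admin, 'abc'), 'acct_act_failed'],
];

foreach ($cases as [$label, $got, $want]) {
    printf("%-36s %s\n", $label, $got === $want ? 'ok' : 'MISMATCH (got ' . var_export($got, true) . ')');
}
```

Two points worth keeping from this split. First, a marker in the URL (the "another parameter" idea) can be added by anyone who has the link, so it cannot carry the authorization; the admin check has to come from the session, which is what `$ctx['is_admin']` stands in for here. Second, every `cpg_die()`-style exit for the activation branch is decided before any page header is printed, which is the same ordering the proposed code above uses to avoid the doubled header.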
