non-admin user, not in admin mode without personal gallery

Tranz · March 27, 2005, 01:29:24 PM

Not sure if this is intentional or not.

Nonadmin users are allowed to edit their own files uploaded to public albums. However, if they are in a group that does not grant them personal gallery permissions, they can't edit their individual files in the public albums because they are not seen as being in user admin mode.

Nibbler · March 27, 2005, 01:36:15 PM

Didn't we remove user admin mode ?

Tranz · March 27, 2005, 01:43:53 PM

There's no explicit mode, but it is implicit that they are admin if they have personal galleries. However, if they can't have personal galleries, they can't be in admin mode. Thus, they can't edit individual files that they can upload to public albums because they are not in admin mode.

Joachim Müller · March 27, 2005, 03:47:58 PM

Quote from: Nibbler on March 27, 2005, 01:36:15 PM
Didn't we remove user admin mode ?

we only removed the toggle, so the user stays in "admin mode" (when logged in) all the time - in fact we removed the "user user mode".

Joachim

Casper · March 27, 2005, 11:11:24 PM

Could we not just replace the first conditional with the same as the second, i.e., replace this;

Code Select

if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

with this;

Code Select

if (!(GALLERY_ADMIN_MODE || $pic['category'] == FIRST_USER_CAT + USER_ID || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

Nibbler · March 27, 2005, 11:49:16 PM

I think that would allow an unlogged user to edit an anonymously uploaded pic, so check for that too.

Joachim Müller · April 09, 2005, 01:34:13 PM

*bump*

donnoman · April 10, 2005, 07:36:14 PM

Isn't there a config option to allow a user to retain control of thier pics in public albums? how does it play into this situation?

cryogenic · April 15, 2005, 03:30:13 AM

under user settings there is in fact such an option. However, I believe the previous posters are making the point that if you set your gallery such that regular non-admin (but still logged in) users are not allowed to have their own galleries, that option has no bearing and they have no control over the pictures they've uploaded into public galleries. That's my take on the situation and I haven't tested it as of yet as I have allowed my users to have their own galleries.

Tranz · April 15, 2005, 03:37:46 AM

Your understanding is correct.

I want to set up a showcase gallery where users can upload to public albums. I do not want them to have personal galleries. However, this means those users are unable to edit their files in the public albums.

I think if we can get this fixed, we can roll out that showcase gallery.

Nibbler · April 15, 2005, 12:14:21 PM

Does Casper's suggestion work ?

Tranz · April 16, 2005, 12:16:26 AM

I didn't try it because of what you brought up afterward.

Tranz · May 01, 2005, 09:21:22 AM

I tried Casper's suggestion. I got this error message:

QuoteYou don't have permission to access this page.

File: C:\wamp\websites\cpg-dev\editOnePic.php - Line: 24

"Allow users to retain control over their pics in public galleries" is set to yes.

Tranz · May 01, 2005, 09:33:33 AM

hmm... even when I allow the group to have personal galleries, the user cannot edit the file.

Tranz · May 01, 2005, 09:53:42 AM

Nevermind. After I ran update.php, I was able to edit the file.

And it does not allow an anonymous user to edit the file.

Tranz · May 07, 2005, 08:16:36 PM

It turned out that the fix worked for my unbridged installation. When I tested it at cpg-contrib, which is bridged with SMF, I got this error:
You don't have permission to access this page.

Could it be due to it being bridged? I set the permissions on the Registered group. But that group does not seem to exist in the forums.

Tranz · June 26, 2005, 08:08:50 PM

I revisited this issue and a nonadmin with no public gallery privileges still cannot edit a file in a public album.

In editOnePic.php is:

Code Select

if (!(GALLERY_ADMIN_MODE || $pic['category'] == FIRST_USER_CAT + USER_ID || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

I might have had an error in my previous test.

Nibbler · June 27, 2005, 02:28:23 PM

Just comment out this line at the top of the file

Code Select

if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

Any unauthorised access would get caught by other checks made once we determine ownership of the pic in question.

Tranz · June 27, 2005, 04:15:49 PM

Woohoo! It worked.

user can edit if config allows control; cannot edit if not allowed control.
anonymous cannot edit regardless of above config
admin can edit
user can edit regardless if allowed to have personal galleries

Anything else to check for? Is it ok to commit?

Tranz · June 27, 2005, 04:26:35 PM

I tested accessing the editing URL when not logged in and got this:

QuoteTemplate error
Failed to find block 'log_ecards'(#()(.*?)()#s) in :

<div align="center">
<table cellpadding="0" cellspacing="1">
<tr>

<td class="admin_menu"><a href="admin.php" title="{ADMIN_TITLE}">{ADMIN_LNK}</a></td>
<td class="admin_menu"><a href="catmgr.php" title="{CATEGORIES_TITLE}">{CATEGORIES_LNK}</a></td>
<td class="admin_menu"><a href="albmgr.php{CATL}" title="{ALBUMS_TITLE}">{ALBUMS_LNK}</a></td>
<td class="admin_menu"><a href="groupmgr.php" title="{GROUPS_TITLE}">{GROUPS_LNK}</a></td>
<td class="admin_menu"><a href="usermgr.php" title="{USERS_TITLE}">{USERS_LNK}</a></td>
<td class="admin_menu"><a href="banning.php" title="{BAN_TITLE}">{BAN_LNK}</a></td>
<td class="admin_menu"><a href="reviewcom.php" title="{COMMENTS_TITLE}">{COMMENTS_LNK}</a></td>

<td class="admin_menu"><a href="picmgr.php" title="{PICTURES_TITLE}">{PICTURES_LNK}</a></td>
<td class="admin_menu"><a href="searchnew.php" title="{SEARCHNEW_TITLE}">{SEARCHNEW_LNK}</a></td>
<td class="admin_menu"><a href="util.php" title="{UTIL_TITLE}">{UTIL_LNK}</a></td>
<td class="admin_menu"><a href="profile.php?op=edit_profile" title="{MY_PROF_TITLE}">{MY_PROF_LNK}</a></td>

<td class="admin_menu"><a href="{DOCUMENTATION_HREF}" title="{DOCUMENTATION_TITLE}" target="cpg_documentation">{DOCUMENTATION_LNK}</a></td>


<td class="admin_menu"><a href="index.php?file=minicms/cms_config" title="MiniCMS Config" >MiniCMS Config</a></td>



<td class="admin_menu"><a href="index.php?file=minicms/cms_admin" title="MiniCMS Admin" >MiniCMS Admin</a></td>


</tr>
</table>
</div>

If I try to access editOnePic.php without the file parameters, it shows the edit page but with no specific file to edit.

coppermine-gallery.com/forum

News:

non-admin user, not in admin mode without personal gallery

Tranz

Nibbler

Tranz

Joachim Müller

Casper

Nibbler

Joachim Müller

donnoman

cryogenic

Tranz

Nibbler

Tranz

Tranz

Tranz

Tranz

Tranz

Tranz

Nibbler

Tranz

Tranz