non-admin user, not in admin mode without personal gallery

Started by Tranz, March 27, 2005, 01:29:24 PM


Tranz

Not sure if this is intentional or not.

Nonadmin users are allowed to edit their own files uploaded to public albums. However, if they are in a group that does not grant them personal gallery permissions, they can't edit their individual files in the public albums because they are not seen as being in user admin mode.

Nibbler


Tranz

There's no explicit mode, but it is implicit that they are admin if they have personal galleries. However, if they can't have personal galleries, they can't be in admin mode. Thus, they can't edit individual files that they can upload to public albums because they are not in admin mode.

Joachim Müller

Quote from: Nibbler on March 27, 2005, 01:36:15 PM
Didn't we remove user admin mode?

We only removed the toggle, so the user stays in "admin mode" (when logged in) all the time - in fact we removed the "user user mode".

Joachim

Casper

Could we not just replace the first conditional with the same as the second, i.e., replace this:

if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

with this:

if (!(GALLERY_ADMIN_MODE
      || $pic['category'] == FIRST_USER_CAT + USER_ID
      || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}

It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here.

Nibbler

I think that would allow an unlogged user to edit an anonymously uploaded pic, so check for that too.

Joachim Müller


donnoman

Isn't there a config option to allow a user to retain control of their pics in public albums? How does it play into this situation?

cryogenic

Under user settings there is in fact such an option. However, I believe the previous posters are making the point that if you set your gallery such that regular non-admin (but still logged in) users are not allowed to have their own galleries, that option has no bearing and they have no control over the pictures they've uploaded into public galleries. That's my take on the situation and I haven't tested it as of yet, as I have allowed my users to have their own galleries.

Tranz

Your understanding is correct.

I want to set up a showcase gallery where users can upload to public albums. I do not want them to have personal galleries. However, this means those users are unable to edit their files in the public albums.

I think if we can get this fixed, we can roll out that showcase gallery. :)

Nibbler


Tranz

I didn't try it because of what you brought up afterward.

Tranz

I tried Casper's suggestion. I got this error message:

Quote
You don't have permission to access this page.

File: C:\wamp\websites\cpg-dev\editOnePic.php - Line: 24

"Allow users to retain control over their pics in public galleries" is set to yes.

Tranz

Hmm... even when I allow the group to have personal galleries, the user cannot edit the file.

Tranz

Nevermind. After I ran update.php, I was able to edit the file.

And it does not allow an anonymous user to edit the file.

Tranz

It turned out that the fix worked for my unbridged installation. When I tested it at cpg-contrib, which is bridged with SMF, I got this error:
You don't have permission to access this page.

Could it be due to it being bridged? I set the permissions on the Registered group. But that group does not seem to exist in the forums.

Tranz

I revisited this issue and a nonadmin with no public gallery privileges still cannot edit a file in a public album.

In editOnePic.php is:

if (!(GALLERY_ADMIN_MODE
      || $pic['category'] == FIRST_USER_CAT + USER_ID
      || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}

I might have had an error in my previous test.

Nibbler

Just comment out this line at the top of the file:

if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);


Any unauthorised access would get caught by other checks made once we determine ownership of the pic in question.

Tranz

Woohoo! It worked.

user can edit if config allows control; cannot edit if not allowed control.
anonymous cannot edit regardless of above config
admin can edit
user can edit regardless if allowed to have personal galleries

Anything else to check for? Is it ok to commit?
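The access decision argued over in this thread (Casper's conditional, Nibbler's caveat about anonymous uploads, and Tranz's four test cases) can be written down as one self-contained function and checked against a table of constructed cases. This is an added example, not Coppermine code: the function name can_edit_pic, the $viewer array, the guest id 0 and the FIRST_USER_CAT value are assumptions for this example; the constant and config names follow the snippets quoted above. It drops the USER_ADMIN_MODE gate entirely, as Nibbler's fix does, so the personal-gallery permission plays no part in the result.

```php
<?php
// Added example, not Coppermine code: a stand-alone model of the ownership
// check discussed in this thread. Constant/config names follow the quoted
// snippets; the function name, $viewer array and the two values below are
// assumptions for this example.

// Assumption: guests have user id 0, and an anonymous upload has owner_id 0.
const ANONYMOUS_USER_ID = 0;
// Constructed value; only its role as the personal-gallery category base matters.
const FIRST_USER_CAT = 10000;

/**
 * Decide whether $viewer may edit $pic.
 *
 * $viewer = ['user_id' => int, 'is_gallery_admin' => bool]
 * $pic    = ['category' => int, 'owner_id' => int]
 * $config = ['users_can_edit_pics' => bool]
 */
function can_edit_pic(array $viewer, array $pic, array $config): bool
{
    $userId = (int) $viewer['user_id'];

    // Gallery admins may edit anything (GALLERY_ADMIN_MODE in the thread).
    if (!empty($viewer['is_gallery_admin'])) {
        return true;
    }

    // Nibbler's caveat: an anonymous upload has owner_id 0 and a guest has
    // USER_ID 0, so an owner comparison alone would let a guest edit such a
    // file. Refuse guests before any ownership test is made.
    if ($userId === ANONYMOUS_USER_ID) {
        return false;
    }

    // A file inside the viewer's own personal gallery.
    if ((int) $pic['category'] === FIRST_USER_CAT + $userId) {
        return true;
    }

    // A file the viewer uploaded to a public album, when the
    // "retain control over their pics in public galleries" option is on.
    if (!empty($config['users_can_edit_pics']) && (int) $pic['owner_id'] === $userId) {
        return true;
    }

    return false;
}

// Constructed cases mirroring the checks listed in the thread.
$publicPic   = ['category' => 5, 'owner_id' => 42];                 // public album, uploaded by user 42
$anonPic     = ['category' => 5, 'owner_id' => ANONYMOUS_USER_ID];  // anonymous upload to a public album
$personalPic = ['category' => FIRST_USER_CAT + 42, 'owner_id' => 42];

$owner = ['user_id' => 42, 'is_gallery_admin' => false];
$other = ['user_id' => 7,  'is_gallery_admin' => false];
$guest = ['user_id' => ANONYMOUS_USER_ID, 'is_gallery_admin' => false];
$admin = ['user_id' => 1,  'is_gallery_admin' => true];

$allow = ['users_can_edit_pics' => true];
$deny  = ['users_can_edit_pics' => false];

$cases = [
    'owner, control allowed'      => [can_edit_pic($owner, $publicPic, $allow),   true],
    'owner, control not allowed'  => [can_edit_pic($owner, $publicPic, $deny),    false],
    'other user, control allowed' => [can_edit_pic($other, $publicPic, $allow),   false],
    'guest on anonymous upload'   => [can_edit_pic($guest, $anonPic, $allow),     false],
    'admin, control not allowed'  => [can_edit_pic($admin, $publicPic, $deny),    true],
    'owner in personal gallery'   => [can_edit_pic($owner, $personalPic, $deny),  true],
];

foreach ($cases as $label => [$got, $want]) {
    printf("%-28s %s\n", $label, $got === $want ? 'ok' : 'MISMATCH');
}
```

The guest test is the one worth keeping in any regression list: because both the guest id and an anonymous upload's owner_id are 0 in this model, the "owner, control allowed" branch on its own would wrongly pass, which is exactly the hole Nibbler pointed out.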

Tranz

I tested accessing the editing URL when not logged in and got this:
Quote
Template error
Failed to find block 'log_ecards'(#(<!-- BEGIN log_ecards -->)(.*?)(<!-- END log_ecards -->)#s) in :


                <div align="center">
                <table cellpadding="0" cellspacing="1">
                        <tr>

                                <td class="admin_menu"><a href="admin.php" title="{ADMIN_TITLE}">{ADMIN_LNK}</a></td>
                                <td class="admin_menu"><a href="catmgr.php" title="{CATEGORIES_TITLE}">{CATEGORIES_LNK}</a></td>
                                <td class="admin_menu"><a href="albmgr.php{CATL}" title="{ALBUMS_TITLE}">{ALBUMS_LNK}</a></td>
                                <td class="admin_menu"><a href="groupmgr.php" title="{GROUPS_TITLE}">{GROUPS_LNK}</a></td>
                                <td class="admin_menu"><a href="usermgr.php" title="{USERS_TITLE}">{USERS_LNK}</a></td>
                                <td class="admin_menu"><a href="banning.php" title="{BAN_TITLE}">{BAN_LNK}</a></td>
                                <td class="admin_menu"><a href="reviewcom.php" title="{COMMENTS_TITLE}">{COMMENTS_LNK}</a></td>

                                <td class="admin_menu"><a href="picmgr.php" title="{PICTURES_TITLE}">{PICTURES_LNK}</a></td>
                                <td class="admin_menu"><a href="searchnew.php" title="{SEARCHNEW_TITLE}">{SEARCHNEW_LNK}</a></td>
                                <td class="admin_menu"><a href="util.php" title="{UTIL_TITLE}">{UTIL_LNK}</a></td>
                                <td class="admin_menu"><a href="profile.php?op=edit_profile" title="{MY_PROF_TITLE}">{MY_PROF_LNK}</a></td>
<!-- BEGIN documentation -->
                                <td class="admin_menu"><a href="{DOCUMENTATION_HREF}" title="{DOCUMENTATION_TITLE}" target="cpg_documentation">{DOCUMENTATION_LNK}</a></td>
<!-- END documentation -->
<!-- BEGIN MiniCMS Config -->
                                <td class="admin_menu"><a href="index.php?file=minicms/cms_config" title="MiniCMS Config" >MiniCMS Config</a></td>
<!-- END MiniCMS Config -->

<!-- BEGIN MiniCMS Admin -->
                                <td class="admin_menu"><a href="index.php?file=minicms/cms_admin" title="MiniCMS Admin" >MiniCMS Admin</a></td>
<!-- END MiniCMS Admin -->

                        </tr>
                </table>
                </div>

If I try to access editOnePic.php without the file parameters, it shows the edit page but with no specific file to edit.