Hacking the permission system

Started by etienne, December 30, 2003, 03:30:20 PM

etienne

In current versions, if a user belongs to several groups, it inherits rights (admin access, send e-card, rate pictures, comment pictures, upload pictures, create albums) only from its 'primary' group.

Here is a hack for inheriting rights from all groups (for example, if at least one of the groups the user is associated to allows commenting pictures, then the user will have the right to comment pictures).

In include/init.inc.php, locate:

    $sql = "SELECT * "
         . "FROM {$CONFIG['TABLE_USERS']}, {$CONFIG['TABLE_USERGROUPS']} "
         . "WHERE user_group = group_id "
         . "AND user_id='$cookie_uid' "
         . "AND user_active = 'YES' "
         . "AND user_password != '' "
         . "AND BINARY MD5(user_password) = '$cookie_pass'";
    $results = db_query($sql);

    if (mysql_num_rows($results)) {
        $USER_DATA = mysql_fetch_array($results);
        unset($USER_DATA['user_password']);


and insert after (line 183):

        // Secondary group ids are stored as a comma-separated list in user_lang
        if ($USER_DATA['user_lang'] != '') {
            $sql2 = "SELECT * "
                  . "FROM {$CONFIG['TABLE_USERGROUPS']} "
                  . "WHERE group_id IN (" . $USER_DATA['user_lang'] . ");";
            $results2 = db_query($sql2);
            // Walk every secondary group row, not only the first one, so that a
            // right granted by any of the user's groups is inherited
            while ($USER_DATA2 = mysql_fetch_array($results2)) {
                if ((int)$USER_DATA2['has_admin_access'])    $USER_DATA['has_admin_access']    = $USER_DATA2['has_admin_access'];
                if ((int)$USER_DATA2['can_send_ecards'])     $USER_DATA['can_send_ecards']     = $USER_DATA2['can_send_ecards'];
                if ((int)$USER_DATA2['can_rate_pictures'])   $USER_DATA['can_rate_pictures']   = $USER_DATA2['can_rate_pictures'];
                if ((int)$USER_DATA2['can_post_comments'])   $USER_DATA['can_post_comments']   = $USER_DATA2['can_post_comments'];
                if ((int)$USER_DATA2['can_upload_pictures']) $USER_DATA['can_upload_pictures'] = $USER_DATA2['can_upload_pictures'];
                if ((int)$USER_DATA2['can_create_albums'])   $USER_DATA['can_create_albums']   = $USER_DATA2['can_create_albums'];
            }
            mysql_free_result($results2);
        }



What's missing?
Modifying the way access to albums is granted in the same way (today it is granted from the primary group only and not from all the groups a user is associated to).
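As an added example (not the thread's or Coppermine's own code), the following merges rights across every group row and, because the stored group list is interpolated into an SQL IN(), reduces that list to integers first; it also sketches the album check asked for above. The function names, the sample data and the visibility convention (a group id, 0 meaning everyone) are assumptions.

```php
<?php
// Added example, not Coppermine's own code. Assumes the hack's layout: secondary
// group ids as a comma-separated string in user_lang and the right columns named
// above; album visibility as a group id with 0 = "everyone" is also an assumption.

// Whitelist the stored group list to integers before it is used in an SQL IN().
function cpg_group_id_list($raw)
{
    $ids = array();
    foreach (explode(',', (string)$raw) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int)$part;
        }
    }
    return array_values(array_unique($ids));
}

// A right is granted when the primary group OR any secondary group grants it.
function cpg_merge_group_rights(array $userData, array $groupRows)
{
    $rights = array('has_admin_access', 'can_send_ecards', 'can_rate_pictures',
                    'can_post_comments', 'can_upload_pictures', 'can_create_albums');
    foreach ($groupRows as $row) {
        foreach ($rights as $r) {
            if (!empty($row[$r])) {
                $userData[$r] = 1;
            }
        }
    }
    return $userData;
}

// The "what's missing" part: an album restricted to a group is viewable when that
// group is the primary group or any of the secondary groups.
function cpg_can_view_album($visibility, $primaryGroup, array $secondaryGroups)
{
    $visibility = (int)$visibility;
    return $visibility === 0
        || $visibility === (int)$primaryGroup
        || in_array($visibility, $secondaryGroups, true);
}

// Constructed sample: primary group 'Familly' (id 4), secondary groups 1 (admin) and 7.
$user = array('user_group' => 4, 'user_lang' => '1, 7, x', 'has_admin_access' => 0);
$secondary = cpg_group_id_list($user['user_lang']);   // array(1, 7): the 'x' is dropped
// Rows that "... WHERE group_id IN (1,7)" would return (constructed)
$rows = array(array('group_id' => 1, 'has_admin_access' => 1), array('group_id' => 7, 'can_create_albums' => 1));
$merged = cpg_merge_group_rights($user, $rows);
var_dump($merged['has_admin_access'] === 1, cpg_can_view_album(4, 4, $secondary), cpg_can_view_album(1, 4, $secondary));
```

All three var_dump results are true: admin access is inherited from the secondary group, and the group-restricted album is viewable whether the group is primary or secondary.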

bigtiger

I just tried. Might be the first try-er. But it does not change anything. :o

etienne

Here was the situation:
- I created a group 'Familly'
- I created a 'Christmas party' album that can only be accessed by Familly members
- As a site admin, I've no way to both access the album and have admin privileges:
   * if my primary group is admin and Familly a secondary group, then I've admin privileges but no access to the Christmas party album
   * if my primary group is Familly and admin a secondary group, then I can access the Christmas party album but have no admin privileges

Now with the hack, if my primary group is Familly and admin a secondary group, then I can both access the Christmas party album and have admin privileges :)

Casper

Admin does already have both access and admin privileges to all groups and all albums.
You set the 'show private icon to unlogged user' in config to YES, and then admin sees all the albums.  Private albums have the private icon at the front page, but when you go to the category page, you will see the admin boxes, and when you go to the album, you will see the pics as normal.

I think it is done this way so admin can see easily which are private galleries.

However, I do think it strange that admin cannot see them when the show icon setting is set to no.
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

etienne

Quote from: "Casper": You set the 'show private icon to unlogged user' in config to YES, and then admin sees all the albums. Private albums have the private icon at the front page, but when you go to the category page, you will see the admin boxes, and when you go to the album, you will see the pics as normal.

That's the setting I have... but what I can't do is enter an album whose access is restricted to a group of users. (I can edit/delete the album but not enter and browse the pictures.)

Casper

Quote from: "etienne": That's the setting I have... but what I can't do is enter an album whose access is restricted to a group of users. (I can edit/delete the album but not enter and browse the pictures.)

I find that strange. I have set up a group I call 'superusers', and when in admin mode I can edit and browse their albums, even those set to be viewed only by 'superusers'. :?

And I have just gone back and re-tested to confirm.  It works for me.