Registered users to create albums in categories other than User galleries
 


Started by pvsujith, December 09, 2005, 07:54:55 AM


pvsujith

Hi,
Is there a way to allow registered users to create albums in any of the available categories? By default, albums created by registered users are under User galleries.

I use:
CPG 1.4.2 stand alone installation
OS - RHL 9
Apache 2.0.40
PHP 4.2.2
MySQL 3.23.54

Regards

Joachim Müller

no, regular users can't create albums inside public categories - no hack available.

janus

Hm...
Yesterday I spent about two hours investigating this issue and made the following fix.
Please have a look at the attached files.

Unfortunately, I have not commented the changes, so you should call the diff command.

It seems to run on my server.


Joachim Müller

yes: I looked into your submission - it just disables all security on gallery core files, making every user an admin who can then edit the whole gallery at will, leaving the gallery just as vulnerable as if you published your admin account on your own home page. Using your hack is not recommended at all, I strongly suggest you remove it from your site asap. Bypassing security by adding user_admin to the check is not all it takes to securely allow users to create public albums. If things were that easy, we would have added it to coppermine's core long ago ;)

janus

Quote from: GauGau on December 26, 2005, 11:55:01 PM
yes: I looked into your submission - it just disables all security on gallery core files, making every user an admin who can then edit the whole gallery at will, leaving the gallery just as vulnerable as if you published your admin account on your own home page. Using your hack is not recommended at all, I strongly suggest you remove it from your site asap. Bypassing security by adding user_admin to the check is not all it takes to securely allow users to create public albums. If things were that easy, we would have added it to coppermine's core long ago ;)
Yes, that's correct. But I thought I had changed only the ifs/elses where it deals with album creation. And on exactly this issue I'd like to give my users admin rights.
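
The problem Joachim Müller describes above, as an added example that is not part of the thread and is not Coppermine code: a single role gate widened to include user-admin mode, next to a check scoped per action and per album. All names (`widenedGate`, `scopedGate`, the category names, the grant table) are hypothetical and the data is constructed.

```php
<?php
// Constructed model, not Coppermine code: all names here are hypothetical.
$albums = [
    1 => ['owner' => 10, 'category' => 'public-nature'],
    2 => ['owner' => 20, 'category' => 'user-gallery-20'],
];
// Categories each group may create albums in (assumed per-category grant).
$createGrants = ['registered' => ['public-nature']];

// Pattern described in the thread: one role gate in front of every action.
// Adding the user-admin role to it opens create, edit and delete alike.
function widenedGate(array $user): bool
{
    return $user['is_admin'] || $user['is_user_admin'];
}

// Scoped alternative: decide per action and per object.
function scopedGate(array $user, string $action, array $target, array $grants): bool
{
    if ($user['is_admin']) {
        return true;
    }
    switch ($action) {
        case 'create':
            // Only categories explicitly granted to the user's group.
            return in_array($target['category'], $grants[$user['group']] ?? [], true);
        case 'edit':
        case 'delete':
            // Only albums the user owns, whatever category they sit in.
            return $target['owner'] === $user['id'];
        default:
            return false; // unknown actions are denied
    }
}

$user = ['id' => 20, 'group' => 'registered', 'is_admin' => false, 'is_user_admin' => true];
$checks = [
    ['create', ['category' => 'public-nature']],
    ['create', ['category' => 'public-events']],
    ['delete', $albums[1]],   // someone else's album
    ['delete', $albums[2]],   // the user's own album
];
foreach ($checks as [$action, $target]) {
    printf("%-6s %-16s widened=%s scoped=%s\n", $action, $target['category'],
        var_export(widenedGate($user), true),
        var_export(scopedGate($user, $action, $target, $createGrants), true));
}
```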