[Fixed] Private shown 'users can have private album'=off - Page 2
 


[Fixed] Private shown 'users can have private album'=off

Started by thekingster, December 09, 2003, 11:08:43 PM


arbel

Thank you for the response.
The website URL is http://gallery.arbel.info.

There are three albums, all of which are accessible only by the "Family" group members. Nevertheless, an unregistered surfer can click the "Last Uploads" button and see all the pictures.

FYI, A family group login is family/coppermine.

Thank you.

Casper

This should not be happening.  It seems you have an error in your displayimage.php.

Unregistered visitors can see the thumbs, not just by the 'last up' link, but by the 'most viewed', and also by the album icon.

But they can only see the thumbs.  When a visitor clicks on the thumb, they get this error;

Fatal error: Call to undefined function: theme_get_album_category() in /hsphere/local/home/eranarbe/gallery.arbel.info/displayimage.php on line 594


Have you modified the code?  The displayimage.php that comes with the 1.2.0Final or 1.2.1 package does not go up to 594 lines, and does not contain this function 'theme_get_album_category'.
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

arbel

Casper, you are correct. I did modify the code in displayimage.php, along with a theme. I've replaced the theme to one of the defaults, without resetting displayimage.php as well.

Anyway, now I've reset the script back to default, and the gallery still misbehaves in terms of the backdoor.

Thank you.

Casper

Yes, I can now visit the pics, even though not logged in, or even a member.

When you created the group 'family', did you alter the group 'anonymous' in any way?

arbel

No, I don't think so.

Let me know if administrator access to the gallery and MySQL access to the database would be of any help.

Casper

To be honest, I'm no expert in PHP or MySQL, so if you have set everything properly, I doubt if I will be much use.

You would be better helped by one of the dev team, such as gaugau, but I will give it a go if you want.  You can im me the details if you like, and I'll have a look.

Joachim Müller

@casper: dealing with such support questions will actually make you an expert on such issues, so I'm confident you'll be able to help. If you should really be stuck, please contact me by pm (this means only casper can pm me, not everyone! Please understand this...) or reply to this posting.

GauGau

Casper

@gaugau, thanks for the vote of confidence  :D

@arbel, ok, pm me the admin logon details and MySQL access details, and I'll have a look. If I can't help, I'll take up gaugau's offer.  :wink:

arbel

Guys, thank you for the support.

I have sent Casper all the login details.

Another interesting thing I noticed is that once I create new albums, I can no longer see the controls that allow you to set the permissions for the album. I have a feeling that this might be related.

Casper

Hi Arbel,

I found this to be related to the fact that you had set 'users can have private albums' to NO.  For some reason, this removes the view permissions, and although the 'Private' icon is shown, the actual albums are visible.

@gaugau, this appears to be a bug.  I tested it on my own gallery, and the same thing happened.

@Arbel, I looked at your settings, and found you do not allow registration, and the 'family and friends' group only has view permissions, and cannot upload, so the change I made to your config should not matter.

I did not go to your mysql database.  Hope this all helps.  You should now delete my accounts, particularly to your database.

arbel

Casper, you are THE KING.

Thank you very much, and I'm happy that this bug was finally nailed down.

Cheers!

Joachim Müller


Tarique Sani

Had a closer look at the problem.

The actual bug is that a private Icon is shown even though 'users can have private albums' is set to NO

If 'users can have private albums' is set to NO it means that none of the users (even admin) can have a private album.

The way I am going to fix this is to show the correct Album Icon for private albums in case 'users can have private albums' is set to NO.

The second thing would be if 'users can have private albums' is set to NO the drop down to select Privacy modes should not appear in the modify album page
SANIsoft PHP applications for E Biz

Tarique Sani

Fixed and committed to CVS devel

Search for the two lines similar to
if ($visibility == '0' || $visibility == (FIRST_USER_CAT + USER_ID) || $visibility == $USER_DATA['group_id'] || $USER_DATA['group_id'] == 1) { // test for visibility

Change them to

if ($visibility == '0' || $visibility == (FIRST_USER_CAT + USER_ID) || $visibility == $USER_DATA['group_id'] || $USER_DATA['group_id'] == 1 || $CONFIG['allow_private_albums']==0 ) { // test for visibility

This will prevent the Private Icon being shown when 'users can have private albums' is set to NO
SANIsoft PHP applications for E Biz
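
An added example, not part of the post above or of the Coppermine code base: the quoted test modelled as a PHP function and evaluated before and after the change for constructed users and albums. The function name, the value of FIRST_USER_CAT, the group ids and the sample data are assumptions; only the boolean expression comes from the post.

```php
<?php
// Added illustration, not Coppermine source. Only the boolean test is taken
// from the post; constant values and sample data are constructed.
const FIRST_USER_CAT = 10000; // assumed value for this sketch

// The test as quoted in the post. The original reads USER_ID and $USER_DATA
// from global state; here they are passed in as $user. $patched adds the
// new "|| allow_private_albums == 0" clause.
function passes_visibility_test($visibility, array $user, array $config, bool $patched): bool
{
    $ok = $visibility == '0'
        || $visibility == (FIRST_USER_CAT + $user['user_id'])
        || $visibility == $user['group_id']
        || $user['group_id'] == 1;
    if ($patched) {
        $ok = $ok || $config['allow_private_albums'] == 0;
    }
    return $ok;
}

// Constructed viewers: an unregistered visitor and a member of a restricted group.
$users = [
    'anonymous' => ['user_id' => 0, 'group_id' => 3],
    'family'    => ['user_id' => 7, 'group_id' => 5],
];
// Constructed albums: public, restricted to group 5, private to user 7.
$albums = ['public' => 0, 'family only' => 5, 'user 7 private' => FIRST_USER_CAT + 7];

foreach ([1, 0] as $allow) {
    $config = ['allow_private_albums' => $allow];
    echo "allow_private_albums = $allow\n";
    foreach ($users as $uname => $user) {
        foreach ($albums as $aname => $visibility) {
            $before = passes_visibility_test($visibility, $user, $config, false);
            $after  = passes_visibility_test($visibility, $user, $config, true);
            printf("  %-10s %-15s before=%-3s after=%s\n", $uname, $aname,
                $before ? 'yes' : 'no', $after ? 'yes' : 'no');
        }
    }
}
```

With the setting at 0 the patched test passes for every viewer and every album, so after applying the change it is worth confirming as an unregistered visitor that group-restricted albums are still not viewable.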

Casper

Quote from: "tarique"
Had a closer look at the problem.

The actual bug is that a private Icon is shown even though 'users can have private albums' is set to NO

If 'users can have private albums' is set to NO it means that none of the users (even admin) can have a private album.

The way I am going to fix this is to show the correct Album Icon for private albums in case 'users can have private albums' is set to NO.

The second thing would be if 'users can have private albums' is set to NO the drop down to select Privacy modes should not appear in the modify album page

The problem I see with this, is that when set to NO, there will be no way for admin to restrict who views the albums he makes, as the privacy modes box is not there.  Surely many admin users will want to both disallow private albums for users, but still restrict who can view.

As admin is the only one who can create albums with this setting, the privacy box should still be available for him.  At the moment, it is not.

But this also links with another problem.  When there is no Private icon showing, Admin cannot see restricted albums set for registered groups etc, and cannot edit them.  (if this has been fixed, sorry I missed it).

So my own view of what to do to fix.
As admin can set this in groups permissions anyway, remove the 'users can have private albums' from config altogether (why have it twice), but change the admin privacy settings to be always there when in admin mode (gallery admin only, not user admin).

Hope this all makes sense.

Tarique Sani

Hey I fixed a bug - you are asking for a feature ;)

BUT yes you are right...

Joachim Müller

As a workaround you can enable "users can have private albums" and remove the upload and user_admin navigation elements from your theme (works for me). A user who doesn't have in-detail knowledge of coppermine structure won't see the difference...


Casper

@tarique, sorry, it wasn't intended as criticism, just trying to point out other problems associated with it. :wink: I realise you fixed the actual bug.

If what I suggested is a feature request, as opposed to a bug fix, which would make the setup more logical and admin friendly (and stop the host of requests 'why can't admin see private albums', and 'how do I prevent so & so from seeing my albums'), then I shall post it in the relevant forum.  :D

@gaugau, as I allow private albums, this doesn't affect me, but it seems to me that end users of the app should not have to fiddle with code as a workaround to something that you expect 'out of the box'.

The simple way round this is to leave the setting 'users can have private albums' and 'show private album icon to unlogged user' set to YES in config, and use the group settings to disallow private albums.  Users in groups not allowed private albums don't get an admin area, do they.

This works, admin can still set view permissions, can still see and edit private albums (if allowed) that belong to other groups.

But the current situation does cause some confusion.  What is the point of having this setting twice, in config and in groups?

As I said at the start, this isn't criticism, I'm just trying to look at this from a logical view.  I still think this is a great app.  :wink: