How to give reg. users access to the batch upload function
Started by _dopehead_, March 14, 2004, 05:46:23 PM

_dopehead_

I have been searching for this and did not find any answers. How do I enable access to the batch upload function in Coppermine for my registered users? I don't want them to be admins, but they should have access to batch uploading the pics that they have ftp'ed to my server.

Jan

Joachim Müller

Batch-add is an admin-only function, as it would require your users to have ftp access, which they could easily use to take over your whole server. In other words: this can't be done!

GauGau

goebelmeier

Why can't this be done? I'm webmaster of a website with 5 different photographers (dict.leo.org, German -> English :)), each has his own ftp-directory in a chroot which is named /albums/<name>/. Until now, all 5 have admin rights to use batch-add. In the future I would like them only to add albums and use batch-add. I don't see any security risk in implementing such a feature.

Wow, bad English, but I hope you will understand :)

Joachim Müller

OK, we decided to let only admins have batch-add, because if we didn't, there'd be a lot of newbie webmasters who gave away ftp-upload permissions to their users without any restriction. The restriction must be that the ftp-uploads must either not be accessible by http or php-parsing must be disabled or uploads must be server-side restricted to certain file types that can't be harmful. The reason why an un-secured ftp access would be disastrous for security is easy to see: a "bad guy" might upload a script file (php, perl or whatever) and execute it in the browser - this way, he could gain access to the whole website and take it over.
I'm sure that the pros out there know how to secure their ftp-uploads, but "regular" webhosted "wannabe-admins" won't. This is why there's no batch-add for "regular" users - just to not lead "newbies" into temptation. Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

GauGau
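
One way to enforce the third restriction listed in the post above (server-side restriction of FTP uploads to harmless file types), as an added example that is not part of the original thread and is not Coppermine code: a Python audit that walks the FTP upload tree and reports every file that is not a genuine image. The extension lists and function names are assumptions made for this example.

```python
import os
import sys

# Allowlist of image types (an assumption for this example), each mapped to
# the magic bytes a real file of that type starts with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server may hand to an interpreter (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pl", ".cgi", ".py", ".sh"}


def check_file(path):
    """Return a reason string if the file must be rejected, else None."""
    parts = os.path.basename(path).lower().split(".")
    # Reject a script extension anywhere in the name, not only at the end.
    if any("." + p in SCRIPT_EXTS for p in parts[1:]):
        return "script extension in name"
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:
        return "extension not in allowlist"
    with open(path, "rb") as fh:
        head = fh.read(16)
    # The content must start with the signature of the claimed image type.
    if not head.startswith(ALLOWED[ext]):
        return "content does not match extension"
    return None


def audit(upload_root):
    """Walk the upload tree; return {relative_path: reason} for rejects."""
    rejects = {}
    for dirpath, _dirs, files in os.walk(upload_root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = check_file(full)
            if reason:
                rejects[os.path.relpath(full, upload_root)] = reason
    return rejects


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python audit_uploads.py <upload directory>
    for rel, why in sorted(audit(sys.argv[1]).items()):
        print(f"REJECT {rel}: {why}")
```

A check like this complements, rather than replaces, the other two restrictions from the post: keeping the upload directory out of HTTP reach or disabling PHP parsing for it.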

goebelmeier

Quote from: GauGau on July 13, 2004, 06:50:59 PM
Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

Thanks... Very good hint. I haven't looked at the source yet.