Batch Uploading for specific Usergroup

Started by grosseskino, August 20, 2007, 02:29:37 PM


grosseskino

Hi!

I already read that batch-uploading is only allowed for admins.
On my site, I have some friends helping me monitor the site.

I want them to be able to do FTP uploading and batching.
How is this possible?
Is there a way of giving them co-admin rights?

And: Yes, I trust these friends

Hein Traag

If you really really really trust them you can always add them to the admin group. Not advised but it is possible.


grosseskino

Actually,

I'd like to give them a kind of Supermoderator rank.
Is there any way to get my problem solved without admin'ing them...?

Joachim Müller

No. Either you trust them entirely (and you better do so when giving them FTP-access) and make them admins or you don't. There's no such thing as a moderator built into coppermine. There are a couple of mods that add moderator status to users (in terms of comment moderation, upload approval etc.). None of those mods gives them access to batch-add, as giving users FTP-access is the worst thing you could possibly do in terms of security. Someone with FTP access can do anything to your site.

grosseskino

Maybe someone can modify or create a mod for this?
I think I'm not the only one with this suggestion... ::)

Joachim Müller

Quote from: grosseskino on August 23, 2007, 03:18:04 PM
"maybe someone can modify or create a mod for this?"

Seems like you haven't read or understood my reply: it would be extremely easy to grant others than the admin permission to access the batch-add page searchnew.php (in fact you'd just have to edit the security check and hard-code some user-IDs in), but that is not the point: for batch-add to work it is a pre-requisite that the files already reside on your publicly accessible web-space. The only way the files can get there is by FTP (all other methods would have the same drawbacks the existing http uploads form has). This would mean that you would have to grant those users FTP-access. But granting FTP access to others is the actual security risk. There would be no security risk to grant others the privilege to batch-add once files exist on your webserver (the only thing that could go wrong is some level of disorder in your gallery), but no breach of security.
As the security issue lies in granting FTP access to others and does not lie in allowing users to access searchnew.php, this is nothing that could be accomplished by modding Coppermine.

Quote from: grosseskino on August 23, 2007, 03:18:04 PM
"i think i'm not the only one with this suggestion... ::)"

No, you're not the first one to request this. All others who requested this got a similar reply to yours. I was just playing nicely and answered your question in detail instead of just posting "search the board, the answer has already been given". You have to understand that the fact that many newbies would find the feature helpful doesn't mean that the goal can be achieved. I tried to explain why it can't be achieved. I definitely will not come up with code that will lead others to believe that it is a bright idea to give FTP privileges to your users and everything will be fine. So if you're not concerned at all about the security impact that granting FTP access to your users would have, go ahead and code the needed small changes in searchnew.php (or hire someone to do this for you). I will definitely not come up with such a crappy piece of code, as I'm not keen on Coppermine getting a reputation similar to PHPnuke.

Quote from: grosseskino on August 20, 2007, 02:29:37 PM
"And: Yes, I trust these friends"

So you gave them your access data to your mysql database, your car keys and your credit card? Do they sleep in your bed together with your girlfriend if you're away? If your answer to all those questions is "yes" as well, then go ahead and grant them FTP access.

Joachim

mc38

Quote:
"it would be extremely easy to grant others than the admin permission to access the batch-add page searchnew.php (in fact you'd just have to edit the security check and hard-code some user-IDs in)"

Hi - I understand everything discussed here - but I do have a valid technical and commercial reason for allowing one existing registered user to use the batch upload.  Can you help out by pointing me in the right direction to allow access to searchnew.php?

thanks!

Joachim Müller

Edit searchnew.php, find

if (!GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

and replace it with

if (!GALLERY_ADMIN_MODE) {
  // the user is not an admin. Let's test if he is the one non-admin who is allowed to use searchnew
  if (USER_ID != '1234567') {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
  }
}

Change the string 1234567 to the ID of the user who is supposed to have access. Don't complain if something goes wrong. You have been warned. FTP access is not meant for non-admins.

Impeerator

That's exactly what I need, too!

What about giving FTP permission just for one folder in the "albums"-folder? So the user only can do something in this folder.

mc38

GauGau - Thanks so much! I have been warned - I won't come crying!
Impeerator - that's exactly what I intend to do...

Joachim Müller

Quote from: Impeerator on September 22, 2007, 06:03:02 PM
"What about giving FTP permission just for one folder in the "albums"-folder? So the user only can do something in this folder."

Sure, great idea. What will keep them from uploading a malicious file into that particular folder and then running it in their browser?