[Fixed]: Error when registerd users try to edit (crop/rotate) private pictures.

[Joep28]

Hello,
I have a problem with a fresh coppermine install.
I installed Coppermine Photo Gallery 1.4.25 (stable). When i login with admin rights, i can edit my private and public pictures. For example, i can crop and rotate them.
Works perfect.
However, if i disable the admin privileges for the same user, then i get an error when i try to edit my private pictures.
The edit button is there, but when i click on it, a pop-up appears with the message: You are not allowed to visit this page.
The error message says: File: /var/www/coppermine/picEditor.php - line: 82  
The same occurs with every other regular users in the administrators or registered group.All the groups allow the use of personal groups.


I'm a little lost after spending the whole afternoon reading manuals, forum posts and googling around. Found nothing that could help me solve this.
Hope you guys have any ideas about this?
Thanks.
Joep

[Joachim Müller]

Yes: do as suggested per board rules (you agreed to respect them when  signing up) and post a link to your gallery for a start. As you claim that this happens for a non-admin, you should post a non-admin test user account.
You probably have been looking at the cached copy of the crop/rotate page, so you should clear your cache first after removing privileges from the user's account.

[Joep28]

Thanks for the reply.
I'm currently unable to let you access the photo gallery. Its on a private lan.
The suggestion that it would have something to do with the cache also crossed my mind. So i already cleared the cache, and even tried it on a different computer with another user. Same thing.
I also tried switching from firefox to ie, but also no difference here.

[Joep28]

What rights do the files in the /var/www/coppermine directory need?
I didn't changed anything, except for the albums subdir. (chmod 777)

[Nibbler]

Looks like a bug to me. The permission check to display the button is:

Code Select Expand


  if ((USER_ADMIN_MODE && $CURRENT_ALBUM_DATA['category'] == FIRST_USER_CAT + USER_ID) || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC_DATA['owner_id'] == USER_ID && USER_ID != 0) || GALLERY_ADMIN_MODE) {
    $picmenu .= <<<EOT
     <a href="javascript:;" onclick="return MM_openBrWindow('picEditor.php?id={$CURRENT_PIC_DATA['pid']}','Crop_Picture','scrollbars=yes,toolbar=no,status=yes,resizable=yes')" class="admin_menu" >{$lang_display_image_php['crop_pic']}</a> <a href="editOnePic.php?id={$CURRENT_PIC_DATA['pid']}&amp;what=picture"  class="admin_menu">{$lang_display_image_php['edit_pic']}</a> <a href="delete.php?id={$CURRENT_PIC_DATA['pid']}&amp;what=picture"  class="admin_menu" onclick="return confirm('{$lang_display_image_php['confirm_del']}'); return false; ">{$lang_display_image_php['del_pic']}</a>
EOT;
  }


The permission check in picEditor.php itself are

Code Select Expand


if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}


Those should match.

[Nibbler]

Looks like the change made for http://forum.coppermine-gallery.net/index.php/topic,54414.0.html made it even more broken.

[Nibbler]

Fixed in 6538. To fix manually edit picEditor.php find

Code Select Expand


if (isset($_GET['id'])) {
        $pid = (int)$_GET['id'];
} elseif (isset($_POST['id'])) {
        $pid = (int)$_POST['id'];
} else {
        $pid = -1;
        cpg_die(ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);
}

// Initialize the array
$CURRENT_PIC = array();

if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}

if ($pid > 0){

        $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} WHERE pid = '$pid'");
        $CURRENT_PIC = mysql_fetch_array($result);
        mysql_free_result($result);
        $pic_url = get_pic_url($CURRENT_PIC,'fullsize');
}


Change to

Code Select Expand


if (isset($_GET['id'])) {
    $pid = (int) $_GET['id'];
} elseif (isset($_POST['id'])) {
    $pid = (int) $_POST['id'];
} else {
    cpg_die(ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);
}

if ($pid > 0) {

    $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} WHERE pid = '$pid'");
    $CURRENT_PIC = mysql_fetch_assoc($result);
    mysql_free_result($result);

    $result = cpg_db_query("SELECT category FROM {$CONFIG['TABLE_ALBUMS']} WHERE aid = '{$CURRENT_PIC['aid']}'");
    $CURRENT_ALBUM = mysql_fetch_assoc($result);
    mysql_free_result($result);
       
} else {
    cpg_die(ERROR, $lang_errors['non_exist_ap'], __FILE__, __LINE__);
}

if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID) || ($CURRENT_ALBUM['category'] == FIRST_USER_CAT + USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}


[Joep28]

Good work guys, it solved my problem   
Thanks for looking into it.

Joep

[joeyhavlock]

Thats for fixing this....the code worked fine and allows my users to now use the crop/rotate features....BUT

When they use it it turns their pictures to complete black, any idea why?

Thanks
Joey

[joeyhavlock]

Thats for fixing this....the code worked fine and allows my users to now use the crop/rotate features....BUT

When they use it it turns their pictures to complete black, any idea why?

Thanks
Joey

This only appears to happen when the image is rotated plus or minus 90 degrees, if it is rotated 180, then it seems to work fine.