Error: New Plugin for Permission Control

[macmiller]

Based on this plugin: plugin delete control I created another simple plugin which removes some settings from the modify album page.  The plugin code is as follows:

Code Select Expand

<?php
/**************************************************
  Coppermine Plugin - Delete Control
  *************************************************
  Copyright (c) 2005 Paul Van Rompay
  *************************************************
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.
***************************************************/
//
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

// ------------------------------------------------------------------------------------------------
// Add filters - process search album and add to search results page
// ------------------------------------------------------------------------------------------------
$thisplugin->add_filter('page_html','permControl_filterpage');

// ------------------------------------------------------------------------------------------------
// Filter page_html to remove delete buttons
// ------------------------------------------------------------------------------------------------
//
  function permControl_filterpage($html) {
   if (defined('MODIFYALB_PHP') && !GALLERY_ADMIN_MODE) {
$html = preg_replace('/(?U)(?s)(<tr>\s*<td class="tableh2" colspan="2">\s*<strong>Permissions for this album<\/strong>).*depending on groups settings.*\/td>.*\/tr>/','',$html);
   }

return $html;
}

// ------------------------------------------------------------------------------------------------
// End of plugin code
// ------------------------------------------------------------------------------------------------

?>

This code simply removes 4 options from the update album screen (modifyalb.php) for non-admins:

Album can be viewed by     
Password protect this album (Tick for yes)     
Visitors can post comments *     Yes    No
Visitors can rate files *     Yes    No
[and a line which reads * depending on group settings]

The problem comes into play when the user goes to perform an update.    A database error is generated due to the fact that the visibility variable is not initialized.  see 'visibility = , alb_password = '',' part of the sql query. 

Code Select Expand

While executing query 'UPDATE cpg15x_albums SET title = 'test project', description = 'album description', category = 10084, thumb = 0, comments = 'NO', votes = 'NO', visibility = , alb_password = '', alb_password_hint = '', keyword = '' WHERE aid = 1' in db_input.php on line 433

My question is where should I add the initialization of the variable?  I am confused since the plugin is only removing the display from the screen so wouldn't expect it to break things, however it does work fine when the plugin is deactivated so it is definitely the plugin.

[Αndré]

If you don't submit those form values, they'll be empty hence causing that issue. As far as I can see it's not possible to achieve a secure solution as Coppermine always uses the submitted values:

Code Select Expand

    $aid = $superCage->post->getInt('aid');
    $title = $superCage->post->getEscaped('title');
    $category = $superCage->post->getInt('category');
    $description = $superCage->post->getEscaped('description');
    $keyword = $superCage->post->getEscaped('keyword');
    $thumb = $superCage->post->getInt('thumb');
    $visibility = $superCage->post->getInt('visibility');

    $uploads = $superCage->post->getAlpha('uploads') == 'YES' ? 'YES' : 'NO';
    $comments = $superCage->post->getAlpha('comments') == 'YES' ? 'YES' : 'NO';
    $votes = $superCage->post->getAlpha('votes') == 'YES' ? 'YES' : 'NO';


Of course you can replace the buttons with hidden fields (you'd need them to avoid that error message), but users who know their way around could still change that values. A real secure solution would need a check around the above mentioned code.

[macmiller]

For the time being I hacked the db_input.php file adding this initialization code below the code mentioned above (where the variables are set from the form values).

Code Select Expand

    if (!GALLERY_ADMIN_MODE) {
       $visibility = '1';
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }

It is not a good solution as all the code should be in the plugin but it does work and eliminate the db access error. 

[macmiller]

Just to correct the hack code in case anyone is looking at this.  The visibility code should be set to 0 and not 1. 

Code Select Expand

    if (!GALLERY_ADMIN_MODE) {
       $visibility = '0'; //this should be set to 0 not 1
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }

[daveweb]

I have installed the plugin and it appears to work ok, however when a user creates a new album it is setting the default method to Everybody (Public Album). Is there a way to make it default to Album owner only?
Any help would be appreciated

[daveweb]

Sorry please ignore last request, only just realised that the gallery default is for Everybody (Public Album). Of which I have found the solution for changing in another thread.