Administrators not in Registered User group?

Started by OPaul, October 19, 2003, 10:25:05 PM


OPaul

I have two private albums that are set so that only people in the Registered group can see them; however, people in the Administrator group can't see them. Shouldn't Administrators be considered in the Registered group too? Otherwise administrators would need to have two accounts, one to edit and upload pics and one to view private ones.

OPaul

Is this by design? Is there an add-on or something to remedy the situation?

jasendorf

I see what you mean.  Additionally, once you have set it for "registered users," admin can't even edit the properties for the album because it is no longer displayed.  Hmmmm....
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.

Joachim Müller

at the moment, coppermine users can't be members of different groups. At the moment I'd recommend having only one admin for the gallery.
Afaik there's no patch for this at the moment - sorry.

GauGau

OPaul

Is it something simple I can change inside the code? For example changing some output method to (USER_GROUP == 1 || USER_GROUP == 2).

Joachim Müller

I'm afraid it's not this simple - if it were, I'd post a quick-and-dirty fix...

GauGau

Casper

I have the same problem.  I set an album to registered users only, and can no longer view, or edit.  I understand it is not possible to be a member of more than 1 group, but is there a fix to the code so that when set to registered only, this includes all groups except unregistered and banned.

And does this mean that if a newly registered member put up a gallery that I considered unsuitable, but they set it to registered only, I would be unable to remove it.   :?:
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Casper

OK, I found answer in other thread http://forum.coppermine-gallery.net/index.php?topic=579
Set 'show private album icon to unlogged user' to yes, then admin can edit the album.
 :)

Adm.Spock

Quote from "casper":
OK, I found answer in other thread http://forum.coppermine-gallery.net/index.php?topic=579
Set 'show private album icon to unlogged user' to yes, then admin can edit the album.
 :)


I too struck this problem, and this is indeed the workaround.

It would be really nice to see this whole problem (including all related features) resolved in the next release or patch.

U-nas

another solution is to have one, just one album which has the option: "Show only for adminmembers".
If you then want to change another album (one that admin cannot see or edit) you simply just click "edit pics" for your "Show only for adminmembers" album and in the right upper corner of the properties, you can now edit another album!

tom

Quote from "gaugau":
at the moment, coppermine users can't be members of different groups. At the moment I'd recommend having only one admin for the gallery.
Afaik there's no patch for this at the moment - sorry.

GauGau
@GauGau: I have been looking for hours at different posts in the forum - one key problem for me and others seems to be that the admin user is not in the registered group.

Could you pls. help me with some insight about the modify-user form in the config area?
There is a section "User-group" which has a dropdown list where I can choose exactly one group - then there are boxes where I can select as many groups as I like ...

In the cpg_users-Table I can see that the first item goes to the user_group-field and the other items seem to go to the user_lang (?) field.

Where is this second set of group-data used by CPG ?

I personally find this issue to be too important to be moved into the "far" feature. CPG seems to be so well done in many areas and I am really impressed about many features it has - but that the admin cannot see albums which are made for other groups is really a bug and there is no other word than bug for that.

To fix this problem in a way that all users get to see this private-album-icon is not a nice way for good websites. Why should I show something to all users which they are not supposed to see ?

Tom

Casper

Tom

Quote:
To fix this problem in a way that all users get to see this private-album-icon is not a nice way for good websites. Why should I show something to all users which they are not supposed to see ?

I know what you are saying, and I also want this fixed, along with the 'users can have private albums', which if no turns off the admin ability to change viewing permissions.

But, this is a good workaround.  The unlogged/unregistered user only sees the icon, and when they click on it, see the 'no pictures' page, not the album itself or the pics, as the admin does.  They do not, and cannot, see the pics.

frankae

I agree that this is an important feature.

Particularly considering that the "only allow registered user to view normal/full-size images" hacks posted on this board are ridiculous when it's security you have in mind.

As soon as a real thumbnail is shown, the folder structure of a gallery and sometimes even whole naming convention of picture files is obvious and any user can just call the image directly in his browser, in the size of his choice. Using the .htaccess hack also presented in this forum just adds referer authentication to the problem. Referers are client-side and thus easily faked.

Just to underline that I am really waiting for this problem to be solved...

Joachim Müller

Then, I guess, you'll have to re-invent the www :wink: ! There's no absolute security on the web - things that have to remain private under all circumstances mustn't be published on the internet. We had this discussion several times before on this board (and a million other boards on the internet used to discuss this as well).
Let's just say that the existing hacks will keep 90% of all users out, which is better than nothing...

Quote from "frankae":
Just to underline that I am really waiting for this problem to be solved...
Instead of waiting, why don't you do something about it, and start to work on a solution? :?

GauGau

frankae

I am sorry, I didn't mean to cause an emotional reaction. I just meant to say that it would make sense if cpg had the same level of security for accessing images as it has for commenting rights, for example. And that if this cannot be achieved for technical reasons, that it be made clear to the user.

If some professional hacker can analyse your source for a day to finally find an attack to elevate user privileges - fine. I have no problem with that at all. I even kindly propose a link to the source so he doesn't have to guess what gallery I am running.

But if it takes ME 30 seconds to bypass a restriction setting explained in your official FAQ, I feel concerned. And this is far off any unrealistic discussion on absolute security on the Web.

Joachim Müller

although I don't know what section of the faq you're actually referring to, I'd like to know what you propose as an option. Delete the faq?

My posting hasn't been emotional (those who have been around on this board for a while can tell how I spell "feeding frenzy" :wink: ).
Let us not turn this into a flame thread....

What I was asking for: do you have any proposal what to fix? We have to rely on user input; just nagging doesn't help the project. Of course coppermine is pretty secure! How do I know? Because there haven't been reports of hacks. Is Coppermine absolutely secure? Of course not, no software is. Sooner or later coppermine might become "big" (well known) enough for the script kiddies to start developing an appetite.

Stuff going on on the server (like db lookups inside mySQL tables) just isn't the same thing as "browser magic". Security of comments just is not related to security of pics - the one thing happens on the server, the other one inside the user's browser.

Right now we're way off the topic of this thread - please post some last comments if you feel like it; I'll lock this thread later...

GauGau

tom

Quote from "frankae":
...But if it takes ME 30 seconds to bypass a restriction setting explained in your official FAQ, I feel concerned. And this is far off any unrealistic discussion on absolute security on the Web.

I don't want to pour oil on the fire - but I totally agree with Frankae. This is not a far off issue but rather one of the key issues to be solved in one of the next versions of CPG.

Tom

Joachim Müller

same answer as I have already given to frankae: please share your ideas with us on how to solve this "issue", not just some "this had better be solved" posting...

GauGau

frankae

We're not that far off the thread topic I think. The administrator is not in the registered users group was the beginning of it. Because this is so, people have started asking for hacks for restricting access to this and that, because they couldn't use the feature originally intended for the purpose, because it didn't work properly.

I only pointed out that the hacks proposed on the board (http://forum.coppermine-gallery.net/index.php?topic=2357) and FAQ (the one that was in the downloaded install for coppermine I called 'official') to remedy the problem do not live up to the security standards present everywhere else in cpg, and that this is not made obvious. One user in the thread above thinks the workaround 'works like a charm'. I pointed this out so as to corroborate other posters on this thread in order to further convince the developers that this is a high priority issue.

My proposition regarding the FAQ is to include a notice that the workaround presented can only be considered an emergency solution, and that users should not forget to upgrade to the next release when this issue is being dealt with properly.

You call for not turning to flaming... Yet exaggerations and generalizations ("reinvent the WWW", "absolute security") and suggesting I would suggest something completely silly ("delete the FAQ") are common ways to disrespect another's intelligence to the point where flaming will start. All I said that apparently offended you is that these two particular hacks on this board are ridiculous in terms of security, which they are, in comparison to the way security is handled everywhere else in this outstanding app.

btw. it's not the script kiddies who come up with hacks, they only reproduce them, going by (someone else's) "script". That's the idea of the term, they're supposed to be lame, etc.

What do you mean by security of comments? A serious hacker who's after your pictures would try to find out what web app you're using for your gallery so as to have a look at the (PHP!) source and learn your likely folder structure and possible ways you could have set it up wrong, etc. This task is greatly facilitated if the app puts its name and version in an html comment on every page, as does cpg. That's how the comments relate to the security of your pictures.

But anyway,

peace, oK :)

malc

I don't know why GauGau thinks the solution is not that simple, 'cos here's a quick Mod to do what you want.  It involves changing exactly three lines!

In index.php, lines 360, 451, and 472 (version 1.2.1 final/standalone) change the part of the line (it's an if statement) that reads:

if ($visibility == '0' || $visibility == (FIRST_USER_CAT + USER_ID) || $visibility == $USER_DATA['group_id']) {


to read:

if ($visibility == '0' || $visibility == (FIRST_USER_CAT + USER_ID) || $visibility == $USER_DATA['group_id'] || $USER_DATA['group_name'] == 'Administrators') {


(For other versions, search for USER_DATA and you'll find the three "if" statements that are concerned with visibility!)

What this does is simply treat the case where the album is private *and* the user is an administrator exactly as if the user was a member of the authorized group.

Enjoy...

[ And feel free to move this over to the "Mod" section if appropriate! ]
Malc.
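A stand-alone model of the visibility test that malc's mod changes, added here as an example (it is not Coppermine's code and not part of malc's post): the value of FIRST_USER_CAT, the group ids and the user records are constructed, and the user id is passed as a parameter instead of the USER_ID constant.

```php
<?php
// Added example, not Coppermine's own code: a stand-alone model of the
// visibility test that malc's three-line mod changes, so the original and
// modified behaviour can be compared side by side. The constant value, the
// group ids and the user records below are constructed for this example.
define('FIRST_USER_CAT', 10000);          // assumed offset for per-user categories
define('ADMIN_GROUP_NAME', 'Administrators');

// Original test from index.php: public album (0), the viewer's own personal
// category, or an album restricted to the viewer's own group.
function can_view_original($visibility, $user_id, array $user_data)
{
    return $visibility == '0'
        || $visibility == (FIRST_USER_CAT + $user_id)
        || $visibility == $user_data['group_id'];
}

// malc's mod: the same test, plus a pass for anyone whose group is named
// "Administrators". Note the match is on the group *name*: renaming that
// group in the admin panel would silently drop the extra clause, so a
// check on the admin group's id would be the more robust choice.
function can_view_modified($visibility, $user_id, array $user_data)
{
    return can_view_original($visibility, $user_id, $user_data)
        || $user_data['group_name'] == ADMIN_GROUP_NAME;
}

// Constructed users and albums (group ids 1 = Administrators and
// 2 = Registered are assumptions made for this example).
$admin  = ['id' => 5, 'group_id' => 1, 'group_name' => 'Administrators'];
$member = ['id' => 7, 'group_id' => 2, 'group_name' => 'Registered'];
$albums = [
    'public album'            => 0,
    'Registered-only album'   => 2,
    "member 7's own category" => FIRST_USER_CAT + 7,
];

foreach ($albums as $label => $visibility) {
    foreach ([$admin, $member] as $u) {
        printf("%-24s %-14s original=%s modified=%s\n",
            $label, $u['group_name'],
            can_view_original($visibility, $u['id'], $u) ? 'yes' : 'no',
            can_view_modified($visibility, $u['id'], $u) ? 'yes' : 'no');
    }
}
```

Running it with `php` prints one row per album and user, which makes the difference between the two checks on the Registered-only album visible at a glance.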