Registered User Uploads

Started by nr1dane, December 23, 2004, 11:48:13 AM


nr1dane

Here's a test scenario (cpg 1.3.2):

First I created a "Family" user group.

Then created two users: One is member of the Registered group and other user is member of the Family group.

Then set Registered and Family users to have permission to upload.

I created some Private albums (under admin) to be meant for the "Family" group only and some other albums for public use.

One Private album has "Visitors can upload files" set to "Yes" and rest of the Private albums no uploads - the.

So, since some albums are "private" I did not want users to upload files to those albums - BUT:

Logging in as a Registered user and uploading a file revealed the Private album with the upload permission in the Album dropdown box on the upload form.

That's odd I thought, so I looked at the code in Upload.php - did not see any check for a user being a member of a certain group with upload permissions for albums within that group.

Now I may be missing something here (a lot, as a matter of fact) and have not completely grasped the entire overview of this great Gallery Code or PHP but here's my initial quick fix:

In Upload.php (around line 825) I changed the SQL query for the Public Albums from this:
$public_albums = mysql_query("SELECT aid, title FROM {$CONFIG['TABLE_ALBUMS']} WHERE category < " . FIRST_USER_CAT . " AND uploads='YES' ORDER BY title");

to this:

$public_albums = mysql_query("SELECT aid, title FROM {$CONFIG['TABLE_ALBUMS']} WHERE category < " . FIRST_USER_CAT . " AND uploads='YES' AND (visibility = {$USER_DATA['group_id']} OR visibility = 0) ORDER BY title");

Thus adding the check to see if a user is actually a member of the group the album belongs to or a public album.

So, for a sanity check - WhattaYallThink?
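The listing filter from the post above, reproduced against an in-memory SQLite table as an added example (not code from the thread or from Coppermine). It goes one step beyond the post by applying the same predicate when a submitted album id is checked, so the dropdown and the upload handler cannot disagree. Column names follow the post's query; the `albums` table name, the group ids, the sample rows and the `FIRST_USER_CAT` value are constructed assumptions.

```python
import sqlite3

FIRST_USER_CAT = 10000  # assumed value; categories below it are admin-created

# Constructed sample rows: (aid, title, category, uploads, visibility).
# Per the post's query: visibility 0 = everyone, otherwise the viewing group's id.
SAMPLE_ALBUMS = [
    (1, "Holiday 2004", 1, "YES", 0),
    (2, "Family only",  1, "YES", 3),  # private to group 3, uploads enabled
    (3, "Archive",      1, "NO",  0),
    (4, "Family vault", 1, "NO",  3),
]
REGISTERED, FAMILY = 2, 3  # constructed group ids

# Query shape before the fix: no visibility check at all.
ORIGINAL = ("SELECT aid, title FROM albums "
            "WHERE category < ? AND uploads = 'YES' ORDER BY title")
# Same predicate as the post's fix, with the group id bound as a parameter.
FILTERED = ("SELECT aid, title FROM albums "
            "WHERE category < ? AND uploads = 'YES' "
            "AND (visibility = ? OR visibility = 0) ORDER BY title")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE albums (aid INTEGER PRIMARY KEY, title TEXT, "
               "category INTEGER, uploads TEXT, visibility INTEGER)")
    db.executemany("INSERT INTO albums VALUES (?, ?, ?, ?, ?)", SAMPLE_ALBUMS)
    return db

def dropdown_original(db):
    return [title for _, title in db.execute(ORIGINAL, (FIRST_USER_CAT,))]

def dropdown_filtered(db, group_id):
    return [title for _, title in db.execute(FILTERED, (FIRST_USER_CAT, group_id))]

def may_upload_to(db, aid, group_id):
    """Re-check a submitted album id with the predicate used to build the list."""
    row = db.execute("SELECT 1 FROM albums WHERE aid = ? AND category < ? "
                     "AND uploads = 'YES' AND (visibility = ? OR visibility = 0)",
                     (aid, FIRST_USER_CAT, group_id)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print("original:  ", dropdown_original(db))
    print("registered:", dropdown_filtered(db, REGISTERED))
    print("family:    ", dropdown_filtered(db, FAMILY))
    print("registered may upload to aid 2:", may_upload_to(db, 2, REGISTERED))
```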

wolf8769

Wish this was a helpful reply. Actually, I'm just surprised nobody has commented on your post. I'd like to see what those with more experience or the developers have to say. Seems an obvious oversight. Sounds like you're a bit further along with CPG than me, so let me ask you. I want my family members to be able to create top-level categories albums. This does not appear to be an option without making all family members admins which I do not want to do simply because I don't want them messing with the main configuration page. In fact, there is not an option to allow non-admins to upload into top-level, pre-created albums. I find this odd. But this system cannot be everything to everyone. I'm probably just not visualizing the way most people use CPG. It's a good app.

kegobeer

@wolf: Only the admin can create public albums and all categories.  Categories contain albums, which contain files.  If users can have private albums, they can create albums within their private user category.  Public albums can be configured to allow users to upload into them - a group must have upload rights, and then the album must be configured to allow a particular group to upload into it.

@nr1dane: In the album's properties, did you select the group you wanted to allow uploading ability?

nr1dane

I do appreciate the replies,

I did root through the forums here to see if I could find something similar - but it more or less came down to "not possible" in this version.

What I did end up doing was create an entire family album - invisible to everyone but the "family" group when logged in.
This was another change I had to do in the code (not shown in the above modification), but for now just a hardcoded quick-fix and not very pretty as you can see. Within those albums I can then allow family members upload-rights or not.

I'm working on a simple expansion of this to allow admin to control this and the mod shown above instead of me hardcoding a user-group setup like this every time it may be needed.

I may have something out here soon to post.

Cheers!

nr1dane

kegobeer,

In the album properties I set the "Album can be viewed by" to the group I want, and "Visitors can upload..." to "yes" in order for that group to upload.
The selected group has upload rights set in the Groups setup, of course.

The bug here was that regular "Registered" users NOT belonging to the particular "Family" group would see the "Family" album in the drop down list when uploading a pic to a "public" album - which should not be allowed.

Hope this answers your question.

Cheers!