coppermine-gallery.com/forum

Support => cpg1.4.x Support => Older/other versions => cpg1.4 permissions => Topic started by: chugger93 on March 03, 2008, 03:31:34 AM

Title: Guest Edit Own Comments?
Post by: chugger93 on March 03, 2008, 03:31:34 AM
I'm new to Coppermine, and just installed. I've made it so that guests can basically post comments, or rate. I've posted a comment as a guest and it then gives me the option to edit or delete it. I figured "ok fine, I'll close my browser and go back" just in case it was that session only. Still allows me to. Is this normal behavior? How can I make them not edit or delete? Right now to me it's a big security flaw... unless I'm missing something in the config.
Title: Re: Guest Edit Own Comments?
Post by: Joachim Müller on March 03, 2008, 07:40:26 AM
If you allow guest comments, how could this be a security flaw? If you only want to allow guest comments, but want to disallow them to edit or delete them, then search the board - a hack has been posted that does what you're up to.
Title: Re: Guest Edit Own Comments?
Post by: chugger93 on March 03, 2008, 03:12:00 PM
I'll tell you how it's a security hazard. Because any guest that comes on Coppermine can edit or delete someone else's comment. At least from what my testing yields.
Title: Re: Guest Edit Own Comments?
Post by: Nibbler on March 03, 2008, 03:29:38 PM
Guests can only edit their own comments. I'm guessing you didn't clear cookies between tests.
Title: Re: Guest Edit Own Comments?
Post by: Joachim Müller on March 04, 2008, 07:45:57 AM
Quote from: chugger93 on March 03, 2008, 03:12:00 PM
I'll tell you how it's a security hazard. Because any guest that comes on Coppermine can edit or delete someone else's comment. At least from what my testing yields.
Even if this was the case you can hardly call this a security hazard, as no sensitive data (admin info etc.) is being compromised. As Nibbler suggested: guests are being authenticated using cookies, so yes: if a user is clever enough, he can delete his cookies and then re-post a comment and thus circumvent comment flooding. If you're concerned about that, disallow anonymous comments.
If you're convinced that this is not the case and guest 1 can actually edit the comment of guest 2, post a link to your gallery for a start.