Batch-added pictures should belong to album owner?!
Started by herzbube, September 19, 2004, 06:06:55 PM

herzbube

Hi,

Imagine the scenario where the admin user batch-adds pictures to an album that belongs not to himself, but to a different, regular user. Now the regular user wants to edit these pictures' descriptions:

Situation 1: he changes several descriptions at once, via the editpics.php script. This works.

Situation 2: he changes a single picture's description, via the editOnePic.php script. This does not work; the regular user is told he has no permission to do it.

This seems illogical. Either the regular user should always have the permission to edit the description, or never. Because the album belongs to the regular user, my point of view is that he should have the permission.

I have looked a bit further and found, in the MySQL table cpg132_pictures, that the batch-added files have the owner_id and owner_name attributes set to the admin user. I would like to suggest that batch-added files always get the owner_id and owner_name set to the album owner. This would solve the "edit description" permission problem described above. On the other hand, I don't know if coppermine needs to retain the information about who batch-added a file...

I use Coppermine 1.3.2 on a Debian system, with MySQL 4.0.18 and PHP 4.3.4.

Cheers
Patrick

herzbube

Sorry about posting the same message two times - when I tried to post the first time, the system told me that my session had timed out, so I logged out and logged in again, then posted the message again  :-[

Casper

It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Joachim Müller

in fact, you're not meant to batch-add to the user's album in the first place. It's expected behaviour that the pic is owned by the user who uploaded it.

Joachim

herzbube

OK, I can live with the premise that the uploader owns the pictures.

In this case, though, wouldn't it be sensible to offer to the user who is batch-adding only those albums that he owns as possible "targets"? Otherwise, you will invariably end up with the situation "picture owner != album owner", and right now either editpics.php or editOnePic.php definitely doesn't handle this situation correctly.

Of course, this is a very simple, but not a very good solution. It is not very good because cutting down on the user's ability to do something is not very good, at least most of the time. Therefore, let me make another suggestion, which to me seems somewhat better, but is also a bit more complicated:

As we have it now, it remains possible to batch-add to all albums, even those that the batch-adding user does not own. The reasoning: he belongs to the Administrators group (or he wouldn't be able to batch-add), therefore we trust that he will not abuse his privileges to, for example, batch-add a gazillion pictures :) to another user's album. But since even trusted/admin users can make a mistake, a check is introduced: is the owner of the target album the same as the batch-adding user? If this is the case, everything is OK and the batch-adding operation proceeds as usual. If the two users are not the same, a warning message explaining the situation is issued, and a question if he wants to continue or abort the batch-adding operation. If he aborts, of course, nothing happens. If he continues, however, all pictures will be given to the album owner.

The benefits of this solution are:
1) the premise is satisfied, that you are not meant to batch-add to another user's album
2) but you still can do it, if you need to, so Coppermine's flexibility is preserved
3) no need to change anything in either editpics.php or editOnePic.php

I see only one drawback: the batch-adding process might become more complicated if the unwary user is posed a question he did not expect.


What do you think? If the last solution seems attractive, and if the Coppermine team accepts contributions from outside, I would like to try to learn something about PHP and implement the feature...

Cheers
Patrick
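Patrick's two situations and the batch-add check he proposes, as an added PHP illustration that is neither Coppermine's code nor the poster's: the column names owner_id and owner_name come from the thread, while the album fields, user_id, user_name, aid and all function names are assumptions.

```php
<?php
// Added illustration, not Coppermine's code: plain arrays stand in for rows of
// cpg132_pictures (owner_id, owner_name are the thread's column names); the album
// fields, user_id, user_name, aid and all function names are assumptions.
declare(strict_types=1);
// Situation 2 (editOnePic.php as described): permission follows the picture owner.
function can_edit_single(array $picture, array $user): bool
{
    return (int) $picture['owner_id'] === (int) $user['user_id'];
}
// Situation 1 (editpics.php as described): permission follows the album owner.
function can_edit_batch(array $album, array $user): bool
{
    return (int) $album['owner_id'] === (int) $user['user_id'];
}
// Proposed batch-add check: 'proceed' when the uploader owns the target album,
// 'confirm' when the admin must be warned and asked to continue or abort.
function batch_add_decision(array $album, array $uploader): string
{
    return can_edit_batch($album, $uploader) ? 'proceed' : 'confirm';
}
// Build the picture rows. Aborting an unconfirmed cross-owner batch yields null;
// confirming hands ownership of every picture to the album owner.
function batch_add_pictures(array $album, array $uploader, array $files, bool $confirmed): ?array
{
    if (batch_add_decision($album, $uploader) === 'confirm' && !$confirmed) {
        return null;
    }
    $owner = can_edit_batch($album, $uploader)
        ? ['user_id' => $uploader['user_id'], 'user_name' => $uploader['user_name']]
        : ['user_id' => $album['owner_id'], 'user_name' => $album['owner_name']];
    $rows = [];
    foreach ($files as $f) {
        $rows[] = ['aid' => $album['aid'], 'filename' => $f,
                   'owner_id' => $owner['user_id'], 'owner_name' => $owner['user_name']];
    }
    return $rows;
}
// Constructed sample: admin (id 1) batch-adds into patrick's (id 42) album.
$album   = ['aid' => 7, 'owner_id' => 42, 'owner_name' => 'patrick'];
$admin   = ['user_id' => 1, 'user_name' => 'admin'];
$patrick = ['user_id' => 42, 'user_name' => 'patrick'];
// Current behaviour: the picture keeps the admin as owner, so the two checks disagree.
$today = ['aid' => 7, 'filename' => 'a.jpg', 'owner_id' => 1, 'owner_name' => 'admin'];
assert(can_edit_batch($album, $patrick) && !can_edit_single($today, $patrick));
// Proposed behaviour: abort inserts nothing; confirm makes both checks agree.
assert(batch_add_pictures($album, $admin, ['a.jpg'], false) === null);
$rows = batch_add_pictures($album, $admin, ['a.jpg', 'b.jpg'], true);
assert(can_edit_single($rows[0], $patrick) && can_edit_single($rows[1], $patrick));
```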


Joachim Müller

like I said: DO NOT UPLOAD pics to another user's album, even if you're the admin and have the powers to do so - exclamation mark. The user albums just are what the name suggests: the place the individual user (he/she only) will upload pics to. You (as an admin) should upload to albums in public galleries only. Changing the process of batch-adding by adding another check would only make things even more complicated than they actually are for newbie coppermine admins for technical reasons - there's no point in doing so, just because you abuse the batch-add function with something it just isn't meant to be used for.

Joachim

herzbube

Thanks for the clarification. I will be quiet now, but not without pointing out that the docs should contain at least a hint of what batch-adding is not meant to be.

Patrick