SMF / CPG bridge - groups SMF / CPG bridge - groups
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

SMF / CPG bridge - groups

Started by londonhogfan, October 10, 2005, 08:28:45 AM

Previous topic - Next topic

0 Members and 3 Guests are viewing this topic.

londonhogfan

HI, just bridged coppermind gallery with SMF.  Seems to be working great.

I am just having a small problem.  does a user have to be an "admin" on the SMF server to have access to batch add files in CPG?

I have tried everything I can to allow this, but nothing is working...

The user in question has full access to the photo archive, but limited in the forum.  How can I make this work?

He is a global mod in SMF BTW...
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

Joachim Müller

Quote from: londonhogfan on October 10, 2005, 08:28:45 AM
does a user have to be an "admin" on the SMF server to have access to batch add files in CPG?
Yes, batch-add is an admin-only feature (bridged or non-bridged), as it requires FTP access anyway, which only an admin should have. Allowing a user who you don't trust fully to have FTP access is a stupid thing: having FTP access means that a user can take over your site and have full control over it. Please read the docs that come with coppermine.

londonhogfan

Quote from: GauGau on October 10, 2005, 09:10:51 AM
Quote from: londonhogfan on October 10, 2005, 08:28:45 AM
does a user have to be an "admin" on the SMF server to have access to batch add files in CPG?
Yes, batch-add is an admin-only feature (bridged or non-bridged), as it requires FTP access anyway, which only an admin should have. Allowing a user who you don't trust fully to have FTP access is a stupid thing: having FTP access means that a user can take over your site and have full control over it. Please read the docs that come with coppermine.

it was working before I made the switch.... He was an admin on CPG but now because he is a mod in the forum he cant do it.  He only has access to the cpg_album folder through ftp so its not like he has had complete control through ftp.  He does mostly the photos and I like to have complete control over the forum is why he is not "admin" in SMF.. he is just a mod with extra permissions - Everything except deleting posts.  Thought someone might know an easy way around it.  Thanks...

I love this tool.  Its a great feature with Coppermine.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

Nibbler

If he has write access to any folder in FTP then he has complete control over your site. Only give such access to people you trust completely. You can find the permission checks in the batch add process and modify them to allow access from a certain group also. If you wish to go down this road I will move this thread to a more appropriate place. Otherwise you can give him full coppermine access by modifying the bridge file, search the board for details.

Tranz

Nibbler, you know how our webhost allows people to create separate ftp accounts with access to specific folders... are you saying that it's possible for people to access all folders? If that's the case, isn't that a huge security flaw, or at least something that requires a warning?

londonhogfan

Quote from: TranzNDance on October 10, 2005, 04:13:54 PM
Nibbler, you know how our webhost allows people to create separate ftp accounts with access to specific folders... are you saying that it's possible for people to access all folders? If that's the case, isn't that a huge security flaw, or at least something that requires a warning?

this is the same thing I am using on my host.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

londonhogfan

Quote from: Nibbler on October 10, 2005, 04:01:12 PM
Otherwise you can give him full coppermine access by modifying the bridge file, search the board for details.

I have searched for this, but havn't found what Im looking for.  I just need to add complete access to global moderators as well as admins.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

Nibbler

Try changing this line in the bridge file from

$USER_DATA['has_admin_access'] = $user_info['is_admin'];

to

$USER_DATA['has_admin_access'] = $user_info['is_admin'] || in_array(SMF_GMOD_GROUP,$user_info['groups']);

londonhogfan

Quote from: Nibbler on October 10, 2005, 05:29:08 PM
Try changing this line in the bridge file from

$USER_DATA['has_admin_access'] = $user_info['is_admin'];

to

$USER_DATA['has_admin_access'] = $user_info['is_admin'] || in_array(SMF_GMOD_GROUP,$user_info['groups']);

didn't seem to work... here is what I have now.


        // Retrieve group information
                $USER_DATA = cpgGetUserData($cm_group_id, $user_info['groups'], SMF_GUEST_GROUP);
                $USER_DATA['has_admin_access'] = $user_info['is_admin'] || in_array(SMF_GMOD_GROUP,$user_info['groups']);
        $USER_DATA['can_see_all_albums']=$USER_DATA['has_admin_access'] | in_array(SMF_GMOD_GROUP,$user_info['groups']);


this is how my groups are setup in SMF

Regular groups
Name ------------------ Stars -- Members -- Modify
ADMINISTRATOR  ------------ 1 ------------ Modify
History Admin  ----------------- 2 ------------ Modify

everything else is a post count based group.  Im wanting to give the History Admin admin access on CPG.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

Nibbler

In the code I posted replace SMF_GMOD_GROUP with the id number of the history admin group.

londonhogfan

Quote from: Nibbler on October 10, 2005, 06:26:36 PM
In the code I posted replace SMF_GMOD_GROUP with the id number of the history admin group.

thank you for being so patient with me... help like this is what makes these types of utilities so great.

I replaced SMF_GMOD_GROUP with 2 (the id number of the history admin group)

but it still didn't do anything... here is the code im now using.

// Retrieve group information
                $USER_DATA = cpgGetUserData($cm_group_id, $user_info['groups'], SMF_GUEST_GROUP);
                $USER_DATA['has_admin_access'] = $user_info['is_admin'] || in_array(2,$user_info['groups']);
        $USER_DATA['can_see_all_albums']=$USER_DATA['has_admin_access'] | in_array(SMF_GMOD_GROUP,$user_info['groups']);


sorry for being soo much trouble. :-\\
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

Nibbler

Try changing

in_array(2,$user_info['groups']);

to

in_array(2,$USER_DATA['groups']);

londonhogfan

sorry, still getting "You don't have permission to access this page. " when I try to go to batch add files.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

Nibbler

OK, just after that code, add

var_dump($USER_DATA['groups'])

and post what that says.

londonhogfan

Quote from: Nibbler on October 10, 2005, 07:52:19 PM
OK, just after that code, add

var_dump($USER_DATA['groups'])

and post what that says.

array(2) {
  • => string(1) "2" [1]=> string(1) "4" }

    just to make sure I did it right... the code is now:

            // Retrieve group information
                    $USER_DATA = cpgGetUserData($cm_group_id, $user_info['groups'], SMF_GUEST_GROUP);
                    $USER_DATA['has_admin_access'] = $user_info['is_admin'] || in_array(2,$USER_DATA['groups']); var_dump($USER_DATA['groups']);
            $USER_DATA['can_see_all_albums']=$USER_DATA['has_admin_access'] | in_array(SMF_GMOD_GROUP,$user_info['groups']);
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

Joachim Müller

Quote from: TranzNDance on October 10, 2005, 04:13:54 PM
Nibbler, you know how our webhost allows people to create separate ftp accounts with access to specific folders... are you saying that it's possible for people to access all folders? If that's the case, isn't that a huge security flaw, or at least something that requires a warning?
It's possible on some webhosts to limit ftp access to certain folders, however that's only half of the road: you have to make sure that the user can not upload potentially harmfull files (like php files), and that he can not rename them. Although this is indeed possible, it's quite some configuration effort for the webhost - most webhosts won't do this for you.

@londonhogfan: I stronlgy recommend not do do what you're up to unless you really, really know your way around in server setup. If you don't trust a person to be an admin, don't trust him at all when it comes to server issues.

Nibbler

This should do it, look for:

        // Retrieve group information


and put on the line beneath

$user_info['is_admin'] = in_array(2,$user_info['groups']) ? 1 : $user_info['is_admin'];

Disregard the previous changes.

londonhogfan

Quote from: GauGau on October 10, 2005, 08:33:50 PM
Quote from: TranzNDance on October 10, 2005, 04:13:54 PM
Nibbler, you know how our webhost allows people to create separate ftp accounts with access to specific folders... are you saying that it's possible for people to access all folders? If that's the case, isn't that a huge security flaw, or at least something that requires a warning?
It's possible on some webhosts to limit ftp access to certain folders, however that's only half of the road: you have to make sure that the user can not upload potentially harmfull files (like php files), and that he can not rename them. Although this is indeed possible, it's quite some configuration effort for the webhost - most webhosts won't do this for you.

@londonhogfan: I stronlgy recommend not do do what you're up to unless you really, really know your way around in server setup. If you don't trust a person to be an admin, don't trust him at all when it comes to server issues.


Thanks for the advise.  I'm not worried about this guy.  Its not that I don't trust him to have complete access to the forum... I just like to do it all myself.

Quote from: Nibbler on October 10, 2005, 08:38:39 PM
This should do it, look for:

// Retrieve group information


and put on the line beneath

$user_info['is_admin'] = in_array(2,$user_info['groups']) ? 1 : $user_info['is_admin'];

Disregard the previous changes.

Thanks, I will let you know how it works out.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)

londonhogfan

Thanks, It worked perfect.  You guys are they best.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.razorbacklegacy.com%2Fhog_archive%2Fpic.jpg&hash=3d1b2bbde092be74414169a519ae11559f8adf22)