How to give reg. users access to the batch upload function
 


Started by _dopehead_, March 14, 2004, 05:46:23 PM


_dopehead_

I have been searching for this and did not find any answers. How do I enable access to the batch upload function in Coppermine for my registered users? I don't want them to be admins, but they should have access to batch uploading the pics that they have ftp'ed to my server.

Jan

Joachim Müller

batch-add is an admin-only function, as it would require your users to have ftp access, which they could easily use to take over your whole server. In other words: this can't be done!

GauGau

goebelmeier

Why can't this be done? I'm webmaster of a website with 5 different photographers (dict.leo.org, german -> english :)), each has his own ftp-directory in a chroot which is named /albums/<name>/. Since now, all 5 have admin-rights, to use batch-add. In future I would like them only to add albums and use batch-add. I don't see any security risk in implementing such a feature.

Wow, bad English, but I hope you will understand :)

Joachim Müller

OK, we decided to let only admins have batch-add, because if we didn't, there'd be a lot of newbie webmasters who gave away ftp-upload permissions to their users without any restriction. The restriction must be that the ftp-uploads must either not be accessible by http or php-parsing must be disabled or uploads must be server-sided restricted to certain file types that can't be harmful. The reason why an un-secured ftp access would be disastrous for security is easy to see: a "bad guy" might upload a script file (php, perl or whatever) and execute it in the browser - this way, he could gain access to the whole website and take it over.
I'm sure that the pros out there know how to secure their ftp-uploads, but "regular" webhosted "wannabe-admins" won't. This is why there's no batch-add for "regular" users - just to not lead "newbies" into temptation. Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

GauGau
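
The third restriction named in the post above (server-side limiting of FTP uploads to file types that can't be harmful), as an added example that is not part of the original thread or of Coppermine's code: a Python audit of an FTP drop directory that could run before batch-add. The allowlist, the script-name list, the function names and the sample files are assumptions; a magic-byte match does not make a file safe to interpret, so this complements disabling PHP parsing in the upload directory rather than replacing it.

```python
import os
import tempfile

# Assumed allowlist: image extensions and their leading magic bytes.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# Assumed list of name parts a web server may pass to an interpreter or obey.
SCRIPT_PARTS = {"php", "php3", "php5", "phtml", "phar", "pl", "py", "cgi", "sh", "htaccess"}

def check_file(path):
    """Return None if the file looks like an allowed image, else a reason."""
    if os.path.islink(path):
        return "symlink"
    name = os.path.basename(path).lower()
    # Inspect every dot-separated part: catches x.php, y.php.jpg and .htaccess.
    if any(part in SCRIPT_PARTS for part in name.split(".")[1:]):
        return "script extension in name"
    ext = os.path.splitext(name)[1]
    if ext not in MAGIC:
        return "extension not on allowlist"
    with open(path, "rb") as fh:
        head = fh.read(16)
    # The content must start with a signature belonging to the claimed type.
    if not head.startswith(MAGIC[ext]):
        return "content does not match extension"
    return None

def audit(upload_dir):
    """Walk the upload directory; map relative path -> rejection reason."""
    rejected = {}
    for root, _dirs, files in os.walk(upload_dir):
        for fn in files:
            full = os.path.join(root, fn)
            reason = check_file(full)
            if reason:
                rejected[os.path.relpath(full, upload_dir)] = reason
    return rejected

def demo():
    """Audit a constructed sample directory (all file contents are made up)."""
    samples = {"ok.jpg": b"\xff\xd8\xff\xe0data", "ok.gif": b"GIF89a....",
               "x.php": b"<?php ?>", "y.php.jpg": b"\xff\xd8\xff\xe0data",
               "fake.png": b"<?php ?>", ".htaccess": b"AddType x y"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return audit(d)
```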

goebelmeier

Quote from: GauGau on July 13, 2004, 06:50:59 PM
Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

Thanks... Very good hint. I haven't looked at the source yet.