[Fixed]: Error when registerd users try to edit (crop/rotate) private pictures. [Fixed]: Error when registerd users try to edit (crop/rotate) private pictures.
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

[Fixed]: Error when registerd users try to edit (crop/rotate) private pictures.

Started by Joep28, August 29, 2009, 05:47:20 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Joep28

Hello,
I have a problem with a fresh coppermine install.
I installed Coppermine Photo Gallery 1.4.25 (stable). When i login with admin rights, i can edit my private and public pictures. For example, i can crop and rotate them.
Works perfect.
However, if i disable the admin privileges for the same user, then i get an error when i try to edit my private pictures.
The edit button is there, but when i click on it, a pop-up appears with the message: You are not allowed to visit this page.
The error message says: File: /var/www/coppermine/picEditor.php - line: 82  
The same occurs with every other regular users in the administrators or registered group.All the groups allow the use of personal groups.


I'm a little lost after spending the whole afternoon reading manuals, forum posts and googling around. Found nothing that could help me solve this.
Hope you guys have any ideas about this?
Thanks.
Joep

Joachim Müller

Yes: do as suggested per board rules (you agreed to respect them when  signing up) and post a link to your gallery for a start. As you claim that this happens for a non-admin, you should post a non-admin test user account.
You probably have been looking at the cached copy of the crop/rotate page, so you should clear your cache first after removing privileges from the user's account.

Joep28

Thanks for the reply.
I'm currently unable to let you access the photo gallery. Its on a private lan.
The suggestion that it would have something to do with the cache also crossed my mind. So i already cleared the cache, and even tried it on a different computer with another user. Same thing.
I also tried switching from firefox to ie, but also no difference here.

Joep28

What rights do the files in the /var/www/coppermine directory need?
I didn't changed anything, except for the albums subdir. (chmod 777)

Nibbler

Looks like a bug to me. The permission check to display the button is:


  if ((USER_ADMIN_MODE && $CURRENT_ALBUM_DATA['category'] == FIRST_USER_CAT + USER_ID) || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC_DATA['owner_id'] == USER_ID && USER_ID != 0) || GALLERY_ADMIN_MODE) {
    $picmenu .= <<<EOT
     <a href="javascript:;" onclick="return MM_openBrWindow('picEditor.php?id={$CURRENT_PIC_DATA['pid']}','Crop_Picture','scrollbars=yes,toolbar=no,status=yes,resizable=yes')" class="admin_menu" >{$lang_display_image_php['crop_pic']}</a> <a href="editOnePic.php?id={$CURRENT_PIC_DATA['pid']}&amp;what=picture"  class="admin_menu">{$lang_display_image_php['edit_pic']}</a> <a href="delete.php?id={$CURRENT_PIC_DATA['pid']}&amp;what=picture"  class="admin_menu" onclick="return confirm('{$lang_display_image_php['confirm_del']}'); return false; ">{$lang_display_image_php['del_pic']}</a>
EOT;
  }


The permission check in picEditor.php itself are


if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}


Those should match.


Nibbler

Fixed in 6538. To fix manually edit picEditor.php find


if (isset($_GET['id'])) {
        $pid = (int)$_GET['id'];
} elseif (isset($_POST['id'])) {
        $pid = (int)$_POST['id'];
} else {
        $pid = -1;
        cpg_die(ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);
}

// Initialize the array
$CURRENT_PIC = array();

if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}

if ($pid > 0){

        $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} WHERE pid = '$pid'");
        $CURRENT_PIC = mysql_fetch_array($result);
        mysql_free_result($result);
        $pic_url = get_pic_url($CURRENT_PIC,'fullsize');
}


Change to


if (isset($_GET['id'])) {
    $pid = (int) $_GET['id'];
} elseif (isset($_POST['id'])) {
    $pid = (int) $_POST['id'];
} else {
    cpg_die(ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);
}

if ($pid > 0) {

    $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} WHERE pid = '$pid'");
    $CURRENT_PIC = mysql_fetch_assoc($result);
    mysql_free_result($result);

    $result = cpg_db_query("SELECT category FROM {$CONFIG['TABLE_ALBUMS']} WHERE aid = '{$CURRENT_PIC['aid']}'");
    $CURRENT_ALBUM = mysql_fetch_assoc($result);
    mysql_free_result($result);
       
} else {
    cpg_die(ERROR, $lang_errors['non_exist_ap'], __FILE__, __LINE__);
}

if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID) || ($CURRENT_ALBUM['category'] == FIRST_USER_CAT + USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}

Joep28

Good work guys, it solved my problem    ;D
Thanks for looking into it.

Joep

joeyhavlock

Thats for fixing this....the code worked fine and allows my users to now use the crop/rotate features....BUT

When they use it it turns their pictures to complete black, any idea why?

Thanks
Joey

joeyhavlock

Quote from: joeyhavlock on September 20, 2009, 06:08:21 PM
Thats for fixing this....the code worked fine and allows my users to now use the crop/rotate features....BUT

When they use it it turns their pictures to complete black, any idea why?

Thanks
Joey

This only appears to happen when the image is rotated plus or minus 90 degrees, if it is rotated 180, then it seems to work fine.