
Ability of registered users to create shared albums

Started by gbothwell, September 15, 2010, 01:55:37 AM


gbothwell

What I would like to have for our project is this:
1. The public can:
- View all albums at the intermediate resolution (not full resolution)
- Leave comments in all albums.
- But they CANNOT upload or edit images.
2. Registered members of the Group can:
- Have the same privileges as public users, plus the following:
- View images in all albums at full resolution.
- Upload images to any album.
- Edit images and comments that they have uploaded.
3. Ideally, registered members of the Group should also be able to:
- Create an album that has all of the permissions listed above for 1 and 2.

I have implemented items 1 and 2 successfully with Coppermine v1.5.8. I have attempted item 3, but it does not appear to be fully feasible. That is, I can allow registered Group users to create an album, and the public can view it, but other members of the Group are unable to upload images to it. From what I can see, the ability of a Group member to create an album is associated with the Personal Gallery feature, which is a little different from item 3 above.

Have I interpreted this correctly, or is there a way to achieve item 3? Are there any plans to provide a feature like that?

The alternative (my backup plan) is to have albums created only by the administrator, although that will mean a certain level of inconvenience for the Group.

So that you can see what we are doing:
Here is a page that describes our project: http://cnps-sgm.org/lilyspring
Here is where you can see what we have implemented so far: http://cnps-sgm.org/cpg

You can log in as a registered member of the Group:
Username: SgMTesteR
Password: 4EriG21eroN

There is an album called Trial Album within the Field Work 2010 category that was created by one of the other members of the Group, and therefore exhibits the problem, i.e. you can view the album, but cannot upload to it. All other albums in the gallery were created by the administrator, and therefore meet requirement items 1 and 2 above.

Thank you for any advice re this.

Graham

Jeff Bailey

There isn't a way to do that right now AFAIK. There was a feature for album moderation that was disabled because of poor documentation listed under known issues in the docs. Not sure if that enables the feature you are looking for.
Thinking is the hardest work there is, which is probably the reason why so few engage in it. - Henry Ford

Αndré

Quote from: Jeff Bailey on September 15, 2010, 03:06:41 AM
There isn't a way to do that
Correct. Needs core code modification (or new plugin hooks).


You need to add a check if the current user is in the group that is allowed to edit album upload permissions to these 2 code snippets:
Code (modifyalb.php):
   if ($name == 'uploads' && USER_ADMIN_MODE) {
       echo "        <input type=\"hidden\" name=\"$name\" value=\"{$ALBUM_DATA['uploads']}\" />";
       return;
   }

Code (db_input.php):
   if (GALLERY_ADMIN_MODE) {
       /* TODO: re-enable and test feature when it's clear how it should work (see http://forum.coppermine-gallery.net/index.php/topic,64408.0.html)
       $moderator_group = $superCage->post->getInt('moderator_group');
       $query .= ", moderator_group = '$moderator_group'";
       */
       $query .= ", uploads = '$uploads'";
   }

gbothwell

Thanks André and Jeff. I tried modifying those two code snippets, but the issue persists, i.e. cannot upload to an album created by another registered user.

The following is what I did. Is this the correct approach? You'll see I tried two alternatives, one checking the group name, the other checking the group id.
Code: (modifyalb.php)
    /***SGM: Modified by GB for shared albums created by other registered users. ***/
    if ($name == 'uploads' && (USER_ADMIN_MODE || $USER_DATA["group_name"] == 'Lily Spring Team')) {
    /*if ($name == 'uploads' && (USER_ADMIN_MODE || $USER_DATA["group_id"] == 4)) {    <<< An alternative */       
    /*if ($name == 'uploads' && USER_ADMIN_MODE) {        <<< original code*/
        echo "        <input type=\"hidden\" name=\"$name\" value=\"{$ALBUM_DATA['uploads']}\" />";
        return;
    }
Code: (db_input.php)
    /***SGM: Modified by GB for shared albums created by other registered users. ***/
    if (GALLERY_ADMIN_MODE || $USER_DATA["group_name"] == 'Lily Spring Team') {
    /*if (GALLERY_ADMIN_MODE || $USER_DATA["group_id"] == 4) {         <<< an alternative*/
    /*if (GALLERY_ADMIN_MODE) {                <<< original code*/
   
        /* TODO: re-enable and test feature when it's clear how it should work (see http://forum.coppermine-gallery.net/index.php/topic,64408.0.html)
        $moderator_group = $superCage->post->getInt('moderator_group');
        $query .= ", moderator_group = '$moderator_group'";
        */
        $query .= ", uploads = '$uploads'";
    }

Thanks
Graham

Αndré

Firstly check if the $USER_DATA array is populated at both places.

Then try to replace
if ($name == 'uploads' && (USER_ADMIN_MODE || $USER_DATA["group_name"] == 'Lily Spring Team')) {
with
if ($name == 'uploads' && USER_ADMIN_MODE && $USER_DATA["group_name"] != 'Lily Spring Team') {

If everything works fine you now should change the 'Visitors can upload files' option in the album properties. If that toggle appears modifyalb.php is working fine. If it doesn't store the setting we need to adjust db_input.php further.

gbothwell

The $USER_DATA array does NOT appear to be getting to that code in modifyalb.php.

I'm not sure how to make that test with db_input.php.

My test is this: At the pertinent point in the code, I save a few of the $USER_DATA values as global variables, then print them in the footer of the Coppermine template. You can see this at the bottom of http://cnps-sgm/cpg where Signal 1 and Signal 2 are the $USER_DATA values from the two respective routines. This works well with modifyalb.php, but not with db_input.php, even when I know db_input.php is executed, such as when entering a comment. Is there a better way to test it?

Thanks
Graham

Αndré

Quote from: gbothwell on September 15, 2010, 10:45:41 PM
Is there a better way to test it?
I personally use something like
print_r($USER_DATA);
die();

just before I try to access some data (in this case the array $USER_DATA).

gbothwell

Using the die() technique, I confirmed that the $USER_DATA array is NOT populated at the relevant point within modifyalb.php. Actually, the die() doesn't actually stop coppermine from continuing, it just seems to abort the particular routine (so that part of the Permissions is missing from the album properties page.) That is to say, the print_r doesn't display anything, but a message could be generated in the message area of the coppermine page using this:
$sgm_message2 = 'User data values: ' . $USER_DATA["group_id"] . '. ' . $USER_DATA["group_name"];
die($sgm_message2);

That message left the $USER_DATA values blank.

However, once again no success with db_input.php. There it's as if the die() is ignored, - or to be more precise, buried. Looks like it's the way that coppermine functions.

Thanks
Graham


Αndré

I just had a look at the code and recognized that the first code snippet is embedded in a function and we need to use global $USER_DATA;. So here is the final solution:


In modifyalb.php, find
    if ($name == 'uploads' && USER_ADMIN_MODE) {
        echo "        <input type=\"hidden\" name=\"$name\" value=\"{$ALBUM_DATA['uploads']}\" />";
        return;
    }

and replace with
    global $USER_DATA;
    if ($name == 'uploads' && USER_ADMIN_MODE && $USER_DATA['group_id'] != 4) {
        echo "        <input type=\"hidden\" name=\"$name\" value=\"{$ALBUM_DATA['uploads']}\" />";
        return;
    }



In db_input.php, find
    if (GALLERY_ADMIN_MODE) {
        /* TODO: re-enable and test feature when it's clear how it should work (see http://forum.coppermine-gallery.net/index.php/topic,64408.0.html)
        $moderator_group = $superCage->post->getInt('moderator_group');
        $query .= ", moderator_group = '$moderator_group'";
        */
        $query .= ", uploads = '$uploads'";
    }

and replace with
    if (GALLERY_ADMIN_MODE || $USER_DATA['group_id'] == 4) {
        /* TODO: re-enable and test feature when it's clear how it should work (see http://forum.coppermine-gallery.net/index.php/topic,64408.0.html)
        $moderator_group = $superCage->post->getInt('moderator_group');
        $query .= ", moderator_group = '$moderator_group'";
        */
        $query .= ", uploads = '$uploads'";
    }



Please confirm.
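
The scope problem identified in the post above, as an added example that is not part of the thread or of Coppermine's code: a group check written inside a function without `global` reads an unset local and never matches, and one shared helper keeps the form-side and write-side checks identical. The sample user, the constant and all function names are hypothetical; only `$USER_DATA` and group id 4 come from the thread.

```php
<?php
// Added illustration, not Coppermine code. The user record below is constructed.
$USER_DATA = ['group_id' => '4', 'group_name' => 'Lily Spring Team'];

const SHARED_GROUP_ID = 4; // assumption: the group id used in the thread

// No "global": inside a function, $USER_DATA is a fresh, unset local variable,
// so this comparison can never succeed, whoever is logged in.
function in_shared_group_local(): bool
{
    return (int) ($USER_DATA['group_id'] ?? -1) === SHARED_GROUP_ID;
}

// With "global", the function sees the array populated at script level.
function in_shared_group_global(): bool
{
    global $USER_DATA;
    return (int) ($USER_DATA['group_id'] ?? -1) === SHARED_GROUP_ID;
}

// Passing the user in removes the hidden dependency on a global. A missing
// group_id maps to -1, so an empty or unpopulated user record is denied.
// The cast is there because ids read from a database may arrive as strings.
function may_set_uploads(array $user, bool $isGalleryAdmin): bool
{
    $groupId = isset($user['group_id']) ? (int) $user['group_id'] : -1;
    return $isGalleryAdmin || $groupId === SHARED_GROUP_ID;
}

// The same helper would guard both places: showing the upload toggle in the
// form and accepting the submitted value when the album row is updated.
$cases = [
    'local scope, group member'  => in_shared_group_local(),
    'global scope, group member' => in_shared_group_global(),
    'helper, group member'       => may_set_uploads($USER_DATA, false),
    'helper, other group'        => may_set_uploads(['group_id' => 2], false),
    'helper, empty user record'  => may_set_uploads([], false),
    'helper, gallery admin'      => may_set_uploads([], true),
];

foreach ($cases as $label => $allowed) {
    printf("%-28s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

The write-side check is the one that enforces the permission; hiding or showing the form field only changes what the user sees.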

gbothwell

That did the job, André. Thank you very much indeed!

One minor thing to note: If a registered group user selects My Profile | Modify My Albums, and if they have not yet created any albums, they receive an error message that says: "You don't have permission to access this page." Obviously there is no actual error, and the user can proceed on their way. But is there a simple way to prevent the occurrence of the message?

This clearly is something we can live with, so I'm not expecting a lengthy resolution of the issue like we've just been through. It's possibly just an artifact of putting in a kluge to obtain the desired non-standard functionality. You can see the error at:
URL: http://cnps-sgm.org/cpg
Login: sgmtester
Password: 4EriG21eroN

Your help with the issue just resolved is much appreciated.
Graham

Αndré

Quote from: gbothwell on September 16, 2010, 08:56:51 PM
If a registered group user selects My Profile | Modify My Albums, and if they have not yet created any albums, they receive an error message that says. "You don't have permission to access this page."
Board rules / Forum policies: One Question per Thread
Apart from this that's just a cosmetic issue. We don't have a better error message in our language files, but maybe we can remove that button if there are no albums.

gbothwell

OK, that's fine. Thanks for your assistance.  The original problem is neatly resolved.

Graham