Error: New Plugin for Permission Control

Started by macmiller, January 13, 2012, 02:41:41 AM


macmiller

Based on this plugin (plugin delete control), I created another simple plugin which removes some settings from the modify album page. The plugin code is as follows:

<?php
/**************************************************
  Coppermine Plugin - Delete Control
  *************************************************
  Copyright (c) 2005 Paul Van Rompay
  *************************************************
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.
***************************************************/
//
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

// ------------------------------------------------------------------------------------------------
// Add filter - run permControl_filterpage over the generated page HTML
// ------------------------------------------------------------------------------------------------
$thisplugin->add_filter('page_html', 'permControl_filterpage');

// ------------------------------------------------------------------------------------------------
// Filter page_html to remove the "Permissions for this album" block from
// modifyalb.php when the page is not viewed in admin mode
// ------------------------------------------------------------------------------------------------
//
function permControl_filterpage($html)
{
    if (defined('MODIFYALB_PHP') && !GALLERY_ADMIN_MODE) {
        // Ungreedy, dot-matches-newline match from the section header row
        // up to the closing </tr> after the "depending on groups settings" note
        $html = preg_replace('/(?U)(?s)(<tr>\s*<td class="tableh2" colspan="2">\s*<strong>Permissions for this album<\/strong>).*depending on groups settings.*\/td>.*\/tr>/', '', $html);
    }

    return $html;
}

// ------------------------------------------------------------------------------------------------
// End of plugin code
// ------------------------------------------------------------------------------------------------

?>


This code simply removes 4 options from the update album screen (modifyalb.php) for non-admins:

Album can be viewed by
Password protect this album (Tick for yes)
Visitors can post comments *     Yes    No
Visitors can rate files *     Yes    No
[and a line which reads * depending on group settings]

The problem comes into play when the user goes to perform an update. A database error is generated because the visibility variable is not initialized; see the 'visibility = , alb_password = '',' part of the SQL query:

While executing query 'UPDATE cpg15x_albums SET title = 'test project', description = 'album description', category = 10084, thumb = 0, comments = 'NO', votes = 'NO', visibility = , alb_password = '', alb_password_hint = '', keyword = '' WHERE aid = 1' in db_input.php on line 433

My question is: where should I add the initialization of the variable? I am confused, since the plugin is only removing the display from the screen, so I wouldn't expect it to break things; however, it does work fine when the plugin is deactivated, so it is definitely the plugin. ???



Αndré

If you don't submit those form values, they'll be empty, hence causing that issue. As far as I can see it's not possible to achieve a secure solution, as Coppermine always uses the submitted values:
    $aid = $superCage->post->getInt('aid');
    $title = $superCage->post->getEscaped('title');
    $category = $superCage->post->getInt('category');
    $description = $superCage->post->getEscaped('description');
    $keyword = $superCage->post->getEscaped('keyword');
    $thumb = $superCage->post->getInt('thumb');
    $visibility = $superCage->post->getInt('visibility');

    $uploads = $superCage->post->getAlpha('uploads') == 'YES' ? 'YES' : 'NO';
    $comments = $superCage->post->getAlpha('comments') == 'YES' ? 'YES' : 'NO';
    $votes = $superCage->post->getAlpha('votes') == 'YES' ? 'YES' : 'NO';


Of course you can replace the buttons with hidden fields (you'd need them to avoid that error message), but users who know their way around could still change those values. A really secure solution would need a check around the above-mentioned code.

macmiller

For the time being I hacked the db_input.php file adding this initialization code below the code mentioned above (where the variables are set from the form values).

    if (!GALLERY_ADMIN_MODE) {
       $visibility = '1';
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }


It is not a good solution, as all the code should be in the plugin, but it does work and eliminates the DB access error.

macmiller

Just to correct the hack code in case anyone is looking at this: the visibility value should be set to 0 and not 1.

    if (!GALLERY_ADMIN_MODE) {
       $visibility = '0'; //this should be set to 0 not 1
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }
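Αndré's point that the check has to sit around the server-side code in db_input.php, and macmiller's hack giving non-admins fixed values, as one added PHP example (not Coppermine's own code; $post, $isAdminMode and $current are stand-ins for $superCage->post, GALLERY_ADMIN_MODE and the album's stored row):

```php
<?php
// Added example, not Coppermine's own code: the value handling quoted from
// db_input.php, written twice as plain functions so the client-trusting and
// the server-checked versions can be compared side by side.
// $post stands in for the submitted form fields ($superCage->post); the
// admin flag stands in for GALLERY_ADMIN_MODE.

// Variant 1: store whatever the browser sends. A field the plugin removed
// from modifyalb.php arrives empty (hence "visibility = ," in the failing
// UPDATE), and a field re-added by hand is stored without any check.
function album_perms_trusting_client(array $post)
{
    $yesNo = function ($key) use ($post) {
        return (isset($post[$key]) && $post[$key] === 'YES') ? 'YES' : 'NO';
    };
    return array(
        'visibility' => isset($post['visibility']) ? (int) $post['visibility'] : '',
        'uploads'    => $yesNo('uploads'),
        'comments'   => $yesNo('comments'),
        'votes'      => $yesNo('votes'),
    );
}

// Variant 2: honour the permission fields only in admin mode. Non-admins get
// the album's stored permissions ($current, read from the database before
// the UPDATE) or, failing that, the fixed defaults from macmiller's hack,
// so neither a missing field nor a hand-crafted POST can change them.
function album_perms_server_checked(array $post, $isAdminMode, array $current = null)
{
    if ($isAdminMode) {
        return album_perms_trusting_client($post);
    }
    if ($current !== null) {
        return $current;
    }
    return array('visibility' => 0, 'uploads' => 'NO', 'comments' => 'YES', 'votes' => 'YES');
}

// Constructed sample requests (not captured from a real gallery).
$hiddenFieldsPost = array('aid' => '1', 'title' => 'test project');        // plugin stripped the fields
$craftedPost      = array('aid' => '1', 'title' => 'test project',
                          'visibility' => '5', 'comments' => 'NO', 'votes' => 'NO'); // fields re-added by hand

var_dump(album_perms_trusting_client($hiddenFieldsPost)['visibility']);  // string(0) "" -> broken SQL
var_dump(album_perms_trusting_client($craftedPost)['visibility']);       // int(5): stored unchecked
var_dump(album_perms_server_checked($craftedPost, false)['visibility']); // int(0): non-admin value ignored
```

Only the second variant removes the dependency on what the browser chooses to send, which is why hiding the fields or adding hidden inputs does not make the permissions safe.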

daveweb

I have installed the plugin and it appears to work OK; however, when a user creates a new album it is setting the default method to Everybody (Public Album). Is there a way to make it default to Album owner only?
Any help would be appreciated.

daveweb

Sorry, please ignore my last request; I only just realised that the gallery default is Everybody (Public Album), and I have found the solution for changing it in another thread.