
Author Topic: [Fixed]: Error when registerd users try to edit (crop/rotate) private pictures.  (Read 12548 times)


Joep28

  • Coppermine newbie
  • Offline Offline
  • Posts: 7

Hello,
I have a problem with a fresh Coppermine install.
I installed Coppermine Photo Gallery 1.4.25 (stable). When I log in with admin rights, I can edit my private and public pictures. For example, I can crop and rotate them.
Works perfectly.
However, if I disable the admin privileges for the same user, then I get an error when I try to edit my private pictures.
The edit button is there, but when I click on it, a pop-up appears with the message: You are not allowed to visit this page.
The error message says: File: /var/www/coppermine/picEditor.php - line: 82
The same occurs with every other regular user in the administrators or registered group. All the groups allow the use of personal groups.


I'm a little lost after spending the whole afternoon reading manuals, forum posts and googling around. Found nothing that could help me solve this.
Hope you guys have any ideas about this?
Thanks.
Joep
« Last Edit: September 01, 2009, 12:03:25 pm by Nibbler »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Error when registerd users try to edit (crop/rotate) private pictures.
« Reply #1 on: August 30, 2009, 01:17:17 pm »

Yes: do as suggested per board rules (you agreed to respect them when signing up) and post a link to your gallery for a start. As you claim that this happens for a non-admin, you should post a non-admin test user account.
You probably have been looking at the cached copy of the crop/rotate page, so you should clear your cache first after removing privileges from the user's account.
Logged

Joep28

  • Coppermine newbie
  • Offline Offline
  • Posts: 7
Re: Error when registerd users try to edit (crop/rotate) private pictures.
« Reply #2 on: August 30, 2009, 02:46:42 pm »

Thanks for the reply.
I'm currently unable to let you access the photo gallery. It's on a private LAN.
The suggestion that it would have something to do with the cache also crossed my mind. So I already cleared the cache, and even tried it on a different computer with another user. Same thing.
I also tried switching from Firefox to IE, but also no difference here.
Logged

Joep28

  • Coppermine newbie
  • Offline Offline
  • Posts: 7
Re: Error when registerd users try to edit (crop/rotate) private pictures.
« Reply #3 on: August 31, 2009, 05:53:52 pm »

What rights do the files in the /var/www/coppermine directory need?
I didn't change anything, except for the albums subdir. (chmod 777)
Logged

Nibbler

  • Guest
Re: Error when registerd users try to edit (crop/rotate) private pictures.
« Reply #4 on: August 31, 2009, 09:01:37 pm »

Looks like a bug to me. The permission check to display the button is:

Code: [Select]
  if ((USER_ADMIN_MODE && $CURRENT_ALBUM_DATA['category'] == FIRST_USER_CAT + USER_ID) || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC_DATA['owner_id'] == USER_ID && USER_ID != 0) || GALLERY_ADMIN_MODE) {
    $picmenu .= <<<EOT
     <a href="javascript:;" onclick="return MM_openBrWindow('picEditor.php?id={$CURRENT_PIC_DATA['pid']}','Crop_Picture','scrollbars=yes,toolbar=no,status=yes,resizable=yes')" class="admin_menu" >{$lang_display_image_php['crop_pic']}</a> <a href="editOnePic.php?id={$CURRENT_PIC_DATA['pid']}&amp;what=picture"  class="admin_menu">{$lang_display_image_php['edit_pic']}</a> <a href="delete.php?id={$CURRENT_PIC_DATA['pid']}&amp;what=picture"  class="admin_menu" onclick="return confirm('{$lang_display_image_php['confirm_del']}'); return false; ">{$lang_display_image_php['del_pic']}</a>
EOT;
  }

The permission check in picEditor.php itself is

Code: [Select]
if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}

Those should match.
Logged

Nibbler

  • Guest
Re: Error when registerd users try to edit (crop/rotate) private pictures.
« Reply #5 on: August 31, 2009, 09:17:48 pm »

Looks like the change made for http://forum.coppermine-gallery.net/index.php/topic,54414.0.html made it even more broken.
Logged

Nibbler

  • Guest
Re: Error when registerd users try to edit (crop/rotate) private pictures.
« Reply #6 on: August 31, 2009, 09:44:44 pm »

Fixed in 6538. To fix manually, edit picEditor.php and find

Code: [Select]
if (isset($_GET['id'])) {
        $pid = (int)$_GET['id'];
} elseif (isset($_POST['id'])) {
        $pid = (int)$_POST['id'];
} else {
        $pid = -1;
        cpg_die(ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);
}

// Initialize the array
$CURRENT_PIC = array();

if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}

if ($pid > 0){

        $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} WHERE pid = '$pid'");
        $CURRENT_PIC = mysql_fetch_array($result);
        mysql_free_result($result);
        $pic_url = get_pic_url($CURRENT_PIC,'fullsize');
}

Change to

Code: [Select]
if (isset($_GET['id'])) {
    $pid = (int) $_GET['id'];
} elseif (isset($_POST['id'])) {
    $pid = (int) $_POST['id'];
} else {
    cpg_die(ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);
}

if ($pid > 0) {

    $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']} WHERE pid = '$pid'");
    $CURRENT_PIC = mysql_fetch_assoc($result);
    mysql_free_result($result);

    $result = cpg_db_query("SELECT category FROM {$CONFIG['TABLE_ALBUMS']} WHERE aid = '{$CURRENT_PIC['aid']}'");
    $CURRENT_ALBUM = mysql_fetch_assoc($result);
    mysql_free_result($result);
       
} else {
    cpg_die(ERROR, $lang_errors['non_exist_ap'], __FILE__, __LINE__);
}

if (!(GALLERY_ADMIN_MODE || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID) || ($CURRENT_ALBUM['category'] == FIRST_USER_CAT + USER_ID)) || !USER_ID) {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
}
Logged
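
Added example (not part of the thread and not Coppermine code): one way to keep the button check and the picEditor.php check from drifting apart is to route both through a single predicate that is only evaluated once the picture and album rows are loaded. The function name, array shapes and the `FIRST_USER_CAT` value are assumptions for illustration; the condition mirrors the fixed check above, with the admin-mode constants collapsed into one `is_admin` flag.

```php
<?php
// Added example, not Coppermine code. All names below are hypothetical.
const FIRST_USER_CAT = 10000; // assumed value, for illustration only

/**
 * Single source of truth for "may this user edit this picture?".
 * $user:  ['id' => int, 'is_admin' => bool]
 * $pic:   row from the pictures table, or null/false if it was not loaded
 * $album: row from the albums table, or null/false if it was not loaded
 */
function can_edit_picture(array $user, $pic, $album, bool $usersCanEditPics): bool
{
    if ($user['id'] === 0) {
        return false;   // guests never edit
    }
    if ($user['is_admin']) {
        return true;
    }
    if (!is_array($pic) || !is_array($album)) {
        return false;   // fail closed when the records are missing
    }
    // Owner of the picture (if the config allows it) or owner of the personal album.
    $ownsPic   = $usersCanEditPics && (int) $pic['owner_id'] === $user['id'];
    $ownsAlbum = (int) $album['category'] === FIRST_USER_CAT + $user['id'];
    return $ownsPic || $ownsAlbum;
}

// Constructed sample data: user 7 has a picture in their personal album.
$user  = ['id' => 7, 'is_admin' => false];
$pic   = ['pid' => 42, 'aid' => 3, 'owner_id' => 7];
$album = ['aid' => 3, 'category' => FIRST_USER_CAT + 7];

// View code: decide whether to render the crop link.
$showButton = can_edit_picture($user, $pic, $album, false);
// Handler code: the same predicate, called after both rows were fetched.
$allowEdit  = can_edit_picture($user, $pic, $album, false);
var_dump($showButton === $allowEdit);

// Pre-fix ordering: the check ran before the picture row was fetched,
// so a non-admin was refused no matter what they owned.
var_dump(can_edit_picture($user, null, null, true));

// A different non-admin is refused for the same picture and album.
$other = ['id' => 8, 'is_admin' => false];
var_dump(can_edit_picture($other, $pic, $album, true));
```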

Joep28

  • Coppermine newbie
  • Offline Offline
  • Posts: 7
Re: Error when registerd users try to edit (crop/rotate) private pictures.
« Reply #7 on: September 01, 2009, 09:54:32 am »

Good work guys, it solved my problem    ;D
Thanks for looking into it.

Joep
Logged

joeyhavlock

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 27

Thanks for fixing this....the code worked fine and allows my users to now use the crop/rotate features....BUT

When they use it it turns their pictures to complete black, any idea why?

Thanks
Joey
Logged

joeyhavlock

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 27

Thanks for fixing this....the code worked fine and allows my users to now use the crop/rotate features....BUT

When they use it it turns their pictures to complete black, any idea why?

Thanks
Joey

This only appears to happen when the image is rotated plus or minus 90 degrees, if it is rotated 180, then it seems to work fine.
Logged