
Author Topic: Bug? Users can view any gallery, just edit URL  (Read 4535 times)


Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Bug? Users can view any gallery, just edit URL
« on: March 04, 2004, 09:53:32 pm »

I think this is a security hole. A user can view any gallery or image: just edit the URL in the browser to a different gallery number. Shouldn't thumbnails.php and displayimage.php check permissions?
Logged
Happy Rendering

Casper

  • VIP
  • Coppermine addict
  • ***
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 5231
Bug? Users can view any gallery, just edit URL
« Reply #1 on: March 04, 2004, 11:38:33 pm »

CPG does check permissions, and unlogged users cannot normally view the pics by following the steps you detailed.
How exactly are you experiencing this?
Logged
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Just paste the URL in any web browser
« Reply #2 on: March 05, 2004, 12:11:46 am »

http://www.whatever.com/gallery/thumbnails.php?album=3

Just change the album number to see any album. Verified broken in IE and MOZ. I can even view the album with cookies completely disabled. From there I can click any picture to view it unhindered, logged in or not, cookies or not.
Logged
Happy Rendering

Casper

  • VIP
  • Coppermine addict
  • ***
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 5231
Bug? Users can view any gallery, just edit URL
« Reply #3 on: March 05, 2004, 12:21:56 am »

Your link is broken (edit: DOH, I was tired lol). Have you modified any files?
Logged
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Bug? Users can view any gallery, just edit URL
« Reply #4 on: March 05, 2004, 12:27:23 am »

You should post a link to your site. I'm not experiencing what you stated on mine. Something's most likely wrong with your install. I'd try downloading a new copy of displayimage.php and thumbnails.php from the CVS.
Logged

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Of course it is...
« Reply #5 on: March 05, 2004, 12:31:23 am »

I changed the dot.com because the gallery we are running is (supposed to be) private.

The only "but" is that we are running the YaBB bridge. And I applied the mod to allow admins to see "Registered User Only" galleries. But that mod only affects Index.php; this is in thumbnails.php. I can also just enter an album and image number in displayimage.php to get the same result.

If the implementors would like I can email somebody the real URL.
Logged
Happy Rendering

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Bug? Users can view any gallery, just edit URL
« Reply #6 on: March 05, 2004, 12:34:47 am »

From my understanding, when you bridge coppermine with another application like YABB and PHPBB, it uses the users from those apps. If this is correct, then there is something wrong with your user setup in YABB.
Logged

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Don't think so.
« Reply #7 on: March 05, 2004, 12:50:02 am »

The YaBB install is completely stock, and if the user is logged out it doesn't let them in. Just like it shouldn't.
Logged
Happy Rendering

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Plus...
« Reply #8 on: March 05, 2004, 12:51:42 am »

If the logged-out user goes to the index page they only see the albums that are public, which is correct. (Of course the album count is for all the albums, which is wrong, but that's a different bug.)
Logged
Happy Rendering

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Bug? Users can view any gallery, just edit URL
« Reply #9 on: March 05, 2004, 12:56:21 am »

Try downloading a new copy of CPG first. I can't look at your site.
Logged

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Already tried
« Reply #10 on: March 05, 2004, 01:01:37 am »

I already tried re-downloading and installing everything. I got the new displayimage and thumbnail from CVS.

Try the link I sent to you via IM.
Logged
Happy Rendering

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Not a matter of integration into the BBS either
« Reply #11 on: March 05, 2004, 03:42:12 am »

I just clean installed it again (no bridge), added a couple of albums and then hit the search tool. It shows images from every album regardless of permission; clicking on the image takes me right to a picture in a "Registered User" gallery. BIG HOLE

I've dug through thumbnails.php. I'm no PHP wiz, but I can't see where it's actually checking to see what group the user is in. Some place I should be seeing something like...
Code:
<?php
// Sketch of the check the poster expected: album is visible to everyone
// (visibility 0) or restricted to the viewer's own group.
if ($alb_thumb['visibility'] == 0 || $alb_thumb['visibility'] == $USER_DATA['group_id']) {
    // The goods: render the album's thumbnails
} else {
    // "Get lost" message, or just nothing at all
}


Right?
Logged
Happy Rendering

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Found some relevant info
« Reply #12 on: March 05, 2004, 04:43:15 am »

This is caused by setting "Users can have private albums" to "no"; if it's set to "yes" it works right. I don't even know where to start looking for that one. I didn't try it without the bridge like this, but the fact that changing the setting in config turns the bug on and off absolves the bridge settings.
Logged
Happy Rendering

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: Found some relevant info
« Reply #13 on: March 05, 2004, 06:35:19 am »

Quote from: "Nerd3D"
This is caused by setting " Users can have private albums" to "no" if it's set to yes it works right.


The above is plain English -
Q: Users can have private albums?
A: no

OK, there are no private albums in this gallery because the Admin dictates that there cannot be any - End of argument :)

P.S. I have added a warning in english.php to that effect.
Logged
SANIsoft PHP applications for E Biz

omniscientdeveloper

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 901
Bug? Users can view any gallery, just edit URL
« Reply #14 on: March 05, 2004, 06:36:19 am »

Ok.

I see what you're talking about now, and after some discussion with established members, ;) I've found out that this isn't a bug. The word "users", in that sentence, is all inclusive, so setting that field to "no" has a global effect, making all your private albums public.
Logged
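To make the conclusion of this thread concrete, here is an added example that is not Coppermine's own code: a small PHP model of the visibility rule as the replies describe it (per-album visibility is honoured only while "Users can have private albums" is "yes"; with "no", every album is effectively public), the per-picture check the original poster expected thumbnails.php and displayimage.php to make, and an audit helper an admin can run before flipping the setting to see which albums it would expose. Function names, the group ids, the album records and the `aid`/`visibility` field names are constructed for this example and are not Coppermine's real schema.

```php
<?php
// Added example, not Coppermine's code: models the behaviour described in the
// thread. Group ids, album data and field names below are constructed.
declare(strict_types=1);

const VISIBILITY_EVERYONE = 0; // assumption, following the poster's sketch: 0 = visible to all
const GROUP_ADMIN         = 1; // constructed group ids
const GROUP_REGISTERED    = 2;
const GROUP_ANONYMOUS     = 3;

/**
 * May a viewer in $groupId see this album?  When the global
 * "Users can have private albums" switch is off, the thread's conclusion is
 * that the per-album visibility no longer applies and every album is public.
 */
function albumIsVisible(array $album, int $groupId, bool $privateAlbumsAllowed): bool
{
    if (!$privateAlbumsAllowed) {
        return true; // global setting wins: all private albums become public
    }
    return $album['visibility'] === VISIBILITY_EVERYONE
        || $album['visibility'] === $groupId;
}

/**
 * The check a picture request needs: the album id arrives straight from the
 * URL, so the decision is made on the album the picture belongs to, not on
 * what the index page happened to list.  Unknown album ids are denied.
 */
function pictureIsVisible(array $picture, array $albumsById, int $groupId, bool $privateAlbumsAllowed): bool
{
    $album = $albumsById[$picture['aid']] ?? null;
    if ($album === null) {
        return false; // no such album: deny rather than fall through
    }
    return albumIsVisible($album, $groupId, $privateAlbumsAllowed);
}

/**
 * Audit helper: titles of albums that a viewer in $groupId would see only
 * because the global switch is off.  Run this before setting it to "no".
 */
function albumsExposedBySetting(array $albumsById, int $groupId): array
{
    $exposed = [];
    foreach ($albumsById as $album) {
        if (!albumIsVisible($album, $groupId, true) && albumIsVisible($album, $groupId, false)) {
            $exposed[] = $album['title'];
        }
    }
    return $exposed;
}

// Constructed sample data: one public album and two group-restricted ones.
$albums = [
    1 => ['aid' => 1, 'title' => 'Public shots',  'visibility' => VISIBILITY_EVERYONE],
    2 => ['aid' => 2, 'title' => 'Members only',  'visibility' => GROUP_REGISTERED],
    3 => ['aid' => 3, 'title' => 'Admin scratch', 'visibility' => GROUP_ADMIN],
];
$picture = ['pid' => 42, 'aid' => 2]; // a picture inside the members-only album

// Switch on: an anonymous viewer editing the album id in the URL is refused.
var_dump(pictureIsVisible($picture, $albums, GROUP_ANONYMOUS, true));
// Switch off: the same request succeeds for anyone, which is what the poster saw.
var_dump(pictureIsVisible($picture, $albums, GROUP_ANONYMOUS, false));
// What the admin would want listed before choosing "no" for the setting.
print_r(albumsExposedBySetting($albums, GROUP_ANONYMOUS));
```

The two `var_dump` calls show the same URL being refused and then allowed purely on the strength of the global setting, and the audit output lists every album whose restriction that setting silently cancels; the point for an operator is that the per-album "visibility" field is not a safeguard on its own once that option is "no".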

Nerd3D

  • Coppermine newbie
  • Offline Offline
  • Posts: 18
Oh, I get it
« Reply #15 on: March 05, 2004, 07:18:15 am »

Oh, so this means that "User's albums can't be private" not "Users can't have private albums" and "private" means hidden not personal.

When I read help page I wasn't thinking of non-registered visitors as "users". I suppose I should have caught on when I saw the Anonymous users group. You might mention in the help page that turning this off will make all images available to everybody, even if the album is hidden.

This brings up a question, why can the album be hidden from certain groups but not the pictures in it?


P.S. Sorry to be a bother about this.
Logged
Happy Rendering