
Author Topic: Giving admin rights for the gallery to Junior Admins  (Read 6206 times)


WC

Giving admin rights for the gallery to Junior Admins
« on: July 02, 2007, 03:29:50 pm »

I know this has been asked many times before and I've brought it up as well. I have a kind of junior-admin user class on my site but I would like to be able to grant this member admin access to the gallery to be able to create/modify public albums. Rather than simply promoting the member to full admin (which at this moment I don't want yet) is it possible to edit the permissions in Coppermine to allow just this junior admin (as well as full admins) to administrate the gallery?

My site has the bridge manager turned on so the gallery is connected to the rest of the site/forum. Which files would I have to edit within Coppermine and what would I have to do specifically?

I would be grateful for some help on this topic.

Thanks.
Logged

Stramm

  • Dev Team member
Re: Giving admin rights for the gallery to Junior Admins
« Reply #1 on: July 02, 2007, 03:52:08 pm »

Have a look at the mods board (permissions) as there are already some mods/ hacks that offer some more possibilities.
http://forum.coppermine-gallery.net/index.php?board=78.0

WC

Re: Giving admin rights for the gallery to Junior Admins
« Reply #2 on: July 02, 2007, 04:19:55 pm »

Hmm.. I'm not sure if there is anything in that section that is directly applicable. I've actually had a look through there quite a bit before. I would like for this Junior Admin to also be able to batch add files once a number have been uploaded to the server rather than adding only a few at a time. So really, I want to grant the junior admin the same rights as an admin for Coppermine, but without making the junior admin a full admin for the rest of the site.

And yes, I realise that there are threads warning people to be careful of granting certain rights to people, but the junior admin has used Coppermine before as a standalone so would know what he is doing.

Which files would I have to edit and what should I edit it to? I have a User Class mod added to my board by the way which creates this extra Junior Admin class. Would it be helpful if I posted a link to it at all?

Thanks
Logged

Stramm

  • Dev Team member
Re: Giving admin rights for the gallery to Junior Admins
« Reply #3 on: July 02, 2007, 04:32:12 pm »

If you give your 'junior' FTP access, then you basically can give him server admin rights. Restricting CPG rights hasn't much effect then.

If you want to make the 'junior admin' a full CPG admin, then I do not understand the question, then just add him to the CPG admin group. What settings you make on the forum... you decide.

Quote
Which files would I have to edit and what should I edit it to? I have a User Class mod added to my board by the way which creates this extra Junior Admin class. Would it be helpful if I posted a link to it at all?

I still do not know what you're up to. So how could I tell you what to edit. And if one of the supporters knows 'what to edit', then he posts on the mods/ hacks board. If you do not find the right mod/ plugin for you, then it most probably hasn't been written yet and therefore no one knows what to edit.
So you ask us to do some coding so that your forum mods work together with coppermine??? If so, it's better to ask on the freelancers board cause the task isn't trivial and not coded in a few mins.

WC

Re: Giving admin rights for the gallery to Junior Admins
« Reply #4 on: July 02, 2007, 07:01:59 pm »

Quote
If you give your 'junior' FTP access, then you basically can give him server admin rights. Restricting CPG rights hasn't much effect then.

If you want to make the 'junior admin' a full CPG admin, then I do not understand the question, then just add him to the CPG admin group. What settings you make on the forum... you decide.

Well how exactly do I do this? The usergroups seem to be set in the forum ACP. Are you suggesting there is some separate Coppermine usergroup function where you can add someone to a CPG admin group? Where is this exactly? As mentioned above, I said that the bridge manager between the gallery and the forum has been applied so the two are interdependent on one another. How would I make a user an admin for Coppermine alone and not the forum, by the method you suggest?

Quote
I still do not know what you're up to. So how could I tell you what to edit. And if one of the supporters knows 'what to edit', then he posts on the mods/ hacks board. If you do not find the right mod/ plugin for you, then it most probably hasn't been written yet and therefore no one knows what to edit.
So you ask us to do some coding so that your forum mods work together with coppermine??? If so, it's better to ask on the freelancers board cause the task isn't trivial and not coded in a few mins.

Well, if you know the files within Coppermine (which I would imagine people on this board ought to be familiar with) then they would know which one relates to granting admins authority to administrate Coppermine. That being the case, wouldn't it be reasonable to think that perhaps someone here might know how to grant admin authority either to another class of user or even to a specific user id (eg user id=7)?

Any help appreciated. Thanks
Logged

Nibbler

  • Guest
Re: Giving admin rights for the gallery to Junior Admins
« Reply #5 on: July 02, 2007, 09:22:10 pm »

Either search the bridging board for discussions about admin rights when bridged or hack include/init.inc.php (look for where GALLERY_ADMIN_MODE is defined).
Logged

WC

Re: Giving admin rights for the gallery to Junior Admins
« Reply #6 on: July 09, 2007, 09:52:15 pm »

Quote
Either search the bridging board for discussions about admin rights when bridged or hack include/init.inc.php (look for where GALLERY_ADMIN_MODE is defined).

I've looked up the include/init.inc.php but I'm not entirely sure how to add the code for a junior admin.

Quote
// Retrieve the "private" album set
if (!GALLERY_ADMIN_MODE && $CONFIG['allow_private_albums']) get_private_album_set();

if (!USER_IS_ADMIN && $CONFIG['offline'] && !strstr($_SERVER["SCRIPT_NAME"],'login')) {
    pageheader($lang_errors['offline_title']);
    msg_box($lang_errors['offline_title'], $lang_errors['offline_text']);
    pagefooter();
    exit;
}

// kick user into user_admin_mode (needed to fix "removed user mode for users" when upgrading)
if (USER_ID && !USER_IS_ADMIN && !$USER['am']) { // user is logged in, but is not gallery admin and not in admin mode
    $USER['am'] = 1;
    pageheader($lang_info, "<META http-equiv=\"refresh\" content=\"1;url=$referer\">");
    msg_box($lang_info, 'Sending you to admin mode', $lang_continue, $referer);
    pagefooter();
    ob_end_flush();
    die();
}

The junior admin class is designated in the following way throughout the coding:

"JUNIOR_ADMIN", and I think the user level for the Junior Admin = 3 (with user being 0, Admin =1 and mod = 2).

How exactly would I add that user class into the coding above? I'm not sure how to write it.

Should it be something like:

Quote
if (USER_ID && !USER_IS_ADMIN && JUNIOR_ADMIN !$USER['am']) { // user is logged in, but is not gallery admin and not in admin mode
    $USER['am'] = 1;
    $USER['am'] = 3;

Or something else? If someone could just help me with the correct coding that would be much appreciated.

Thanks in advance.
Logged

Nibbler

  • Guest
Re: Giving admin rights for the gallery to Junior Admins
« Reply #7 on: July 09, 2007, 10:00:45 pm »

GALLERY_ADMIN_MODE is defined here

Code:
define('GALLERY_ADMIN_MODE', USER_IS_ADMIN && $USER['am']);

If the junior admin group is 3 and is the primary group of the user, then try

Code:
define('GALLERY_ADMIN_MODE', (USER_IS_ADMIN || USER_GROUP == 3) && $USER['am']);

If it is not the primary then you need to check if 3 appears in the $USER_DATA['groups'] array.

I'd just like to point out again that this will give them access to your webserver. Coppermine does not secure itself against admins.
Logged

WC

Re: Giving admin rights for the gallery to Junior Admins
« Reply #8 on: July 09, 2007, 10:23:25 pm »

Quote
GALLERY_ADMIN_MODE is defined here

Code:
define('GALLERY_ADMIN_MODE', USER_IS_ADMIN && $USER['am']);

If the junior admin group is 3 and is the primary group of the user, then try

Code:
define('GALLERY_ADMIN_MODE', (USER_IS_ADMIN || USER_GROUP == 3) && $USER['am']);

If it is not the primary then you need to check if 3 appears in the $USER_DATA['groups'] array.

I'd just like to point out again that this will give them access to your webserver. Coppermine does not secure itself against admins.

Where exactly is this $USER_DATA['groups'] array? Where would I look to check this?

And do you mean user groups in the above in the same sense as in user groups that you can easily create and place ordinary members into (ie the normal sense of the word "usergroups"), or do you mean "user level" as I mentioned above (of which there are only at most 2 or 3 levels of authority)? Would that change the code at all in the light of that?

Also, would it be easier at all to write the code for a particular user id instead of a user level? So if I wanted to include the member whose user id = 7 as having admin rights, how would that be done?

Thanks again.

 
Logged

Nibbler

  • Guest
Re: Giving admin rights for the gallery to Junior Admins
« Reply #9 on: July 09, 2007, 10:36:37 pm »

Easily; just use USER_ID where I put USER_GROUP and 7 instead of 3.
Logged
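The group-membership and user-id variants discussed in replies #7 and #9, as an added example that is not part of the original thread and not Coppermine's own code. The function gallery_admin_mode(), its parameters and the sample users are hypothetical; they stand in for USER_IS_ADMIN, USER_ID, $USER_DATA['groups'] and $USER['am'].

```php
<?php
// Added illustration, not Coppermine code. gallery_admin_mode() and its
// parameters are hypothetical stand-ins for the values init.inc.php works
// with: USER_IS_ADMIN, USER_ID, $USER_DATA['groups'] and $USER['am'].

/**
 * Decide whether the current request runs in gallery admin mode.
 */
function gallery_admin_mode(bool $isAdmin, int $userId, array $groups,
                            bool $adminModeFlag, array $delegate): bool
{
    // Bridged group ids may arrive as strings from the forum database;
    // normalise them so the strict comparison below matches.
    $groups = array_map('intval', $groups);

    $byGroup = $delegate['group_id'] !== null
        && in_array($delegate['group_id'], $groups, true);
    $byUser  = $delegate['user_id'] !== null
        && $userId === $delegate['user_id'];

    // Same shape as the modified define(): (admin OR delegated) AND 'am'.
    return ($isAdmin || $byGroup || $byUser) && $adminModeFlag;
}

// Constructed sample data: group 3 = junior admin, user 7 = one named member.
$delegate = ['group_id' => 3, 'user_id' => 7];

$cases = [
    'full admin'                 => [true,  1,  [1],        true],
    'junior, group 3 secondary'  => [false, 12, ['2', '3'], true],
    'user id 7, no junior group' => [false, 7,  [2],        true],
    'junior, admin mode off'     => [false, 12, [2, 3],     false],
    'ordinary member'            => [false, 30, [2],        true],
    'anonymous (id 0)'           => [false, 0,  [],         true],
];

foreach ($cases as $label => [$isAdmin, $uid, $groups, $am]) {
    $result = gallery_admin_mode($isAdmin, $uid, $groups, $am, $delegate);
    printf("%-28s => %s\n", $label, $result ? 'ADMIN MODE' : 'normal');
}
```

Every account for which this returns true is a full Coppermine admin, so the list of delegated groups and user ids should be reviewed with the same care as the server's own credentials.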

WC

Re: Giving admin rights for the gallery to Junior Admins
« Reply #10 on: July 09, 2007, 11:09:07 pm »

Ok thanks a lot! That worked!  ;D  That's great!

BTW when you say they'll have access to the server, that's only to batch add files isn't it? They can't actually access all the rest of the FTP folders/files on there unless they have the password to get on there - only the files in the Coppermine folder right?
Logged

Sami

Re: Giving admin rights for the gallery to Junior Admins
« Reply #11 on: July 09, 2007, 11:15:14 pm »

No, actually they can put a shell script on your FTP and then .... ::)
Logged
‍I don't answer to PM with support question
Please post your issue to related board

WC

Re: Giving admin rights for the gallery to Junior Admins
« Reply #12 on: July 09, 2007, 11:20:40 pm »

Quote
No, actually they can put a shell script on your FTP and then .... ::)

I'm not sure exactly what that is. Is that something malicious? And would the junior admin have to be doing this deliberately? Or could he do it accidentally when uploading photos in the normal way via batch add? If accidentally, then couldn't any admin (eg myself) accidentally upload one of those?

I don't think my junior admin would even know what a shell script is as he knows less than me and just wants to be able to help out with uploading photos/ creating galleries etc.

 
Logged

Sami

Re: Giving admin rights for the gallery to Junior Admins
« Reply #13 on: July 09, 2007, 11:31:36 pm »

They should be trusted bodies and you should be careful to give FTP info to people.
By uploading a shell script they can even run mysql queries on your db, copy/delete files, etc.
Googling for php shell will give you more info.
Logged
‍I don't answer to PM with support question
Please post your issue to related board

Joachim Müller

  • Dev Team member
Re: Giving admin rights for the gallery to Junior Admins
« Reply #14 on: July 10, 2007, 10:04:04 am »

Bottom line: if you don't trust them fully to be an admin on your forum, then don't trust them to be an admin on Coppermine. Being an admin in one of those two applications can give malevolent or beginner admins access to fully take over control over your server. As Sami suggested: granting FTP access to anybody will give them full control over the server: therefore, give that privilege only to people who you fully trust. Imo there's no such thing as a "junior admin": you either are an admin who knows his way around or you are not. As you appear not to know much about security issues on webservers I strongly suggest not to perform any modifications in the core code at all: chances are high that you unintentionally open a backdoor or security hole that malevolent users could use to ruin your entire site.
Logged