
Author Topic: Batch Uploading for specific Usergroup  (Read 4565 times)


grosseskino

Batch Uploading for specific Usergroup
« on: August 20, 2007, 02:29:37 pm »

Hi!

I already read that batch-uploading is only allowed for admin.
On my site, I have some friends helping me monitor the site.

I want them to be able to do FTP uploading and batching.
How is this possible?
Is there a way of giving them co-admin rights?

And: Yes, I trust these friends

Hein Traag

  • Dev Team member
Re: Batch Uploading for specific Usergroup
« Reply #1 on: August 20, 2007, 03:39:09 pm »

If you really really really trust them you can always add them to the admin group. Not advised but it is possible.


grosseskino

Re: Batch Uploading for specific Usergroup
« Reply #2 on: August 20, 2007, 09:27:39 pm »

Actually,

I'd like to give them kind of a supermoderator rank.
Is there any way to get my problem solved without admin'ing them...?

Joachim Müller

  • Dev Team member
Re: Batch Uploading for specific Usergroup
« Reply #3 on: August 21, 2007, 08:18:54 am »

No. Either you trust them entirely (and you better do so when giving them FTP-access) and make them admins or you don't. There's no such thing as a moderator built into coppermine. There are a couple of mods that add moderator status to users (in terms of comment moderation, upload approval etc.). None of those mods gives them access to batch-add, as giving users FTP-access is the worst thing you could possibly do in terms of security. Someone with FTP access can do anything to your site.

grosseskino

Re: Batch Uploading for specific Usergroup
« Reply #4 on: August 23, 2007, 03:18:04 pm »

Maybe someone can modify or create a mod for this?
I think I'm not the only one with this suggestion... ::)

Joachim Müller

  • Dev Team member
Re: Batch Uploading for specific Usergroup
« Reply #5 on: August 23, 2007, 05:07:18 pm »

Quote
maybe someone can modify or create a mod for this?

Seems like you haven't read or understood my reply: it would be extremely easy to grant others than the admin permission to access the batch-add page searchnew.php (in fact you'd just have to edit the security check and hard-code some user-IDs in), but that is not the point: for batch-add to work it is a pre-requisite that the files already reside on your publicly accessible web-space. The only way the files can get there is by FTP (all other methods would have the same drawbacks the existing http uploads form has). This would mean that you would have to grant those users FTP-access. But granting FTP access to others is the actual security risk. There would be no security risk to grant others the privilege to batch-add once files exist on your webserver (the only thing that could go wrong is some level of disorder in your gallery), but no breach of security.
As the security issue lies in granting FTP access to others and does not lie in allowing users to access searchnew.php, this is nothing that could be accomplished by modding coppermine.

Quote
i think i'm not the only one with this suggestion... ::)

No, you're not the first one to request this. All others who requested this got a similar reply to yours. I was just playing nicely and answered your question in detail instead of just posting "search the board, the answer has already been given". You have to understand that the fact that many newbies would find the feature helpful doesn't mean that the goal can be achieved. I tried to explain why it can't be achieved. I definitely will not come up with code that will lead others to believe that it is a bright idea to give FTP privileges to your users and everything will be fine. So if you're not concerned at all about the security impact that granting FTP access to your users would have, go ahead and code the needed small changes in searchnew.php (or hire someone to do this for you). I will definitely not come up with such a crappy piece of code, as I'm not keen on Coppermine getting a reputation similar to PHPnuke.

Quote
And: Yes, I trust these friends

So you gave them your access data to your mysql database, your car keys and your credit card? Do they sleep in your bed together with your girlfriend if you're away? If your answer to all those questions is "yes" as well, then go ahead and grant them FTP access.

Joachim

mc38

Re: Batch Uploading for specific Usergroup
« Reply #6 on: September 21, 2007, 07:43:08 pm »

Quote
it would be extremely easy to grant others than the admin permission to access the batch-add page searchnew.php   (in fact you'd just have to edit the security check and hard-code some user-IDs in)

Hi - I understand everything discussed here - but I do have a valid technical and commercial reason for allowing one existing registered user to use the batch upload.  Can you help out by pointing me in the right direction to allow access to searchnew.php?

thanks!

Joachim Müller

  • Dev Team member
Re: Batch Uploading for specific Usergroup
« Reply #7 on: September 22, 2007, 11:16:28 am »

Edit searchnew.php, find
Code:
if (!GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
and replace it with
Code:
if (!GALLERY_ADMIN_MODE) {
  // the user is not an admin. Let's test if he is the one non-admin who is allowed to use searchnew
  if (USER_ID != '1234567') {
    cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
  }
}
Change the string 1234567 to the ID of the user who is supposed to have access. Don't complain if something goes wrong. You have been warned. FTP access is not meant for non-admins.

Impeerator

Re: Batch Uploading for specific Usergroup
« Reply #8 on: September 22, 2007, 06:03:02 pm »

That's exactly what I need, too!

What about giving FTP permission just for one folder in the "albums"-folder? So the user only can do something in this folder.

mc38

Re: Batch Uploading for specific Usergroup
« Reply #9 on: September 22, 2007, 06:05:10 pm »

GauGau - Thanks so much! I have been warned - I won't come crying!
Impeerator - that's exactly what I intend to do...

Joachim Müller

  • Dev Team member
Re: Batch Uploading for specific Usergroup
« Reply #10 on: September 23, 2007, 08:25:17 am »

Quote
What about giving FTP permission just for one folder in the "albums"-folder? So the user only can do something in this folder.

Sure, great idea. What will keep them from uploading a malicious file into that particular folder and then running it in their browser?
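
The risk raised in the last reply can at least be checked for: the following added example (not part of the original thread and not Coppermine code) audits an FTP drop folder under "albums" and reports every file that is not a plain image by name and by leading bytes. The image allow-list, the list of server-interpreted name parts and the sample file names are assumptions made for the illustration.

```python
import os
import tempfile

# Assumed allow-list of image types and their leading magic bytes.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Name parts a web server may interpret as a script or as its own configuration.
ACTIVE_PARTS = {"php", "php5", "phtml", "phar", "pl", "cgi", "py", "sh", "htaccess"}

def audit_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files that are not plain images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            # Check every dot-separated part: catches "pic.php.jpg" and ".htaccess".
            if ACTIVE_PARTS.intersection(parts[1:]):
                findings.append((rel, "server-interpreted name"))
            elif ext not in IMAGE_MAGIC:
                findings.append((rel, "extension not on image allow-list"))
            else:
                with open(path, "rb") as fh:
                    head = fh.read(8)
                if not head.startswith(IMAGE_MAGIC[ext]):
                    findings.append((rel, "content does not match extension"))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (placeholder contents, not real files)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "holiday"))
        samples = {
            "holiday/beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
            "holiday/gallery.php": b"<?php /* constructed placeholder */ ?>",
            "holiday/pic.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
            "holiday/fake.gif": b"not really a gif",
            ".htaccess": b"# constructed placeholder",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root)
```

Because it runs after the upload, this detects such files rather than preventing them from being requested in a browser.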