forum.coppermine-gallery.net

Dev Board => cpg1.4 Testing/Bugs => cpg1.4 Testing/Bugs: FIXED/CLOSED => Topic started by: Tranz on March 27, 2005, 01:29:24 pm

Title: non-admin user, not in admin mode without personal gallery
Post by: Tranz on March 27, 2005, 01:29:24 pm
Not sure if this is intentional or not.

Nonadmin users are allowed to edit their own files uploaded to public albums. However, if they are in a group that does not grant them personal gallery permissions, they can't edit their individual files in the public albums because they are not seen as being in user admin mode.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Nibbler on March 27, 2005, 01:36:15 pm
Didn't we remove user admin mode ?
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on March 27, 2005, 01:43:53 pm
There's no explicit mode, but it is implicit that they are admin if they have personal galleries. However, if they can't have personal galleries, they can't be in admin mode. Thus, they can't edit individual files that they can upload to public albums because they are not in admin mode.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Joachim Müller on March 27, 2005, 03:47:58 pm
Quote
Didn't we remove user admin mode ?

We only removed the toggle, so the user stays in "admin mode" (when logged in) all the time - in fact we removed the "user user mode".

Joachim
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Casper on March 27, 2005, 11:11:24 pm
Could we not just replace the first conditional with the same as the second, i.e., replace this;

Code:
if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
with this;

Code:
if (!(GALLERY_ADMIN_MODE || $pic['category'] == FIRST_USER_CAT + USER_ID || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Nibbler on March 27, 2005, 11:49:16 pm
I think that would allow an unlogged user to edit an anonymously uploaded pic, so check for that too.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Joachim Müller on April 09, 2005, 01:34:13 pm
*bump*
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: donnoman on April 10, 2005, 07:36:14 pm
Isn't there a config option to allow a user to retain control of their pics in public albums? How does it play into this situation?
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: cryogenic on April 15, 2005, 03:30:13 am
Under user settings there is in fact such an option. However, I believe the previous posters are making the point that if you set your gallery such that regular non-admin (but still logged in) users are not allowed to have their own galleries, that option has no bearing and they have no control over the pictures they've uploaded into public galleries. That's my take on the situation and I haven't tested it as of yet as I have allowed my users to have their own galleries.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on April 15, 2005, 03:37:46 am
Your understanding is correct.

I want to set up a showcase gallery where users can upload to public albums. I do not want them to have personal galleries. However, this means those users are unable to edit their files in the public albums.

I think if we can get this fixed, we can roll out that showcase gallery. :)
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Nibbler on April 15, 2005, 12:14:21 pm
Does Casper's suggestion work ?
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on April 16, 2005, 12:16:26 am
I didn't try it because of what you brought up afterward.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on May 01, 2005, 09:21:22 am
I tried Casper's suggestion. I got this error message:

Quote
You don't have permission to access this page.

File: C:\wamp\websites\cpg-dev\editOnePic.php - Line: 24

 "Allow users to retain control over their pics in public galleries" is set to yes.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on May 01, 2005, 09:33:33 am
Hmm... even when I allow the group to have personal galleries, the user cannot edit the file.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on May 01, 2005, 09:53:42 am
Never mind. After I ran update.php, I was able to edit the file.

And it does not allow an anonymous user to edit the file.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on May 07, 2005, 08:16:36 pm
It turned out that the fix worked for my unbridged installation. When I tested it at cpg-contrib, which is bridged with SMF, I got this error:
You don't have permission to access this page.

Could it be due to it being bridged? I set the permissions on the Registered group. But that group does not seem to exist in the forums.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on June 26, 2005, 08:08:50 pm
I revisited this issue and a nonadmin with no public gallery privileges still cannot edit a file in a public album.

In editOnePic.php is:
Code:
if (!(GALLERY_ADMIN_MODE || $pic['category'] == FIRST_USER_CAT + USER_ID || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

I might have had an error in my previous test.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Nibbler on June 27, 2005, 02:28:23 pm
Just comment out this line at the top of the file

Code:
if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

Any unauthorised access would get caught by other checks made once we determine ownership of the pic in question.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on June 27, 2005, 04:15:49 pm
Woohoo! It worked.

user can edit if config allows control; cannot edit if not allowed control.
anonymous cannot edit regardless of above config
admin can edit
user can edit regardless if allowed to have personal galleries

Anything else to check for? Is it ok to commit?
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on June 27, 2005, 04:26:35 pm
I tested accessing the editing URL when not logged in and got this:
Quote
Template error
Failed to find block 'log_ecards'(#(<!-- BEGIN log_ecards -->)(.*?)(<!-- END log_ecards -->)#s) in :


                <div align="center">
                <table cellpadding="0" cellspacing="1">
                        <tr>

                                <td class="admin_menu"><a href="admin.php" title="{ADMIN_TITLE}">{ADMIN_LNK}</a></td>
                                <td class="admin_menu"><a href="catmgr.php" title="{CATEGORIES_TITLE}">{CATEGORIES_LNK}</a></td>
                                <td class="admin_menu"><a href="albmgr.php{CATL}" title="{ALBUMS_TITLE}">{ALBUMS_LNK}</a></td>
                                <td class="admin_menu"><a href="groupmgr.php" title="{GROUPS_TITLE}">{GROUPS_LNK}</a></td>
                                <td class="admin_menu"><a href="usermgr.php" title="{USERS_TITLE}">{USERS_LNK}</a></td>
                                <td class="admin_menu"><a href="banning.php" title="{BAN_TITLE}">{BAN_LNK}</a></td>
                                <td class="admin_menu"><a href="reviewcom.php" title="{COMMENTS_TITLE}">{COMMENTS_LNK}</a></td>

                                <td class="admin_menu"><a href="picmgr.php" title="{PICTURES_TITLE}">{PICTURES_LNK}</a></td>
                                <td class="admin_menu"><a href="searchnew.php" title="{SEARCHNEW_TITLE}">{SEARCHNEW_LNK}</a></td>
                                <td class="admin_menu"><a href="util.php" title="{UTIL_TITLE}">{UTIL_LNK}</a></td>
                                <td class="admin_menu"><a href="profile.php?op=edit_profile" title="{MY_PROF_TITLE}">{MY_PROF_LNK}</a></td>
<!-- BEGIN documentation -->
                                <td class="admin_menu"><a href="{DOCUMENTATION_HREF}" title="{DOCUMENTATION_TITLE}" target="cpg_documentation">{DOCUMENTATION_LNK}</a></td>
<!-- END documentation -->
<!-- BEGIN MiniCMS Config -->
                                <td class="admin_menu"><a href="index.php?file=minicms/cms_config" title="MiniCMS Config" >MiniCMS Config</a></td>
<!-- END MiniCMS Config -->

<!-- BEGIN MiniCMS Admin -->
                                <td class="admin_menu"><a href="index.php?file=minicms/cms_admin" title="MiniCMS Admin" >MiniCMS Admin</a></td>
<!-- END MiniCMS Admin -->

                        </tr>
                </table>
                </div>

If I try to access editOnePic.php without the file parameters, it shows the edit page but with no specific file to edit.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Nibbler on June 27, 2005, 04:39:31 pm
OK, change the permission checks to
Code:
if (!(GALLERY_ADMIN_MODE || $CURRENT_PIC['category'] == FIRST_USER_CAT + USER_ID || ($CONFIG['users_can_edit_pics'] && $CURRENT_PIC['owner_id'] == USER_ID)) || !USER_ID) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

and move the pageheader($title) call down to just before here:

Code:
$thumb_url = get_pic_url($CURRENT_PIC, 'thumb');
That should sort it.
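
The condition Casper proposed and the one Nibbler posted above, compared side by side as an added example (not part of the original thread and not Coppermine's own code). It assumes guests have USER_ID 0 and that anonymous uploads are stored with owner_id 0; the FIRST_USER_CAT value, the function names and the sample rows are constructed for illustration.

```php
<?php
// Added illustration; not Coppermine's code. The constants used in the
// thread become parameters so several users can be checked in one run.
const FIRST_USER_CAT = 10000; // assumed value for this sketch

// Casper's proposed condition, inverted: true means access is allowed.
function can_edit_proposed(array $pic, int $userId, bool $isAdmin, bool $usersCanEditPics): bool
{
    return $isAdmin
        || $pic['category'] == FIRST_USER_CAT + $userId
        || ($usersCanEditPics && $pic['owner_id'] == $userId);
}

// Nibbler's final condition: the same test, but "|| !USER_ID" denies guests.
function can_edit_final(array $pic, int $userId, bool $isAdmin, bool $usersCanEditPics): bool
{
    if (!$userId) {
        return false; // not logged in: never allowed to edit
    }
    return can_edit_proposed($pic, $userId, $isAdmin, $usersCanEditPics);
}

// Constructed sample rows: two pictures in a public album (category 5).
$anonPic = ['category' => 5, 'owner_id' => 0]; // uploaded without login (assumed owner_id 0)
$userPic = ['category' => 5, 'owner_id' => 7]; // uploaded by user 7

// label, picture, USER_ID, GALLERY_ADMIN_MODE, $CONFIG['users_can_edit_pics']
$cases = [
    ['guest, anonymous upload',   $anonPic, 0, false, true],
    ['guest, user 7 upload',      $userPic, 0, false, true],
    ['user 7, own upload',        $userPic, 7, false, true],
    ['user 7, own, config off',   $userPic, 7, false, false],
    ['user 8, user 7 upload',     $userPic, 8, false, true],
    ['admin, user 7 upload',      $userPic, 1, true,  false],
];

foreach ($cases as [$label, $pic, $uid, $admin, $cfg]) {
    printf(
        "%-26s proposed=%-5s final=%s\n",
        $label,
        var_export(can_edit_proposed($pic, $uid, $admin, $cfg), true),
        var_export(can_edit_final($pic, $uid, $admin, $cfg), true)
    );
}
```

Only the first row differs between the two columns: the ownership comparison matches a guest against an anonymously uploaded picture unless the guest is rejected before ownership is considered.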
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on June 28, 2005, 06:54:06 am
The problem with anonymous access has been resolved.

The non-admin user got this message after clicking the button to edit:
You don't have permission to access this page.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Nibbler on June 28, 2005, 01:03:30 pm
OK, can you test with v1.38 of editOnePic.php?
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on June 29, 2005, 07:34:50 am
Donnoman updated the cpg-contrib gallery with the file and it worked fine as far as editing. Thanks. :)

But I am denied access as the user when trying the buttons for crop/rotate and delete.
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Nibbler on June 29, 2005, 06:11:34 pm
Committed fixes for them too :)
Title: Re: non-admin user, not in admin mode without personal gallery
Post by: Tranz on June 30, 2005, 07:35:42 am
Great! Thank you. :)