forum.coppermine-gallery.net

Support => Older/other versions => cpg1.2 Standalone Support => Topic started by: _dopehead_ on March 14, 2004, 05:46:23 pm

Title: How to give reg. users access to the batch upload function
Post by: _dopehead_ on March 14, 2004, 05:46:23 pm
I have been searching for this and did not find any answers. How do I enable access to the batch upload function in Coppermine for my registered users? I don't want them to be admins, but they should have access to batch uploading the pics that they have FTP'ed to my server.

Jan
Title: How to give reg. users access to the batch upload function
Post by: Joachim Müller on March 14, 2004, 11:11:04 pm
Batch-add is an admin-only function, as it would require your users to have FTP access, which they could easily use to take over your whole server. In other words: this can't be done!

GauGau
Title: Re: How to give reg. users access to the batch upload function
Post by: goebelmeier on July 13, 2004, 03:46:43 pm
Why can't this be done? I'm webmaster of a website with 5 different photographers (dict.leo.org, German -> English :)); each has his own FTP directory in a chroot which is named /albums/<name>/. Until now, all 5 have admin rights to use batch-add. In future I would like them only to add albums and use batch-add. I don't see any security risk in implementing such a feature.

Wow, bad English, but I hope you will understand :)
Title: Re: How to give reg. users access to the batch upload function
Post by: Joachim Müller on July 13, 2004, 06:50:59 pm
OK, we decided to let only admins have batch-add, because if we didn't, there'd be a lot of newbie webmasters who gave away FTP upload permissions to their users without any restriction. The restriction must be that the FTP uploads must either not be accessible by HTTP, or PHP parsing must be disabled, or uploads must be restricted server-side to certain file types that can't be harmful. The reason why an unsecured FTP access would be disastrous for security is easy to see: a "bad guy" might upload a script file (PHP, Perl or whatever) and execute it in the browser - this way, he could gain access to the whole website and take it over.
I'm sure that the pros out there know how to secure their FTP uploads, but "regular" webhosted "wannabe-admins" won't. This is why there's no batch-add for "regular" users - just to not lead "newbies" into temptation. Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

GauGau
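
The third restriction named in the post above (server-side limiting of FTP uploads to harmless file types), as an added sketch that is not part of the thread or of Coppermine's code. The allowlist, the script-extension list, the function names and the sample files are assumptions constructed for this example.

```python
import os
import tempfile

# Assumed allowlist: image extension -> accepted leading magic bytes.
ALLOWED = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
           ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# Name components a web server may hand to an interpreter (assumed list).
SCRIPT_PARTS = {"php", "php3", "phtml", "pl", "cgi", "py", "sh", "htaccess"}

def check_file(path):
    """Return a rejection reason for one uploaded file, or None if acceptable."""
    name = os.path.basename(path).lower()
    # Look at every dot-separated part so "pic.php.jpg" and ".htaccess" are caught.
    if SCRIPT_PARTS.intersection(name.split(".")[1:]):
        return "script extension in name"
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED:
        return "extension not allowlisted"
    with open(path, "rb") as fh:
        head = fh.read(16)
    if not head.startswith(ALLOWED[ext]):
        return "content does not match extension"
    return None

def audit(root):
    """Walk an FTP upload tree and map relative path -> rejection reason."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = check_file(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings

def demo():
    """Audit a constructed sample tree (placeholder contents, not from the thread)."""
    samples = {
        "anna/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
        "bob/shell.php": b"<?php /* placeholder */ ?>",
        "bob/pic.php.jpg": b"\xff\xd8\xff\xe0",
        "bob/fake.gif": b"<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit(root)
```

A magic-byte check only confirms how a file begins, so it complements, and does not replace, the other two restrictions in the post (no HTTP access to the upload directory, or PHP parsing disabled there).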
Title: Re: How to give reg. users access to the batch upload function
Post by: goebelmeier on July 13, 2004, 08:40:48 pm
Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

Thanks... Very good hint. I haven't looked at the source yet.