forum.coppermine-gallery.net

No Support => Feature requests => Topic started by: LrgrThnLf on February 16, 2009, 09:43:18 pm

Title: [Valid]phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login
Post by: LrgrThnLf on February 16, 2009, 09:43:18 pm
After posting in the integration forum, I'm advised this is a "missing feature" so I'm posting a feature request.

When one is not signed into CPG or phpBB, and the two are integrated, one is redirected (correctly) to the phpBB log in page.

When one has logged in, however, one is returned to the top level of CPG and not to the specifically requested page which triggered the login. I understand that this has some security implications (a requested redirect URL should not perform any data manipulation operations without being confirmed) but it seems counterintuitive otherwise to expect a user to request a page, log in, then go back to the originally requested link and reload it.
Title: Re: phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login
Post by: Joachim Müller on February 17, 2009, 09:24:20 am
I'm not a bridging expert nor a phpBB expert, but it's likely that this is a missing feature of phpBB and not a missing feature of Coppermine, so it's very likely that your request might simply not apply.
Title: Re: phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login
Post by: LrgrThnLf on February 17, 2009, 06:07:31 pm
phpBB3 allows the specification of a redirection URL during login via the redirect parameter.

Are you saying that a "registered users only" gallery in CPG1.4.20 will redirect someone back to the specific page they were requesting if a user is not logged in?
If it does, do other bridged messageboards also achieve this?

Current situation - from CPG bridged:

phpBB3's own behaviour:

In the phpBB3.x bridge file, phpbb3.inc.php, there's a section of code:
Code:
        function login_page()
        {
                global $CONFIG;

                $redirect = urlencode($CONFIG['site_url']);
                $this->redirect("/ucp.php?mode=login&redirect=$redirect");
        }
In the SMF2.x bridge file, there's the code:
Code:
        function login_page()
        {
                global $CONFIG;

                // silly workaround for SMF's redirect check...
                $_SESSION['old_url'] = $CONFIG['site_url'] . '?board=redirect';
                $this->redirect('/index.php?action=login');
        }
Doing a quick grep suggests that "site_url" is derived from database's "_config" table, specifically the "ecards_more_pic_target" tuple. This appears to be the fully qualified location of the gallery.

QED The Coppermine bridge, not phpBB or SMF, seems to be redirecting people back to the top level page.

You may ask why I'm lodging this as a feature request rather than doing it myself - I'm a sysadmin by profession, not a programmer. So I'm good at tracking down things - but I'm sure there's people far more qualified than I to edit the code, and if they do edit the code, know the consequences of doing so.

I.e., there is a potential issue where a person requests a page that performs an administrative/data-altering function that shouldn't be performed without a specific confirmation (as per the discussion in the blog here: http://www.phpbb.com/blog/2009/01/14/fighting-csrf/)
Title: Re: phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login
Post by: Joachim Müller on February 18, 2009, 07:30:57 am
Current situation - from CPG bridged:
  • I'm not logged in
  • I ask for URL http://www.example.com/cpg/index.php?cat=19851
  • I then get sent to http://www.example.com/phpbb3/ucp.php?mode=login&redirect=http%3A%2F%2Fwww.example.com%2Fcpg%2F
  • I sign in, and get redirected back to the top level cpg page
Thanks for the summary. Taking into account what you said above, this is what we need to do then: populate the redirect var with the full location instead of the gallery root. This is comparatively easy, but (there's always a "but"): we need to find a way to sanitize the data contained in the redirect variable. If we don't, made-up links could be created that redirect people to malevolent pages. This is easier said than done: sanitizing the path information and the parameters in a URL is quite hard, as coppermine doesn't have a structure similar to SMF when it comes to URL parameters: we have an awful load of URL parameters with a lot of potential values to sanitize against.
This being said: I can see your point and I will flag your thread as "valid", but your request will not go into cpg1.5.x, as we already have a feature freeze stage for that version.
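
Added example (not part of the original posts and not Coppermine's or phpBB's code): one way to check a requested return URL before it is placed in the redirect parameter, so that only same-gallery targets on an allowlist of display-only scripts are accepted. The function name, the allowlist contents and the sample inputs are assumptions; the script's own handling of its query parameters is still required.

```php
<?php
// Added example, not Coppermine's code; function and variable names are hypothetical.
// Returns $requested only when it stays inside the gallery at $siteUrl and names
// a script on a read-only allowlist; anything else falls back to the gallery root.
function safe_return_url(string $requested, string $siteUrl, array $allowedScripts): string
{
    // Control characters, spaces and backslashes have no place in a return URL.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $requested)) {
        return $siteUrl;
    }
    $req  = parse_url($requested);
    $base = parse_url($siteUrl);
    if (!is_array($req) || !isset($base['scheme'], $base['host'])
        || isset($req['user']) || isset($req['pass'])) {
        return $siteUrl;
    }
    // Scheme, host and port must match the configured gallery exactly.
    foreach (['scheme', 'host', 'port'] as $part) {
        if (strtolower((string)($req[$part] ?? '')) !== strtolower((string)($base[$part] ?? ''))) {
            return $siteUrl;
        }
    }
    // The path must be <gallery root>/<allowed script>; "../" never matches the list.
    $root = rtrim($base['path'] ?? '', '/') . '/';
    $path = $req['path'] ?? '';
    if (strncmp($path, $root, strlen($root)) !== 0) {
        return $siteUrl;
    }
    $script = substr($path, strlen($root));
    if ($script !== '' && !in_array($script, $allowedScripts, true)) {
        return $siteUrl;
    }
    // Rebuild from validated parts; the fragment is dropped, the query is kept.
    $port = isset($base['port']) ? ':' . $base['port'] : '';
    $query = isset($req['query']) ? '?' . $req['query'] : '';
    return $base['scheme'] . '://' . $base['host'] . $port . $path . $query;
}

$siteUrl = 'http://www.example.com/cpg/';   // stands in for $CONFIG['site_url']
$allowed = ['index.php'];                    // assumption: scripts that only display data
$samples = [                                 // constructed inputs
    'http://www.example.com/cpg/index.php?cat=19851',  // URL from the thread: kept
    'http://other.example/cpg/index.php',              // foreign host: gallery root
    '//other.example/cpg/index.php',                   // scheme-relative: gallery root
    'http://www.example.com/cpg/../phpbb3/ucp.php',    // leaves the gallery: gallery root
];
foreach ($samples as $s) {
    echo '/ucp.php?mode=login&redirect=' . urlencode(safe_return_url($s, $siteUrl, $allowed)), "\n";
}
```

Only the first sample keeps its full location in the login link; the other three come back as the gallery root, which is what the bridge sends today.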
Title: Re: [Valid]phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login
Post by: terrano on October 06, 2011, 10:40:26 pm
Well done on the auto resizing in the latest version  :)

By chance was the request in this topic included in the latest release?

Requiring the same, if user is surfing the gallery un-logged and wants to make a comment on a photo and hits the login link they are directed back to the photo they wish to comment on instead of the index and trolling back through multiple page links to find the required photo.