forum.coppermine-gallery.net

Support => cpg1.5.x Support => cpg1.5 plugins => Topic started by: macmiller on January 13, 2012, 02:41:41 am

Title: Error: New Plugin for Permission Control
Post by: macmiller on January 13, 2012, 02:41:41 am
Based on this plugin: plugin delete control (http://forum.coppermine-gallery.net/index.php/topic,72695.0.html), I created another simple plugin which removes some settings from the modify album page. The plugin code is as follows:
Code:
<?php
/**************************************************
  Coppermine Plugin - Delete Control
  *************************************************
  Copyright (c) 2005 Paul Van Rompay
  *************************************************
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.
***************************************************/
//
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

// ------------------------------------------------------------------------------------------------
// Add filter - post-process the generated page HTML
// ------------------------------------------------------------------------------------------------
$thisplugin->add_filter('page_html','permControl_filterpage');

// ------------------------------------------------------------------------------------------------
// Filter page_html to remove the album permission settings for non-admins
// ------------------------------------------------------------------------------------------------

function permControl_filterpage($html) {
    // Only act on the modify album page (modifyalb.php) and only for non-admins
    if (defined('MODIFYALB_PHP') && !GALLERY_ADMIN_MODE) {
        // (?U) = ungreedy, (?s) = dot also matches newlines: strip everything from the
        // "Permissions for this album" header row through the "depending on groups settings" row
        $html = preg_replace('/(?U)(?s)(<tr>\s*<td class="tableh2" colspan="2">\s*<strong>Permissions for this album<\/strong>).*depending on groups settings.*\/td>.*\/tr>/','',$html);
    }

    return $html;
}

// ------------------------------------------------------------------------------------------------
// End of plugin code
// ------------------------------------------------------------------------------------------------

?>

This code simply removes 4 options from the update album screen (modifyalb.php) for non-admins:

Album can be viewed by     
Password protect this album (Tick for yes)     
Visitors can post comments *     Yes    No
Visitors can rate files *     Yes    No
[and a line which reads * depending on group settings]

The problem comes into play when the user goes to perform an update. A database error is generated due to the fact that the visibility variable is not initialized. See the 'visibility = , alb_password = '',' part of the SQL query.

Code:
While executing query 'UPDATE cpg15x_albums SET title = 'test project', description = 'album description', category = 10084, thumb = 0, comments = 'NO', votes = 'NO', visibility = , alb_password = '', alb_password_hint = '', keyword = '' WHERE aid = 1' in db_input.php on line 433
My question is: where should I add the initialization of the variable? I am confused, since the plugin is only removing the display from the screen, so I wouldn't expect it to break things; however, it does work fine when the plugin is deactivated, so it is definitely the plugin. ???


Title: Re: Error: New Plugin for Permission Control
Post by: Αndré on January 13, 2012, 11:15:35 am
If you don't submit those form values, they'll be empty, hence causing that issue. As far as I can see, it's not possible to achieve a secure solution as Coppermine always uses the submitted values:
Code:
    $aid = $superCage->post->getInt('aid');
    $title = $superCage->post->getEscaped('title');
    $category = $superCage->post->getInt('category');
    $description = $superCage->post->getEscaped('description');
    $keyword = $superCage->post->getEscaped('keyword');
    $thumb = $superCage->post->getInt('thumb');
    $visibility = $superCage->post->getInt('visibility');

    $uploads = $superCage->post->getAlpha('uploads') == 'YES' ? 'YES' : 'NO';
    $comments = $superCage->post->getAlpha('comments') == 'YES' ? 'YES' : 'NO';
    $votes = $superCage->post->getAlpha('votes') == 'YES' ? 'YES' : 'NO';

Of course you can replace the buttons with hidden fields (you'd need them to avoid that error message), but users who know their way around could still change those values. A real secure solution would need a check around the above mentioned code.
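
Added example (not part of the original post and not Coppermine code): one shape the server-side check described above could take, where the restricted columns are taken from the stored album row for non-admins instead of from the request. The function name, the field list and the sample data are assumptions made for the illustration.

```php
<?php
// Added example: server-side enforcement of album permission fields.
// All function and variable names here are hypothetical, not Coppermine's.

// Columns a non-admin must not be able to change, whatever the form submits.
const ADMIN_ONLY_FIELDS = ['visibility', 'alb_password', 'comments', 'votes'];

/**
 * Build the column => value map for the album UPDATE.
 * $submitted: already-sanitised form values; $stored: current database row.
 */
function album_update_values(array $submitted, array $stored, bool $isAdmin): array
{
    $values = [];
    foreach ($stored as $column => $current) {
        if (!$isAdmin && in_array($column, ADMIN_ONLY_FIELDS, true)) {
            // Ignore the request entirely: keep what is already stored,
            // even if a hidden field for this column was edited client-side.
            $values[$column] = $current;
        } elseif (array_key_exists($column, $submitted)) {
            $values[$column] = $submitted[$column];
        } else {
            // Field missing from the form: keep the stored value instead of
            // emitting an empty "column = ," into the query.
            $values[$column] = $current;
        }
    }
    return $values;
}

// Constructed sample data: the stored row, and a request in which the
// restricted fields were changed even though the form no longer shows them.
$stored = ['title' => 'test project', 'visibility' => 0, 'alb_password' => '',
           'comments' => 'YES', 'votes' => 'YES'];
$tampered = ['title' => 'renamed', 'visibility' => 3, 'comments' => 'NO'];

// Non-admin: only the title changes; admin: submitted values are applied.
print_r(album_update_values($tampered, $stored, false));
print_r(album_update_values($tampered, $stored, true));
```

Because the decision is made from the session's admin status and the stored row, it holds whether the plugin hides the fields, replaces them with hidden inputs, or is bypassed altogether.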
Title: Re: Error: New Plugin for Permission Control
Post by: macmiller on January 14, 2012, 05:39:10 pm
For the time being I hacked the db_input.php file adding this initialization code below the code mentioned above (where the variables are set from the form values).

Code:
    if (!GALLERY_ADMIN_MODE) {
       $visibility = '1';
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }

It is not a good solution as all the code should be in the plugin, but it does work and eliminates the db access error.
Title: Re: Error: New Plugin for Permission Control
Post by: macmiller on January 29, 2012, 10:17:59 am
Just to correct the hack code in case anyone is looking at this.  The visibility code should be set to 0 and not 1. 

Code:
    if (!GALLERY_ADMIN_MODE) {
       $visibility = '0'; //this should be set to 0 not 1
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }
Title: Re: Error: New Plugin for Permission Control
Post by: daveweb on December 22, 2012, 08:43:13 pm
I have installed the plugin and it appears to work ok, however when a user creates a new album it is setting the default method to Everybody (Public Album). Is there a way to make it default to Album owner only?
Any help would be appreciated.
Title: Re: Error: New Plugin for Permission Control
Post by: daveweb on December 22, 2012, 09:39:39 pm
Sorry, please ignore my last request; I only just realised that the gallery default is for Everybody (Public Album), for which I have found the solution for changing in another thread.