Here's a test scenario (cpg 1.3.2):
First I created a "Family" user group.
Then created two users: One is a member of the Registered group and the other user is a member of the Family group.
Then set Registered and Family users to have permission to upload.
I created some Private albums (under admin) to be meant for the "Family" group only and some other albums for public use.
One Private album has "Visitors can upload files" set to "Yes" and rest of the Private albums no uploads - the.
So, since some albums are "private" I did not want users to upload files to those albums - BUT:
Logging in as a Registered user and uploading a file revealed the Private album with the upload permission in the Album dropdown box on the upload form.
That's odd I thought, so I looked at the code in Upload.php - did not see any check for a user being a member of a certain group with upload permissions for albums within that group.
Now I may be missing something here (a lot, as a matter of fact) and have not completely grasped the entire overview of this great Gallery Code or PHP but here's my initial quick fix:
In Upload.php (around line 825) I changed the SQL query for the Public Albums from this:
$public_albums = mysql_query("SELECT aid, title FROM {$CONFIG['TABLE_ALBUMS']} WHERE category < " . FIRST_USER_CAT . " AND uploads='YES' ORDER BY title");
to this:
$public_albums = mysql_query("SELECT aid, title FROM {$CONFIG['TABLE_ALBUMS']} WHERE category < " . FIRST_USER_CAT . " AND uploads='YES' AND (visibility = {$USER_DATA['group_id']} OR visibility = 0) ORDER BY title");
Thus adding the check to see if a user is actually a member of the group the album belongs to or a public album.
So, for a sanity check - WhattaYallThink?
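
An added illustration, not part of the post and not Coppermine code: a Python/SQLite model of the two queries above, run against constructed albums. The column names come from the post; the FIRST_USER_CAT value and the group ids are assumptions. It also applies the same predicate to the album id that comes back with the form, which goes one step beyond the dropdown query in the post.

```python
import sqlite3

FIRST_USER_CAT = 10000        # assumed value; the post only names the constant
REGISTERED, FAMILY = 2, 5     # constructed group ids

# WHERE clauses modelled on the post's original and changed queries,
# written with bound parameters instead of string interpolation.
ORIGINAL = "category < ? AND uploads = 'YES'"
PATCHED = ORIGINAL + " AND (visibility = ? OR visibility = 0)"

def make_db():
    """Constructed albums table using the column names from the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE albums (aid INTEGER PRIMARY KEY, title TEXT,"
               " category INTEGER, uploads TEXT, visibility INTEGER)")
    db.executemany("INSERT INTO albums VALUES (?, ?, ?, ?, ?)", [
        (1, "Holiday (public)", 1, "YES", 0),
        (2, "Family uploads",   1, "YES", FAMILY),  # private, uploads on
        (3, "Family archive",   1, "NO",  FAMILY),  # private, uploads off
        (4, "Events (public)",  1, "NO",  0),
    ])
    return db

def upload_albums(db, group_id, patched=True):
    """Titles offered in the upload form's album dropdown."""
    where = PATCHED if patched else ORIGINAL
    args = (FIRST_USER_CAT, group_id) if patched else (FIRST_USER_CAT,)
    rows = db.execute(
        f"SELECT title FROM albums WHERE {where} ORDER BY title", args)
    return [r[0] for r in rows]

def may_upload(db, group_id, aid):
    """Same predicate, applied to the album id submitted with the form."""
    row = db.execute(f"SELECT 1 FROM albums WHERE aid = ? AND {PATCHED}",
                     (aid, FIRST_USER_CAT, group_id)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print("original, Registered:", upload_albums(db, REGISTERED, patched=False))
    print("patched,  Registered:", upload_albums(db, REGISTERED))
    print("patched,  Family:    ", upload_albums(db, FAMILY))
    print("Registered -> album 2:", may_upload(db, REGISTERED, 2))
```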