Author Topic: admin approval of registration only works when logged out  (Read 3694 times)


Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
admin approval of registration only works when logged out
« on: March 06, 2005, 04:25:04 am »

If I click the activation link while I am logged in (as admin or regular user), it says:
Quote
You don't have permission to access this page.

It's due to this line:
Code: [Select]
if (!$CONFIG['allow_user_registration'] || USER_ID) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

I changed this to
Code: [Select]
if (!$CONFIG['allow_user_registration'] || !GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
That caused other issues.

If the account is already active, it shows the header twice (including admin menu) when it shows the error message "Account is already active!".

Then if I try to register, it says I don't have permission. So that admin conditional needs to go elsewhere.

So the current issue is that the admin can't activate the registration while logged in. However, the link should require an admin being logged in for it to work. Maybe there needs to be another parameter in the URL to indicate that it is an admin activation.
« Last Edit: March 25, 2005, 09:31:55 am by TranzNDance »
Logged

Aditya Mooley

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 781
    • My Sweet Home
Re: admin approval of registration only works when logged out
« Reply #1 on: March 22, 2005, 07:56:49 am »

Quote
I changed this to
Code: [Select]
if (!$CONFIG['allow_user_registration'] || !GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

By doing this we are denying new registrations. What if we remove the second condition?

Quote
If the account is already active, it shows the header twice (including admin menu) when it shows the error message "Account is already active!".

I suggest the following code changes to avoid this:

Code: [Select]
if (isset($_GET['activate'])) {
    //$CONFIG['admin_activation'] = FALSE;
    //$CONFIG['admin_activation'] = TRUE;

    // Activation request: keep at most 32 characters of the key and escape it for the query
    $act_key = addslashes(substr($_GET['activate'], 0 , 32));
    if (strlen($act_key) != 32) cpg_die(ERROR, $lang_register_php['acct_act_failed'], __FILE__, __LINE__);

    // Look up the account that belongs to this activation key
    $sql = "SELECT user_active user_active, user_email, user_name, user_password " . "FROM {$CONFIG['TABLE_USERS']} " . "WHERE user_actkey = '$act_key' " . "LIMIT 1";
    $result = cpg_db_query($sql);
    if (!mysql_num_rows($result)) cpg_die(ERROR, $lang_register_php['acct_act_failed'], __FILE__, __LINE__);

    $row = mysql_fetch_array($result);
    mysql_free_result($result);

    if ($row['user_active'] == 'YES') cpg_die(ERROR, $lang_register_php['acct_already_act'], __FILE__, __LINE__);

    // The page header is output only after the checks above have passed
    pageheader($lang_register_php['page_title']);
    $email = $row['user_email'];
    $user_name = $row['user_name'];
    $password = $row['user_password'];

    // Mark the account as active
    $sql = "UPDATE {$CONFIG['TABLE_USERS']} " . "SET user_active = 'YES' " . "WHERE user_actkey = '$act_key' " . "LIMIT 1";
    $result = cpg_db_query($sql);

    if ($CONFIG['admin_activation']==1) { //after admin approves, user receives email notification
        msg_box($lang_register_php['information'], $lang_register_php['acct_active_admin_activation'], $lang_continue, 'index.php');
        $site_link = $CONFIG['site_url'];
        $template_vars = array(
            '{SITE_LINK}' => $site_link,
            '{USER_NAME}' => $user_name,
            '{PASSWORD}' => $password,
            '{SITE_NAME}' => $CONFIG['gallery_name'],
        );
        cpg_mail($email, sprintf($lang_register_php['notify_user_email_subject'], $CONFIG['gallery_name']), nl2br(strtr($lang_register_activated_email, $template_vars)));
    } else { //user self-activated, gets message box that account was activated
        msg_box($lang_register_php['information'], $lang_register_php['acct_active'], $lang_continue, 'index.php');
    }
} else {
    // No activation key: normal registration flow
    pageheader($lang_register_php['page_title']);
    if (isset($_POST['agree'])) {
        input_user_info();
    } elseif (isset($_POST['submit'])) {
        $errors = '';
        if (!check_user_info($errors)) {
            input_user_info($errors);
        }
    } else {
        display_disclaimer();
    }
}
Logged
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter
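
The access conditions discussed in this thread, compared side by side as an added example (not part of the original posts and not Coppermine's code). The function names, parameters and scenarios are hypothetical; `check_split` is one possible way to apply the admin condition to the activation branch only, assuming admin activation is switched on.

```php
<?php
// Added example: models the access checks discussed in this thread.
// All names below are hypothetical, not Coppermine's API.

// Original check: any logged-in visitor (USER_ID != 0) is refused.
function check_original(bool $allowReg, int $userId, bool $isAdmin): bool {
    return !(!$allowReg || $userId);
}

// First attempted change: everyone who is not in admin mode is refused.
function check_admin_only(bool $allowReg, int $userId, bool $isAdmin): bool {
    return !(!$allowReg || !$isAdmin);
}

// Split check: the condition depends on the kind of request.
function check_split(bool $allowReg, int $userId, bool $isAdmin,
                     bool $isActivation, bool $adminActivation): bool {
    if (!$allowReg) {
        return false;
    }
    if ($isActivation) {
        // Admin approval: only an admin may use the link.
        // Self-activation: possession of the key is the credential.
        return $adminActivation ? $isAdmin : true;
    }
    // Registration form: guests only.
    return $userId === 0;
}

// Constructed scenarios: [label, userId, isAdmin, isActivation]
$scenarios = [
    ['guest opens registration form', 0, false, false],
    ['guest clicks activation link',  0, false, true],
    ['admin clicks activation link',  1, true,  true],
    ['member clicks activation link', 2, false, true],
];

// Registration is allowed and admin activation is on in every row.
foreach ($scenarios as [$label, $uid, $admin, $act]) {
    printf("%-32s original=%-5s admin_only=%-5s split=%s\n",
        $label,
        var_export(check_original(true, $uid, $admin), true),
        var_export(check_admin_only(true, $uid, $admin), true),
        var_export(check_split(true, $uid, $admin, $act, true), true));
}
```

The first row shows why the admin-only condition blocks new registrations, and the second and third rows show the behaviour in the topic title: the original check lets a logged-out visitor use the activation link while refusing the logged-in admin.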

Aditya Mooley

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 781
    • My Sweet Home
Re: admin approval of registration only works when logged out
« Reply #2 on: March 25, 2005, 08:57:06 am »

Committed the changes to CVS.
Logged
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: admin approval of registration only works when logged out
« Reply #3 on: March 25, 2005, 09:32:13 am »

Great. Thanks, Aditya. :)
Logged