Author Topic: non-admin user, not in admin mode without personal gallery  (Read 11386 times)

Tranz

« on: March 27, 2005, 01:29:24 pm »

Not sure if this is intentional or not.

Nonadmin users are allowed to edit their own files uploaded to public albums. However, if they are in a group that does not grant them personal gallery permissions, they can't edit their individual files in the public albums because they are not seen as being in user admin mode.
« Last Edit: June 30, 2005, 07:36:41 am by TranzNDance »
Logged

Nibbler

« Reply #1 on: March 27, 2005, 01:36:15 pm »

Didn't we remove user admin mode ?
Logged

Tranz

« Reply #2 on: March 27, 2005, 01:43:53 pm »

There's no explicit mode, but it is implicit that they are admin if they have personal galleries. However, if they can't have personal galleries, they can't be in admin mode. Thus, they can't edit individual files that they can upload to public albums because they are not in admin mode.
Logged

Joachim Müller

« Reply #3 on: March 27, 2005, 03:47:58 pm »

Quote
Didn't we remove user admin mode ?

We only removed the toggle, so the user stays in "admin mode" (when logged in) all the time - in fact we removed the "user user mode".

Joachim
Logged

Casper

« Reply #4 on: March 27, 2005, 11:11:24 pm »

Could we not just replace the first conditional with the same as the second, i.e., replace this;

Code:
if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
with this;

Code:
if (!(GALLERY_ADMIN_MODE || $pic['category'] == FIRST_USER_CAT + USER_ID || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
Logged
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Nibbler

« Reply #5 on: March 27, 2005, 11:49:16 pm »

I think that would allow an unlogged user to edit an anonymously uploaded pic, so check for that too.
Logged

Joachim Müller

« Reply #6 on: April 09, 2005, 01:34:13 pm »

*bump*
Logged

donnoman

« Reply #7 on: April 10, 2005, 07:36:14 pm »

Isn't there a config option to allow a user to retain control of their pics in public albums? How does it play into this situation?
Logged

cryogenic

« Reply #8 on: April 15, 2005, 03:30:13 am »

Under user settings there is in fact such an option. However, I believe the previous posters are making the point that if you set your gallery such that regular non-admin (but still logged in) users are not allowed to have their own galleries, that option has no bearing and they have no control over the pictures they've uploaded into public galleries. That's my take on the situation and I haven't tested it as of yet as I have allowed my users to have their own galleries.
Logged

Tranz

« Reply #9 on: April 15, 2005, 03:37:46 am »

Your understanding is correct.

I want to set up a showcase gallery where users can upload to public albums. I do not want them to have personal galleries. However, this means those users are unable to edit their files in the public albums.

I think if we can get this fixed, we can roll out that showcase gallery. :)
Logged

Nibbler

« Reply #10 on: April 15, 2005, 12:14:21 pm »

Does Casper's suggestion work ?
Logged

Tranz

« Reply #11 on: April 16, 2005, 12:16:26 am »

I didn't try it because of what you brought up afterward.
Logged

Tranz

« Reply #12 on: May 01, 2005, 09:21:22 am »

I tried Casper's suggestion. I got this error message:

Quote
You don't have permission to access this page.

File: C:\wamp\websites\cpg-dev\editOnePic.php - Line: 24

 "Allow users to retain control over their pics in public galleries" is set to yes.
Logged

Tranz

« Reply #13 on: May 01, 2005, 09:33:33 am »

Hmm... even when I allow the group to have personal galleries, the user cannot edit the file.
Logged

Tranz

« Reply #14 on: May 01, 2005, 09:53:42 am »

Never mind. After I ran update.php, I was able to edit the file.

And it does not allow an anonymous user to edit the file.
Logged

Tranz

« Reply #15 on: May 07, 2005, 08:16:36 pm »

It turned out that the fix worked for my unbridged installation. When I tested it at cpg-contrib, which is bridged with SMF, I got this error:
You don't have permission to access this page.

Could it be due to it being bridged? I set the permissions on the Registered group. But that group does not seem to exist in the forums.
Logged

Tranz

« Reply #16 on: June 26, 2005, 08:08:50 pm »

I revisited this issue and a nonadmin with no public gallery privileges still cannot edit a file in a public album.

In editOnePic.php is:
Code:
if (!(GALLERY_ADMIN_MODE || $pic['category'] == FIRST_USER_CAT + USER_ID || ($CONFIG['users_can_edit_pics'] && $pic['owner_id'] == USER_ID))) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

I might have had an error in my previous test.
Logged

Nibbler

« Reply #17 on: June 27, 2005, 02:28:23 pm »

Just comment out this line at the top of the file

Code:
if (!(GALLERY_ADMIN_MODE || USER_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

Any unauthorised access would get caught by other checks made once we determine ownership of the pic in question.
Logged

Tranz

« Reply #18 on: June 27, 2005, 04:15:49 pm »

Woohoo! It worked.

user can edit if config allows control; cannot edit if not allowed control.
anonymous cannot edit regardless of above config
admin can edit
user can edit regardless if allowed to have personal galleries

Anything else to check for? Is it ok to commit?
Logged
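
An added example (not Coppermine's code and not written by anyone in this thread): the checks listed in Reply #18, together with the anonymous-upload case raised in Reply #5, as one decision function with a test matrix. It assumes anonymous visitors have user id 0 and anonymous uploads are stored with owner_id 0; the function name, the value given to FIRST_USER_CAT and the sample rows are illustrative.

```php
<?php
// Added example, not Coppermine code. Assumption: anonymous visitors have
// user id 0 and anonymous uploads are stored with owner_id 0.
const FIRST_USER_CAT = 10000; // assumed value, for illustration only

// Hypothetical helper: personal-gallery permission is deliberately not an input.
function can_edit_pic(array $pic, int $userId, bool $isGalleryAdmin, bool $usersCanEditPics): bool
{
    if ($isGalleryAdmin) {
        return true;
    }
    // Deny before any ownership comparison: for an anonymous visitor,
    // owner_id == user id would match every anonymously uploaded pic,
    // and FIRST_USER_CAT + 0 would match a category as well.
    if ($userId <= 0) {
        return false;
    }
    // File lives in the user's own personal gallery category.
    if ((int) $pic['category'] === FIRST_USER_CAT + $userId) {
        return true;
    }
    // File lives in a public album: the owner keeps control only if config allows.
    return $usersCanEditPics && (int) $pic['owner_id'] === $userId;
}

// Constructed sample rows (public album, category 2).
$picByUser7 = ['category' => 2, 'owner_id' => 7];
$picByAnon  = ['category' => 2, 'owner_id' => 0];

// [label, pic, userId, isGalleryAdmin, usersCanEditPics, expected]
$cases = [
    ['owner, config on',       $picByUser7, 7, false, true,  true],
    ['owner, config off',      $picByUser7, 7, false, false, false],
    ['other user, config on',  $picByUser7, 8, false, true,  false],
    ['anonymous, anon upload', $picByAnon,  0, false, true,  false],
    ['anonymous, user upload', $picByUser7, 0, false, true,  false],
    ['admin',                  $picByUser7, 1, true,  false, true],
];

$failed = 0;
foreach ($cases as [$label, $pic, $uid, $admin, $cfg, $expected]) {
    $actual = can_edit_pic($pic, $uid, $admin, $cfg);
    if ($actual !== $expected) {
        $failed++;
    }
    printf("%-24s %s\n", $label, $actual === $expected ? 'ok' : 'FAIL');
}
exit($failed === 0 ? 0 : 1);
```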

Tranz

« Reply #19 on: June 27, 2005, 04:26:35 pm »

I tested accessing the editing URL when not logged in and got this:
Quote
Template error
Failed to find block 'log_ecards'(#(<!-- BEGIN log_ecards -->)(.*?)(<!-- END log_ecards -->)#s) in :


                <div align="center">
                <table cellpadding="0" cellspacing="1">
                        <tr>

                                <td class="admin_menu"><a href="admin.php" title="{ADMIN_TITLE}">{ADMIN_LNK}</a></td>
                                <td class="admin_menu"><a href="catmgr.php" title="{CATEGORIES_TITLE}">{CATEGORIES_LNK}</a></td>
                                <td class="admin_menu"><a href="albmgr.php{CATL}" title="{ALBUMS_TITLE}">{ALBUMS_LNK}</a></td>
                                <td class="admin_menu"><a href="groupmgr.php" title="{GROUPS_TITLE}">{GROUPS_LNK}</a></td>
                                <td class="admin_menu"><a href="usermgr.php" title="{USERS_TITLE}">{USERS_LNK}</a></td>
                                <td class="admin_menu"><a href="banning.php" title="{BAN_TITLE}">{BAN_LNK}</a></td>
                                <td class="admin_menu"><a href="reviewcom.php" title="{COMMENTS_TITLE}">{COMMENTS_LNK}</a></td>

                                <td class="admin_menu"><a href="picmgr.php" title="{PICTURES_TITLE}">{PICTURES_LNK}</a></td>
                                <td class="admin_menu"><a href="searchnew.php" title="{SEARCHNEW_TITLE}">{SEARCHNEW_LNK}</a></td>
                                <td class="admin_menu"><a href="util.php" title="{UTIL_TITLE}">{UTIL_LNK}</a></td>
                                <td class="admin_menu"><a href="profile.php?op=edit_profile" title="{MY_PROF_TITLE}">{MY_PROF_LNK}</a></td>
<!-- BEGIN documentation -->
                                <td class="admin_menu"><a href="{DOCUMENTATION_HREF}" title="{DOCUMENTATION_TITLE}" target="cpg_documentation">{DOCUMENTATION_LNK}</a></td>
<!-- END documentation -->
<!-- BEGIN MiniCMS Config -->
                                <td class="admin_menu"><a href="index.php?file=minicms/cms_config" title="MiniCMS Config" >MiniCMS Config</a></td>
<!-- END MiniCMS Config -->

<!-- BEGIN MiniCMS Admin -->
                                <td class="admin_menu"><a href="index.php?file=minicms/cms_admin" title="MiniCMS Admin" >MiniCMS Admin</a></td>
<!-- END MiniCMS Admin -->

                        </tr>
                </table>
                </div>

If I try to access editOnePic.php without the file parameters, it shows the edit page but with no specific file to edit.
Logged