
Topic: displayimage.php?&fullsize - access only for admins !? :(


Duracel

displayimage.php?&fullsize - access only for admins !? :(
« on: September 03, 2005, 05:29:27 pm »

The following link does work if I'm logged in as admin, but it doesn't work for registered users (even if I give them the same rights in "groupmgr.php"), and there is the same problem with unregistered users.
But I would like to make it work for everyone.

http://www.duracel.de/gallery/displayimage.php?&fullsize=1&picfile=paintings%2F05-searchdestroy.jpg


Thx for help :)
Duracel
« Last Edit: September 05, 2005, 08:08:29 am by GauGau »

Joachim Müller

Re: displayimage.php?&fullsize - access only for admins !? :(
« Reply #1 on: September 04, 2005, 10:57:55 pm »

1) You're running the outdated version cpg1.3.2 - upgrade to the most recent stable version cpg1.3.4 asap
2) Did you apply any mods? Upload a fresh copy of displayimage.php.
3) Actually, this was never meant to work - the link to a fullsize pic is meant to contain the pid only, not the file name. I guess it's a custom mod that you have applied that is "misbehaving".

Duracel

Re: displayimage.php?&fullsize - access only for admins !? :(
« Reply #2 on: September 05, 2005, 12:30:26 am »

1) Well, I've downloaded the version some months ago, it works very well and I don't know if it is necessary to update it and how easy or time-consuming it is to upgrade.

2) Now, I only have installed the standard version and there is no modification installed.

3) In the "batch add file" window (searchnew.php), where you can click on thumbnails, you get a link just in the above style. So I guess it was meant to work this way.
But it works only with admin access and that's very sad. And I guess this problem is not solved by the new version!? Correct me if I'm wrong, but it seems to be set to work only for admins and you have to set it free.

Anyway, it's not a huge problem - would be just fine if I could get it to work for all users.

Joachim Müller

Re: displayimage.php?&fullsize - access only for admins !? :(
« Reply #3 on: September 05, 2005, 08:08:00 am »

> 1) Well, I've downloaded the version some months ago, it works very well and I don't know if it is necessary to update it and how easy or time-consuming it is to upgrade.

I wouldn't have advised to update if it wasn't necessary. Read "cpg1.3.3 released - upgrade strongly recommended" and "Security fix for coppermine: EXIF XSS vulnerability *MUST READ*".

> 3) In the "batch add file" window (searchnew.php), where you can click on thumbnails, you get a link just in the above style. So I guess it was meant to work this way.
> But it works only with admin access and that's very sad. And I guess this problem is not solved by the new version!? Correct me if I'm wrong, but it seems to be set to work only for admins and you have to set it free.

searchnew.php is admin-only, so the links it opens for the thumbnails are admin-only as well. That's expected behaviour; the thumbnail target links are meant for trouble-shooting the batch-add process, not for permanent use. As I already said in my previous posting: links to full-size pics are supposed to contain the PID. The way you're proposing to use coppermine simply is not meant to be used - if you need it, you'll have to code it. Marking this thread as "invalid".