
Author Topic: Give Admin-Access to Certain Scripts for a Specified Group  (Read 42536 times)


AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Give Admin-Access to Certain Scripts for a Specified Group
« on: June 20, 2006, 04:39:58 pm »

EDIT
Ignore my previous and next posts in this topic. I've changed my request, which is this:

Please just help me change this part of include/init.inc.php to something that doesn't check if you're admin but checks if you belong to a group; for me it is group 5 in the group_id column of the table _usergroup of the database... please please help me just with this!!

Code:
// Test if admin mode
$USER['am'] = isset($USER['am']) ? (int)$USER['am'] : 0;
define('GALLERY_ADMIN_MODE', USER_IS_ADMIN && $USER['am']);
define('USER_ADMIN_MODE', USER_ID && USER_CAN_CREATE_ALBUMS && $USER['am'] && !GALLERY_ADMIN_MODE);

I know that it would be the same thing to make the users who belong to that group admins, but after that modification I'll do something else which makes that modification different than making 'em admins.

Edit (by Paver): Changed subject from "!>Check if you belong to a group instead of checking if you are an admin<!" to "Give Admin-Access to Certain Scripts for a Specified Group".  Also removed bold from some text.

Edit (by Paver): Please read the entire thread before implementing this mod.  The mod and mod-guide start at this post.

OLD REQUEST, DON'T CARE ABOUT THIS:
Hi!
I know there is no way to allow users to make albums in public categories and/or categories, so I'm asking if it is possible to leave just "Categories" and "Albums" in the admin menu. (I mean also that if the admin types for example picmgr.php, he can't run that option.)
Thanks.
P.s. I've searched the forum and didn't find anything, if there is already a topic sorry for that.
« Last Edit: June 23, 2006, 07:51:43 am by GauGau »
Logged

Vargha

  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 223
  • Persian Soldier
    • Rangarang
Re: >Remove admin possibilities
« Reply #1 on: June 20, 2006, 04:42:59 pm »

I don't understand you, can you explain more clearly if you don't mind :)
It's not good to do that for admin accounts though :-\
« Last Edit: June 20, 2006, 05:04:49 pm by Vargha »
Logged
Haalaa Boro Ye Chayi Vasam Dorost Kon Ta Man Ye Fekri Be Halet Bokonam ;) Ye Hendooneye Shotoriham Biyar Bizahmat :)
Visit My Site www.Rangarang.co.nr
Check Out My Gallery
www.Rangarang.co.nr/buddies

Nibbler

  • Guest
Re: >Remove admin possibilities
« Reply #2 on: June 20, 2006, 05:01:24 pm »

You can remove the buttons from your theme and change the GALLERY_ADMIN_MODE checks in each file to match on user id instead. Be aware that it is not a good idea to make users admins who you do not trust completely.
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Re: >Remove admin possibilities
« Reply #3 on: June 20, 2006, 05:39:22 pm »

Quote
I don't understand you, can you explain more clearly if you don't mind :)
It's not good to do that for admin accounts though :-\
I want to make admins able to see only the Albums and Categories links (catmgr.php & albmgr.php)
Quote
and change the GALLERY_ADMIN_MODE checks in each file to match on user id instead. Be aware that it is not a good idea to make users admins who you do not trust completely.
I don't understand what to do...

I was thinking... isn't it possible to make an external script which allows members of a group to make albums and categories... just a script which sends queries for making albums to the database... an external page known only by the members I trust.
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: >Remove admin possibilities
« Reply #4 on: June 20, 2006, 06:17:18 pm »

Quote
I want to make admins able to see only the Albums and Categories links (catmgr.php & albmgr.php)
As Nibbler said, you need to modify your admin toolbar, which is done through your theme.  Read the sticky threads on the themes board.  But you say "admins" - it is dangerous to have more than one admin.  Usually, you are the only admin and then you give permissions to others to do things.

Quote
I was thinking...isn't it possibile to make an external script which allows members of a group to make albums and categories... just a script which sends queries for making albums to the database... an external page known only by the members I trust.
Of course you can do anything you want - an external script, a plugin, a hack like Nibbler mentioned.  The script would be the least preferable unless you put in very careful security checks. 
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Re: >Remove admin possibilities
« Reply #5 on: June 20, 2006, 08:21:10 pm »

Quote
Usually, you are the only admin and then you give permissions to others to do things.
Yes, but it's impossible to give permission to make albums... I can modify the admin menu, ok... but I'm thinking that I need also the other options...  :-\
Quote
Of course you can do anything you want - an external script, a plugin, a hack like Nibbler mentioned.  The script would be the least preferable unless you put in very careful security checks.
I'm not a PHP expert, so I can't make it... if someone could make a SIMPLE script WITHOUT security checks (I'll give the link to the script to very trusted persons) which allows making categories and albums I'll be very thankful...
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: >Remove admin rights
« Reply #6 on: June 20, 2006, 10:16:03 pm »

What you're up to is security by obscurity: making everybody admin and just removing the links to the pages where they could ruin your site is not a bright idea, as a missing link won't keep users from entering the URL manually (or malevolent users doing worse stuff). Requesting a script without security checks is just the opposite of what Paver suggested.
Quite frankly: don't try to create workarounds for a missing feature! Coppermine doesn't have the feature to allow regular users to create categories and albums within the public gallery. Trying to figure out workarounds is just nonsense! Don't try to be smarter than everybody else - if there was an easy solution for the missing feature, we would have posted it. Trust us, there is no easy solution. Malevolent users or hackers will be smarter than that, they will ruin your site or use your webspace for illegal activities - you won't even be aware of it. Bad guys usually don't just deface a site, they use it for immoral stuff using backdoors. Don't be one of the guys who is surprised when getting blamed for child porn distribution, hosting warez, denial of service attacks or spam sending. Don't!
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Re: >Remove admin rights
« Reply #7 on: June 21, 2006, 10:33:19 am »

Ok. Never mind...
(p.s.: I didn't wanna make everyone admin, just some users)
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Re: >Remove admin rights
« Reply #8 on: June 21, 2006, 02:04:35 pm »

Maybe I've made it!!!
Please just help me change this part of include/init.inc.php to something that doesn't check if you're admin but checks if you belong to a group of allowed persons; for me it is group 5 in the group_id column of the table _usergroup of the database... please please help me just with this!!

// Test if admin mode
$USER['am'] = isset($USER['am']) ? (int)$USER['am'] : 0;
define('GALLERY_ADMIN_MODE', USER_IS_ADMIN && $USER['am']);
define('USER_ADMIN_MODE', USER_ID && USER_CAN_CREATE_ALBUMS && $USER['am'] && !GALLERY_ADMIN_MODE);

Edit: I know that it would be the same thing to make the users who belong to that group admins, but after that modification I'll do something else.
« Last Edit: June 21, 2006, 08:21:34 pm by AvrilBoi »
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: >Remove admin rights
« Reply #9 on: June 21, 2006, 02:49:00 pm »

If you change this code, the users in group 5 will be able to do *anything* on your gallery - change the configuration settings, add & delete photos & albums & categories - everything.

What Nibbler suggested in the beginning above was to change *only* the GALLERY_ADMIN_MODE checks for the features you wanted - creating categories & albums.  That way, you are not opening up your entire gallery.

Basically, if you want to change this code, it would be easier to not change the code and merely add the users to the administrators group - it would be identical.
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Re: >Remove admin rights
« Reply #10 on: June 21, 2006, 02:50:37 pm »

I know that, in fact I'm duplicating catmgr.php, albmgr.php, delete.php and init.inc.php... I'm not modifying the default files.
So, could you please help me changing that code? :)
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61
Re: >Remove admin rights
« Reply #11 on: June 21, 2006, 06:42:52 pm »

No one?
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: >Remove admin rights
« Reply #12 on: June 21, 2006, 07:25:56 pm »

(1) This board is *not* a hotline - http://coppermine-gallery.net/demo/cpg14x/docs/faq.htm#lamesupport

(2) It is not at all clear what you now want help with.  Are you still asking the same question in the first post?  If so, you need to realize that the supporters have answered with as much as they can right now.  If any supporter or anyone else decides to spend the time to code what you want, he/she will post here.  But that takes patience and luck - not repeated bumps of this thread to ask "no one?" over & over again.  If you have a specific question about a specific line of code in a specific script, go ahead and ask it.

If you want a code solution right now, you might consider the Freelancer board.  Otherwise, you can either sit back & wait - realizing that there is no guarantee someone will post a solution, or learn the code yourself to write your own code.

One added note: more permission features are being considered for Coppermine 1.5.x.  There is no guarantee that your request will make it.  And there is no time set for a 1.5.x release.
« Last Edit: June 21, 2006, 07:31:11 pm by Paver »
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61

I'm sorry Paver, I'll try to not make it happen anymore.
Anyway, I've made order in the topic, now my request is clear in bold in the first post of the topic, I've edited the posts and the topic title.
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.

AvrilBoi: This thread is now a mess.  I would strongly urge you to remove the bold text in the first post and change the title back.  Right now, for someone new who wants to read this thread, they would immediately get very confused.

It is fine to post your new request as a reply at the end of the thread.  People can then clearly see what the history of this discussion is.  Right now, I recommend you move your request to the reply just before this one.

I still recommend adding in *only* the features you want to group 5, and not making them full admins, but here's the simple mod you want.  In include/init.inc.php, add the lines bracketed by // MOD and // MOD - end into the lines you already specified, as shown:
Code:
// Test if admin mode
$USER['am'] = isset($USER['am']) ? (int)$USER['am'] : 0;
// MOD - add manual admin access
$mod_usergroups = explode(',',substr(USER_GROUP_SET,1,-1));
$mod_allowedgroups = array('5');
$mod_validuser = (array_intersect($mod_allowedgroups,$mod_usergroups) ? true : false);
define('USER_IS_ADMIN_MANUAL', $mod_validuser);
define('GALLERY_ADMIN_MODE', (USER_IS_ADMIN || USER_IS_ADMIN_MANUAL) && $USER['am']);
// MOD - end
// original define commented out: the MOD above already defines GALLERY_ADMIN_MODE,
// and a second define() of the same constant is ignored with a PHP notice
// define('GALLERY_ADMIN_MODE', USER_IS_ADMIN && $USER['am']);
define('USER_ADMIN_MODE', USER_ID && USER_CAN_CREATE_ALBUMS && $USER['am'] && !GALLERY_ADMIN_MODE);

Once again, you are playing with fire by giving GALLERY_ADMIN_MODE to other users.  It wouldn't be too difficult to add only the permissions you want to the category manager and album manager.  But it would take more time than this code took, so once again, there is no guarantee someone will do it for you.
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61

I don't know how to thank you! Thanx 9999999999999
I don't think I'll have security problems... this is what I've done, with your help... I think it will be very useful for other persons, I know that many people want to allow other users to manage public albums!
So, this is what I've done (I've made it as a guide, if you wanna risk and wanna trust me :D):
1) make a group
2) put in the group the users you want to allow to manage albums
3) go into the database, then into the table _usergroup, and check in group_id the number referring to the new group you've made
4) make a copy of albmgr.php, delete.php and include/init.inc.php and call 'em for example albmgr_mod.php etc.
5) open albmgr_mod.php
   find
   require('include/init.inc.php');
   replace with
   require('include/init_mod.inc.php');
   find
   action="delete.php?what=albmgr"
   replace with
   action="delete_mod.php?what=albmgr"
6) open delete_mod.php
   find
   require('include/init.inc.php');
   replace with
   require('include/init_mod.inc.php');
7) open init_mod.inc.php
   find
   $USER['am'] = isset($USER['am']) ? (int)$USER['am'] : 0;
   after it, add
   // MOD - add manual admin access
   $mod_usergroups = explode(',',substr(USER_GROUP_SET,1,-1));
   $mod_allowedgroups = array('NUMBER CHECKED BEFORE');
   $mod_validuser = (array_intersect($mod_allowedgroups,$mod_usergroups) ? true : false);
   define('USER_IS_ADMIN_MANUAL', $mod_validuser);
   define('GALLERY_ADMIN_MODE', (USER_IS_ADMIN || USER_IS_ADMIN_MANUAL) && $USER['am']);
   // MOD - end
   // the stock define('GALLERY_ADMIN_MODE', ...) line that follows can be commented out:
   // PHP keeps the first define() of a constant and only raises a notice on the second
8) upload all new files
9) give the users who belong to the group 5 the link to albmgr_mod.php


Paver, can you tell me if, at the end of this adventure ;D, I could have security problems?
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.

Right now, any member of the group you set can completely control your Coppermine gallery.

Besides that - in my mind - very large risk, no other security risks caused by this mod.

I'm assuming you are running Coppermine 1.4.8.  Earlier versions have security risks.

A much better way to add permissions is to remove this line from the mod:
Code:
define('GALLERY_ADMIN_MODE', (USER_IS_ADMIN || USER_IS_ADMIN_MANUAL) && $USER['am']);
Then change any GALLERY_ADMIN_MODE checks to add in USER_IS_ADMIN_MANUAL.  For example, in catmgr.php, replace this line at the beginning:
Code:
if (!GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
with this line:
Code:
if (!GALLERY_ADMIN_MODE && !USER_IS_ADMIN_MANUAL) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
The other scripts are more complicated since they don't have just one check at the very beginning.
« Last Edit: June 21, 2006, 09:30:50 pm by Paver »
Logged
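The per-script variant Paver describes above (keep GALLERY_ADMIN_MODE as stock, derive USER_IS_ADMIN_MANUAL from group membership, and consult it only in the scripts that should be opened up) put together in one runnable file, as an added example that is neither Coppermine's own code nor Paver's. It assumes USER_GROUP_SET has the form "(1,5)" that the mod's substr() call implies; the constant values and the function names mod_user_groups, mod_in_allowed_group and mod_require_album_manager are constructed for the demonstration. It also covers the guide a few posts above, whose step 7 is the global-override form this example replaces.

```php
<?php
// Added example (not Coppermine's or Paver's code): the group-membership gate
// from this thread, applied per script instead of through GALLERY_ADMIN_MODE.

// Constructed stand-ins for constants that include/init.inc.php normally defines.
if (!defined('USER_GROUP_SET')) {
    define('USER_GROUP_SET', '(2,5)');   // constructed: member of groups 2 and 5
}
if (!defined('USER_IS_ADMIN')) {
    define('USER_IS_ADMIN', false);      // constructed: a regular, non-admin user
}

// Parse "(2,5)" into an array of integers, so the comparison below does not
// depend on how the IDs are spelled as strings (array_intersect compares text).
function mod_user_groups($groupSet)
{
    $inner  = trim($groupSet, '()');
    $groups = array();
    foreach (explode(',', $inner) as $g) {
        $g = trim($g);
        if ($g !== '' && ctype_digit($g)) {
            $groups[] = (int)$g;
        }
    }
    return $groups;
}

// True when the user is in at least one of the allowed groups.
function mod_in_allowed_group($groupSet, array $allowedGroups)
{
    $userGroups = mod_user_groups($groupSet);
    foreach ($allowedGroups as $allowed) {
        if (in_array((int)$allowed, $userGroups, true)) {
            return true;
        }
    }
    return false;
}

// The group number looked up in the _usergroup table (group 5 in this thread).
$mod_allowedgroups = array(5);
define('USER_IS_ADMIN_MANUAL', mod_in_allowed_group(USER_GROUP_SET, $mod_allowedgroups));

// GALLERY_ADMIN_MODE stays exactly as in the stock file: the mod no longer widens it,
// so config.php, usermgr.php and every other admin script remain closed to group 5.
$USER['am'] = 1; // constructed: the admin-mode toggle is switched on
define('GALLERY_ADMIN_MODE', USER_IS_ADMIN && $USER['am']);

// The per-script gate Paver recommends for catmgr.php / albmgr.php: only scripts
// that call this consult USER_IS_ADMIN_MANUAL. In Coppermine the false branch would be
// cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
function mod_require_album_manager()
{
    if (!GALLERY_ADMIN_MODE && !USER_IS_ADMIN_MANUAL) {
        return false;
    }
    return true;
}

var_dump(mod_require_album_manager());
```

With the constructed group set the gate returns true for albmgr.php-style scripts while the unmodified GALLERY_ADMIN_MODE check elsewhere stays false for the same user, which is the difference Paver draws between "full admin for group 5" and "album management for group 5".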

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61

Thanks.
Yes, I'm running 1.4.8 version.
One question: users who belong to that group have full access to administration only if they know something about php or in any way? Because if I log in as a member of the group and go in albmgr_mod.php, I can do everything related to albmgr.php, and I get the administration menu, but if I click on any of the links in the administration menu, I get "You don't have permission.......".
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.

That's a good point.  Since you created an init_mod.inc.php, only the PHP scripts that use this mod script will be given admin access.  All others that use init.inc.php won't.
Logged

AvrilBoi

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 61

I'm a little bit confused now... before you said "Right now, any member of the group you set can completely control your Coppermine gallery." and now you said that only the scripts which use init_mod.inc.php have admin rights, so do I have security problems right now or can I be sure that all the users who belong to that group can only administrate the albums (I've not used your better way to add permissions mentioned in your post)?
Maybe I'm too stupid to understand.... ???
Logged