
Topic: An anonymous user can delete EVERY anonymous comment

raetsche

  • Coppermine newbie
  • Posts: 10
An anonymous user can delete EVERY anonymous comment
« on: January 28, 2004, 12:20:42 pm »

Hi there,

this problem/feature request was already mentioned some time ago.
http://forum.coppermine-gallery.net/index.php?topic=2270&highlight=comments+delete

But no answers have been posted yet, because it was posted in a closed forum.
The problem is that anonymous users can delete any comment that other anonymous users have posted before! So, e.g., if I read an anonymous post I don't like, I can delete it without problems.
One solution would be to allow anonymous users only to create comments but NOT to delete comments. Only the Administrator should be able to delete anonymous comments.

Does anybody have an idea how to solve this problem, or is something already in the works?

Kind regards

Nibbler

  • Guest
An anonymous user can delete EVERY anonymous comment
« Reply #1 on: January 28, 2004, 01:17:18 pm »

I was unable to replicate this problem, but if you open displayimage.php and change:

Code:

// original check: admin, the logged-in author, or an anonymous client whose $USER['ID'] matches author_md5_id
$user_can_edit = (GALLERY_ADMIN_MODE) || (USER_ID && USER_ID == $row['author_id'] && USER_CAN_POST_COMMENTS) || (!USER_ID && USER_CAN_POST_COMMENTS && ($USER['ID'] == $row['author_md5_id']));

to:

Code:

// hardened check: the anonymous (author_md5_id) branch is gone
$user_can_edit = (GALLERY_ADMIN_MODE) || (USER_ID && USER_ID == $row['author_id'] && USER_CAN_POST_COMMENTS);


which will stop any anonymous user from being given the option to delete/edit,

and if you want to be extra safe, comment out this line:

Code:

// the update path for anonymous (author_id = 0) comments, keyed on author_md5_id
$update = db_query("UPDATE {$CONFIG['TABLE_COMMENTS']} SET msg_body='$msg_body' WHERE msg_id='$msg_id' AND author_md5_id ='{$USER['ID']}' AND author_id = '0' LIMIT 1");

from db_input.php to actually remove that ability from them.

raetsche

  • Coppermine newbie
  • Posts: 10
An anonymous user can delete EVERY anonymous comment
« Reply #2 on: January 28, 2004, 02:38:06 pm »

Thanks for the answer, but now I know why you couldn't replicate the problem. The ability to delete posts is based on the writer's IP address. I am testing here on a local system and the IP address is always 127.0.0.1, so I can delete every anonymous comment...

Anyway, maybe the post is helpful for other people testing on a local system ;-)
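The following is an added, stand-alone PHP model of the check discussed in this thread; it is not Coppermine's code. It reproduces the two `$user_can_edit` expressions from Reply #1 as functions, models the IP-derived anonymous id that Reply #2 describes (`md5()` of the remote address is this example's assumption, as is the plain `comments` table name standing in for `{$CONFIG['TABLE_COMMENTS']}`), and shows that two anonymous visitors behind the same address collide under the original check and are both refused under the hardened one. It also applies the hardened rule in the update path, since hiding the edit link in displayimage.php does not stop a direct request to db_input.php.

```php
<?php
// Added example (not Coppermine's code): a stand-alone model of the comment
// ownership check quoted in this thread, showing why keying anonymous
// ownership on an IP-derived id lets one anonymous client edit another's
// comments, and how the hardened check plus server-side enforcement close it.

// ASSUMPTION: the anonymous $USER['ID'] is IP-based (Reply #2 says so);
// md5(REMOTE_ADDR) is this example's guess at the exact derivation.
function anonymous_id(string $remote_addr): string
{
    return md5($remote_addr);
}

// Request context standing in for GALLERY_ADMIN_MODE, USER_ID,
// USER_CAN_POST_COMMENTS and $USER['ID'] from the original expression.
function context(bool $admin, int $user_id, bool $can_post, string $remote_addr): array
{
    return [
        'admin'    => $admin,
        'user_id'  => $user_id,          // 0 means anonymous, as in the original
        'can_post' => $can_post,
        'anon_id'  => anonymous_id($remote_addr),
    ];
}

// Original displayimage.php check: admin, the logged-in author, or any
// anonymous client whose IP-derived id equals the comment's author_md5_id.
function can_edit_original(array $ctx, array $row): bool
{
    return $ctx['admin']
        || ($ctx['user_id'] && $ctx['user_id'] == $row['author_id'] && $ctx['can_post'])
        || (!$ctx['user_id'] && $ctx['can_post'] && $ctx['anon_id'] == $row['author_md5_id']);
}

// Hardened check from Reply #1: anonymous clients never get edit/delete rights.
function can_edit_hardened(array $ctx, array $row): bool
{
    return $ctx['admin']
        || ($ctx['user_id'] && $ctx['user_id'] == $row['author_id'] && $ctx['can_post']);
}

// The db_input.php handler must enforce the same rule; hiding the link in
// displayimage.php alone leaves the update endpoint open to a crafted request.
// Returns the statement that would run, or null when the edit is refused.
// 'comments' is a placeholder for {$CONFIG['TABLE_COMMENTS']}.
function update_comment_sql(array $ctx, array $row, string $new_body): ?string
{
    if (!can_edit_hardened($ctx, $row)) {
        return null;
    }
    // No author_md5_id branch remains: only author_id (or admin) grants the edit.
    return sprintf(
        "UPDATE comments SET msg_body='%s' WHERE msg_id=%d AND author_id=%d LIMIT 1",
        addslashes($new_body), $row['msg_id'], $row['author_id']
    );
}

// Constructed sample data: one anonymous comment posted from 127.0.0.1.
$comment = [
    'msg_id'        => 42,
    'author_id'     => 0,
    'author_md5_id' => anonymous_id('127.0.0.1'),
    'msg_body'      => 'nice shot',
];

// A second, unrelated anonymous visitor behind the same address (localhost,
// NAT or a shared proxy) gets the same anon_id and therefore the same rights.
$clients = [
    'other_anon'  => context(false, 0, true, '127.0.0.1'),
    'remote_anon' => context(false, 0, true, '203.0.113.9'),
    'member'      => context(false, 7, true, '198.51.100.4'),
    'admin'       => context(true,  1, true, '198.51.100.4'),
];

foreach ($clients as $name => $ctx) {
    printf("%-12s original=%-5s hardened=%-5s update=%s\n", $name,
        var_export(can_edit_original($ctx, $comment), true),
        var_export(can_edit_hardened($ctx, $comment), true),
        update_comment_sql($ctx, $comment, 'edited') === null ? 'refused' : 'allowed');
}
```

Run with `php example.php`. The `other_anon` row is the reported problem: the original check grants it edit rights on a comment it did not write because both visitors share 127.0.0.1, while the hardened check refuses it; the `member` row shows that a logged-in user who is not the author is refused under both, and only `admin` keeps the right. The `update=` column makes the second half of Reply #1 concrete: the decision has to be repeated where the UPDATE is issued, not only where the link is rendered.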