Topic: Error: New Plugin for Permission Control

macmiller (Contributor)
Error: New Plugin for Permission Control
« on: January 13, 2012, 02:41:41 am »

Based on this plugin (plugin delete control), I created another simple plugin which removes some settings from the modify album page. The plugin code is as follows:
Code:
<?php
/**************************************************
  Coppermine Plugin - Delete Control
  *************************************************
  Copyright (c) 2005 Paul Van Rompay
  *************************************************
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.
***************************************************/
//
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

// ------------------------------------------------------------------------------------------------
// Add filters - run permControl_filterpage over the rendered page HTML
// ------------------------------------------------------------------------------------------------
$thisplugin->add_filter('page_html','permControl_filterpage');

// ------------------------------------------------------------------------------------------------
// Filter page_html to remove the permission block from modifyalb.php for non-admins
// ------------------------------------------------------------------------------------------------
//

function permControl_filterpage($html) {

    // Only act on the album-modify page, and only when the viewer is not in admin mode.
    if (defined('MODIFYALB_PHP') && !GALLERY_ADMIN_MODE) {
        // Strip the table rows from the "Permissions for this album" header down to the
        // "depending on groups settings" note. The pattern matches the English page text,
        // so it only fires when the page is rendered in English.
        $html = preg_replace('/(?U)(?s)(<tr>\s*<td class="tableh2" colspan="2">\s*<strong>Permissions for this album<\/strong>).*depending on groups settings.*\/td>.*\/tr>/','',$html);
    }

    return $html;
}

// ------------------------------------------------------------------------------------------------
// End of plugin code
// ------------------------------------------------------------------------------------------------

?>

This code simply removes 4 options from the update album screen (modifyalb.php) for non-admins:

Album can be viewed by     
Password protect this album (Tick for yes)     
Visitors can post comments *     Yes    No
Visitors can rate files *     Yes    No
[and a line which reads * depending on group settings]

The problem comes into play when the user goes to perform an update. A database error is generated due to the fact that the visibility variable is not initialized; see the `visibility = , alb_password = ''` part of the SQL query.

Code:
While executing query 'UPDATE cpg15x_albums SET title = 'test project', description = 'album description', category = 10084, thumb = 0, comments = 'NO', votes = 'NO', visibility = , alb_password = '', alb_password_hint = '', keyword = '' WHERE aid = 1' in db_input.php on line 433
My question is where should I add the initialization of the variable? I am confused, since the plugin is only removing the display from the screen, so I wouldn't expect it to break things; however, it does work fine when the plugin is deactivated, so it is definitely the plugin.


Αndré (Administrator)
Re: Error: New Plugin for Permission Control
« Reply #1 on: January 13, 2012, 11:15:35 am »

If you don't submit those form values, they'll be empty, hence causing that issue. As far as I can see it's not possible to achieve a secure solution, as Coppermine always uses the submitted values:
Code:
    $aid = $superCage->post->getInt('aid');
    $title = $superCage->post->getEscaped('title');
    $category = $superCage->post->getInt('category');
    $description = $superCage->post->getEscaped('description');
    $keyword = $superCage->post->getEscaped('keyword');
    $thumb = $superCage->post->getInt('thumb');
    $visibility = $superCage->post->getInt('visibility');

    $uploads = $superCage->post->getAlpha('uploads') == 'YES' ? 'YES' : 'NO';
    $comments = $superCage->post->getAlpha('comments') == 'YES' ? 'YES' : 'NO';
    $votes = $superCage->post->getAlpha('votes') == 'YES' ? 'YES' : 'NO';

Of course you can replace the buttons with hidden fields (you'd need them to avoid that error message), but users who know their way around could still change those values. A really secure solution would need a check around the above mentioned code.
macmiller (Contributor)
Re: Error: New Plugin for Permission Control
« Reply #2 on: January 14, 2012, 05:39:10 pm »

For the time being I hacked the db_input.php file, adding this initialization code below the code mentioned above (where the variables are set from the form values).

Code:
    if (!GALLERY_ADMIN_MODE) {
       $visibility = '1';
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }

It is not a good solution, as all the code should be in the plugin, but it does work and eliminates the db access error.
macmiller (Contributor)
Re: Error: New Plugin for Permission Control
« Reply #3 on: January 29, 2012, 10:17:59 am »

Just to correct the hack code in case anyone is looking at this.  The visibility code should be set to 0 and not 1. 

Code:
    if (!GALLERY_ADMIN_MODE) {
       $visibility = '0'; //this should be set to 0 not 1
       $comments = 'YES';
       $uploads = 'NO';
       $votes = 'YES';
    }
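The server-side check that André says is needed, and that macmiller's db_input.php hack approximates, as an added example written for this thread (it is not code from the original posts or from Coppermine itself). It keeps macmiller's forced values as defaults for a brand-new album, but for an existing album it reuses the values already stored in the row instead of overwriting them on every non-admin edit; with the hack as posted, an album an admin had restricted to a group is reset to visibility 0 (Everybody) the next time its owner saves the form. The function names, the `$stored` array and the splice point directly after the `$votes` line André quotes are assumptions; the thread does not show how db_input.php fetches the album row, so that fetch is left to the caller. The second helper rebuilds the SET fragment the way the failing query shows it, so the `visibility = ,` symptom and its fix can be seen side by side.

```php
<?php
// Added example for this thread; not code from the original posts or from Coppermine.
// Server-side enforcement of the four album permission fields for non-admins.
//
// Assumptions (not from the page): $submitted holds the values db_input.php has
// already read via $superCage (visibility, comments, votes, uploads and the rest of
// the form); $stored holds the album's current row with the same column names;
// the caller splices the result back in before the UPDATE query is built.

/**
 * Return the values that may actually be written for this update.
 *
 * Admins: the submitted values are used as-is (they already passed $superCage).
 * Non-admins: the four fields the plugin hides are taken from the stored row,
 * whatever the request contained, so a tampered or missing hidden field changes
 * nothing. A new album has no stored row, so the defaults from the thread apply:
 * visibility 0 (Everybody), comments YES, votes YES, uploads NO.
 */
function permcontrol_apply_policy(array $submitted, array $stored, $is_admin)
{
    $defaults = array(
        'visibility' => 0,
        'comments'   => 'YES',
        'votes'      => 'YES',
        'uploads'    => 'NO',
    );

    if ($is_admin) {
        return $submitted;
    }

    $out = $submitted;
    foreach ($defaults as $field => $default) {
        $out[$field] = array_key_exists($field, $stored) ? $stored[$field] : $default;
    }
    return $out;
}

/**
 * Build the SET fragment the way the thread's query shows it. visibility is an
 * integer column and is interpolated unquoted, which is exactly what produced
 * "visibility = ," when the field was not submitted. addslashes() is used only so
 * this runs offline; in Coppermine the strings come pre-escaped from getEscaped().
 */
function permcontrol_set_fragment(array $v)
{
    return sprintf("comments = '%s', votes = '%s', visibility = %s, uploads = '%s'",
        addslashes($v['comments']), addslashes($v['votes']),
        $v['visibility'], addslashes($v['uploads']));
}

/** Offline check with constructed inputs (not real gallery data). */
function permcontrol_selfcheck()
{
    // An album an admin restricted to group 10, with comments/votes/uploads off.
    $stored = array('visibility' => 10, 'comments' => 'NO', 'votes' => 'NO', 'uploads' => 'NO');

    // 1. The plugin stripped the fields: nothing submitted, getInt() yields false.
    $missing = array('title' => 'test project', 'visibility' => false,
                     'comments' => 'NO', 'votes' => 'NO', 'uploads' => 'NO');
    $broken = permcontrol_set_fragment($missing);
    $fixed  = permcontrol_set_fragment(permcontrol_apply_policy($missing, $stored, false));
    $ok = strpos($broken, 'visibility = ,') !== false
       && strpos($fixed, 'visibility = 10') !== false;

    // 2. A user re-adds the hidden fields with values of their own choosing.
    $tampered = array('title' => 'test project', 'visibility' => 0,
                      'comments' => 'YES', 'votes' => 'YES', 'uploads' => 'YES');
    $owner = permcontrol_apply_policy($tampered, $stored, false);
    $admin = permcontrol_apply_policy($tampered, $stored, true);
    $ok = $ok && $owner['visibility'] === 10 && $owner['uploads'] === 'NO'
              && $admin['visibility'] === 0  && $admin['uploads'] === 'YES';

    // 3. New album, nothing stored yet: the thread's defaults apply.
    $fresh = permcontrol_apply_policy($missing, array(), false);
    $ok = $ok && $fresh['visibility'] === 0 && $fresh['comments'] === 'YES';

    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo permcontrol_selfcheck() ? "policy check passed\n" : "policy check FAILED\n";
}
```

Called right after the `$votes` line in db_input.php with `GALLERY_ADMIN_MODE` as the third argument and the album's existing row as `$stored`, the check makes the form-side stripping purely cosmetic: a request that omits the fields no longer breaks the query, and a request that re-adds them is ignored for non-admins. The display-side regex in the plugin keys on the English text "Permissions for this album", so on a gallery rendered in another language the fields are still shown; this server-side check does not depend on that.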

daveweb
Re: Error: New Plugin for Permission Control
« Reply #4 on: December 22, 2012, 08:43:13 pm »

I have installed the plugin and it appears to work ok, however when a user creates a new album it is setting the default method to Everybody (Public Album). Is there a way to make it default to Album owner only?
Any help would be appreciated
daveweb
Re: Error: New Plugin for Permission Control
« Reply #5 on: December 22, 2012, 09:39:39 pm »

Sorry, please ignore my last request; I only just realised that the gallery default is Everybody (Public Album). I have found the solution for changing that in another thread.