
Author Topic: How to give reg. users access to the batch upload function  (Read 3831 times)


_dopehead_

  • Coppermine newbie
  • Posts: 14
How to give reg. users access to the batch upload function
« on: March 14, 2004, 05:46:23 pm »

I have been searching for this and did not find any answers. How do I enable access to the batch upload function in Coppermine for my registered users? I don't want them to be admins, but they should have access to batch uploading the pics that they have ftp'ed to my server.

Jan
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
How to give reg. users access to the batch upload function
« Reply #1 on: March 14, 2004, 11:11:04 pm »

batch-add is an admin-only function, as it would require your users to have ftp access, which they could easily use to take over your whole server. In other words: this can't be done!

GauGau
Logged

goebelmeier

  • Coppermine newbie
  • Posts: 2
Re: How to give reg. users access to the batch upload function
« Reply #2 on: July 13, 2004, 03:46:43 pm »

Why can't this be done? I'm webmaster of a website with 5 different photographers (dict.leo.org, German -> English :)); each has his own ftp-directory in a chroot which is named /albums/<name>/. Up to now, all 5 have admin-rights to use batch-add. In future I would like them only to add albums and use batch-add. I don't see any security-risk in implementing such a feature.

Wow, bad English, but I hope you will understand :)
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: How to give reg. users access to the batch upload function
« Reply #3 on: July 13, 2004, 06:50:59 pm »

OK, we decided to let only admins have batch-add, because if we didn't, there'd be a lot of newbie webmasters who gave away ftp-upload permissions to their users without any restriction. The restriction must be that the ftp-uploads must either not be accessible by http or php-parsing must be disabled or uploads must be restricted server-side to certain file types that can't be harmful. The reason why an un-secured ftp access would be disastrous for security is easy to see: a "bad guy" might upload a script file (php, perl or whatever) and execute it in the browser - this way, he could gain access to the whole website and take it over.
I'm sure that the pros out there know how to secure their ftp-uploads, but "regular" webhosted "wannabe-admins" won't. This is why there's no batch-add for "regular" users - just to not lead "newbies" into temptation. Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

GauGau
Logged
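
The third restriction named in Reply #3 (uploads limited server-side to file types that can't be harmful), shown as an added example that is not part of the thread or of Coppermine's code: a Python audit of an FTP upload directory, run before anything is batch-added. The allow-list, the script-extension list and the `anna` sample directory are assumptions constructed for illustration.

```python
import os
import tempfile

# Allow-listed image extensions and the leading bytes each must have (list is an assumption).
JPEG = (b"\xff\xd8\xff",)
MAGIC = {".jpg": JPEG, ".jpeg": JPEG, ".png": (b"\x89PNG\r\n\x1a\n",),
         ".gif": (b"GIF87a", b"GIF89a")}
# Extensions a web server may hand to an interpreter, even in the middle of a name.
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".pl", ".cgi", ".py", ".sh", ".asp"}


def audit_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for files that should not be batch-added."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            parts = ["." + p for p in name.lower().split(".")[1:]]
            ext = parts[-1] if parts else ""
            if name.lower().startswith(".ht"):
                findings.append((rel, "server config override"))
            elif any(p in SCRIPT_EXTS for p in parts):
                findings.append((rel, "script extension in name"))
            elif ext not in MAGIC:
                findings.append((rel, "type not on allow-list"))
            else:
                with open(path, "rb") as fh:
                    head = fh.read(8)
                if not head.startswith(MAGIC[ext]):
                    findings.append((rel, "content does not match extension"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample upload directory for one user (not real data)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 4
    samples = {"ok.jpg": jpeg, "photo.php.jpg": jpeg, "fake.gif": b"plain text",
               "notes.txt": b"hello", ".htaccess": b"# constructed"}
    os.makedirs(os.path.join(root, "anna"))
    for name, data in samples.items():
        with open(os.path.join(root, "anna", name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_upload_dir(tmp):
            print(f"{rel}: {reason}")
```

A content check like this does not replace disabling PHP parsing for the upload directory, since a file with a valid image header can still carry embedded script text.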

goebelmeier

  • Coppermine newbie
  • Posts: 2
Re: How to give reg. users access to the batch upload function
« Reply #4 on: July 13, 2004, 08:40:48 pm »

Quote: Those who're in the know can easily disable the "is-admin" check inside the batch-add routine...

Thanks... Very good hint. I haven't looked at the source yet.
Logged