
[wish] Allow Guests To Add Pictures


9 replies to this topic

#1 churchyard


Posted 26 March 2006 - 11:32 AM

I want 1 gallery on my site, in which guests can add pictures (but not delete/edit them). And maybe some flood control (10 images per hour?), but the flood limit is a secondary problem.

What about making a user "gallery", who can add pictures but not delete them, and just making a form to log in (saying: "log as gallery, password 1a2B3c4D5#")

but how to make the underlined part of this?

#2 mikef


Posted 26 March 2006 - 01:07 PM

I want 1 gallery on my site, in which guests can add pictures (but not delete/edit them). And maybe some flood control (10 images per hour?), but the flood limit is a secondary problem.

What about making a user "gallery", who can add pictures but not delete them, and just making a form to log in (saying: "log as gallery, password 1a2B3c4D5#")

but how to make the underlined part of this?


Add only users:
Not possible at present, without changes to several parts of the code. One of the bits that would need to change would be in the checking for a permitted user part, which I don't want to touch until 0.6.1 final is available and the new userlogin features are documented. (I'm still using RC3 on my sites)
Once we've worked out how we want to use the new login features, adding an 'add only' permission may be easy.

Flood control
Flood control is more tricky, as we don't keep any time based information in the etogal table, so would have to get it from the file system.

However, once a visitor is given the ability to upload a file there is the potential for other exploits, and I'd want to think about this carefully before permitting it. Also, I'm not sure that flood control within etogal could be made fully effective against someone determined to get round it, so such a facility could be used to break the site.

#3 churchyard


Posted 26 March 2006 - 01:12 PM

What about copying the EtGal snippet (to a 2nd one, named EtoGalGuest) and in that copy just disallowing deleting?

But then there would be a problem with the admin deleting wrong images. That can be solved by using the SQL DB to delete them.

#4 mikef


Posted 26 March 2006 - 01:49 PM

What about copying the EtGal snippet (to a 2nd one, named EtoGalGuest) and in that copy just disallowing deleting?

But then there would be a problem with the admin deleting wrong images. That can be solved by using the SQL DB to delete them.


Yes, you could do that as a temporary measure. All you'd need to do is remove (or disable) the checkbox in the admin form. (You could even add a check on whether the user is an admin if you're happy with PHP coding.)

Using the SQL admin program isn't enough - you'd also need to go and delete the files from the gallery's directory.

#5 churchyard


Posted 26 March 2006 - 01:52 PM

no problem about deleting files.

___________________________


something like if userid == X (admin) -> $checkbox = "<html of checkbox>";
else -> $checkbox = "&nbsp;";

?

#6 mikef


Posted 26 March 2006 - 02:16 PM

no problem about deleting files.

___________________________
something like if userid == X (admin) -> $checkbox = "<html of checkbox>";
else -> $checkbox = "&nbsp;";

?



yes, something like that ...

#7 churchyard


Posted 26 March 2006 - 02:19 PM

is this secure?
(...)

$access_permitted=1; // no tests, everyone is allowed

// figure out access permissions of the user viewing this page
$userdetails=$etomite->userLoggedIn();

// check whether user is allowed to modify this page (-> $result1=1)
/*
 $rs1=$etomite->dbQuery("SELECT * FROM (" . $etomite->db . "member_groups JOIN " . $etomite->db . "membergroup_access ON user_group=membergroup) JOIN " . $etomite->db . "document_groups ON documentgroup=document_group WHERE member='" . $userdetails['id'] . "' and document='" . $etomite->documentIdentifier . "'");
 $result1=mysql_num_rows($rs1);
*/
 $result1=0; //skip the first test

  // check if user is administrator (-> $result2=1)
  $rs2=$etomite->dbQuery("SELECT * FROM " . $etomite->db . "user_attributes WHERE id='" . $userdetails['id'] . "' AND role='1'");
  $result2=mysql_num_rows($rs2);

  // show the delete checkbox only to page editors or administrators
  if($result1>0 || $result2>0) $can_delete="<input type=\"checkbox\" name=\"delete$i\" value=\"yes\" title=\"" . $strings['check_to_delete_this_picture'] . "\">";
  else $can_delete="&nbsp;";

(...)

     <td>" . $strings['delete'] . ": " . $can_delete . "</td>

(...)

Edited by churchyard, 26 March 2006 - 02:21 PM.


#8 mikef


Posted 26 March 2006 - 03:11 PM

is this secure?

removed to save space



Looks as if it will do the job you want, though it's definitely not secure! What you want to do is inherently insecure - you are allowing anyone access to upload files to your server, which inevitably presents a risk that they could crash your server. I would not recommend doing this, even if an attempt at flood control was added.

Edited by mikef, 26 March 2006 - 03:12 PM.
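The snippet in post #7 decides only whether the delete checkbox is rendered; the request that actually removes a picture is what needs the authorisation check, because a visitor can submit `delete1=yes` by hand without ever seeing the form. The following is an added example, not EtGal's or Etomite's own code: it reuses the page's own test (a row in `user_attributes` with `role='1'`) as a prepared statement and applies the same decision both when rendering the cell and when handling the delete request. The `$mysqli` connection, the `$prefix` stand-in for `$etomite->db`, the `$galleryDir` path and the `$pictures` list (filenames taken from the gallery table, not from the request) are all assumptions for the example.

```php
<?php
// Added example, not EtGal code. Assumptions: $mysqli is an open mysqli
// connection, $prefix plays the role of $etomite->db, $galleryDir is the
// gallery's directory, and $pictures maps row index => filename as stored
// in the etogal table.

function user_is_admin(mysqli $mysqli, string $prefix, $userId): bool {
    // Same test as the posted snippet (role='1' in user_attributes), but the
    // id is bound as a parameter instead of being spliced into the SQL text.
    $stmt = $mysqli->prepare(
        "SELECT 1 FROM `{$prefix}user_attributes` WHERE id = ? AND role = '1' LIMIT 1"
    );
    if ($stmt === false) {
        return false;                 // fail closed if the statement cannot be prepared
    }
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->store_result();
    $isAdmin = $stmt->num_rows > 0;
    $stmt->close();
    return $isAdmin;
}

function render_delete_cell(bool $isAdmin, int $i, array $strings): string {
    // Hiding the checkbox from non-admins is a convenience for the UI only;
    // it does not stop anyone from posting the field.
    if (!$isAdmin) {
        return '&nbsp;';
    }
    $title = htmlspecialchars($strings['check_to_delete_this_picture'], ENT_QUOTES, 'UTF-8');
    return '<input type="checkbox" name="delete' . $i . '" value="yes" title="' . $title . '">';
}

function handle_delete_request(array $post, bool $isAdmin, string $galleryDir, array $pictures): array {
    // This is the check that matters: the delete request itself is refused
    // unless the caller is an admin, whatever the form looked like.
    $deleted = [];
    if (!$isAdmin) {
        return $deleted;
    }
    foreach ($pictures as $i => $filename) {
        if (($post["delete$i"] ?? '') !== 'yes') {
            continue;
        }
        // The name comes from the gallery table, never from the request, and
        // basename() keeps the path inside the gallery directory regardless.
        $path = $galleryDir . '/' . basename($filename);
        if (is_file($path) && unlink($path)) {
            $deleted[] = $filename;
        }
    }
    return $deleted;
}

// Typical use inside the snippet (assumed names):
//   $isAdmin = user_is_admin($mysqli, $prefix, $userdetails['id']);
//   $can_delete = render_delete_cell($isAdmin, $i, $strings);
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//       handle_delete_request($_POST, $isAdmin, $galleryDir, $pictures);
//   }
```

The delete handler should additionally require a per-session CSRF token on the form, since an admin who is logged in could otherwise be made to submit the delete fields from another site; that is orthogonal to the authorisation check shown here.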


#9 churchyard


Posted 26 March 2006 - 03:14 PM

And is there any way to stop adding any file that is not jpg?

#10 mikef


Posted 26 March 2006 - 03:57 PM

And is there any way to stop adding any file that is not jpg?

Just limiting files to .jpg would help, but I can still think of two ways of potentially crashing the server.

To make upload secure against malicious users would need the whole image upload section to be carefully checked and assessed for risks, and extra checks added where required. Etogal was designed to handle only people who had an account set up, and who ought therefore to be able to be trusted; converting it to be even reasonably secure against malicious users is unlikely to be trivial. It's not a problem I want to spend time trying to address at the moment, though of course anyone else is welcome to try!
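Two points in the thread lend themselves to one worked example: the flood control from post #2 (no timestamps in the etogal table, so the count has to come from the file system) and the "limit files to .jpg" from post #10, which on its own only checks a name the uploader chooses. The code below is an added example, not EtGal's code, and makes no attempt to cover every risk mikef alludes to; it shows the checks a guest-upload handler would need at minimum: a size cap, content-based JPEG detection rather than trusting the extension or the client MIME type, a bound on decoded dimensions, a server-chosen filename, re-encoding through GD so nothing but image data is written, and an hourly per-client limit derived from file modification times. The field name `picture`, the `$galleryDir` path, the `$remoteAddr` value and the constants are all assumptions for the example.

```php
<?php
// Added example, not EtGal code. Assumed environment: $galleryDir is the
// gallery's upload directory (writable by PHP, script execution disabled in
// the web server), $_FILES['picture'] is the upload field, $remoteAddr is the
// client address used to key the flood counter. GD must be available.

const MAX_UPLOAD_BYTES     = 2 * 1024 * 1024;  // 2 MiB; choose to suit the site
const MAX_UPLOADS_PER_HOUR = 10;               // the "10 images per hour" from post #1
const MAX_PIXELS           = 4000 * 4000;      // decoded size cap; huge images exhaust memory

// Per-client tag used as a filename prefix so the flood counter can be
// reconstructed from the directory listing alone (post #2's approach).
function client_tag(string $remoteAddr): string {
    return substr(sha1($remoteAddr), 0, 12);
}

// Flood control from the file system: count this client's files created in
// the last hour. No database column is needed.
function uploads_last_hour(string $galleryDir, string $remoteAddr, int $now): int {
    $n = 0;
    foreach (glob($galleryDir . '/' . client_tag($remoteAddr) . '-*.jpg') ?: [] as $f) {
        if (filemtime($f) > $now - 3600) {
            $n++;
        }
    }
    return $n;
}

// Returns null when the upload is acceptable, otherwise a short reason.
// Every check looks at the file's content or at facts the server knows;
// the client-supplied name and MIME type are ignored entirely.
function validate_jpeg_upload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return 'too large';
    }
    // Magic bytes: every JPEG begins with FF D8 FF.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 3);
    if ($head !== "\xFF\xD8\xFF") {
        return 'not a JPEG';
    }
    // Let the image library parse the header; it also yields the dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'not a JPEG';
    }
    if ($info[0] * $info[1] > MAX_PIXELS) {
        return 'dimensions too large';
    }
    return null;
}

// Validates, rate-limits and stores the upload; returns the stored filename.
function store_upload(array $file, string $galleryDir, string $remoteAddr): string {
    if (uploads_last_hour($galleryDir, $remoteAddr, time()) >= MAX_UPLOADS_PER_HOUR) {
        throw new RuntimeException('hourly upload limit reached');
    }
    if (($why = validate_jpeg_upload($file)) !== null) {
        throw new RuntimeException($why);
    }
    // Server-chosen name with a fixed extension: no user input reaches the
    // path, and the web server never sees a name it might execute.
    $name = client_tag($remoteAddr) . '-' . bin2hex(random_bytes(8)) . '.jpg';
    $dest = $galleryDir . '/' . $name;
    // Re-encode through GD so only decoded pixel data is written; any bytes
    // trailing the image in the original upload are discarded.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false || !imagejpeg($img, $dest, 85)) {
        throw new RuntimeException('could not re-encode image');
    }
    chmod($dest, 0644);
    return $name;
}

// Typical use from the upload form handler (assumed names):
//   try {
//       $stored = store_upload($_FILES['picture'], $galleryDir, $_SERVER['REMOTE_ADDR']);
//   } catch (RuntimeException $e) {
//       // report $e->getMessage() to the visitor, log it for the admin
//   }
```

The re-encode step doubles as a decoder-level check: GD refuses files that only look like JPEGs from the header, and it removes any non-image data from what lands in the gallery directory. Keyed on the client address, the hourly limit is easy to sidestep by anyone with more than one address, which is the reservation mikef raises in post #2; it stops accidental floods rather than a determined one, so the web server's own limits and a directory that cannot execute scripts remain the real backstops.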



