Users getting Security Violation when trying to access the gallery

Oldiesmann

Joined: 2005-05-18
Posts: 151
Posted: Wed, 2011-11-30 05:57

I recently released a new version of SMF+G2 which includes a few new features, and now I'm having a huge problem here. New gallery users are getting "security violation" messages when trying to access other users' albums and even the main gallery, even though there's nothing blocking them from doing so. I have gone through my code and cannot figure out what's going on, but it's happening on at least two different sites, so I'm wondering what I may have done wrong.

The error message from the event log is this:

Quote:
Error (ERROR_MISSING_OBJECT, ERROR_PERMISSION_DENIED)in modules/core/classes/GalleryView.class at line 368 (GalleryCoreApi::error)
in modules/core/ShowItem.inc at line 106 (GalleryView::getItem)
in modules/core/ShowItem.inc at line 61 (ShowItemView::getItem)
in modules/core/classes/GalleryView.class at line 293 (ShowItemView::loadTemplate)
in main.php at line 465 (GalleryView::doLoadTemplate)
in main.php at line 104
in modules/core/classes/GalleryEmbed.class at line 189
in /.../Sources/Gallery.php at line 189 (GalleryEmbed::handleRequest)
in ??? at line 0
in /.../index.php at line 152

Request variables: Array
(
[path] => useralbums/kasti/
[itemId] => 7982
[view] => core.ShowItem
)

That's from a user trying to access their own user album. The album does actually exist, and I can access it just fine as an administrator.

System information:

Quote:
Gallery URL = http://galleryproject.oldiesmann.us/gallery2/main.php
Gallery version = 2.3.1 core 1.3.0.1
API = Core 7.54, Module 3.9, Theme 2.6, Embed 1.5
PHP version = 5.3.8 cgi-fcgi
Webserver = Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.6
Database = mysqlt 5.1.56-log, lock.system=flock
Toolkits = ArchiveUpload, Gd, Thumbnail, LinkItemToolkit, Getid3, NetPBM, Exif, ImageMagick
Acceleration = partial/3600, partial/3600
Operating system = Linux oldies.fbyneserv.com 2.6.18-028stab094.3 #1 SMP Thu Sep 22 12:47:37 MSD 2011 x86_64
Default theme = matrix
gettext = enabled
Locale = en_US
Browser = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.8 (KHTML, like Gecko) Chrome/17.0.942.0 Safari/535.8
Rows in GalleryAccessMap table = 5161
Rows in GalleryAccessSubscriberMap table = 494
Rows in GalleryUser table = 579
Rows in GalleryItem table = 486
Rows in GalleryAlbumItem table = 173
Rows in GalleryCacheMap table = 37196

Any suggestions? I've attached my Gallery.php if it's any help. As I said, this only seems to happen to users who register in the gallery for the first time after I've updated this - anyone who was already a gallery user prior to the update doesn't have this problem. I've already verified that the IDs are correct in SMF's members table too.

A user on another forum where this problem occurs said they get the same error if they try to access the gallery directly (instead of embedded).
---------------------
The Oldiesmann
SMF Marketing Team member
SMF+G2 Integration Project - 1.0 now available! (Supports SMF 2.0 and higher, released 11/17/

Attachment: Gallery.php_.txt (49.5 KB)
 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Wed, 2011-11-30 14:08

Missing object is probably referring to the externalId.
Process:
1. New user created in your CMS
2. New user created in Gallery
3. Retrieve new user from Gallery by userName
4. Add externalIdMap for CMS User <-> Gallery User:
GalleryEmbed::addExternalIdMapEntry($CMSUser, $GalleryUser->getId(), 'GalleryUser')

Always remember to commit changes when using GalleryEmbed by executing GalleryEmbed::done()

-s
FlashYourWeb and Your Gallery with The E2 XML Media Player for Gallery2
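
The mapping procedure from the post above, with every return status checked and a follow-up view-permission check that separates a missing map from a denied permission. This is an added example, not part of the thread or of the SMF+G2 code; the install path, embedUri, function name and sample arguments are assumptions.

```php
<?php
// Added example. Path, embedUri, function name and sample values are assumed.
require_once '/path/to/gallery2/embed.php';

/**
 * Make sure CMS user $cmsUid is mapped to a Gallery user, then report whether
 * that user holds core.view on $itemId.
 * Returns array(GalleryStatus|null, bool $canView).
 */
function g2EnsureMappedAndCheckView($cmsUid, $userName, $itemId) {
    // No activeUserId here, so an unmapped user cannot abort initialisation.
    $ret = GalleryEmbed::init(array(
        'embedUri' => '/index.php?action=gallery',
        'g2Uri'    => '/gallery2/',
        'fullInit' => true));
    if ($ret) { return array($ret, false); }

    // null means "mapped"; ERROR_MISSING_OBJECT means no map entry exists yet.
    $ret = GalleryEmbed::isExternalIdMapped($cmsUid, 'GalleryUser');
    if ($ret && ($ret->getErrorCode() & ERROR_MISSING_OBJECT)) {
        // The Gallery account must already exist; look it up by name and map it.
        list ($ret, $user) = GalleryCoreApi::fetchUserByUsername($userName);
        if ($ret) { return array($ret, false); }
        $ret = GalleryEmbed::addExternalIdMapEntry(
            $cmsUid, $user->getId(), 'GalleryUser');
        if ($ret) { return array($ret, false); }
    } else if ($ret) {
        return array($ret, false);      // some other failure
    }

    // Resolve the map the same way an embedded request would.
    list ($ret, $user) =
        GalleryCoreApi::loadEntityByExternalId($cmsUid, 'GalleryUser');
    if ($ret) { return array($ret, false); }

    // Direct permission lookup for this user, including group-derived rights.
    list ($ret, $canView) = GalleryCoreApi::hasItemPermission(
        $itemId, 'core.view', $user->getId());
    if ($ret) { return array($ret, false); }

    // Commit; without done() a newly added map entry is not saved.
    $ret = GalleryEmbed::done();
    return array($ret, $canView);
}

// Constructed call: CMS id 42 is made up; 7982 is the itemId from the log above.
list ($ret, $canView) = g2EnsureMappedAndCheckView(42, 'kasti', 7982);
print $ret ? $ret->getAsHtml() : ($canView ? "view allowed\n" : "view denied\n");
```

A result of "view denied" with no error status means the map is intact and the problem is in the item's user or group permissions rather than in the external ID mapping.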

 
Oldiesmann

Joined: 2005-05-18
Posts: 151
Posted: Wed, 2011-11-30 16:32

That's already been done by the time they're getting this error. In the example I provided above, the user's user album has already been created (which can't happen if they don't have an account obviously), and they're getting that error while trying to access their own user album. Some users are able to get to their user albums but get that error while trying to access other parts of the gallery.

If it were a missing user account, it would just throw ERROR_MISSING_OBJECT with the ID of the missing object and would also say that it was a user that was missing.

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Wed, 2011-11-30 16:45

Permission denied makes me think Gallery does know who the user is. Are you initializing Gallery with the externalId? I.e.:
GalleryEmbed::init(array('embedUri'=>'/media/index.php', 'g2Uri'=>'/gallery2/', 'loginRedirect'=>'/users.php', 'activeLanguage'=>'en_GB', 'activeUserId'=>$CMS_uid, 'fullInit'=>true))

 
Oldiesmann

Joined: 2005-05-18
Posts: 151
Posted: Thu, 2011-12-01 17:39

It's actually happening after the initialization has been finished. It's basically saying that the user doesn't have access to view the gallery, even though they should.

Because I had more time to look at this today, I think I may have finally gotten to the bottom of the issue.

We've actually had problems on two different forums...

On my forum, where the user couldn't view their own user album, they had limited permissions on that album despite being the owner. I've changed it so that they have the standard "all access" on that one and will check my settings to ensure I've got it set up properly.

On the forum where users couldn't view anything but their own albums, I'm thinking it may be a membergroup issue. I have the forum set up to copy all groups and group membership over to the gallery, so the admin can set gallery permissions based on a user's status in the forum. On that gallery, the "Everybody" group had the "[core] View all versions" permission, but none of the other groups (the ones copied over from the forum) had any permissions at all.

I have since added permissions for all of those groups and am awaiting confirmation from the users to see if that fixes anything. I'm also going to be digging through my code a bit more to see if I might have changed something somewhere along the lines that would have affected that (the forum in question has had the integration set up for some time now, and users reported that it started happening after a forum upgrade I did a couple months ago).