1.5.4 all users can delete my images

SamBeckett

Joined: 2002-09-29
Posts: 146
Posted: Tue, 2006-08-15 00:11

Bad things changed. Seems like anyone that visits my site can now delete any image! It is because they were uploaded by the anon user. How do you mass-change the image owner? I have tried every setting but the only thing that works is if I click on each image, which I can't do for all 3000 images!

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Tue, 2006-08-15 00:25

Hello,

It's not possible to do a mass change of the owner.

I guess you set that the owners can modify and/or delete their own items.
This is a setting in the properties -> misc -> permissions.

As the owner is anonymous ...
So, strictly speaking, Gallery behaves correctly.

But suggestions/opinions are welcome.

Jens
--
Last Gallery v1 Developer and v1 translation manager.

 
SamBeckett

Joined: 2002-09-29
Posts: 146
Posted: Tue, 2006-08-15 00:27

That's so lame, it didn't use to do that.

I don't want anonymous user 2 deleting anonymous user 1's uploaded images.

Right now my whole site has been compromised because of this upgrade.

 
SamBeckett

Joined: 2002-09-29
Posts: 146
Posted: Tue, 2006-08-15 00:44

so how do I stop people from deleting images?

ASAP!!!

 
SamBeckett

Joined: 2002-09-29
Posts: 146
Posted: Tue, 2006-08-15 01:01

My quick fix: I deleted delete_photo.php

Now for the real fix please.....

So can you confirm that in the past anonymous user 2 could not delete anonymous user 1's uploaded images?

Is this a new 'feature' or did I just not notice this in the past?

 
SamBeckett

Joined: 2002-09-29
Posts: 146
Posted: Tue, 2006-08-15 01:45

AHHHH I'M FREAKING OUT..... HOW DO I MASS-CHANGE??? Why did this just pop up.... guess I could downgrade? NO BACKUPSSSSS.....

I'm so lame. This is so lame.. where is support.

 
SamBeckett

Joined: 2002-09-29
Posts: 146
Posted: Tue, 2006-08-15 01:53

FIXED!!!

well, kind of...

line 869 of view_album.php

            $albumItemOptions = getItemActions($i, false);
            if (sizeof($albumItemOptions) > 2 ||
              (sizeof($albumItemOptions) == 2 && !isset($albumItemOptions['showExif']))) {
//              echo drawSelect2("s$i", $albumItemOptions, array(
//                  'onChange' => "imageEditChoice(document.vote_form.s$i)",
//                  'class' => 'adminform'));
            }

Commented out those 3 lines....

This will disable ALL pull-down menus for all images.
You should also delete the delete_photo.php file, because if people know how to make the URL they will still be able to delete your images without having a menu.

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Tue, 2006-08-15 08:34

Hello Sam,

This is no new 1.5.4 feature. There was a bug in 1.5.x and before that was fixed in 1.5.2.
The permissions now behave exactly as you set them.

I guess your scenario is this:

owner of the albums : *everybody*
"Users who can add photos." : *everybody*

Now there can be 2 possibilities:

a.)
"Users who can delete photos." : *everybody*

or

b.)

"Users who can delete photos." : NOT *everybody*
"Allow item owners to delete their images" : checked.

In any case you should change the owner of the album to something different than everybody.

If a.) is correct, I don't need to say things, right?
If b.), uncheck the checkbox in the properties dialog.

Jens
--
Last Gallery v1 Developer and v1 translation manager.

 
SamBeckett

Joined: 2002-09-29
Posts: 146
Posted: Tue, 2006-08-15 14:39

1) "Photo owner deletion Allow photo owners to delete their own photos?" set to NO
2) And will change the owner of the album from nobody to Admin

So these 2 changes should protect my data now from being deleted by anon?

(can't test because I removed the menus!! lol)

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Tue, 2006-08-15 15:07

Yes.

Jens
--
Last Gallery v1 Developer and v1 translation manager.
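
The permission scenarios described in this thread, as an added example that is not part of the original posts and is not Gallery's own code. It is a simplified model showing why anonymously uploaded images stay deletable until both the album owner is changed and owner deletion is unchecked; the function names, array keys, the `anonymous` visitor id and the rule that an album owner may manage every item are assumptions.

```php
<?php
// Simplified model of the album permission settings discussed in this thread.
// Not Gallery's code: all function names and array keys are hypothetical.
const EVERYBODY = 'everybody'; // pseudo-user that stands for any visitor

// A principal matches a visitor if it is that visitor or the EVERYBODY pseudo-user.
function matches(string $principal, string $visitor): bool
{
    return $principal === EVERYBODY || $principal === $visitor;
}

// Decide server-side, in the delete handler itself, whether $visitor may delete $item.
// Hiding the menu is not enough: the delete URL stays reachable.
function canDeleteItem(array $album, array $item, string $visitor): bool
{
    if (matches($album['owner'], $visitor)) {
        return true; // assumption: the album owner may manage every item
    }
    foreach ($album['deleteUsers'] as $principal) {
        if (matches($principal, $visitor)) {
            return true; // "Users who can delete photos."
        }
    }
    // "Allow item owners to delete their images"
    return $album['ownerCanDelete'] && matches($item['owner'], $visitor);
}

// Constructed sample data: an image uploaded anonymously, so its owner is EVERYBODY.
$item = ['owner' => EVERYBODY];
$albums = [
    'a) everybody may delete'   => ['owner' => EVERYBODY, 'deleteUsers' => [EVERYBODY], 'ownerCanDelete' => false],
    'b) owner deletion checked' => ['owner' => EVERYBODY, 'deleteUsers' => ['admin'], 'ownerCanDelete' => true],
    'only checkbox unchecked'   => ['owner' => EVERYBODY, 'deleteUsers' => ['admin'], 'ownerCanDelete' => false],
    'only album owner changed'  => ['owner' => 'admin', 'deleteUsers' => ['admin'], 'ownerCanDelete' => true],
    'both changes applied'      => ['owner' => 'admin', 'deleteUsers' => ['admin'], 'ownerCanDelete' => false],
];

// Print, for each configuration, whether an anonymous visitor and the admin may delete.
foreach ($albums as $label => $album) {
    printf(
        "%-27s anonymous: %-5s admin: %s\n",
        $label,
        var_export(canDeleteItem($album, $item, 'anonymous'), true),
        var_export(canDeleteItem($album, $item, 'admin'), true)
    );
}
```

Only the last configuration denies the anonymous visitor while still allowing the admin, which matches the two changes confirmed at the end of the thread.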