G2.3: Limiting useralbums to group members, limiting album/item permissions

Da Nag

Joined: 2008-11-15
Posts: 1
Posted: Sun, 2008-11-23 07:23

A huge, massive, don't-go-further-without-believing-it disclaimer: I'm a moderate hack. My experience with G2.3 consists of about one week of frustration, trying to get something seemingly simple to work. This is the fruit of my labor, and it's worth every penny you paid for it. Don't ask me for help, expecting any kind of intelligent reply - it may or may not come, and I may disappear from here and not come back for months. If this doesn't scare you off, read on. ;)

My goal:

1. To use the useralbum module, but only have albums created for users in a specific G2.3 group. I don't want useralbums created for every registered user - only those that have been approved, and placed in the group.

2. To lock down all useralbums to the bare minimums. No ability to modify themes. No ability to change permissions, either for the parent album, sub-albums or images. The only users to whom these limitations don't apply, are G2 admins.

Nothing I found here addressed all of the above. Looked at jensperms, ownerperms, and many other code snippets. Picked up pieces from all over, and here's what did it for me. Note - this is for G2.3. I've no idea what might be different in other versions.

Pre-requisite: Create a G2.3 group that will contain approved useralbum users. Note: The group name is hard-coded in the changes below. If you wish to use the modifications as-is, name your group "User Albums". If you wish to use something else, you'll need to change the instances of that name as appropriate in the modifications below.

Note: It should go without saying, but please...back up everything. The mods below change core, so beware - both now, and come upgrade time.

open modules/core/ItemAddAlbum.inc

find:

		/* Prepare our status message */
		list ($ret, $module) = GalleryCoreApi::loadPlugin('module', 'core');
		if ($ret) {
		    GalleryCoreApi::releaseLocks($lockIds);
		    return array($ret, null);
		}

add after:

		/* Added to prevent permissions settings for non-admins */
		$ret = GalleryCoreApi::removeUserPermission($instance->getId(),
		$instance->getOwnerId(),
		'core.changePermissions',false);

open modules/core/ItemEditAlbum.inc

find:

    function isSupported($item, $thumbnail) {
	return (GalleryUtilities::isA($item, 'GalleryAlbumItem'));
    }

replace with:

    function isSupported($item, $thumbnail) {
        list ($ret, $isAdmin) = GalleryCoreApi::isUserInSiteAdminGroup();
        return (!$ret && $isAdmin && GalleryUtilities::isA($item, 'GalleryAlbumItem'));
    }

open modules/core/ItemEditTheme.inc

find:

    function isSupported($item, $thumbnail) {
	return (GalleryUtilities::isA($item, 'GalleryAlbumItem'));
    }

replace with:

    function isSupported($item, $thumbnail) {
        list ($ret, $isAdmin) = GalleryCoreApi::isUserInSiteAdminGroup();
        return (!$ret && $isAdmin && GalleryUtilities::isA($item, 'GalleryAlbumItem'));
    }

open modules/useralbum/classes/UserAlbumHelper.class

find:

	/* Make sure the album owner has core.all permissions */
	$ret = GalleryCoreApi::addUserPermission($albumId, $user->getId(), 'core.all');
	if ($ret) {
	    GalleryCoreApi::releaseLocks($lockId);
	    return $ret;
	}

add after:

	$ret = GalleryCoreApi::removeUserPermission($albumId, $user->getId(), 'core.changePermissions');
        if ($ret) {
            GalleryCoreApi::releaseLocks($lockId);
            return $ret;
        }

open modules/useralbum/UserAlbum.inc

find:

	$userId = GalleryUtilities::getRequestVariables('userId');
	if (empty($userId)) {
	    $userId = $activeUserId;
	}

add after:

	list ($ret, $useralbumGroup) = GalleryCoreApi::fetchGroupByGroupName('User Albums');
    	if ($ret) {
        	return $ret;
    	}

	list ($ret, $inUseralbumGroup) = GalleryCoreApi::isUserInGroup($userId, $useralbumGroup->getId());
    	if ($ret) {
        return $ret;
	}

find:

	if ($isAnonymous) {
	    return array(GalleryCoreApi::error(ERROR_PERMISSION_DENIED), null);
	}

replace with:

	if ($isAnonymous || !$inUseralbumGroup) {
	    return array(GalleryCoreApi::error(ERROR_PERMISSION_DENIED), null);
	}

open modules/useralbum/module.inc

find:

    /**
     * @see GalleryModule::getSystemLinks
     */
    function getSystemLinks() {
	global $gallery;
	$links = array();

add after:

    $activeUserId = $gallery->getActiveUserId();

    $userId = GalleryUtilities::getRequestVariables('userId');
     if (empty($userId)) {
         $userId = $activeUserId;
     }

find:

	/* Check if link is enabled */
	if (!empty($params['homeLink'])) {
	    list ($ret, $isAnonymous) = GalleryCoreApi::isAnonymousUser();
	    if ($ret) {
		return array($ret, null);

add after:

        list ($ret, $useralbumGroup) = GalleryCoreApi::fetchGroupByGroupName('User Albums');
        if ($ret) {
                return $ret;
        }

        list ($ret, $inUseralbumGroup) = GalleryCoreApi::isUserInGroup($userId, $useralbumGroup->getId());
        if ($ret) {
        return $ret;
        }

find:

		if (!empty($albumId) || $params['create'] == 'access') {

replace with:

		if (!empty($albumId) || ($params['create'] == 'access' && $inUseralbumGroup)) {
 
yeahy

Joined: 2008-11-07
Posts: 69
Posted: Tue, 2008-12-23 16:54

this is great! The default setting (full album permission to owner) is not a good idea. I'd like try this mod. Thanks!

 
yeahy

Joined: 2008-11-07
Posts: 69
Posted: Tue, 2008-12-23 19:34

It works! Thanks.

Just for double confirm, no.2 change in modules/useralbum/module.inc, the new added codes should be added before the close curly as below, right?

if (!empty($params['homeLink'])) {
	    list ($ret, $isAnonymous) = GalleryCoreApi::isAnonymousUser();
	    if ($ret) {
		return array($ret, null);
(Should add the mod code here)
  }
(Should NOT add the mod code here)


Two suggestions:

1. If possible, the 'view permission' function for user should be disable either. The admin can view and edit the permission, that's enough.

2. If there're 3 level user groups having the user album permission, e.g. approval user group with 5MB quota, vip group with 50MB quota, admin group with unlimited quota. How to modify the codes to do that?

PS: If the user group name is not in English, there're some issues to send the string to DB. So I change this part

list ($ret, $useralbumGroup) = GalleryCoreApi::fetchGroupByGroupName('User Albums');
        if ($ret) {
                return $ret;
        }

to this:
$useralbumGroup = 2;
Yes, it's hard code. But I can't figure out a better solution.

 
planeguy013

Joined: 2009-03-30
Posts: 1
Posted: Fri, 2009-04-10 03:49

Thanks Da Nag. Really helpful as a start to making the useralbums plugin useful.

Just for followup to yeahy: The code does need to be placed before the closing brace as you have indicated above - placing it after the closing brace will cause the gallery to have conniptions, and not be able to show anything other than the front page.

I have looked through the feature request database, and there are about 5 different requests (all with lowish or no votes) for a better useralbums module, starting with implementing group permissions.

I don'tknow enough coding to work on it, and have tried to extend Da Nag's code above. What I want:

Immediate Requirement:
- Remove some non-Core module permissions from the user album owner. I seem to have success setting the permissions related to the Core module, but have not been able to disable Formatted URLs or eCards.
- I'd like to set it so that only members of the group that has useralbums can view the album - ie by default, only members of the 'User Album" group in the original example can view the album.

Long Term Feature Enhancements:
- Admin Page ability to set which groups/users can get User Albums
- Proper linking to the permission system, so default permissions can be set for the albums through the admin pages
- Help pages, written in basic language, so users unfamiliar with Gallery2, who get a useralbum, know how to use it without consulting the site owner (ie me!)

 
djpumpkin

Joined: 2006-12-06
Posts: 135
Posted: Fri, 2009-05-15 14:12

I have applied Da Nag's mods - following to the letter - but it doesn't seem to work. When I add a user to the group 'User Albums', that user should see a link to their album when they log-in, but they don't.

Am I missing something here? Is there something else needed to give a user access to a user album?

System set up below:

Quote:
Gallery version = 2.3 core 1.3.0
API = Core 7.54, Module 3.9, Theme 2.6, Embed 1.5
PHP version = 5.2.0-8+etch13 apache2handler
Webserver = Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Database = mysqli 5.0.32-Debian_7etch8-log, lock.system=flock
Toolkits = Gd, Ffmpeg, ImageMagick, jpegtran, NetPBM, LinkItemToolkit, Thumbnail, SquareThumb
Acceleration = full/259200, partial/259200
Operating system = Linux vps.gallery2 2.6.18-028stab062.3-ent #1 SMP Thu Mar 26 15:12:05 MSK 2009 i686
Default theme = ice
gettext = enabled
Locale = en_US

Would really love to get this fixed!
Thanks for any info.

DJ

 
djpumpkin

Joined: 2006-12-06
Posts: 135
Posted: Mon, 2009-05-18 19:36

OK - I found the problem. It won't work because I am using gallery 2.3 embedded in Drupal 5.x
Such a shame.

 
m3lvm

Joined: 2009-06-17
Posts: 49
Posted: Wed, 2009-06-17 21:09

Thankyou This mod worked straight out of the tin
The only thing that I have found is owner is showing I expect that is in admin settings.