Album random image & permission security breach
apaxi
Joined: 2005-05-05
Posts: 11
Posted: Wed, 2005-05-25 01:47
I've noticed that random highlights for albums display pictures that do not have the appropriate permissions for the logged-in user (or users that are not logged in, for that matter). Is there something I'm missing when restricting permissions for certain photos, or is this a potential permission security hole? Other than that, G2B3 is solid!
Posts: 11
I think that I figured this potential error out. If the random highlights are regenerated when logged in as admin, these same highlights show when logged out or logged in as a user with no permission to view those images. The problem resolves itself when the random highlights regenerate while the user with permission restrictions is logged in or when users are not logged in at all.
Shouldn't there be a security check when displaying the highlights to determine if the user logged in has rights to view that image highlight?
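The check asked for above, modelled as an added Python example (not Gallery2 code): a hypothetical album with one public and one admin-only photo, a highlight that is cached when regenerated, and the difference between serving that cache blindly and re-checking the current viewer's permission at display time. The item ids, ACL sets and user names are constructed for the example.

```python
import random

# Hypothetical model, not Gallery2 code: each item maps to the set of users
# allowed to view it; "*" stands for everyone, guests included.
ITEMS = {
    1: {"*"},       # constructed: a public photo
    2: {"admin"},   # constructed: a photo restricted to the admin
}

def can_view(item_id, viewer):
    acl = ITEMS[item_id]
    return "*" in acl or viewer in acl

class RandomHighlight:
    """Album thumbnail chosen at random and cached until the next regeneration."""

    def __init__(self, recheck_at_display):
        self.recheck_at_display = recheck_at_display
        self.cached = None

    def regenerate(self, viewer, choose=random.choice):
        # The behaviour described in the thread: the candidate set is computed
        # from the permissions of whoever triggers regeneration (e.g. the admin).
        candidates = [i for i in ITEMS if can_view(i, viewer)]
        self.cached = choose(candidates)

    def display(self, viewer):
        # Buggy path: hand the cached choice to anyone who views the album.
        # Fixed path: enforce the *current* viewer's permission on every display.
        if self.cached is None:
            return None
        if self.recheck_at_display and not can_view(self.cached, viewer):
            return None
        return self.cached

def leaks_private_item(recheck_at_display):
    """Regenerate while the admin is logged in, then view as a guest.
    Returns True if the guest is shown the admin-only photo."""
    hl = RandomHighlight(recheck_at_display)
    hl.regenerate("admin", choose=max)  # force the private item (id 2) as the pick
    return hl.display("guest") == 2

if __name__ == "__main__":
    print("leak without re-check:", leaks_private_item(False))  # True
    print("leak with re-check:   ", leaks_private_item(True))   # False
```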
Posts: 8601
See this bug report.
G2 allows you to do 'make highlight' on a private item and use that as the album thumbnail, so that's how the random highlight module was written.
Posts: 5
Is there some difference between the "random block" (the one that shows up on the side nav of the gallery's page) and the "Random Highlight" that is mentioned in this thread?
Posts: 32509
G2 has an imageblock which offers random images.
This is entirely different from the "randomhighlight" module, which changes the thumbnail of a listed module in a random fashion.
Posts: 5
Which one is used on the side nav of the gallery?
Do these share the same business logic?
Do they have the same business rules?
Posts: 32509
As I said, they are entirely different. They don't share the logic etc. These are 2 different modules.
In site admin -> themes -> matrix, you can add blocks to the sidebar. Does it say "random highlight block"? No. It says "image block". So it's the imageblock random images that you see in the sidebar.