All postnuke users are superusers!

ONda

Joined: 2003-06-21
Posts: 7
Posted: Sun, 2003-06-22 10:48

HELP!

I don't know when this happened but I recently found out that every registered PostNuke user has full access to all my albums, including the option to add new albums! Anonymous users have no options thank god.

I've read all FAQs and checked every option, but nothing changes.

I saw that all my albums had the 'NOBODY' user as owner, so I changed that to 'admin'.

I've done a reinstall of the gallery module and made a new album, but they have access to those as well!

I've upgraded to the latest Gallery 1.3.4 but it doesn't fix my problem!

Please please please help!

Thanks! --ONda

ONda

Joined: 2003-06-21
Posts: 7
Posted: Sun, 2003-06-22 11:26

I think I've found a solution:

In classes/postnuke0.7.1/User.php on line 53 change:

$this->isAdmin = (pnSecAuthAction(0, '::', '::', ACCESS_ADMIN));

to this:

$this->isAdmin = (pnSecAuthAction(0, 'Gallery::', '::', ACCESS_ADMIN));

Now, regular users can't do much except place comments, but users with admin rights can do everything. If you want certain users to have these rights, add the following to your permissions:

<USER/GROUP> | Gallery:: | .* | ADMIN

I hope this helps anyone!

beckett

Joined: 2002-08-16
Posts: 3469
Posted: Tue, 2003-06-24 07:38

Quoted from http://gallery.sf.net/forums.php?topic=6837

This was fixed on June 6 in 1.3.5-cvs-b12.
Please grab a current snapshot from CVS (see FAQ A.2 or Jesse's page).
(This should only ever have affected users who have admin privileges, though?)
Let us know if you need any more assistance. :)

-Beckett

MasterMerlin

Joined: 2002-12-16
Posts: 13
Posted: Sat, 2005-05-21 04:24

This appears to be happening again on PostNuke MDPro in gallery version 1.5 but the above fix is not helping.

MasterMerlin

Joined: 2002-12-16
Posts: 13
Posted: Sat, 2005-05-21 05:59

Okay I figured out what was wrong and fixed it.

Achriel

Joined: 2004-11-22
Posts: 1
Posted: Wed, 2005-08-03 03:09

Sadly this error does seem to exist in as far as Gallery works in Postnuke, but in a rather bizarre form.

If a user has ANY Admin level access as defined through either the User or Group Permissions then they will inherit Admin level access in the entire Gallery. Which could be a serious security hole. The fix is easy and exactly as above with a small change:

In \classes\postnuke0.7.1\User.php line 60:

$this->isAdmin = (pnSecAuthAction(0, "$name::", '::', ACCESS_ADMIN));

Change to:

$this->isAdmin = (pnSecAuthAction(0, "Gallery::", '::', ACCESS_ADMIN));

This is assuming Gallery is how you wish to define this permission setting (best to use the module directory name as a default). After that it works a charm and I'm sure someone can write a superior fix/patch in moments by simply using a valid module name.

At least my permissions work as expected now. Love Gallery, great program.

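The behaviour described in the posts above, as a simplified model: an added example, not part of any post and not Gallery or PostNuke source. It shows why a check against the blank component '::' treats admin rights on any module as Gallery admin, while a check against 'Gallery::' does not. The demo* functions, the numeric levels, the 'News::' rule and the "best level for a blank query" behaviour are assumptions constructed for illustration.

```php
<?php
// Model only: levels and rules are constructed, not taken from PostNuke source.
const ACCESS_NONE = 0;
const ACCESS_COMMENT = 300;
const ACCESS_ADMIN = 800;

// True when a test string consists only of ':' separators (e.g. '::').
function demoIsBlank(string $s): bool
{
    return trim($s, ':') === '';
}

// Each rule is [component regex, instance regex, level]; first match wins.
function demoLevel(array $rules, string $component, string $instance): int
{
    if (demoIsBlank($component) && demoIsBlank($instance)) {
        // Assumed behaviour matching the thread: a fully generic query
        // reports the best level the user holds on ANY component.
        return max(array_merge([ACCESS_NONE], array_column($rules, 2)));
    }
    foreach ($rules as [$compRe, $instRe, $level]) {
        if (preg_match('/^' . $compRe . '$/i', $component)
            && preg_match('/^' . $instRe . '$/i', $instance)) {
            return $level;
        }
    }
    return ACCESS_NONE;
}

function demoAuth(array $rules, string $component, string $instance, int $need): bool
{
    return demoLevel($rules, $component, $instance) >= $need;
}

// Constructed users: an editor who is admin of one unrelated module,
// and a user holding the Gallery rule suggested in the thread.
$editor = [['News::', '.*', ACCESS_ADMIN], ['.*', '.*', ACCESS_COMMENT]];
$galleryAdmin = [['Gallery::', '.*', ACCESS_ADMIN], ['.*', '.*', ACCESS_COMMENT]];

$cases = [
    "editor, '::' (original check)" => demoAuth($editor, '::', '::', ACCESS_ADMIN),
    "editor, 'Gallery::' (patched check)" => demoAuth($editor, 'Gallery::', '::', ACCESS_ADMIN),
    "gallery admin, 'Gallery::' (patched check)" => demoAuth($galleryAdmin, 'Gallery::', '::', ACCESS_ADMIN),
];
foreach ($cases as $label => $isAdmin) {
    printf("%-45s isAdmin=%s\n", $label, var_export($isAdmin, true));
}
```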
MasterMerlin

Joined: 2002-12-16
Posts: 13
Posted: Wed, 2005-08-03 03:18

Someone did write a fix. It is called mdGallery. However, it is only current to 1.5 I believe. New version should be coming out soon.

Login or register to post comments
msandersen

Joined: 2005-07-29
Posts: 13
Posted: Thu, 2005-08-04 15:48

A general fix for classes/postnuke0.7.1/User.php, using the pnAPI:

	function loadByUid($uid) {
		$name = pnModGetName();