Access / Rights Problem when gallery is private

Hi,

Although I'm newly registered, I've been using zenphoto and reading the forum for some time now. And I really love your software.

I'm using zenphoto 1.4.2-Dev at the moment, but the following problem also occurs in 1.4.1.4

I configured a gallery to be private. (So only registered users have access.)

Normal users (logged in, but without admin rights) now have the problem that they can't view any albums that are not specifically assigned to them in the 'managed albums' part of the rights section.
If they click a link to view the album in the menu, they are redirected to the login-page.

As I'm using the Zenpage-Theme the same occurs for Pages and News.

If a user is assigned the 'View Albums', 'View News' or 'View Pages' rights, the gallery is working, but unpublished items are also shown.

Is this behaviour intended or is it a bug?

I was able to track the problem back and wrote a little plugin that hooks to `isMyItemToView`-Filter in `checkAccess()` of template-functions.php

It's almost a copy of the original function and just also grants access if e.g. `$_zp_current_album->getShow()` is true.

This workaround is certainly not the cleanest solution, but it partly fixes the problem for me.

Only partly, because:
The news section is still not working, as it has other security checks inside, for which I didn't find a workaround without modifying the core itself.

Comments

  • I am not seeing this issue. But there are two things for you to check (depending on if it is the DEV or the trunk branch).

    DEV: if what you are not seeing is images and subalbums within the album, then maybe they are unpublished. The user needs "EDIT" subrights to see these.

    Trunk: Same observation, but here the subright for "view unpublished" is needed.

    Also be sure you are running the latest nightly builds in both cases.
  • Thanks for your quick reply.

    I checked that and everything is published. They also show up on the gallery-index and are displayed correctly through `printAlbumMenu()`. Just when I open album.php, image.php, pages.php or news.php I get redirected to the login page, as if I'm not logged in at all.

    But as you couldn't reproduce my problem,
    I did a clean install of the latest dev nightly on another test-server and I'm not experiencing the problems there, with no plugins enabled and on a new db. Strange.

    So my guess is I'm having problems either with a plugin or somehow my mysql-db got corrupted.
    Though the stored `rights`-value of `272497` in `zp_administrators` is correct.

    I guess I have to do some more investigation into what causes this problem.
  • Just saw that the latest nightly has some changes that address this problem.
    That's maybe 'cause it works on my test installation now.

    I'll test it on my existing installation, and report back.
    But the code changes look promising.

    Thanks for your help.
  • I played around a bit with the latest nightly and now normal users have access to published albums. So that works perfectly.

    Zenpage news is still not working though.
    `isMyItem()` needs some tweaking in these classes as well.

    Clicking on a category takes you to the login page again, and on 'All news' every entry is marked with 'This article belongs to a protected category.'
    and CombiNews entries are marked with 'This entry belongs to a protected album.'
  • I have made some changes in the DEV branch to hopefully fix these. (Sorry, the change is extensive, it will NOT go into the 1.4.1 release.) Please try tonight's DEV build and report back. Especially try various combi-news pages, as this is an area where I was not sure of the proper handling.
  • OK, after doing some testing I can tell that:

    - combi-news seems to work fine.

    - news articles still won't work.
    In zenpage-class-news.php `isMyItem()` needs some changes.
    On line 193
    `if (!empty($mycategories)) {`
    should be changed to something like
    `if (!empty($mycategories) || ($this->getShow() && $action == LIST_RIGHTS)) {`
    I think.

    - the changes made for albums screwed things on the backend.
    Users are now able to upload to all published albums, and
    the option to create a subalbum for their 'user album' has disappeared.
    Users will be shown all published albums in the albums manager tab instead of only the ones they have manage rights on.
    Also they will be given the possibility to 'edit album' in the admin toolbox if they are on an album page.
    In class-album.php on line 1244, changing:
    `if (GALLERY_SECURITY == 'private' && $this->getShow()) {`
    to:
    `if (GALLERY_SECURITY == 'private' && $this->getShow() && $action == LIST_RIGHTS) {`
    fixed the problem for me.
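
The album regression reported in the comment above, as an added example that is not part of the thread and is not Zenphoto source: a simplified model of `isMyItem()` in which "published" grants every action versus only the `LIST_RIGHTS` (view) action. The `Album` class, the `DEMO_*` constants, all right values and the user names are constructed for illustration; only `LIST_RIGHTS`, `GALLERY_SECURITY` and `getShow()` are names taken from the thread. Requires PHP 8.

```php
<?php
// Constructed right values; Zenphoto's real bit values are not shown in the thread.
const LIST_RIGHTS = 1;        // view/list an item (name from the thread)
const DEMO_UPLOAD = 2;        // hypothetical: upload into an album
const DEMO_EDIT   = 4;        // hypothetical: edit the album in the backend
const GALLERY_SECURITY = 'private';

final class Album {
    public function __construct(
        public string $name,
        private bool $published,
        private array $managers   // users holding "managed albums" rights (assumed model)
    ) {}

    public function getShow(): bool { return $this->published; }

    // Before the fix: publication alone satisfies the check for ANY action.
    public function isMyItemBefore(string $user, int $action): bool {
        if (in_array($user, $this->managers, true)) return true;
        if (GALLERY_SECURITY == 'private' && $this->getShow()) return true;
        return false;
    }

    // After the fix: publication only satisfies a view request.
    public function isMyItemAfter(string $user, int $action): bool {
        if (in_array($user, $this->managers, true)) return true;
        if (GALLERY_SECURITY == 'private' && $this->getShow() && $action == LIST_RIGHTS) return true;
        return false;
    }
}

$albums  = [new Album('holiday', true, ['alice']), new Album('drafts', false, ['alice'])];
$actions = ['LIST' => LIST_RIGHTS, 'UPLOAD' => DEMO_UPLOAD, 'EDIT' => DEMO_EDIT];

// Authorization matrix for 'bob', a logged-in user who manages nothing.
// Expected: only LIST on a published album is allowed.
foreach ($albums as $album) {
    foreach ($actions as $label => $action) {
        $expected = $album->getShow() && $action === LIST_RIGHTS;
        $before   = $album->isMyItemBefore('bob', $action);
        $after    = $album->isMyItemAfter('bob', $action);
        printf("%-8s %-6s before=%-5s after=%-5s %s\n", $album->name, $label,
            var_export($before, true), var_export($after, true),
            $after === $expected ? 'ok' : 'FAIL');
    }
}
```

Running the matrix shows `before=true` for UPLOAD and EDIT on the published album, which is the backend behaviour described in the comment; a per-action matrix like this is a cheap regression test whenever a view shortcut is added to a shared ownership check.
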
  • Both those fixes look correct. Thanks for your efforts. Let us know if you discover anything else.
  • Hello, I am using version 1.4.1.5 [8326] with a similar issue. If a user does not have management rights for a category he can not view the news articles. (Even though "View News" is checked in the news frame of the user options.) It states that these belong to a protected category. If I add management rights everything is fine.

    Please clarify if your comment means that the fixes will not be in any 1.4.1.x releases and I should use a DEV release to resolve this issue.

    Thanks for the great work on the gallery.
  • Sorry, what is not clear? The statement says that the fixes will not go into the 1.4.1.x release stream. What is unclear about that?

    The fixes have gone into the 1.4.2 release stream. That was (at the time of posting) represented by the DEV branch of the Zenphoto repository and the DEV nightly builds. However, 1.4.2 has gone into Beta now, so the Trunk branch and nightly builds now represent the up-coming release.

    If you wish to have these fixes you will have to install the 1.4.2 Beta release.