Forum OpenACS Q&A: Photo Album Permissions

Posted by Brad Ford on
I just did a fresh install from head - great progress on the release! I installed photo-album, encountered an error re couldn't exec ImageMagick commands but found a thread on correcting the ImageMagick path parameter (it's in /usr/bin on Suse). No problems down to the level of thumbnail views. When a non-admin (be it a registered user or the public) clicks to view the jpg, they get an error saying they don't have permission to write. If I grant permission to write, they can view but they also can edit. Am I missing a permission level specific to viewing in photo album here? I have the parameters for the photo album package set to the_public read registered_users read i.e. I took away the write privileges as I don't want people futzing with my posts. Is there a happy medium between reading and writing?
Posted by Staffan Hansson on
Brad, I reported this as bug #1234 a few days ago. Maybe you would like to add a comment to the bug.
Posted by Brad Ford on
I just noticed that bug report myself (mental note - check bug tracker before posting questions). I'll see if I can figure out a fix for it...
Posted by Brad Ford on
I think this is the source of the error - lines 42 - 54 of photo.tcl:
ad_require_permission $photo_id "read"
set user_id [ad_conn user_id]
set context [pa_context_bar_list $photo_id]
set root_folder_id [pa_get_root_folder]

# to move a photo need write on photo, and old parent album
# and pa_create_photo on new parent album (which is check in the is_valid block)


set old_album_id [db_string get_parent_album {}]

ad_require_permission $photo_id write
ad_require_permission $old_album_id write
Those lines are all outside of any code blocks i.e., no if statements - looks like the permissions are first checked for read (as one would expect), then checked again for write in case the user is trying to move a photo to a different album. I think the write permissions need to be in an if statement checking to see if that action is being taken - I'm just not sure where on the page that is or which flag is set to do that. Anyone else care to take a peek? I'll keep digging and drag out the old tcl manual...
Posted by Brad Ford on
Ok, digging further, the code block for displaying the form to move the photo to another album starts on line 85:
# to move a photo need write on photo and write on parent album
set move_p [expr $write_p && $album_write_p]
# build form to move the photo if move_p is 1
if $move_p {

    template::form create move_photo

    template::element create move_photo photo_id -label "photo ID" \
	-datatype integer -widget hidden


    set albums_list [db_list_of_lists get_albums { *SQL* }]
...
The $album_write_p on line 86 is not set anywhere on the page, so I'm guessing the ad_require_permissions on lines 54/55 should have been something like:
set album_write_p [expr {[ad_permission_p $photo_id write] && [ad_permission_p $old_album_id write]}]
My tcl is way rusty - is that correct syntax above? And is ad_permission_p the accepted api for permission checking?

Later in the code (line 96), the SQL query named get_albums is called but is not defined in photo.xql - could it be defined elsewhere and still be read into this page?

And then there's a stray '7' on line 124...

Looks like the code was not finished for this form and it snuck in as the undefined album_write_p means the code block to set up the form is never called and the code to display the form on photo.adp is also never called.

I will try to fix it but have no idea what the SQL for getting a list of album ids would be - looks like get_children from photo-album's index-postgres.xql would do the trick using the root folder id?

Am I way off base here?
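
The distinction the last two posts turn on (a hard check that aborts the request versus a predicate that only decides whether the move form is shown) can be modelled outside the server. The following is an added example written for this thread, not photo-album's own code: it uses a constructed in-memory ACL with made-up user and object ids, and stand-ins named permission_p and require_permission for ad_permission_p and ad_require_permission. It shows why unconditional write checks lock read-only users out, and how the fixed flow requires only read for viewing while still re-checking write and pa_create_photo when a move is actually attempted.

```python
# Added example (not OpenACS/photo-album code): models the permission gating
# discussed in the thread. require_permission aborts like ad_require_permission;
# permission_p only returns a boolean like ad_permission_p.


class PermissionDenied(Exception):
    """Raised where OpenACS would abort the request with a permission error."""


# Constructed sample ACL: (user, object_id) -> set of privileges.
# User names and object ids are made up for this example.
ACL = {
    ("owner", "photo-1"): {"read", "write"},
    ("owner", "album-1"): {"read", "write"},
    ("owner", "album-2"): {"read", "write", "pa_create_photo"},
    ("public", "photo-1"): {"read"},
    ("public", "album-1"): {"read"},
    ("public", "album-2"): {"read"},
    # "stranger" has no grants at all
}


def permission_p(acl, user, obj, priv):
    """Predicate check (stand-in for ad_permission_p): never raises."""
    return priv in acl.get((user, obj), set())


def require_permission(acl, user, obj, priv):
    """Hard check (stand-in for ad_require_permission): aborts on failure."""
    if not permission_p(acl, user, obj, priv):
        raise PermissionDenied(f"{user} lacks {priv} on {obj}")


def view_photo_buggy(acl, user, photo_id, old_album_id):
    """Behaviour reported in the thread: write is demanded on every view,
    so a read-only viewer is rejected even though no move was requested."""
    require_permission(acl, user, photo_id, "read")
    require_permission(acl, user, photo_id, "write")
    require_permission(acl, user, old_album_id, "write")
    return {"photo_id": photo_id, "album_id": old_album_id, "show_move_form": True}


def view_photo_fixed(acl, user, photo_id, old_album_id, move_to=None):
    """Read is required unconditionally. Write on the photo and its album only
    decides whether the move form is offered; it is enforced (together with
    pa_create_photo on the target album) only when a move is attempted."""
    require_permission(acl, user, photo_id, "read")
    write_p = permission_p(acl, user, photo_id, "write")
    album_write_p = permission_p(acl, user, old_album_id, "write")
    move_p = write_p and album_write_p
    if move_to is None:
        return {"photo_id": photo_id, "album_id": old_album_id, "show_move_form": move_p}
    # Action path: re-check server-side rather than trusting the form having been shown.
    if not move_p:
        raise PermissionDenied(f"{user} may not move {photo_id}")
    require_permission(acl, user, move_to, "pa_create_photo")
    return {"photo_id": photo_id, "album_id": move_to, "show_move_form": move_p}


def denied(fn, *args, **kwargs):
    """True if the call is rejected with PermissionDenied, False if it succeeds."""
    try:
        fn(*args, **kwargs)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    print("public view, buggy :", "denied" if denied(view_photo_buggy, ACL, "public", "photo-1", "album-1") else "ok")
    print("public view, fixed :", view_photo_fixed(ACL, "public", "photo-1", "album-1"))
    print("owner view, fixed  :", view_photo_fixed(ACL, "owner", "photo-1", "album-1"))
    print("owner move, fixed  :", view_photo_fixed(ACL, "owner", "photo-1", "album-1", move_to="album-2"))
    print("public move, fixed :", "denied" if denied(view_photo_fixed, ACL, "public", "photo-1", "album-1", move_to="album-2") else "ok")
```

The key point is that the boolean computed for the form (move_p) is not what protects the move itself; the action path repeats the checks, so granting the_public read alone keeps photos viewable without making them movable.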

Posted by Brad Ford on
As a quick fix, commenting out lines 54 and 55 fixes the read problem and doesn't seem to cause any other issues re permissioning. Just can't move photos to different albums until the rest of the code is fixed.
Posted by Christian Eva on
Done that as well and it works smoothly, nice application!

The only thing I missed so far was in the "Edit these Photos" a "delete" checkbox beside the "hide" box...

Posted by Jose Pablo Escobedo Del Cid on
I tried commenting out the lines 54 and 55 and everything seems to be ok. I even tried to move photos to different albums owned by the same user and I could, what were you trying to do ("Just can't move photos to different albums until the rest of the code is fixed")?

The write_p and album_write_p are set in the xql page so I don't see where the problem is, or am I missing something?

Posted by Brad Ford on
Hi Pablo,

That would probably be me being off-base... I'm still pretty new to digging around in the code and gaining an understanding of how all the bits fit together. I missed the var being set in the main tcl page.