    • 30223
    • 1,010 Posts
    Hi,

    version: MaxiGallery v0.4.1

    The gallery I’ve set up can only be viewed or managed when you are logged in as a webuser. But now I have an issue if I want to edit a gallery while I’m logged in as a manager-user. In MODx 092 the manager-users and webusers are not ’synchronised’, so when I want to manage the gallery I also have to log in as a webuser. Since I’m logged in as a manager-user I want to be able to edit all images, but currently MaxiGallery will only let me see my own pictures.

    I’ve had a look at the code to see why this is so and noticed that firstly the checkPermissions() function bails out immediately after testing for a webuser.
    <?php
    function checkPermissions($userid,$docid,$mgconfig){
    	global $modx;
    	if($userid) {
    		// check whether user is allowed to modify this page (-> $result1=1)
    		$rs1=$modx->db->query("SELECT * FROM (" . $modx->db->config['table_prefix'] . "member_groups LEFT JOIN " . $modx->db->config['table_prefix'] . "membergroup_access ON user_group=membergroup) LEFT JOIN " . $modx->db->config['table_prefix'] . "document_groups ON documentgroup=document_group WHERE member='" . $userid . "' and document='" . $docid . "'");
    		$result1=$modx->db->getRecordCount($rs1);
    
    		// check if user is administrator (-> $result2=1)
    		$rs2=$modx->db->query("SELECT * FROM " . $modx->db->config['table_prefix'] . "user_attributes WHERE id='" . $userid . "' AND role='1'");
    		$result2=$modx->db->getRecordCount($rs2);
    
    		if($result1>0 || $result2>0) {
    			return true;
    		} else {
    			return false;
    		}
    	//check whether user is logged in and belongs to selected webgroups
    	} else if(count($mgconfig['manager_webgroups'])>0 && $modx->isMemberOfWebGroup($mgconfig['manager_webgroups'])){
    		return true; 
    	//check whether user is logged in and is defined in manager_webusers
    	} else if ($modx->getLoginUserName()!="" && in_array($modx->getLoginUserName(), $mgconfig['manager_webusers'])){
    		return true;
    	} else {
    		return false;
    	}
    }
    ?>
    


    This would mean that if I as a webuser do not have the right privileges but as a manager-user I do, I am unable to manage any images at all. This seems counterintuitive to me. I’ve rewritten the function slightly so it checks for both webuser and manager-user and, if either is OK, returns a positive.
    
    [b]the MOD:[/b]
    <?php
    // Original fails if user is logged in both as a manager-user and as a webuser where the webuser does not
    // have edit permissions but the manager-user does
    // MOD by TobyL 
    
    function checkPermissions($userid,$docid,$mgconfig){
    	global $modx;
    	if($userid) {
    		// check whether user is allowed to modify this page (-> $result1=1)
    		$rs1=$modx->db->query("SELECT * FROM (" . $modx->db->config['table_prefix'] . "member_groups LEFT JOIN " . $modx->db->config['table_prefix'] . "membergroup_access ON user_group=membergroup) LEFT JOIN " . $modx->db->config['table_prefix'] . "document_groups ON documentgroup=document_group WHERE member='" . $userid . "' and document='" . $docid . "'");
    		$result1=$modx->db->getRecordCount($rs1);
    
    		// check if user is administrator (-> $result2=1)
    		$rs2=$modx->db->query("SELECT * FROM " . $modx->db->config['table_prefix'] . "user_attributes WHERE id='" . $userid . "' AND role='1'");
    		$result2=$modx->db->getRecordCount($rs2);
    
    		if($result1>0 || $result2>0) {
    			return true;
    		}
    	}
    		
    	//check whether user is logged in and belongs to selected webgroups
    	if(count($mgconfig['manager_webgroups'])>0 && $modx->isMemberOfWebGroup($mgconfig['manager_webgroups'])){
    		return true; 
    	//check whether user is logged in and is defined in manager_webusers
    	} else if ($modx->getLoginUserName()!="" && in_array($modx->getLoginUserName(), $mgconfig['manager_webusers'])){
    		return true;
    	} else {
    		return false;
    	}
    }
    
    ?>
    


    The second bit of code, which causes only the images owned by the webuser to be shown, starts at line 546 in the snippet itself. I made a small change here as well.

    Original:
    <?php
    //if webuser and logged in, get only pics owned by him
    if($modx->getLoginUserID()!="" && $modx->getLoginUserType()=='web'){
    	$rs1=$modx->db->query("SELECT * FROM " . $pics_tbl . " WHERE gal_id='" . $pageinfo['id'] . "' AND own_id='" . $modx->getLoginUserID() . "' ORDER BY " . $mgconfig['order_by'] . " " . $mgconfig['order_direction']);
    }else{ //else, logged from backend and rights to edit this page, get all pics
    	$rs1=$modx->db->query("SELECT * FROM " . $pics_tbl . " WHERE gal_id='" . $pageinfo['id'] . "' ORDER BY " . $mgconfig['order_by'] . " " . $mgconfig['order_direction']);
    }
    ?>
    


    and the MOD:
    <?php
    //if logged from backend and rights to edit this page, get all pics	
    if($_SESSION['mgrValidated'] && $_SESSION['mgrPermissions']['edit_document']){
    	$rs1=$modx->db->query("SELECT * FROM " . $pics_tbl . " WHERE gal_id='" . $pageinfo['id'] . "' ORDER BY " . $mgconfig['order_by'] . " " . $mgconfig['order_direction']);
    }else{
    	$rs1=$modx->db->query("SELECT * FROM " . $pics_tbl . " WHERE gal_id='" . $pageinfo['id'] . "' AND own_id='" . $modx->getLoginUserID() . "' ORDER BY " . $mgconfig['order_by'] . " " . $mgconfig['order_direction']);
    }
    ?>
    


    The upshot of these mods is that:
    When a user is logged in as a manager-user (as well as a webuser), the permissions of the manager-user take precedence and all images are shown in the gallery manager (provided (s)he has document-edit privileges).
    When only logged in as a webuser (and being allowed to manage the gallery) the gallery manager will only show the images owned by the webuser.

    Let me know if I’ve overlooked something, but it seems to me this is more logical.
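    The two decisions in the post above (who may manage the gallery, and whose pictures the manager view lists) as a stand-alone model. This is an added example, not the poster's code and not MaxiGallery's own; the MODx database and session lookups are replaced by a plain $ctx array so it runs offline with `php`, and every name in it (the $ctx keys, the function names, the allow-listed column names, the table name, the PDO-style `?` placeholders) is an assumption for illustration rather than the snippet's API. Beyond the post it also builds the picture query with bound parameters instead of concatenated values.

```php
<?php
// Added example (not MaxiGallery's code). $ctx models what the snippet reads
// from MODx; all keys are constructed for this script:
//   mgr_userid        manager (backend) user id, 0 when not logged in as a manager
//   mgr_can_edit_doc  manager user has rights on this document (member_groups join)
//   mgr_is_admin      manager user has role 1
//   mgr_validated     $_SESSION['mgrValidated']
//   mgr_edit_document $_SESSION['mgrPermissions']['edit_document']
//   web_userid        webuser id, '' when not logged in as a webuser
//   web_in_mgr_group  webuser belongs to one of $mgconfig['manager_webgroups']
//   web_username      webuser login name, '' when not logged in

// Original control flow: the manager branch returns in every case, so a manager
// without document rights never reaches the webuser checks below it.
function checkPermissionsOriginal(array $ctx, array $mgconfig): bool {
    if ($ctx['mgr_userid']) {
        return $ctx['mgr_can_edit_doc'] || $ctx['mgr_is_admin'];
    } elseif (count($mgconfig['manager_webgroups']) > 0 && $ctx['web_in_mgr_group']) {
        return true;
    } elseif ($ctx['web_username'] !== '' && in_array($ctx['web_username'], $mgconfig['manager_webusers'], true)) {
        return true;
    }
    return false;
}

// Modified control flow: a manager with document rights is accepted at once;
// otherwise the decision falls through to the webuser checks.
function checkPermissionsModified(array $ctx, array $mgconfig): bool {
    if ($ctx['mgr_userid'] && ($ctx['mgr_can_edit_doc'] || $ctx['mgr_is_admin'])) {
        return true;
    }
    if (count($mgconfig['manager_webgroups']) > 0 && $ctx['web_in_mgr_group']) {
        return true;
    }
    return $ctx['web_username'] !== '' && in_array($ctx['web_username'], $mgconfig['manager_webusers'], true);
}

// Second decision: which pictures to list. Values are returned as bound
// parameters; ORDER BY cannot be bound, so the column and direction are checked
// against a constructed allow-list before being interpolated.
function picsQuery(array $ctx, array $mgconfig, string $picsTbl, int $galId): array {
    $allowedCols = ['id', 'filename', 'pos', 'date'];  // assumption, not the real schema
    $col = in_array($mgconfig['order_by'], $allowedCols, true) ? $mgconfig['order_by'] : 'id';
    $dir = strtoupper($mgconfig['order_direction']) === 'DESC' ? 'DESC' : 'ASC';

    if ($ctx['mgr_validated'] && $ctx['mgr_edit_document']) {
        // Manager rights take precedence: every picture in the gallery.
        return ["SELECT * FROM $picsTbl WHERE gal_id = ? ORDER BY $col $dir", [$galId]];
    }
    // Otherwise only the webuser's own pictures.
    return ["SELECT * FROM $picsTbl WHERE gal_id = ? AND own_id = ? ORDER BY $col $dir",
            [$galId, $ctx['web_userid']]];
}

$mgconfig = ['manager_webgroups' => ['GalleryAdmins'], 'manager_webusers' => ['alice'],
             'order_by' => 'pos', 'order_direction' => 'asc'];

// Constructed scenario from the post: logged in as a manager without document
// rights and, at the same time, as a webuser who is in a manager webgroup.
$both = ['mgr_userid' => 3, 'mgr_can_edit_doc' => false, 'mgr_is_admin' => false,
         'mgr_validated' => true, 'mgr_edit_document' => false,
         'web_userid' => 7, 'web_in_mgr_group' => true, 'web_username' => 'bob'];

var_dump(checkPermissionsOriginal($both, $mgconfig));
var_dump(checkPermissionsModified($both, $mgconfig));
[$sql, $params] = picsQuery($both, $mgconfig, 'example_maxigallery_pics', 12);
echo $sql, PHP_EOL, implode(',', $params), PHP_EOL;
```

    Run it with `php example.php`: the original check rejects the combined login while the modified one accepts it, and because this manager lacks edit_document the picture query keeps the own_id filter, which is the precedence rule the post describes.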
      • 7923
      • 4,213 Posts
      Yes, I hadn’t thought at the time that you could be logged in as both a webuser and a manager user at the same time. Thanks for the fix, I’ll include it in the next version!


        "He can have a lollipop any time he wants to. That's what it means to be a programmer."