Confirmed Regular users can't move images between albums

Version
3.16.2
Website URL
https://imagerot.com
PHP version
7.4.12
Database driver
MySQL
Database version
10.5.6
Web browser
Firefox/Linux

SimplyCorbett

Network license
License owner
As the admin user I can move images from no album to an album, but as a regular user I'm not able to move images after they are uploaded to another album.

It states an error occurred. It will not tell me what the error is even with debugging enabled.

Set to datafolders with mix original + random, file name IMG_20200821_154010.jpg when uploading. EXIF data removed.

Nginx config:

Code:
server {
    listen 443 ssl http2;
    server_name imagerot.com;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant
    ssl_certificate /etc/nginx/certs/imagerot.com/fullchain1.pem;
    ssl_certificate_key /etc/nginx/certs/imagerot.com/privkey1.pem;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    client_max_body_size 20M;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
    set_real_ip_from 209.141.35.202/32;
    set_real_ip_from 205.185.125.36/32;
    set_real_ip_from 10.0.1.50/32;
    set_real_ip_from 192.168.5.1/32;
    set_real_ip_from 172.16.49.45/32;
    set_real_ip_from 209.141.39.71/32;
    set_real_ip_from 172.16.254.165/32;
    set_real_ip_from 172.16.78.153/32;
    set_real_ip_from 209.141.38.128/32;
    set_real_ip_from 209.185.117.216/32;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
        fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/imagerot;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Disable access to sensitive files
    location ~* (app|content|lib)/.*\.(po|php|lock|sql)$ {
        deny all;
    }

    # Image not found replacement
    location ~ \.(jpe?g|png|gif|webp)$ {
        log_not_found off;
        error_page 404 /content/images/system/default/404.gif;
    }

    # Pretty URLs
    location / {
        index index.php;
        try_files $uri $uri/ /index.php$is_args$query_string;
    }

    location ~* \.php$ {
        fastcgi_pass php-handler;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
    }
}
 

SimplyCorbett

Network license
License owner
Have triple checked with display_errors and debug level 3 enabled. The only thing that pops up is a timezone error.
 

Rodolfo

Chevereto creator
Chevereto Staff
I'm unable to replicate the issue.

I was capable of moving user images from no album to some existing album without issues. It also worked when moving images from no album to a new album.
 

SimplyCorbett

Network license
License owner
It looks like it's limited to one area. Chevereto will let users move images between albums when viewing the image directly, but when it's in the image viewer/slideshow it doesn't work.
 

Attachments

  • part1.png
    part1.png
    162.1 KB · Views: 13
  • part2.png
    part2.png
    504.1 KB · Views: 2

SimplyCorbett

Network license
License owner
Shot you a DM on discord with a gif/webp of the problem. I can replicate it on the demo site and it happens on both linux and windows with firefox & ublock.
 

Rodolfo

Chevereto creator
Chevereto Staff
The issue is triggered for normal users moving images from listings when the setting "Lock NSFW editing" is enabled. I've patched the demo, please check.
 
Top