admin image safety issue

Discussion corner for Developers of Serendipity.
stressedout72
Posts: 1
Joined: Sat Jan 22, 2011 6:21 pm

admin image safety issue

Post by stressedout72 »

I am using the current version 1.5.5. I ran into an issue with allowing standard users to be able to upload images. This is a great feature; however, there is no real good way of protecting the admin image directory.

Here is what I did. I created 3 directories: 1 - "admin" for admin only; 2 - "alluser" as a top directory, and I had to create a "none" group (this group has no permissions). I gave "alluser" no read/write permissions. The third directory is "alluserimages"; this directory is a sub of "allusers". This way, when a new user wants to upload images they only see the "alluserimages" directory and nothing else; the user has "standard" user privileges only.

The problem is that if the user does not select "alluserimage" from the drop-down button, then the image will be uploaded to the "base directory", although they cannot see the admin images there anyway. My question is: where can I find the file that has the "Base File" text for the button, so that I can change it to match my needs?

I would like to find where this is ("all in bold"):
<!-- WARNING: Do not change spacing or breaks below. If you do, the JavaScript childNodes need to be edited. Newlines count as nodes! -->
<div id="upload_template">
<table style="margin-top: 35px" id="upload_table" class="image_add_local">
<tr>
<td nowrap='nowrap'>Select a file you wish to upload:</td>
<td><input class="input_file" id="userfile_1" name="serendipity[userfile][1]"
onchange="checkInputs();"
type="file" /></td>
</tr>

<tr>
<td align="center" colspan="2"><br /></td>
</tr>

<tr>
<td>Save the file as:</td>
<td><input class="input_textbox" type="text" id="target_filename_1" name="serendipity[target_filename][1]" value="" size="40" /></td>
</tr>

<tr>
<td>Store inside the following directory: </td>
<td><select id="target_directory_1" name="serendipity[target_directory][1]">
<option value="">Base directory</option>
<option value="AllUsers/Alluserimages/">&nbsp;&nbsp;&nbsp;&nbsp; Alluserimages</option>
</select>
</td>
</tr>
</table>
</div>

This is in templates/default/admin/media_upload.tpl, but it is not showing the button text!
<!-- WARNING: Do not change spacing or breaks below. If you do, the JavaScript childNodes need to be edited. Newlines count as nodes! -->
<div id="upload_template">
<table style="margin-top: 35px" id="upload_table" class="image_add_local">
<tr>
<td nowrap='nowrap'>{$CONST.ENTER_MEDIA_UPLOAD}</td>
<td><input class="input_file" id="userfile_1" name="serendipity[userfile][1]"
onchange="checkInputs();"
type="file" /></td>
</tr>

<tr>
<td align="center" colspan="2"><br /></td>
</tr>

<tr>
<td>{$CONST.SAVE_FILE_AS}</td>
<td><input class="input_textbox" type="text" id="target_filename_1" name="serendipity[target_filename][1]" value="" size="40" /></td>
</tr>

<tr>
<td>{$CONST.STORE_IN_DIRECTORY}</td>
<td><select id="target_directory_1" name="serendipity[target_directory][1]">
<option value="">{$CONST.BASE_DIRECTORY}</option>
{foreach from=$media.folders item="folder"}
<option {if $media.only_path == $folder.relpath}selected="selected"{/if} value="{$folder.relpath}">{'&nbsp;'|@str_repeat:$folder.depth*2} {$folder.name}</option>
{/foreach}
</select>
</td>
</tr>
</table>
</div>
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: admin image safety issue

Post by garvinhicking »

Hi!

The directory list is created by the controllers in include/admin/images.inc.php (it occurs twice, once for dir creation and once for upload).

The easiest way to find things like this is to first look up the string in lang/serendipity_lang_en.inc.php. This is the "BASE_DIRECTORY" string. Now you can do a search in all *.php files to see where it's used.

HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
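Both posts turn on the same point: the drop-down only hides the other folders from a standard user, so the server still has to decide where an uploaded file may land when the field is left at "Base directory" or altered. The following is an added example, not Serendipity's own code, of such a server-side check in PHP; resolve_upload_dir, MEDIA_ROOT, STANDARD_USER_SUBTREE and $currentUserIsAdmin are assumed names, and the subtree path is the one from the first post.

```php
<?php
// Added example (not Serendipity's code): decide the upload target directory
// on the server side instead of trusting the "target_directory" drop-down.
const MEDIA_ROOT = '/var/www/s9y/uploads';              // assumed upload root
const STANDARD_USER_SUBTREE = 'AllUsers/Alluserimages/'; // from the thread

/**
 * Returns the relative directory (with trailing slash) a file may be stored
 * in, or null if the request must be rejected.
 */
function resolve_upload_dir(string $requested, bool $isAdmin): ?string
{
    // An empty value is what the form sends when "Base directory" stays
    // selected; for standard users map it to their own subtree instead.
    if ($requested === '') {
        return $isAdmin ? '' : STANDARD_USER_SUBTREE;
    }

    // Normalize to forward slashes and drop empty and "." segments;
    // refuse ".." outright so the path cannot leave the media root.
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $requested)) as $seg) {
        if ($seg === '..') {
            return null;
        }
        if ($seg === '' || $seg === '.') {
            continue;
        }
        $segments[] = $seg;
    }
    $relative = $segments ? implode('/', $segments) . '/' : '';

    // Standard users may only store inside their subtree (prefix match on a
    // slash-terminated path, so "Alluserimages-other/" does not qualify).
    if (!$isAdmin && strpos($relative, STANDARD_USER_SUBTREE) !== 0) {
        return null;
    }

    // The directory must already exist; this check does not create folders.
    if (!is_dir(MEDIA_ROOT . '/' . $relative)) {
        return null;
    }
    return $relative;
}

// Usage with the form field shown in the template above.
$requested = $_POST['serendipity']['target_directory'][1] ?? '';
$dir = resolve_upload_dir((string) $requested, $currentUserIsAdmin); // assumed flag
if ($dir === null) {
    http_response_code(403);
    exit('Upload target not permitted');
}
```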