Serious Security Issue with Collect?

offcamber (Registered Users, Posts: 43, Big grins)
edited July 31, 2013 in SmugMug Support
I noticed tonight that if I log into my site and then go to someone else's SmugMug site and browse their galleries, then view one of their images in the lightbox, there is an option to "collect" the photo. If you click it, it allows you to collect that photo into your own gallery. With the bug introduced with the new design today, if I were to delete that photo from my gallery, wouldn't it delete the original from the owner's original gallery?!?!?!?!

Comments

  • offcamber (Registered Users, Posts: 43, Big grins)
    edited July 31, 2013
    Well, I tested it. Luckily it errors when you try to delete a file from someone else's collection.

    It generates the error below:

    {
    "Response": {
    "Uri": "/api/v2/album/Kd3938/image/2NqrSh7?_filteruri=z&_quiet=1",
    "UriDescription": "Endpoint returning Album Image resources.",
    "EndpointType": "AlbumImage"
    },
    "Code": 405,
    "Message": "Method Not Allowed"
    }
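    The thread's worry is the classic one for any "collect" or "share into my album" feature: the collected item must be a reference, and a delete on that reference must never reach the owner's original. The model below is an added example written for this page, not SmugMug's code; it assumes an in-memory service with hypothetical users, albums and image ids, and it puts the feared behaviour (delete_naive, which resolves the image by id and destroys the stored original) beside the hardened one (delete_safe, which drops a reference when the caller only collected the image and destroys the original only for its owner). The cross-album attempt returns 403 in this model; the real API in the thread answered 405 for the same kind of request.

```python
from dataclasses import dataclass, field


class ApiError(Exception):
    """Error carrying an HTTP-style code, mirroring the {"Code", "Message"} shape in the thread."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code
        self.message = message


@dataclass
class Album:
    album_id: str
    owner: str
    # image_id -> owner; originals live only in the uploader's own album
    originals: dict = field(default_factory=dict)
    # image_ids collected (referenced) from other people's albums
    collected: set = field(default_factory=set)


class PhotoService:
    """Hypothetical in-memory model: each image is stored once, albums hold references."""

    def __init__(self):
        self.albums = {}   # album_id -> Album
        self.images = {}   # image_id -> owning user (the stored original)

    def create_album(self, user, album_id):
        self.albums[album_id] = Album(album_id, user)

    def upload(self, user, album_id, image_id):
        album = self.albums[album_id]
        if album.owner != user:
            raise ApiError(403, "Forbidden")
        self.images[image_id] = user
        album.originals[image_id] = user

    def collect(self, user, album_id, image_id):
        """Collect someone else's image into the caller's own album: a reference, not a copy."""
        album = self.albums[album_id]
        if album.owner != user:
            raise ApiError(403, "Forbidden")
        if image_id not in self.images:
            raise ApiError(404, "Not Found")
        album.collected.add(image_id)

    def delete_naive(self, user, album_id, image_id):
        """The feared behaviour: remove the stored original whenever the id is deleted
        from any album, even one that merely references it."""
        album = self.albums[album_id]
        if album.owner != user:
            raise ApiError(403, "Forbidden")
        album.collected.discard(image_id)
        album.originals.pop(image_id, None)
        self.images.pop(image_id, None)   # BUG: destroys the owner's original too
        return {"Code": 200, "Message": "Ok"}

    def delete_safe(self, user, album_id, image_id):
        """Hardened: a collector's delete drops only the reference; only the owner of
        the original may destroy it, and collectors then lose their references."""
        album = self.albums[album_id]
        if album.owner != user:
            raise ApiError(403, "Forbidden")   # thread's API returned 405 here
        if image_id in album.collected:
            album.collected.remove(image_id)
            return {"Code": 200, "Message": "Reference removed"}
        if image_id in album.originals and self.images.get(image_id) == user:
            del album.originals[image_id]
            del self.images[image_id]
            for other in self.albums.values():
                other.collected.discard(image_id)
            return {"Code": 200, "Message": "Original deleted"}
        raise ApiError(404, "Not Found")


def scenario(safe):
    """Constructed scenario: alice uploads img1, bob collects it, bob deletes it from
    his own album, then bob tries to delete it straight from alice's album."""
    svc = PhotoService()
    svc.create_album("alice", "A1")
    svc.create_album("bob", "B1")
    svc.upload("alice", "A1", "img1")
    svc.collect("bob", "B1", "img1")
    (svc.delete_safe if safe else svc.delete_naive)("bob", "B1", "img1")
    try:
        svc.delete_safe("bob", "A1", "img1")
        cross_album = 200
    except ApiError as err:
        cross_album = err.code
    return {
        "alice_still_has_original": "img1" in svc.images and "img1" in svc.albums["A1"].originals,
        "bob_reference_gone": "img1" not in svc.albums["B1"].collected,
        "cross_album_delete_code": cross_album,
    }


if __name__ == "__main__":
    print("naive:", scenario(False))
    print("safe: ", scenario(True))
```

    The check that matters is the second branch of delete_safe: ownership is decided from the stored original (self.images), not from the album the request was addressed to, so a collector can never reach the destructive path even if they own the album they are deleting from.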
  • devbobo (Registered Users, Retired Mod, Posts: 4,339, SmugMug Employee)
    edited July 31, 2013
    Collecting photos is a feature that has been offered for a number of years...
    http://help.smugmug.com/customer/portal/articles/93310-how-can-i-display-photos-in-more-than-one-gallery-
    David Parry
    SmugMug API Developer
    My Photos
  • richW (Registered Users, Posts: 941, Major grins)
    edited July 31, 2013
    offcamber wrote: »
    Well, I tested it. Luckily it errors when you try to delete a file from someone else's collection.

    It generates the error below:

    {
    "Response": {
    "Uri": "/api/v2/album/Kd3938/image/2NqrSh7?_filteruri=z&_quiet=1",
    "UriDescription": "Endpoint returning Album Image resources.",
    "EndpointType": "AlbumImage"
    },
    "Code": 405,
    "Message": "Method Not Allowed"
    }
    Collecting and removing collected images via organizer would be very nice. I'll add that to our features request list.

    Regarding the error message, I'm going to forward that over to the organizer engineer for you.
  • richW (Registered Users, Posts: 941, Major grins)
    edited July 31, 2013
    offcamber wrote: »
    Well, I tested it. Luckily it errors when you try to delete a file from someone else's collection.

    It generates the error below:

    {
    "Response": {
    "Uri": "/api/v2/album/Kd3938/image/2NqrSh7?_filteruri=z&_quiet=1",
    "UriDescription": "Endpoint returning Album Image resources.",
    "EndpointType": "AlbumImage"
    },
    "Code": 405,
    "Message": "Method Not Allowed"
    }

    As I was in the process of replying to your message, our organizer engineer contacted me and said a fix for this just went out. Could you give it another try? No error messages should be thrown at you.