1
kaotik
ck editor + file browser is disabled
  • 2009/10/26 14:13

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


Hi
I've been tring to implement ckeditor (with XOOPS 2.4) in one of my modules.
When I try to upload an image it gives me a "file browser is disabled"
I've been reading through the ckeditor files in xoopseditor/ckeditor but haven't been able to pinpoint it.
Has anyone also encountered this?
Thank for any help.

2
ghia
Re: ck editor + file browser is disabled
  • 2009/10/26 14:30

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
When I try to upload an image it gives me a "file browser is disabled"
Didn't it tell you the full story?
Quote:
The file browser is disabled for security reasons. Please contact your system administrator and check the CKFinder configuration file.

Adapt /class/xoopseditor/ckeditor/ckfinder/config.php
Warning from the file:
Quote:
WARNING : DO NOT simply return "true". By doing so, you are allowing "anyone" to upload and list the files in your server. You must implement some kind of session validation here. Even something very simple as...

CKFinder Doc

3
kaotik
Re: ck editor + file browser is disabled
  • 2009/10/26 14:35

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


I've checked that already. All seems to be set correctly but it still doesn't work.

4
kaotik
Re: ck editor + file browser is disabled
  • 2009/10/28 12:08

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


I've solved it. Now the editor will first check if you are a XOOPS admin, if yes it will let you manage images and upload.

Here's the solution:
Open class/xoopseditor/ckeditor/ckfinder/config.php

around line line 32 find:
return false;


replace with:
include_once "../../../../../../../mainfile.php";
    
$isadmin = ($xoopsUser && $xoopsUser->isAdmin()) ? 0
if (
$isadmin===1) {
return 
true;
} else {
return 
false;
}


So the entire function should look like this:
function CheckAuthentication()
{
    
//WARNING : DO NOT simply return "true". By doing so, you are allowing
    //"anyone" to upload and list the files in your server. You must implement
    //some kind of session validation here. Even something very simple as...

    // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];

    //... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    //user logs in your system.
    
    
include_once "../../../../../../../mainfile.php";
    
$isadmin = ($xoopsUser && $xoopsUser->isAdmin()) ? 0
if (
$isadmin===1) {
return 
true;
} else {
return 
false;
}
    
}

5
hrac
Re: ck editor + file browser is disabled
  • 2010/9/21 20:40

  • hrac

  • Quite a regular

  • Posts: 305

  • Since: 2002/7/15


I guess it is a good idea that every xoops user have a unique folder for uploads and every user can see (list), upload and delete own files in his/her unique folder. Is it possible to implement this kind of mechanism?

6
ghia
Re: ck editor + file browser is disabled
  • 2010/9/21 23:47

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Allowing people to upload files is a serious security risk.
Only limited file types should be possible and only for trustworthy people, that have also the knowledge of what files can breach security and which don't.

7
hrac
Re: ck editor + file browser is disabled
  • 2010/9/22 1:27

  • hrac

  • Quite a regular

  • Posts: 305

  • Since: 2002/7/15


If we allow only jpeg or gif image file, and than publish them on website. Does this cause any security risk?

8
ghia
Re: ck editor + file browser is disabled
  • 2010/9/22 8:22

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


In principle no, but it is possible to 'execute' files of another type as PHP files (image contains code), when the .htaccess is manipulated and some jpg files can make use of security flaws in Windows, when your users' computer is not running the latest security updates.
Because 'An image is 1000 words', it is easier to have offending content.

Login

Who's Online

212 user(s) are online (138 user(s) are browsing Support Forums)


Members: 0


Guests: 212


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits