Hi, I'm testing CKFinder in my environment.
About access control, I can't see how CKFinder will enforce "view" access control to only registered users:
When I click on "view" file (in the context menu) it just shows the images directing the user to the url of the images in the webserver tree.
Doing this, the access control can only be implemented on the server and no PHP is involved. A non-user can guess the URL and see the images as well.
Probably I'm missing something, can you give me a hint on how it is supposed to work?
Thanks Paolo
Re: Access control for viewing pictures
CKFinder itself has no control over how files are accessible if the "userfiles" folder is not protected in any way by the web server (if talking about read-only access). Most web servers, as you noticed, will allow viewing such a file if the user knows the URL.
To deal with this issue, you can do at least three things, if we're talking about Apache and PHP:
- protect userfiles folder with HTTP authentication (rather insecure)
- add mod_rewrite rule in .htaccess that will forward all requests to some front controller that will check permissions first, before serving the file
- move the "userfiles" folder outside the document root using the baseDir setting (so that it is impossible to view the file knowing the URL). After moving the userfiles folder, set baseUrl to something like "/viewfile.php?url=" where again, you'll do some additional authorization first, before offering the file.
Wiktor Walc
CTO, CKSource - http://cksource.com
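
A sketch of the `viewfile.php` front controller from the third option, added here as an example; it is not CKFinder code or code from the posts above. The `$_SESSION['user_id']` login marker, the `/var/www/private/userfiles` location and the extension list are assumptions to replace with your application's own.

```php
<?php
// viewfile.php: added example, not part of CKFinder.
// Assumptions: the application sets $_SESSION['user_id'] at login, and the
// userfiles folder lives at USERFILES_ROOT, outside the document root.
declare(strict_types=1);

const USERFILES_ROOT = '/var/www/private/userfiles';   // assumed location
const ALLOWED_TYPES = [                                 // extensions we serve
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/** Map the requested path to a regular file inside $root, or return null. */
function resolveUserFile(string $root, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    // realpath() collapses "../" and follows symlinks, so the prefix check
    // below compares the real target against the real root.
    $target = realpath($root . '/' . ltrim($requested, '/'));
    if ($rootReal === false || $target === false || !is_file($target)) {
        return null;
    }
    $prefix = rtrim($rootReal, '/') . '/';
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

session_start();
if (empty($_SESSION['user_id'])) {           // not a registered user: refuse
    http_response_code(403);
    exit('Forbidden');
}

$req  = $_GET['url'] ?? '';                  // "url" as in "/viewfile.php?url="
$file = is_string($req) ? resolveUserFile(USERFILES_ROOT, $req) : null;
$ext  = $file === null ? '' : strtolower(pathinfo($file, PATHINFO_EXTENSION));
if ($file === null || !isset(ALLOWED_TYPES[$ext])) {
    http_response_code(404);                 // same answer for missing and out-of-root
    exit('Not found');
}

header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');  // keep shared caches from storing it
readfile($file);
```

The session check only proves the visitor is logged in; per-folder permissions, if you use them in CKFinder, need an additional check on the resolved path before `readfile()`.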
Re: Access control for viewing pictures
Thank you for the suggestions. I like the last one. I'll let you know how I'm doing.
/Paolo
Re: Access control for viewing pictures
Hi again,
I tested the 3rd option as suggested. CKFinder makes it easy by passing the folder path to the query string so that, following your example, the link becomes for instance
Re: Access control for viewing pictures
Thx, Paolo
Re: Access control for viewing pictures
Wiktor Walc
CTO, CKSource - http://cksource.com
Re: Access control for viewing pictures
Hi Wiktor,
Yes, thank you. That did it. I had changed that option during my many tests, and forgot about it afterwards.
By the way, I've bought a license, many thanks for an excellent package and (pre sale) support.
Re: Access control for viewing pictures
I'm glad I could help, thanks for purchasing the license!
Wiktor Walc
CTO, CKSource - http://cksource.com