CKEditor 4
Mon, 09/12/2011 - 09:32
#1
pnp_anchor
pnp_anchor's picture
Joined: 12/09/2011
Posts: 11

Access control for viewing pictures

Hi, I'm testing CKFinder in my environment.
About access control, I can't see how CKFinder will enforce "view" access control to only registered users:
When I click on "view" file (in the context menu) it just shows the images directing the user to the url of the images in the webserver tree.
Doing this, the access control can only be implemented on the server and no PHP is involved. A non user can guess the url and see the images as well.
Probably I'm missing something, can you give me a hint on how it is supposed to work?

Thanks Paolo
Top
Wed, 09/14/2011 - 12:05
wiktor
wiktor's picture
Joined: 16/07/2007
Posts: 1641

Re: Access control for viewing pictures

CKFinder itself has no control over the way how files are accessible if the "userfiles" folder is not protected in any way by the web server (if talking about read-only access). Most of the web servers, as you noticed, will allow viewing such file if user knows the url.

To deal with this issue, you can do at least three things, if we're talking about Apache and PHP:
- protect userfiles folder with HTTP authentication (rather insecure)
- add mod_rewrite rule in .htaccess that will forward all requests to some front controller that will check permissions first, before serving the file
- move the "userfiles" folder outside document root using the baseDir setting (so that it was impossible to view the file knowing the URL). After moving the userfiles folder, set baseUrl to something like "/viewfile.php?url=" where again, you'll do some additional authorization first, before offering the file.

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Top
Fri, 09/16/2011 - 21:48
pnp_anchor
pnp_anchor's picture
Joined: 12/09/2011
Posts: 11

Re: Access control for viewing pictures

Hi Wiktor,
Thank you for the suggestions. I like the last one.I'll let you know how I'm doing.
/Paolo
Top
Mon, 09/19/2011 - 11:23
pnp_anchor
pnp_anchor's picture
Joined: 12/09/2011
Posts: 11

Re: Access control for viewing pictures

Hi again,

I tested the 3rd option as suggested. CKFinder makes it easy by passing the folder path to the query string so that, following your example, the link becomes for instance

/viewfile.php?url=/path/to/my/file.jpg

, so it is pretty straightforward to just code a viewer that is based on this GET variable.
This is great.

However I see that thumbnails within CKFinder are displayed id 2 different ways:
The 1st time, just after the file has been uploaded, the thumbnail is shown as a background-image with a link like:

background-image: url('http://www.example.com/ckfinder/core/connector/php/connector.php?command=Thumbnail&type=Files&currentFolder=%2Fpath%2Fto%2Fmy%2F&langCode=da&hash=6d1ea1cb358e4e22&FileName=file.jpg');


while the
2nd and subsequent times, after reload of the page or after click on "update" button, with a link like:

background-image: url('/najub/viewer/?file=_thumbs/path/to/my/file.jpg?hash=6d1ea1cb358e4e22');


Now, the first practical question is: is there a way to enforce CKFinder to always use the first method to display thumbnails?

Apart from this, I think that it would be correct for CKFinder to always use the first method because the second method above, relies on a viewer that is external of CKFinder while showing thumbnails in a context that is completely within CKFinder.

However, I would be happy if I can enforce this by configuration or otherwise. The alternative is that my viewer itself has to manage display of thumbnails, and change behaviour in relation to that. This makes it unnecessary complicated.

Top
Mon, 09/19/2011 - 13:20
pnp_anchor
pnp_anchor's picture
Joined: 12/09/2011
Posts: 11

Re: Access control for viewing pictures

hmm, I see mow that the 2nd way of displaying thumbnails, mentioned, above apparently only happens in my own (special) setup and not in the out of the box installation. I need to investigate this further, so please do not use your time on this. I'll get back as soon as I have a clearer picture.
Thx, Paolo
Top
Mon, 09/19/2011 - 15:24
wiktor
wiktor's picture
Joined: 16/07/2007
Posts: 1641

Re: Access control for viewing pictures

Try this:
$config['Thumbnails']['directAccess'] = false;

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Top
Mon, 09/19/2011 - 17:22
pnp_anchor
pnp_anchor's picture
Joined: 12/09/2011
Posts: 11

Re: Access control for viewing pictures

Hi Wiktor,

Yes, thank you. That did it. I had changed that option during my many tests, and forgot about it afterwards :roll:

By the way, I've bought a license, many thanks for an excellent package and (pre sale) support.

Top
Thu, 09/22/2011 - 21:40
wiktor
wiktor's picture
Joined: 16/07/2007
Posts: 1641

Re: Access control for viewing pictures

I'm glad I could help :) , thanks for purchasing the license!

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check