AccessControl and RoleSessioneVar

Hi,
first of all congratulations for the great script.
I'ld like to know if I can use CKFinder on my own website without license.

I tried to use access control but don't work
I use php, and so I uncommented session_start();
In my config file there are:

$config['RoleSessionVar'] = 'CKFinder_UserRole';
session_start();

$config['AccessControl'][] = Array(
      'role' => 'CKFinder_UserRole',
      'resourceType' => '*',
      'folder' => '/',

      'folderView' => true,
      'folderCreate' => false,
      'folderRename' => false,
      'folderDelete' => false,

      'fileView' => true,
      'fileUpload' => false,
      'fileRename' => false,
      'fileDelete' => false);

But don't work :/
If change role to '*' it shows all

Wed, 08/29/2007 - 15:01

wiktor

Joined: 16/07/2007

Posts: 1641

Re: AccessControl and RoleSessioneVar

Hi,

We are glad that you are enjoying CKFinder
If you define RoleSessionVar:


$config['RoleSessionVar'] = 'CKFinder_UserRole';

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Wed, 08/29/2007 - 21:28

vincio

Joined: 29/08/2007

Posts: 3

Re: AccessControl and RoleSessioneVar

Tnx for all

Wed, 02/06/2008 - 19:24

mjturn

Joined: 06/02/2008

Posts: 2

Re: AccessControl and RoleSessioneVar

I have done all the above but when I set role to jake or any other name it still gives permission to rename, delete all files. It does give the proper permission for rename/delete of folders but not to files.

Any ideas??

Here are my settings and I have confirmed that the Session variable is actually set to the right value BUT the permissions are not right.

$config['RoleSessionVar'] = 'CKFinder_UserRole';
session_start();

$config['AccessControl'][] = Array(
'role' => '*',
'resourceType' => '*',
'folder' => '/',

'folderView' => true,
'folderCreate' => false,
'folderRename' => false,
'folderDelete' => false,

'fileView' => true,
'fileUpload' => false,
'fileRename' => false,
'fileDelete' => false);

$config['AccessControl'][] = Array(
'role' => 'admin',
'resourceType' => '*',
'folder' => '/',

'folderView' => true,
'folderCreate' => true,
'folderRename' => true,
'folderDelete' => true,

'fileView' => true,
'fileUpload' => true,
'fileRename' => true,
'fileDelete' => true);

Thu, 02/07/2008 - 10:58

wiktor

Joined: 16/07/2007

Posts: 1641

Re: AccessControl and RoleSessioneVar

I think I was able to reproduce the steps you were following:

I set the role to admin and loaded CKFinder.
Then I set role to jake, but didn't refresh the CKFinder interface.
In the context menu, option to delete/rename file is still available, clicking on the refresh button in CKFinder doesn't help unfortunately (tested in Firefox), I had to refresh the browser.
However, although delete/rename option were visually available, when user clicked it, he was warned that he had insufficient permissions and action had been denied.

So to summarize: it's not a security issue and may happen if user roles are switched dynamically, refreshing the browser solves it.
It will be fixed in the next release.

Thanks!

Wiktor Walc
CTO, CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+

Thu, 02/07/2008 - 18:56

mjturn

Joined: 06/02/2008

Posts: 2

Re: AccessControl and RoleSessioneVar

Thanks for looking into this! I was really pulling out my hair!

I learned to clear cache while working with fckeditor and so was doing that too! It seemed to me Refresh on Firefox was not working either... but this morning with a new browser up jake had no permission! Yippee!

However, I do have users who have multiple accounts so having it fixed for the dynamic case would be great!!

Thanks again!