The forum operates in read-only mode. Please head to StackOverflow for support.

Wed, 04/22/2009 - 11:45

gaoge_2000

Joined: 22/04/2009

Posts: 6

How to control the authorization when upload image

Hi, I am start using fckeditor(java version), and it works fine except upload function.

In our application, we expect that everybody can only operate the directories and images which
created by themselves. What I know just now is that there is a interface(net.fckeditor.requestcycle.UserAction),
which can be used for authorization.

We don't want user to view all the directories and images.( It means both operation and data query priviledge should be
under control.)
So is it applicable to implement this feature using the UserAction interface?

Please help me.
Thanks !

Wed, 04/22/2009 - 12:19

mosipov

Joined: 22/02/2008

Posts: 574

Re: How to control the authorization when upload image

Yes, UserAction gives you control on every request. So you may block requests on any basis. In 2.5 you have even access to all preprocesssed context parameters with any effort.

Thu, 04/23/2009 - 04:35

gaoge_2000

Joined: 22/04/2009

Posts: 6

Re: How to control the authorization when upload image

Thanks to Michael!
It 's really usefull to control which directory use can access using the interface UserAction.
But is it possible that we just list the directories which are created by themselves, instead of
listing all the directories on the server?
If the directory is not mine, how should you listed it to me and then don't let me see it.
It 's really very unnesscessary. It should be more friendly to the users when upload files.

Please give me more suggestions.

Thanks in advance.

Thu, 04/23/2009 - 22:47

mosipov

Joined: 22/02/2008

Posts: 574

Re: How to control the authorization when upload image

Well, there are two options to achieve this. You first have to realize, how can you safely determine who has created a specific directory? Do you 'chown' on every directory and file? Java does not allow to determine the object owner directly (except upcoming NIO 2 in Java 7 maybe). I wouldn't go this way.

The preferred option would be to provide a userfiles folder for every user. To provide this, you have to implement UserPathBuilder interface and serve paths as desired.

Be aware that this is virtually a superficial restriction/listing. No one hinders other users to access someone other's files directly through browser's address bar.

Mike

Fri, 04/24/2009 - 04:20

gaoge_2000

Joined: 22/04/2009

Posts: 6

Re: How to control the authorization when upload image

Thanks, Mike!

It seems that "UserPathBuilder" is more applicable to our application, it 's much better now although

essentially it can't stop user view others' directory.

May be in our business application(e.g. a forum), we already recorded relationship between the uploaded file and the

upload user in the database. So it may be possible to control which folder should be open for the termimal user

when "getFolderAndList" action triggers. This mean, we don't expect to "check own" on each directory in the server.

Any way, your suggestion is very useful for me.

Cheers.

Fri, 04/24/2009 - 10:17

mosipov

Joined: 22/02/2008

Posts: 574

Re: How to control the authorization when upload image

gaoge_2000 wrote::)
Thanks, Mike!

It seems that "UserPathBuilder" is more applicable to our application, it 's much better now although

essentially it can't stop user view others' directory.

May be in our business application(e.g. a forum), we already recorded relationship between the uploaded file and the

upload user in the database. So it may be possible to control which folder should be open for the termimal user

when "getFolderAndList" action triggers. This mean, we don't expect to "check own" on each directory in the server.

Any way, your suggestion is very useful for me.

Cheers.

Hi,

the interface is not intended to enforce any url rights management. It manages only access to X. If you need to control who's accessing a file/dir, do it with a request filter.
If you override the getFolders or getFiles method and you know which is the owner of a folder or file, you can simply filter the list or map you return. Displaying only necessary elements. This is really a no brainer:

String[] fileList = currentDir.list(DirectoryFileFilter.DIRECTORY);
return Arrays.asList(fileList);

would turn into:

String[] fileList = currentDir.list(DirectoryFileFilter.DIRECTORY);
String[] filteredList = filterBySomeCriterion(fileList);
return Arrays.asList(fileList);

Taken from: http://dev.fckeditor.net/browser/FCKedi ... .java#L162

The user will only see what he sould see.

But again, do the better way:

server files with:

/userfiles/<username>/<file type> instead of /userfiles/<file type>. Read the JavaDocs of the LocalConnector: http://dev.fckeditor.net/browser/FCKedi ... ector.java it gives you some ideas.

Wed, 09/23/2009 - 04:00

coolgeek

Joined: 23/09/2009

Posts: 4

Re: How to control the authorization when upload image

Sorry if this is a noob question, but I'd like to achieve the same goal - each user being directed to their own directory - but I'm not using java... the app I'm using FCKeditor in is developed in PHP. Do I have any options, or do I need to look somewhere else?

Thanks

Wed, 09/23/2009 - 08:26

mosipov

Joined: 22/02/2008

Posts: 574

Re: How to control the authorization when upload image

coolgeek wrote:Sorry if this is a noob question, but I'd like to achieve the same goal - each user being directed to their own directory - but I'm not using java... the app I'm using FCKeditor in is developed in PHP. Do I have any options, or do I need to look somewhere else?

Thanks

You always have an option by coding the solution yourself. No other connection offers that of out the box besides the Java one.

Wed, 09/23/2009 - 14:31

coolgeek

Joined: 23/09/2009

Posts: 4

Re: How to control the authorization when upload image

Thanks for the reply Michael!