11 posts Page 1 of 2
Hello!

Is there any way to make the fileuploadbrowser to allow access to upload files without being logged in as super admin?

I've got a gallery on my site, as well as other pages that use images as well, that require me to be logged in as superadmin to access the fileuploadbrowser.html (Browse Server Button).

In my gallery.php file, I have

Code:
<cms:input type="bound" name="gg_image" />


Everything works like a charm as long as I'm logged in as super admin, but if I'm not, I get an xml error 200(ok). I've found the code in the fileuploadbrowser.html that is throwing the error, but it would require I change the file itself to fix that, and I don't think that is the way to go.

I've been trying to modify around that by emulating the input field parameters with my own instance of kcfinder and it works fine and grabs the url, but when I create or edit an image in the gallery, the image url is sent as blank. I'm sure this is a security thing put in place.

Code:
<input type="text" name="f_gg_image" id="f_gg_image" class="k_image_text" onclick="openKCFinder(this)" style="cursor:pointer" size="65" />


I'd like to have either or work.

Basically

Option 1: Can I make fileuploadbrowser.html be accessible without superadmin session set
or
Option 2: How can I allow my input field to pass the text field's url that KCFinder grabs (which is the proper url to the image, it's just sending nothing from the field to the database) without the data being stripped out?
Anything on this?
@proofinlife, I think you'll have to make changes to the core code itself to allow this functionality.
I'm assuming the fileuploadbrowser session would probably be the easiest approach. Can you point me in the right direction as to where that pop up checks the session? I haven't had much time to look into this, I've been out for a few days, so I'll check the file itself to see if it's checking cookies.
Hi,

Please do a text search for
Code:
$AUTH = new KAuth( K_ACCESS_LEVEL_ADMIN, 0 );

where K_ACCESS_LEVEL_ADMIN (admin-level) is the only level allowed.

You can change this if you really want to but I'll have to state again that this strict permission is not without good reasons.

Modify it at your own risk.
I looked through a multitude of files for that line, and found nothing. I checked with textcrawler and it found that line in no files, either :/
couch/upload.php (line 46)
couch/uploader.php (line 46)

You'd want to replace K_ACCESS_LEVEL_ADMIN with either of the following two levels
K_ACCESS_LEVEL_AUTHENTICATED_SPECIAL
K_ACCESS_LEVEL_AUTHENTICATED
It looks like the only authentication variables are for users logged in via the couch admin panel. Is there any way I can authenticate through the members module?

If not, I'm going to have to look at completely stripping out authentication for the uploader interfaces, I know it's a risk, but I absolutely need my members to be able to upload images to the gallery. As it stands right now only accounts in the couch admin panel can make any changes, and technically I want both, but most importantly members created in the members module.

I'm thinking my best bet is to completely bypass couch all together and reverse engineer your SQL queries to input images into the database. It's dirty, but I need this to work.
Okay, so I came up with my own answer to my quandary. It didn't involve editing any session variables or changing too much about Couch.

It did, however, involve editing field.php.

What I did was install a vanilla non-couch version of KCFinder. I configured it according to KCFinder's instructions (basically, nothing special). So I won't bother going into detail on what I did with that part. Basically, I just pointed KCFinder's config.php to couch's

/uploads/gallery

folder and set the KCFinder window to type="images", so it still used couch's directory structure.


Modifications to couch field.php:

Note, this will affect/change both your front end bound inputs AS WELL as couch CMS's admin panel fields.

This is all assuming your kcfinder installation is located at ROOT_DIRECTORY/kcfinder.

Look for:

Code:
if( $this->input_width ){ $style_rr = ' style="width:'.$this->input_width.'px"'; } // Set by repeatable tag


and

Code:
$visibility = $value ? 'visible' : 'hidden';


Replace everything in between with:

Code:
$html .= '<script type="text/javascript">';
// Opens the stand-alone KCFinder window and writes the chosen URL back into the clicked field
$html .= 'function openKCFinder(field) {';
$html .= 'window.KCFinder = { callBack: function(url) { field.value = url; window.KCFinder = null; } };';
$html .= 'window.open(\'http://www.xyz.com/kcfinder/browse.php?type=images&TB_iframe=true&height=480&width=640&modal=true\', \'kcfinder_textbox\', \'status=0, toolbar=0, location=0, menubar=0, directories=0,\' + \'resizable=1, scrollbars=0, width=800, height=600\' ); } </script>';
// Replaces couch's own image field markup (including the Browse Server button) with a clickable text input
$html .= '<em>Click on field to open image browser.</em><br><input type="text" onclick="openKCFinder(this)" style="cursor:pointer" size="65" value="'.$value.'" name="'.$input_name.'" id="'.$input_id.'" class="k_image_text" '.$notice0.$style_rr.' />';


Replace your site's url and kcfinder installation location.

This will replace the default couch code for both fileuploader and couch's built in kcfinder fields with a generic KCFinder clickable popup field. The code above removes the "Browse Server" button as well; if you do not want to do that, leave the conditions checking for KCFinder and its related else that contain the Browse Server button code alone.

All works well, and my members can now upload images to their assigned gallery!
@proofinlife,

I've obfuscated the link to KCFinder on your site in your post.

I strongly suggest you undo the changes you have made as you have given access to the entire world to your server by doing that (please check and you'll find a folder named 'kk' and a couple of files I've uploaded in 'image' as well as 'file' folder without having any access permission from you).

As I said before, it is not without reason that Couch has put in all the security.
If you strip that off you are only waiting for your server to get hacked.

Please give me a little time - I'll get you the necessary code to allow only authenticated members inside securely.
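The gap in the solution above is that a stand-alone KCFinder with its default config answers to anyone, not just to logged-in members. As an added illustration (not Couch's, KCFinder's or either poster's code), this is how KCFinder's own session mechanism can keep the browser disabled for anonymous visitors and enable it, confined to a per-member folder, only once a member login has been verified. It assumes two helper functions, is_logged_in_member() and current_member_id(), standing in for whatever the site's member login exposes, and uses example.com as a placeholder site URL.

```php
<?php
// Added example: gate a stand-alone KCFinder install behind a member login.
//
// 1. In kcfinder/config.php keep the browser OFF unless a session enables it.
//    Weak (KCFinder's sample config, what an open install has):
//        'disabled' => false,
//    Corrected:
//        'disabled' => true,
//
// 2. Include this file before any output on the page that renders the
//    gallery form, so the session is populated before browse.php is opened.
//    is_logged_in_member() and current_member_id() are ASSUMED helpers;
//    replace them with your site's real member-login checks.

session_start();

function member_can_upload() {
    // Assumption: true only for an authenticated member of the site.
    return function_exists('is_logged_in_member') && is_logged_in_member();
}

function enable_kcfinder_for_member($member_id, $site_root, $site_url) {
    // Cast to int so the id can never smuggle in path components.
    $member_id = (int) $member_id;
    if ($member_id <= 0) {
        return false;
    }
    // One folder per member under couch's uploads/gallery, as used in the thread.
    $dir = rtrim($site_root, '/') . '/uploads/gallery/' . $member_id;
    $url = rtrim($site_url, '/') . '/uploads/gallery/' . $member_id;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return false;
    }
    // Session overrides take precedence over config.php for this visitor only.
    $_SESSION['KCFINDER'] = array(
        'disabled'  => false,   // re-enable the browser for this session
        'uploadDir' => $dir,    // member cannot browse above their own folder
        'uploadURL' => $url,
        'types'     => array('images' => 'gif jpg jpeg png'), // image extensions only
    );
    return true;
}

if (member_can_upload()) {
    enable_kcfinder_for_member(current_member_id(), $_SERVER['DOCUMENT_ROOT'], 'http://www.example.com');
} else {
    unset($_SESSION['KCFINDER']);   // anonymous visitor: config.php's 'disabled' => true applies
}
```

Couch's own uploader (couch/upload.php and couch/uploader.php) keeps its KAuth check untouched with this approach; only the separate KCFinder copy is gated.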