11 posts Page 1 of 2
Hi

I have a DataBound form to allow privileged users to compose a message. It has two richtext fields and it also has file fields for attachments.

(I know about the security issues, and they don't apply to the intended users of the form). It all works pretty well except for file/image selection.

The richtext fields display with CKeditor (there's an include statement in the template), and work OK on the front end - except that when the user tries to insert an image, there's no 'browse server' button. The back end admin form works OK and does show the 'browse server' button.

The file fields on the front end have a 'browse server' button, and KCfinder comes up when you click it; but it comes up in full window, and clicking on a file does nothing. On the back end admin form, KCfinder comes up in a lightbox and works OK.

I assume that CKeditor is behaving differently on the front end and back end, but I don't see how to change that. I've studied the CKeditor documentation and gone through the threads in the forum, but I'm none the wiser.

Any clues?

Thanks-in-advance,
David
Hi David,

As a security measure, the file-explorer (KCFinder in later versions) component is restricted to only admins and super-admins.

For non-admins, ideally you should use 'securefile' region to allow uploads from the front-end.
Couch 1.4.5RC2, however, provides a 'hook' that can be used to allow access to selected users.

How do you differentiate the 'privileged users' from normal users? Are they in a different group, for example? Please let me know and we'll work out how to set up the mentioned hook to allow them access.

Thanks.
Hi KK

Thanks for such a prompt response - and for explaining why there's a problem!

The users with access are in a different group (Authenticated Users - Special) and there's also a separate security category system set using the extended users module. There's an 'Access type' setting which gives fine-grained control over access to certain pages and uploaded files. Only these 'Committee' users have access to the form, which allows them to send a broadcast email to the ordinary members of a club.

(I've created the form because I don't want to give these users access to the back-end of the website - they're not very technology-literate - but I won't always be there to manage the broadcast emails for them. It's a security trade-off. There will only be about ten people in this category at any one time, and only two or three are likely to make use of the form.)

So, any hook can be dependent on the 'Access type' setting in the extended user template. This would be more selective than the user-group setting in the standard user module.

Does this tell you what you need to know?

Cheers
David
Hi KK

I'm trying to get my head around 'securefile'... how does <cms:show_securefile /> work when there are several fields in the one form? I have five.

(I had overlooked 'securefile' because it doesn't appear in the tags documentation, which I tend to rely on to steer me in the right direction.)

Cheers
David
Quote:
I'm trying to get my head around 'securefile'... how does <cms:show_securefile /> work when there are several fields in the one form? I have five

The following thread gives you full details about 'securefile' -
viewtopic.php?p=12865#p12865

Coming back to access to KCFinder, I'm detailing below the method to allow access to 'Authenticated Users - Special' group users.

IMP: This will require using the latest version of Couch to date (i.e. 1.4.5RC2). You can get it from viewtopic.php?f=5&t=8981 or GitHub. Upgrade is very easy and instructions are contained in the zip file.

1. Add trust_mode='1' to the form input bound to 'richtext' areas (this will make the 'Browse' button appear in image uploads) e.g.
<cms:input type='bound' name='my_richtext' trust_mode='1' />

2. In 'addons/kfunctions.php' file add the following hook event-handler -
Code:
/* Allow authenticated-special users access to KCFinder */
$FUNCS->add_event_listener( 'kcfinder_alter_access', 'kcfinder_alter_access_handler' );

function kcfinder_alter_access_handler( &$__kcfinder_allow_access ){
    global $AUTH;
   
    if( $AUTH->user->access_level >= K_ACCESS_LEVEL_AUTHENTICATED_SPECIAL ){
        $__kcfinder_allow_access = 1;
    }     
}

This should allow authenticated-special users access to KCFinder.

Hope it helps.
Thanks for the suggestions, KK.

Unfortunately, they haven't made it work. Still no 'browse' button in CKeditor, alas. The file finder has switched back from KCfinder to CKfinder (I think) but is still running full-size in the same window - and when I click on a file link in it, the entire window/tab closes instantly, ending the session.

I'm running v1.4.5RC2 (build 20141202). I've attached some of the relevant files so you can check, if you are happy to take a look.

I'm very grateful for your help. If this is troublesome to sort out, let me know and I'll see what we can do.

Greatest regards

David

Ok, to begin with please switch back to KCFinder - you'll find the setting in config.php
define( 'K_USE_KC_FINDER', 1 );

Moving ahead - originally there were two separate problems -
1. 'richtext' editable region - not showing 'browse' button on front-end
2. 'image' editable region showing the 'browse' button but clicking it shows KCFinder in a separate window and (importantly) blank.

Let us tackle the first problem.
I mentioned in my last post -
Quote:
1. Add trust_mode='1' to the form input bound to 'richtext' areas (this will make the 'Browse' button appear in image uploads) e.g.
<cms:input type='bound' name='my_richtext' trust_mode='1' />

From what I can see in the files you attached, you've added that parameter to cms:editable tag whereas I had actually mentioned the cms:input tag (i.e. in the front end form).

Please make the inputs in the form as follows and that should make the 'browse' button appear -
Code:
<cms:input type='bound' name='bull_content' class='form-control input-sm' trust_mode='1' />
<cms:input type='bound' name='bull_footer' class='form-control input-sm' value=default_footer trust_mode='1' />


Now the second problem (i.e. the 'image' editable region showing KCFinder in a separate blank window).

If you have placed the hook code I suggested in my last post within the kfunctions.php file (as you have), the window should not be blank now - you should see the KCFinder displaying all files and folders in it.

So half the second problem is solved. What remains is that KCFinder is opening up in a separate tab/window and not within the modal popup you see in the admin-panel.

Let me explain - the admin-panel uses JS to make KCFinder show up in a popup and to get back the file path returned by it.

You'll have to do the same on the front-end.

Try duplicating the code used by the admin-panel. For example, the following works for me in a template that does not have any other JS library -
Code:
<head>
    <script type="text/javascript" src="<cms:show k_admin_link />includes/mootools-core-1.4.5.js"></script>
    <script type="text/javascript" src="<cms:show k_admin_link />includes/smoothbox/smoothbox.js?v=1.3.5"></script>
    <link rel="stylesheet" href="<cms:show k_admin_link />includes/smoothbox/smoothbox.css" type="text/css" media="screen" />

    <script type="text/javascript">
        function k_browse_result( id, fileurl ){
            $(id).set( 'value', fileurl );
            try{
                $(id + "_preview").set( {href: fileurl, style:{visibility:'visible'}} );
                $(id + "_img_preview").set( 'src', fileurl );
            }
            catch( e ){}
           
            TB_remove();
        }
    </script>
</head>

As I said, it works well for templates that do not have any existing JS library (like jQuery).
You might have to tweak it if it happens to clash with existing code. Following works well with jQuery -
Code:
<script type="text/javascript" src="https://code.jquery.com/jquery-1.6.2.min.js"></script>
<script type="text/javascript">
     jQuery.noConflict();
</script>

Hope this helps.
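
Added example (not part of the original post, and not Couch's own code): once the front-end page accepts a file URL from the KCFinder popup through k_browse_result, a check like this can run before the value is written into the field, link and preview image. The site origin, the '/couch/uploads/' prefix, the extension list and the function names are assumptions for illustration.

```javascript
// Validate the URL handed back by the file browser before the page writes
// it into a form field, a link href or an image src.
// ASSUMPTIONS (not from the thread): the site origin and upload path below.
const SITE_ORIGIN = 'https://example.org';   // constructed value
const UPLOAD_PREFIX = '/couch/uploads/';     // assumed upload directory
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function checkBrowseUrl(fileurl) {
    let url;
    try {
        // Resolving against the site origin normalises "../" segments and
        // accepts relative paths, while exposing foreign schemes and hosts.
        url = new URL(String(fileurl), SITE_ORIGIN);
    } catch (e) {
        return null;
    }
    // javascript:, data: and other hosts all fail the same-origin test.
    if (url.origin !== SITE_ORIGIN) return null;

    let path;
    try { path = decodeURIComponent(url.pathname); } catch (e) { return null; }
    // Catch traversal that was hidden behind percent-encoding.
    if (path.includes('..') || path.includes('\\')) return null;
    if (!path.startsWith(UPLOAD_PREFIX)) return null;

    const ext = path.split('.').pop().toLowerCase();
    if (!ALLOWED_EXT.includes(ext)) return null;

    return url.origin + url.pathname;        // drop query string and fragment
}

// Same (id, fileurl) signature as k_browse_result in the post. `apply` is a
// hypothetical stand-in for the original handler, so the check can be
// exercised outside a browser.
function guardedBrowseResult(id, fileurl, apply) {
    const clean = checkBrowseUrl(fileurl);
    if (clean === null) return false;
    apply(id, clean);
    return true;
}
```

In the page itself, the original k_browse_result body would be passed as `apply`, so the field and preview are only updated with a URL that passed the check.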
1st, sorry for sabotaging this post with my question.

2nd, can I use trust_mode='1' like this:
Code:
<cms:editable name='image_1' type='image' />

<cms:input type='bound' name='image_1' trust_mode='1' />


Thx.
As soon as possible!

Touch me up : abada[dot]zulma[at]gmail[dot]com
@GoingMarryAsap,
Yes, that is precisely how the 'trust_mode' parameter is supposed to be used.
Hi KK

Magic. Wonderful. Brilliant. Works like a charm.

Many, many thanks for your help, tact and patience. And my apologies for not reading your first post carefully enough.

I hope I can soon repay the favour.

David