
Ajax Filemanager linked to Symfony sfGuard authentication

by Matthias Noback on September 1st, 2010

PHPLetter.com created an Ajax Filemanager plugin for the TinyMCE rich text editor. The filemanager is very insecure. By default, anybody can upload, move or delete files. Luckily, PHPLetter provides us paranoid developers with a way to secure the filemanager (“If you have security issue concern, you could turn the access control on”). In my opinion, everybody should have “security issue concern” when it comes to online filemanagers. Because Driebit uses the Symfony framework with the sfGuardPlugin/sfDoctrineGuardPlugin, I thought it would be nice to link the login system of the Ajax Filemanager to the sfGuardUser authentication system. I will show you how to accomplish this.

First, go to the directory that contains the filemanager plugin files (probably /web/js/tinymce/plugins/ajaxfilemanager), open the file inc/config.base.php there and change it so that the corresponding lines look like this:

define('CONFIG_ACCESS_CONTROL_MODE', true);
define("CONFIG_LOGIN_USERNAME", '98c0vjsfniciwefuosd8v7u8jxsd8fv'); // a random username
define('CONFIG_LOGIN_PASSWORD', 'cm9sf8nwm9sfkj3iusdfhsdhkfyusfuyu93rhjkf'); // a random password

Then open the file config.php in the same directory and disable the statement session_start by turning it into a comment. It should look like this:

if(!isset($_SESSION))
{
  //session_start();
}

Finally we have to change the way the Ajax Filemanager handles the authentication. In the same directory, open the file class.auth.php and replace the contents of the isLoggedIn method with a few lines of code that instantiate a Symfony context (in this example it is a backend application in a production environment) and ask the current user whether it is authenticated.

function isLoggedIn()
{
  // Bootstrap the Symfony project from the plugin directory (six levels below the project root)
  require_once(dirname(__FILE__).'/../../../../../../config/ProjectConfiguration.class.php');
  // Application 'backend', environment 'prod', debug mode off
  $configuration = ProjectConfiguration::getApplicationConfiguration('backend', 'prod', false);
  $context = sfContext::createInstance($configuration);
  // Delegate the decision to sfGuard: only users with a valid session are logged in
  return $context->getUser()->isAuthenticated();
}
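The method above lets any authenticated sfGuard user manage files. The following is an added example (not code from the original post, from PHPLetter or from the Symfony project) of a stricter isLoggedIn for class.auth.php that also requires a specific sfGuard permission, reuses an existing Symfony context when the request already bootstrapped one, and fails closed if Symfony cannot be loaded. The application name, environment and the permission name 'filemanager' are assumptions for illustration; the relative path to ProjectConfiguration.class.php is the one from the post.

```php
<?php
// Added example, not part of the original post or of the Ajax Filemanager:
// a stricter isLoggedIn() for class.auth.php that requires a named sfGuard
// permission instead of accepting any authenticated user.
//
// Assumptions (placeholders for your project, not from the original post):
//   FM_SYMFONY_APP / FM_SYMFONY_ENV   the application and environment to boot
//   FM_REQUIRED_CREDENTIAL            the sfGuard permission a user must hold
define('FM_SYMFONY_APP', 'backend');
define('FM_SYMFONY_ENV', 'prod');
define('FM_REQUIRED_CREDENTIAL', 'filemanager');

// Return the Symfony context for this request, creating one only if the
// request did not already bootstrap Symfony (hypothetical helper name).
function fm_getSymfonyContext()
{
  if (class_exists('sfContext', false) && sfContext::hasInstance()) {
    return sfContext::getInstance();
  }
  // Same relative path as in the post: the plugin lives six levels below the project root
  require_once(dirname(__FILE__).'/../../../../../../config/ProjectConfiguration.class.php');
  $configuration = ProjectConfiguration::getApplicationConfiguration(FM_SYMFONY_APP, FM_SYMFONY_ENV, false);
  return sfContext::createInstance($configuration);
}

function isLoggedIn()
{
  try {
    $user = fm_getSymfonyContext()->getUser();
  } catch (Exception $e) {
    // Fail closed: if Symfony cannot be bootstrapped, deny access rather than
    // fall back to the filemanager's own (disabled) session handling.
    return false;
  }

  // Deny anonymous users, and deny authenticated users who do not hold the
  // permission granted to file managers. sfGuard turns a user's permissions
  // (directly assigned or via groups) into credentials on sign-in, so who may
  // manage files is administered in the sfGuard backend, not in this file.
  return $user->isAuthenticated() && $user->hasCredential(FM_REQUIRED_CREDENTIAL);
}
```

Because config.php no longer calls session_start, the session is owned entirely by Symfony's storage layer; the credential check therefore reflects the same sign-in state the rest of the backend application sees, and revoking the permission in sfGuard immediately locks the user out of the filemanager.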

If your Ajax Filemanager files are in a different directory than the one mentioned here (/web/js/tinymce/plugins/ajaxfilemanager), you may have to change the above-mentioned path to the ProjectConfiguration.class.php file.

From → Security, TinyMCE
