Security
Since RichFilemanager is able to manipulate files on your server, it is necessary to secure your application properly.
The `security` section of the configuration file defines options which give you a wide range of customizations in the security aspect. Read the comments carefully to understand the use of each.
By default, execution of all server-side scripts is disabled in the default userfiles folder. See the contents of the .htaccess and IIS configuration files there.
By default, everyone is able to access the user storage folder. To make your application secure, the entry script provides a few predefined functions which allow you to define your own authentication mechanism.
- `fm_authenticate()` - Authenticate the user, for example to check a password login, or restrict the client IP address. If the function returns false, the user will see an error. You can change it to redirect the user to a login page instead.

This function is called for every server connection. It must return true.

```php
<?php
session_start();

// Called on every request: only a logged-in administrator may use the file manager.
function fm_authenticate()
{
    return isset($_SESSION['user_type']) && $_SESSION['user_type'] === "admin";
}
```
NOTE: This function only authorizes the user to connect and/or load the initial page. Authorization for individual files or directories is provided by the functions below.
- `fm_has_read_permission()` - Perform custom individual-file READ permission checks.

This function is called before any filesystem read operation, where `$filepath` is the absolute path to the file or directory being read. It must return true, otherwise the read operation will be denied.

```php
<?php
// Deny reads of one specific file; everything else inside the storage folder stays readable.
function fm_has_read_permission($filepath)
{
    if ($filepath === "/var/www/userfiles/some_file.txt") {
        return false;
    }
    return true;
}
```
NOTE: This is not the only permissions check that must pass. The read operation must also pass:
- Filesystem permissions (if any), e.g. POSIX `rwx` permissions on Linux
- The `$filepath` must be allowed according to the `patterns` and `extensions` configuration options
- `fm_has_write_permission()` - Perform custom individual-file WRITE permission checks.

This function is called before any filesystem write operation, where `$filepath` is the absolute path to the file or directory being written to. It must return true, otherwise the write operation will be denied.

```php
<?php
// Deny writes to one specific file; everything else inside the storage folder stays writable.
function fm_has_write_permission($filepath)
{
    if ($filepath === "/var/www/userfiles/some_file.txt") {
        return false;
    }
    return true;
}
```
NOTE: This is not the only permissions check that must pass. The write operation must also pass:
- Filesystem permissions (if any), e.g. POSIX `rwx` permissions on Linux
- The `$filepath` must be allowed according to the `patterns` and `extensions` configuration options
- The `read_only` configuration option must be set to false, otherwise all writes are disabled
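The three hooks above, implemented together as one entry-script policy. This is an added example, not RichFilemanager's own code; it assumes the storage root path below, that the login flow stores `user_type` in `$_SESSION`, and that the .htaccess / web.config files which disable script execution live in that folder. It confines every checked path to the storage root with `realpath()` (so `..` and symlinks cannot escape it) and refuses to expose or overwrite the server configuration files, since an overwrite would re-enable script execution.

```php
<?php
session_start();

// Assumed storage root; must match the userfiles folder in the configuration.
define('FM_STORAGE_ROOT', '/var/www/userfiles');

// True only if $path resolves to a location inside FM_STORAGE_ROOT.
// realpath() collapses "..", symlinks and duplicate separators; a target that
// does not exist yet (e.g. a new upload) is checked via its parent directory.
function fm_path_inside_root($path)
{
    $root = realpath(FM_STORAGE_ROOT);
    $real = realpath($path);
    if ($real === false) {
        $parent = realpath(dirname($path));
        if ($parent === false) {
            return false;
        }
        $real = $parent . DIRECTORY_SEPARATOR . basename($path);
    }
    return $root !== false
        && strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
}

// Files whose modification would re-enable script execution in the storage folder.
function fm_is_protected_file($path)
{
    return in_array(strtolower(basename($path)), ['.htaccess', 'web.config'], true);
}

// Connection-level check: only logged-in users of a known role get in at all.
function fm_authenticate()
{
    return isset($_SESSION['user_type'])
        && in_array($_SESSION['user_type'], ['admin', 'editor'], true);
}

// Any authenticated role may read inside the root, except the protected files.
function fm_has_read_permission($filepath)
{
    return fm_path_inside_root($filepath) && !fm_is_protected_file($filepath);
}

// Writes are further restricted to administrators and never touch protected files.
function fm_has_write_permission($filepath)
{
    return ($_SESSION['user_type'] ?? '') === 'admin'
        && fm_path_inside_root($filepath)
        && !fm_is_protected_file($filepath);
}
```

These hooks are one layer only: the `patterns`, `extensions` and `read_only` configuration options and the filesystem permissions still apply on top of them.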