Simon Georget edited this page Mar 13, 2014 · 9 revisions

Since the Filemanager can manipulate files on your server, you must secure your application.

Grant privileges to authorized users only.

By default, everyone is able to use the Filemanager. This is because we want you to be able to set your own rules with your own authentication mechanism.

When deploying the Filemanager in a production environment, copy the /connectors/php/default.config.php file to /connectors/php/user.config.php and implement your own auth() function to make sure only authorized users can use it.

If /connectors/php/user.config.php exists, the default configuration file will simply be ignored.

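Here is an example of a custom auth() function:

function auth() {
  // Assumes the application has already started the session.
  // Require a truthy 'authenticated' flag and the 'admin' user type.
  return !empty($_SESSION['authenticated'])
    && isset($_SESSION['user_type'])
    && $_SESSION['user_type'] === 'admin';
}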

Configuration - security options

Please refer to the security section on the configuration page.

We encourage you to use the default uploadPolicy (DISALLOW_ALL) and specify the allowed file extensions.
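
What a deny-by-default upload policy with an extension allow-list amounts to, shown as an added PHP illustration that is not Filemanager's own code. The function name, the extension list and the sample file names are assumptions made for this example.

```php
<?php
// Added illustration of a DISALLOW_ALL-style policy: every upload is refused
// unless its extension is on an explicit allow-list.
// is_upload_allowed() and ALLOWED_EXTENSIONS are hypothetical names.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // constructed list

function is_upload_allowed(string $name, array $allowed = ALLOWED_EXTENSIONS): bool
{
    // Refuse empty names, NUL bytes and path separators.
    if ($name === '' || preg_match('/[\x00\/\\\\]/', $name) === 1) {
        return false;
    }
    // Refuse dotfiles (for example .htaccess) and names ending in a dot or space.
    if ($name[0] === '.' || rtrim($name, '. ') !== $name) {
        return false;
    }
    // Compare the final extension case-insensitively; no extension means deny.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    return in_array($ext, $allowed, true);
}

// Constructed sample file names.
$samples = [
    'report.pdf', 'PHOTO.JPG', 'notes', '.htaccess',
    'page.php', 'archive.tar.gz', '../x.png', 'image.png.',
];

foreach ($samples as $sample) {
    printf("%-16s %s\n", $sample, is_upload_allowed($sample) ? 'allow' : 'deny');
}
```

Only report.pdf and PHOTO.JPG are accepted; everything else falls through to the default deny.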