Enable the file manager connector with FCKEditor and PHP

Posted in FCKEditor -

By default the file manager is disabled in the FCKEditor in-browser WYSIWYG HTML editor for security reasons, so people can't browse files on your server. This post looks at how to enable the connector with PHP so you can browse files on your server.

Error message

In a default install of FCKEditor, if you click the "Browse Server" button in any of the file dialogs (e.g. when inserting an image) you'll get the following message:

This connector is disabled.
Please check the "editor/filemanager/connectors/php/config.php" file

Enabling the connector

To enable the connector simply open the file "editor/filemanager/connectors/php/config.php" under your FCKEditor root and locate the following line:

$Config['Enabled'] = false ;

Change it to this:

$Config['Enabled'] = true ;

Save the file and now you will be able to browse the server. There are some more settings required (covered below) to modify to actually get this working but first a note about security...

Security Issues

Unless your FCKEditor instance is protected via .htaccess with a username and password, by IP address or similar, you should normally never simply enable the connector as I have shown above, otherwise other people will be able to browse your server.

If the FCKEditor is used in e.g. a content editing admin system that requires user authentication, then you should add whatever is required to this config file to check they are authenticated. For example:

require_once('/path/to/authentication-libray.php');
$Config['Enabled'] = is_authenticated();

Getting the connector to actually work

Some other configuration options need to be set to actually get the connector working. By default it looks for and saves files to a folder called "userfiles". You can use this default if you want and need to create it if it doesn't already exist, changing the permissions to 0777 so the connector can create folders and files underneath this.

Alternatively you can change the following setting:

$Config['UserFilesPath'] = '/userfiles/' ;

to whereever it is you want to browse/store files. For example if you want to be able to browse all files and folders under the root level you can change it to this:

$Config['UserFilesPath'] = '/' ;

And then just change permissions for the directories you want to be able to upload to to 0777.

The section that looks like this also needs to be modified:

$Config['FileTypesPath']['Image'] = $Config['UserFilesPath'] . 'image/' ;
$Config['FileTypesAbsolutePath']['Image'] = ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'image/' ;
$Config['QuickUploadPath']['Image'] = $Config['UserFilesPath'] ;
$Config['QuickUploadAbsolutePath']['Image'] = $Config['UserFilesAbsolutePath'] ;

Either remove the 'image/' part from from $Config['FileTypesPath']['Image'] and $Config['FileTypesAbsolutePath']['Image'] or add it to the other two (or change it to e.g. 'images/' and add that to the others if you wish to use a different name).

If you don't do this, you won't be able to find any of the files you upload. There are also configuration options in the same section for files of File, Flash and Media types and they have the same issue as with images.

Preventing file uploads

To only allow browsing and to prevent file uploads, change the config option:

$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;

to:

$Config['ConfigAllowedCommands'] = array('GetFolders', 'GetFoldersAndFiles') ;

Preventing Flash and Media file uploads/browsing

To remove flash and media file types (you could also remove image and/or file types using this method), change the config option:

$Config['ConfigAllowedTypes'] = array('File', 'Image', 'Flash', 'Media') ;

to:

$Config['ConfigAllowedTypes'] = array('File', 'Image') ;

Removing file uploads from the Javascript dialogs

Even if you remove the file upload options from the server-sided configuration the options will still remain in the Javascript. When the user tries to upload a file they will get an error message. I have covered this is earlier posts so refer to those (Remove "Browse" button and "Upload" tab in FCKEditor Image Properties dialog and Remove "Browse" button and "Upload" tab in FCKEditor Link dialog).



Related posts:


Comments