More Flexible Upload Directory Control

[anonymous]

I am using FCK2.4 under cold fusion. I appreciate that one can control the image upload directory on a "per-session" basis and indeed have previously done just this.

However there are occasions when it is absolutely necessary to have each browser instance have its own unique image directory. Say, for example that a CMS manager operator opens one window (with image directory "a/") and then opens another with image directory "b/" to cut and paste some text from that window to the first one. On a session basis the window "b" will hijack the upload directory of window "a" and so any subsequent file activity on window will go to the wrong place. The user might not even notice.

I regard this as bizarre and unnecessary behaviour. I have modified FCK so that it behave the way I want and I am hoping my modifications will be integrated by someone who knows what they are doing in a more clinical and correct manner!!

This is what I did:

After creating the CF object with:

fckEditor = createObject("component", basepath & "FCKeditor");

I added:

fckEditor.Config["UserFilesPath"] = FCKUserFiles;

where FCKUserFiles is my control directory variable

In fckeditor.cfc line 205 ",UserFilesPath" added to end of lconfig. This is where it picks up the variable passed above. The result of this is that the html line (where my instance is called "pageText" is added to the form instance calling FCK. You can see my custom path.

<input type="hidden" id="pageText_Config" value="CustomConfigurationsPath=/fishing2006/FCKeditor/myconfig.js&amp; ToolbarStartExpanded=true&amp;UserFilesPath=fishing2006/userfiles/charters/69&amp; EditorAreaCSS=/fishing2006/include/site.css" style="display:none" />

Now it gets difficult because IE calls up the file browser with showModaldialog whereas gecko spawn another browser. I had to get the UserFiles data over to this window somehow. It then has to be passed to he actual file browser connector.

In editor/js/fckeditorcod_ie.js

On about line 92 (since this code is obfuscated) Look for the showModalDialog on about line 92 and then insert this line before it assuming that the letter A refers to the second argument showModalDialog. For the gecko version it is easier and handled later.

A.UserFilesPath =FCKConfig.UserFilesPath;

In editor/editor/fckdialog.html Line 37 add

var UserFilesPath (create variable)

and then line 45-47

UserFilesPath =  window.dialogArguments.UserFilesPath;
if (window.opener) UserFilesPath = window.opener.FCKConfig.UserFilesPath;
//(this is for gecko because on IE it uses a showModalDialog box and there is no window.opener)

In editor/_source/internals/fckdialog.js Line 90-91

if ( sKey == 'UserFilesPath' )	// My new userfiles path.
	FCKConfig[ sKey ] = sVal ;

In editor/filemanager/browser/default/browser.html Line 50

var sConnUserFilesPath =  window.opener.top.UserFilesPath;

Line 70,74

var sUrl = this.ConnectorUrl + 'Command=' + command ;
sUrl += '&Type=' + this.ResourceType ;
sUrl += '&UserFilesPath=' + encodeURIComponent(sConnUserFilesPath) ;
sUrl += '&CurrentFolder=' + encodeURIComponent( this.CurrentFolder ) ;

In editor/filemanager/browser/default/frmupload.html Line 38-39

sUrl += '&Type=' + resourceType ;
sUrl += '&UserFilesPath=' + encodeURIComponent(window.top.sConnUserFilesPath);
sUrl += '&CurrentFolder=' + encodeURIComponent( folderPath ) ;

In connectors/cfm/connector.cfm Line 46

<cfparam name="url.UserFilesPath" default="thisdirectoryhere">

Line 52-53

userFilesPath = URLDecode(url.UserFilesPath);
//	userFilesPath = config.userFilesPath; (commented out the original)

I hope you are all as confused as I was. Well you get the general idea. Pass the userfiles directory right from the form instance calling FCK up to the file browser connector. Believe it or not this works and I believe should be incorporated as an official change it is so useful!!

[Frederico Caldeira Knabben]

For security reasons, the parameters used by the File Browser connector can't come from the browser. It would be quite easy to change the UserFilesPath in your example and make the connector access a different directory in your server. So this is something to completely avoid, unless you are working a a closed and secure environment.

So, this is not the solution. Actually, for such customizzations the solution is much simpler. Just add your custom parameter in the connector URL. Something like this in the fckconfig.js:

FCKConfig.LinkBrowserURL = FCKConfig.BasePath +
'filemanager/browser/default/browser.html?Connector=connectors/cfm/connector.cfm%3FUserFilesPath%3D%2Fserver%2Fdir%2F'   ;

Note that the ?, = and / chars are encoded.

After decoded, the connector URL will be:

connectors/cfm/connector.cfm?UserFilesPath=/server/dir/

[Julian Warren]

Replying to fredck:

Dear Fred,

I fear you may have missed the point. I want each instance of FCK to possibly have a different target directory. This is mainly for cross browser cut and paste. If I put userfiles in FCKconfig then it will be fixed unless I change the coldfusion object so that it creates this FCKconfig parameter instead if it being fixed in fckconfig.js

What you have suggested does pass the filepath over in the url which is what I have done anyway, but via a tortuous path! Is this going to be incorporated in future releases?

Julian

For security reasons, the parameters used by the File Browser connector can't come from the browser. It would be quite easy to change the UserFilesPath in your example and make the connector access a different directory in your server. So this is something to completely avoid, unless you are working a a closed and secure environment.

So, this is not the solution. Actually, for such customizzations the solution is much simpler. Just add your custom parameter in the connector URL. Something like this in the fckconfig.js:

FCKConfig.LinkBrowserURL = FCKConfig.BasePath +
'filemanager/browser/default/browser.html?Connector=connectors/cfm/connector.cfm%3FUserFilesPath%3D%2Fserver%2Fdir%2F'   ;

Note that the ?, = and / chars are encoded.

After decoded, the connector URL will be:

connectors/cfm/connector.cfm?UserFilesPath=/server/dir/

[Frederico Caldeira Knabben]

To illustrate the problem, it would be easy as calling the following at any browser...

connectors/cfm/connector.cfm?UserFilesPath=/

...to give access to the root of your web site, including listing files, directories and even uploading files.

Again, this feature will ever be implemented in this way.

[Rafael Teixeira]

Well I needed quite the same thing, but although my solution was similar to the one initially posted, there is a very important conceptual difference:

The parameter I added (called "Subject") is just a token for the Connector to validate and map to some real root content folder, normally also taking the authenticated user into the equation, and so security is not diminished

I've implemented my Monorail-based (MVC) Connector to call into an Strategy Factory class that can take into account which user and portal is calling into it (we host many portals with a shared deployment of our system) to build the root path. I can offer to revise the ASP.NET Connector to work with it with a pluggable design, but I can't offer to revise all the other connectors to use this optional parameter.

I'll will attach a preliminary patch taken against an installed version of FCKeditor, for perusal, but we would love to make a definite patch and have it accept into trunk so that we don't need to keep a fork for our system.

[Frederico Caldeira Knabben]

@monoman, my previous comment already contains a solution for such particular need. It is not needed to add yet another setting that would fit the needs of a few users, but not for everybody. Actually, using the connector URL is a much more flexible solution as it gives you ways to use any combination of factors (you could also depend on two parameters, instead of one).

In any case, we still strongly avoid using the URL to determine the final upload URL. For example, in the above case it would be quite easy to access other "subject" files by just changing the URL. You would also end up having people passing the URL in the "subject" param.

The correct solution is instead using session variables for it. If anything is to be passed in the URL, I would opt using a temporary generated code (like a guid) that points to a server side dictionary containing the values to be used in the configuration file.

[Frederico Caldeira Knabben]

#1893 has been marked as DUP