user logging and user permissions
Added by stephane desrousseaux over 1 year ago
hello
I just discovered elfinder and I have a question: is it possible to create users and define specific user perms?
thx
stephane
Replies (6)
RE: user logging and user permissions
Added by Troex Nevelin over 1 year ago
You can make it yourself and there are thousands of ways to implement it. elFinder itself does not create users and permissions.
RE: user logging and user permissions
Added by Hubert Garrido over 1 year ago
You're right that it is not elFinder's job to handle users/permissions, but for security concerns, elFinder should be disabled by default, and enabled only by passing the right session params to it.
BTW, session params should also override options, that'd allow seamless upgrade by not changing any elfinder files.
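This is what I've put at the end of the connector.php file; this way I can easily have user-dependent options and unlogged users can't access elfinder:

    // Resume the application's session so its elFinder settings are visible here.
    session_start();

    // Let per-user session values override the defaults set earlier in connector.php.
    if (isset($_SESSION['elfinder']) && is_array($_SESSION['elfinder'])) {
        foreach ($_SESSION['elfinder'] as $key => $val) {
            $opts[$key] = $val;
        }
    }

    // Run the connector only when the session enabled it; otherwise return a JSON error.
    if (!empty($opts['enabled'])) {
        $fm = new elFinder($opts);
        $fm->run();
    } else {
        exit(json_encode(array('error' => 'not logged in')));
    }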
RE: user logging and user permissions
Added by Will Fastie over 1 year ago
Maybe I don't understand this fully. Because elFinder uses jQueryUI, it is in effect JavaScript code that can only run if a visitor has access to the containing page. My pages are in themselves secure; unless someone can get to the page, they can't invoke elFinder.
This, in fact, is one of the reasons for my intense interest in elFinder. Other file managers have exactly the security issue raised here. Even Moxiecode's MCImageManager and MCFileManager have authentication methods built in and some other finders I've tried, such as the very nice ezFilemanager (http://www.webnaz.net/en/support/ezfilemanager-v2-installation), must be wrapped in some kind of authenticator.
I don't use the default connector.php file and my connector files are not stored in elfinder/connectors/php. Even if attempting to run a connector worked, somebody would have to know where I kept mine.
So am I wrong about this?
RE: user logging and user permissions
Added by Hubert Garrido over 1 year ago
Thinking you're secure just because you think others don't know where your files are, that's a kind of "security through obscuration", considered by many as security holes.
Putting the security in the PHP layer via session variables means that:
1/ it is not elFinder's responsibility to achieve the security checks, it just has to enforce them
2/ even if a possible attacker knows the file URL, they won't be able to do anything.
3/ should one not want the burden of using it, one just has to set $opts['enabled'] to true in the connector.php and that's all ;-)
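The two halves of the session-gated connector discussed above, as an added example that is not part of the original posts and is not elFinder's own code: the login side builds per-user options, and the connector side merges them while staying disabled unless the session says otherwise. The function names, roles, paths and the key allowlist are hypothetical; 'enabled' is the poster's own key, and 'root', 'URL', 'disabled' and 'defaults' are assumed to be elFinder 1.x connector options.

```php
<?php
// Added example; names, roles and paths are hypothetical. 'enabled' is the
// poster's own key; 'root', 'URL', 'disabled' and 'defaults' are assumed to
// be elFinder 1.x connector options.

// Login side: build the per-user options once the application has
// authenticated the user, then store them in $_SESSION['elfinder'].
function elfinder_opts_for(array $user): array
{
    $rw = array('read' => true, 'write' => true, 'rm' => false);
    $ro = array('read' => true, 'write' => false, 'rm' => false);
    switch ($user['role'] ?? '') {
        case 'editor':
            $dir = 'u' . (int) $user['id'];   // constructed per-user folder
            return array('enabled' => true, 'root' => "/srv/files/$dir",
                         'URL' => "/files/$dir/", 'defaults' => $rw);
        case 'viewer':
            return array('enabled' => true, 'root' => '/srv/files/shared',
                         'URL' => '/files/shared/', 'defaults' => $ro,
                         'disabled' => array('upload', 'mkdir', 'rename', 'rm'));
        default:
            return array('enabled' => false);   // unknown role: fail closed
    }
}

// Connector side: start disabled and copy only allowlisted keys from the
// session, so a stray session value cannot change other options (e.g. debug).
function merge_session_opts(array $opts, $session): array
{
    $allowed = array('enabled', 'root', 'URL', 'disabled', 'defaults');
    $opts['enabled'] = false;
    if (is_array($session)) {
        foreach (array_intersect_key($session, array_flip($allowed)) as $key => $val) {
            $opts[$key] = $val;
        }
    }
    $opts['enabled'] = ($opts['enabled'] === true);   // only a real true enables
    return $opts;
}

// Constructed demonstration; in the connector $session is $_SESSION['elfinder'] ?? null.
$base   = array('root' => '/srv/files', 'URL' => '/files/', 'debug' => false);
$viewer = merge_session_opts($base, elfinder_opts_for(array('id' => 7, 'role' => 'viewer')));
$anon   = merge_session_opts($base, null);
$odd    = merge_session_opts($base, array('enabled' => 'yes', 'debug' => true));
var_dump($viewer['enabled'], $anon['enabled'], $odd['enabled'], $odd['debug']);
```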
RE: user logging and user permissions
Added by Hubert Garrido 11 months ago
Hubert Garrido wrote:
You're right that it is not elFinder's job to handle users/permissions, but for security concerns, elFinder should be disabled by default, and enabled only by passing the right session params to it.
BTW, session params should also override options, that'd allow seamless upgrade by not changing any elfinder files.
I'm glad elFinder finally made it to the 1.2 release.
I'd like to take this opportunity to bring up this concern again: that upgrading elFinder should not change local preferences, or in other words, that it should be easy to upgrade without changing any inner elFinder files.
RE: user logging and user permissions
Added by Dmitry Levashov 11 months ago
I'm glad elFinder finally made it to the 1.2 release.
Wait a little and you will see a 2.0 version - it's really a bomb >_<