function execute($queryParameters) and POST / No way to change a command argument on server side #29
Comments
Ping @nicolasmure |
Hello, can the home folder feature suit your needs? I agree with you about the security breach, so can you also explain your use case in more detail please, to make the problem easier to understand? |
Hello, yes thanks, I found that solution recently. But concede that this actual script doesn't allow access to all of ElFinder's Command properties =/ |
Hello again, I thought that my problem was resolved with your solution, but in the end it was not. So first, let's imagine that I have such a homeFolder: domain.com/home Now, if before the upload I change the homeFolder on the onPreExecute event:
I get an error "ERROR_TRGDIR_NOT_FOUND". With a little research, I noticed that in the ElFinderVolumeDriver.php > function file() and here, I'm stuck. Well, I could create a heavy solution where I create and delete some new directories, but I'm sure that you can provide a more convenient solution :P can't you? :D |
Oh ok, then why don't you make sure the folder you're setting with your preExecute eventListener actually exists? If it doesn't exist, create one using the filesystem component |
Well, from onPreExecute I can't find how to get the directory to which ElFinder is uploading. |
Yes, elFinder uses hashes to store its information about files and folders. Maybe the comments in this PR can help you. But if you're hooking into a

    $src = $_SERVER["REQUEST_METHOD"] == 'POST' ? $_POST : $queryParameters;

then maybe you could try to edit this line like this:

    $src = array_merge($_POST, $queryParameters);

and make a new PR 😉 |
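The precedence that the suggested `array_merge($_POST, $queryParameters)` line gives, as an added example that is not part of the thread or of the bundle's code. `currentSource()`, `mergedSource()` and `overriddenKeys()` are hypothetical helpers, `upload_path` is the parameter name used in the issue, and the sample arrays are constructed.

```php
<?php
// Added example (hypothetical helpers, not FMElfinderBundle code).

/** Behaviour of the line quoted in the thread: on POST the server-side array is ignored. */
function currentSource(string $method, array $post, array $queryParameters): array
{
    return $method === 'POST' ? $post : $queryParameters;
}

/**
 * Suggested behaviour: for string keys array_merge keeps the value from the LAST
 * array, so server-side $queryParameters win over whatever the client posted.
 * Integer keys are appended and renumbered instead, so enforced values need string keys.
 */
function mergedSource(array $post, array $queryParameters): array
{
    return array_merge($post, $queryParameters);
}

/** Keys the client posted with a value that differs from the enforced one (worth logging). */
function overriddenKeys(array $post, array $queryParameters): array
{
    $conflicts = [];
    foreach ($queryParameters as $key => $value) {
        if (array_key_exists($key, $post) && $post[$key] !== $value) {
            $conflicts[] = $key;
        }
    }
    return $conflicts;
}

// Constructed sample input: what the browser posted and what the server wants to enforce.
$post   = ['cmd' => 'upload', 'upload_path' => 'client/chosen/dir'];
$server = ['upload_path' => 'restricted/incoming'];

var_dump(currentSource('POST', $post, $server)['upload_path']); // client-supplied value is used
var_dump(mergedSource($post, $server)['upload_path']);          // server-side value is used
var_dump(array_merge($server, $post)['upload_path']);           // reversed order: client wins again
var_dump(overriddenKeys($post, $server));                       // keys the client tried to change
```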
If you look at the $_POST parameters when you're uploading your file, you'll see that it's an array with 2 keys:
If you make a subrequest with the Another workaround would be to let elFinder upload your file normally (i.e. no preExec eventListener), and then move the uploaded file into your custom directory with a postExec eventListener. |
If you try to upload a file and have Firebug (or any other tool) open, then look at the POST request response: the elFinder controller returns the following JSON response:

    {
        "removed": [],
        "added": [
            {
                "hash": "l1_Zm9sZGVyL0JpcmQuanBn",
                "name": "Bird.jpg",
                "read": 1,
                "ts": 1445356113,
                "write": 1,
                "tmb": 1,
                "mime": "image/jpeg",
                "phash": "l1_Zm9sZGVy",
                "path": "10/folder/Bird.jpg",
                "size": 63057
            }
        ]
    }

You can see a |
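Decoding the `hash` and `phash` values from the response above and checking that the result stays inside an allowed folder, as an added example that is not part of the thread or of elFinder's code. It assumes the hash is the volume id (`l1_` here) followed by URL-safe base64 of the path relative to the volume root, which is what the sample values decode to; `decodeHash()` and `staysInside()` are hypothetical helpers.

```php
<?php
// Added example (hypothetical helpers, not elFinder or FMElfinderBundle code).
// Assumption: hash = volume id + URL-safe base64 ('+/=' written as '-_.', padding
// stripped) of the path relative to the volume root.

function decodeHash(string $hash, string $volumeId): ?string
{
    if (strncmp($hash, $volumeId, strlen($volumeId)) !== 0) {
        return null; // hash belongs to another volume
    }
    $b64 = strtr(substr($hash, strlen($volumeId)), '-_.', '+/=');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore stripped padding
    $path = base64_decode($b64, true);
    return ($path === false || strpos($path, "\0") !== false) ? null : $path;
}

/** Lexical containment check: resolves '.' and '..' without touching the filesystem. */
function staysInside(string $relativePath, string $allowedDir): bool
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $relativePath)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($parts === []) {
                return false; // climbs above the volume root
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    $normalised = implode('/', $parts);
    $allowed = trim($allowedDir, '/');
    return $normalised === $allowed || strpos($normalised, $allowed . '/') === 0;
}

// Values taken from the JSON response above.
var_dump(decodeHash('l1_Zm9sZGVyL0JpcmQuanBn', 'l1_'));
var_dump(decodeHash('l1_Zm9sZGVy', 'l1_'));
var_dump(staysInside(decodeHash('l1_Zm9sZGVyL0JpcmQuanBn', 'l1_'), 'folder'));

// Constructed hash whose path climbs out of "folder"; a listener should reject it.
$crafted = 'l1_' . rtrim(strtr(base64_encode('folder/../other/Bird.jpg'), '+/=', '-_.'), '.');
var_dump(staysInside(decodeHash($crafted, 'l1_'), 'folder'));
```

The check is purely lexical and does not resolve symlinks; for a directory that already exists, comparing `realpath()` results against the allowed root covers that case as well.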
Thanks, that's why I have to change the upload path to a restricted area where I zip the files before moving them to the expected directory. That "info" trick is good for the PreExecution, but as you will probably accept a PR to let developers use the command's parameters on a POST request, I prefer to use that :D |
By using a postExec eventListener, you won't have any sub requests and your zip'n'move operation will be transparent to the user.

    // Acme/MyBundle/EventListener/ElFinder/PostExecutionEventListener.php
    class PostExecutionEventListener
    {
        public function onPostExecute(ElFinderPostExecutionEvent $event)
        {
            // be sure you're on a successful upload command
            if ($event->hasErrors() || $event->getCommand() != 'upload') {
                return;
            }
            $result = $event->getResult();
            foreach ($result['added'] as $key => $value) {
                // be sure you've uploaded a file you want to zip'n'move by checking its extension and its mimetype
                if (is_file_ok($value) === false) { // you can implement is_file_ok using $value['path'] and $value['mime']
                    continue;
                }
                $filepath = $value['path'];
                try {
                    zip_file($filepath);
                    move_file($filepath, 'new/destination');
                } catch (ZipOrMoveException $e) { // any exception thrown by the zip or by the move operation
                    remove_file($filepath); // do not keep the original file as you can't handle it
                }
                unset($result['added'][$key]); // do not send info about the file to the elFinder client
            }
            // unset() leaves gaps in the keys; reindex so "added" is still encoded as a JSON array
            $result['added'] = array_values($result['added']);
            // updating the result to send back to the client
            // to avoid elFinder.js to make operations on the moved files
            // and to list them in the current folder
            $event->setResult($result);
        }
    }

Doing so, I think your file will be uploaded (+zipped and moved) and you won't see it in the current folder after the upload on the elFinder.js client. |
But by doing so, the original file will be accessible (through another tab) during the zipping process, as the upload is already done before the PostExecution event. |
Yep, that's right, but do you upload files that take more than some milliseconds to zip? |
lol, it's not professional at all! x) (and it's easy to make a heavy text file.) |
Yes, seems legit then if you want to be sure the file isn't uploaded at all in the current folder... |
Hello,
I noticed that when I upload a file with elFinder, I can't change the argument "upload_path" on the server side.
The reason is simple: the whole configuration is done in the POST x(
Can't you find a way to merge the $queryParameters with the POST parameters?
So my "upload_path" could write/overwrite the default "upload_path".
Also, I don't know the entire process inside elFinder, but changing the "upload_path" from the client side, isn't it a security breach?