Pages 1
How can i disable (i would like nobody can see that path) the url path in mcefilemanager when I open it in a new window?
This is very important security problem for me!
I don't understand. The path is encrypted no full file system paths are displayed by default.
I don't understand. The path is encrypted no full file system paths are displayed by default.
I explain:
The users of a website have their own username and password. The username is also the folder name which they use.
Using a form, login in a specific web page in which I have the following link:
<a href="javascript:;" onclick="mcFileManager.browse({oninsert : customInsert, rootpath : '{0}/<%=(check.Fields.Item("Folder_name").Value)%>'});">SEND FILES</a>
So each user have their own private folder, in which can send files using mcfilemanager without any problem!
My problem is that when someone click on SEND FILES link, a new window opens with mcfilemanager. The user can see the url in web browser which is:
http://<website name>/scripts/tiny_mce/plugins/filemanager/pages/fm/index.html
if he copies the above link in a new web browser window can see all the folders of all the users
not only his folder.
How can i stop this?
The example link you gave wouldn't show all the folders you have created for each username. Regardless, you can add an index.html file to the main folder where the files are being uploaded to prevent the browser from displaying a list of folders. Or on Apache webservers, you can prevent the server from sending a list of all folders by addition the "Options -Indexes" directive to your htacess file.
This is really a problem with MCFileManager as your integration of their software would dictate what type of security would need to be created for your specific implementation.
Thank you for your answer...I use IIS7 and the .net version of mcfilemanager.
Unfortunately, the link I gave shows all the folders I have created!
[Regardless, you can add an index.html file to the main folder where the files are being uploaded to prevent the browser from displaying a list of folders].
How can do that?
The example link you gave wouldn't show all the folders you have created for each username. Regardless, you can add an index.html file to the main folder where the files are being uploaded to prevent the browser from displaying a list of folders. Or on Apache webservers, you can prevent the server from sending a list of all folders by addition the "Options -Indexes" directive to your htacess file.
This is really a problem with MCFileManager as your integration of their software would dictate what type of security would need to be created for your specific implementation.
Last edited by anestis100 (2011-05-09 15:57:28)
You can disable file listing in the IIS and that is a good practice anyway.
http://blogs.iis.net/nitashav/archive/2 … wsing.aspx
If you have the session authenticator enables only logged in users will be able to see the files. All other users won't have the specified session and there for not see any files. The session authenticator can scope the user to a specific directory. The root path init option is client side only and is only to be used to further scope the user for convenience not security.
Directory listing is disabled anyway!
My problem is that when someone click on SEND FILES link, a new window opens with mcfilemanager. The user can see the url in web browser which is:
http://<website name>/scripts/tiny_mce/plugins/filemanager/pages/fm/index.html
if someone copies the above link in a new web browser window can see all the folders of all the users
not only his folder from the interface of the mcfilemanager. He can see the all the folder inside mcfilemanager! that's my problem!
You can disable file listing in the IIS and that is a good practice anyway.
http://blogs.iis.net/nitashav/archive/2 … wsing.aspx
If you have the session authenticator enables only logged in users will be able to see the files. All other users won't have the specified session and there for not see any files. The session authenticator can scope the user to a specific directory.
How can i do this?
The root path init option is client side only and is only to be used to further scope the user for convenience not security.
I use this:
Using a form, login in a specific web page in which I have the following link:
<a href="javascript:;" onclick="mcFileManager.browse({oninsert : customInsert, rootpath : '{0}/<%=(check.Fields.Item("Folder_name").Value)%>'});">SEND FILES</a>
is there any other way, when a user logins with a specific user name and password, in order to see only a specific folder within mcfilemanager?
These examples show how to set the root path based on sessions:
http://tinymce.moxiecode.com/wiki.php/M … entication
The product is made to be easy to integrate into existing systems. So just add some of that logic to your login page and it will be restricted to a specific user directory. However it seems that you are using classical ASP so then you would have to share the sessions though the external authenticator.
That is also described on the link.
Pages 1
You are not logged in. Please login or register.
