CKFinder relies on CheckAuthentication() in includes/filemanager.config.php for authenticating. CheckAuthentication() bootstraps Drupal, then checks for user rights. Drupal sets the session cookie name to a hash of $base_url at bootstrap. If $base_url is not explicitly set in the Drupal settings.php file, Drupal will set it based on the current URL, which for CKFinder is something like /sites/all/modules/ckeditor/ckfinder/core/connector/php. Thus, Drupal will look for the session cookie under the wrong name. This renders CKFinder useless.

Steps to reproduce:
1. make sure $base_url is not manually set
2. open some WYSIWYG content
3. click on the image icon
4. click on Browse Server
You will get a permission error.

Comments

Tgr’s picture

The HTML filter ate part of the url... so, the base URL Drupal sets for the AJAX request sent by CKFinder is (real-base-url)/sites/all/modules/ckeditor/ckfinder/core/connector/php.

Tgr’s picture

A quick and very dirty way to work around the problem is adding

$_SERVER['SCRIPT_NAME'] = str_replace('/sites/all/modules/ckeditor/ckfinder/core/connector/php/connector.php', '/index.php', $_SERVER['SCRIPT_NAME']);

to the beginning of filemanager.config.php.

mkesicki’s picture

Status: Active » Closed (works as designed)

Setting $base_url and $cookie_domain is required to use CKFinder.
Everything is described in documentation: http://docs.cksource.com/CKEditor_for_Drupal/Open_Source/Drupal_7/CKFinder.
I don't think that this is a big problem to set these two variables.

Tgr’s picture

It can be, when you have multiple domains pointing to the same site. Drupal has an intelligent algorithm for figuring out base_url from the domain name of the request; replicating that in settings.php can be problematic for multiple reasons:
- it is not DRY
- you are putting non-trivial code in a configuration file which is likely not version-controlled; that is hard to maintain
- there might be security implications if you mess up (e.g. do not sanitize $_SERVER['HTTP_HOST'] properly)
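
One way to set $base_url and $cookie_domain in settings.php for a multi-domain site without trusting the Host header, shown as an added example that is not from the thread participants or the CKEditor module. The hostnames and the example_allowed_host() helper are hypothetical, and the site is assumed to live at the web root.

```php
<?php
// Added example for a Drupal 7 settings.php; hostnames are placeholders.

/**
 * Return the normalised host if it exactly matches an allowlist entry,
 * or NULL otherwise. (Hypothetical helper, not a Drupal API.)
 */
function example_allowed_host($raw_host, array $allowed_hosts) {
  // Normalise: lower-case, drop an optional :port and a trailing dot.
  $host = strtolower(trim((string) $raw_host));
  $host = preg_replace('/:\d+$/', '', $host);
  $host = rtrim($host, '.');
  // Exact match only; never build $base_url from an unrecognised value.
  return in_array($host, $allowed_hosts, TRUE) ? $host : NULL;
}

// Every domain that points at this site (placeholders).
$example_hosts = array('www.example.com', 'shop.example.com');

$raw_host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$host = example_allowed_host($raw_host, $example_hosts);

if ($host === NULL) {
  if (PHP_SAPI !== 'cli') {
    // Unknown or malformed Host header: refuse instead of guessing.
    header('HTTP/1.1 400 Bad Request');
    exit;
  }
  // Command-line runs have no Host header; use the first entry.
  $host = $example_hosts[0];
}

$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// The value contains no script path, so a request to the CKFinder
// connector.php gets the same $base_url as a request to index.php.
$base_url = ($is_https ? 'https' : 'http') . '://' . $host; // no trailing slash
$cookie_domain = $host;
```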