CKFinder relies on CheckAuthentication() in includes/filemanager.config.php for authenticating. CheckAuthentication() bootstraps Drupal, then checks for user rights. Drupal sets the session cookie name to a hash of $base_url at bootstrap. If $base_url is not explicitly set in the Drupal settings.php file, Drupal will set it based on the current URL, which for CKFinder is something like /sites/all/modules/ckeditor/ckfinder/core/connector/php. Thus, Drupal will look for the session cookie under the wrong name. This renders CKFinder useless.
Steps to reproduce:
1. make sure $base_url is not manually set
2. open some WYSIWYG content
3. click on the image icon
4. click on Browse Server
You will get a permission error.
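The mismatch described in this report, as an added PHP sketch (not part of the original issue, and not Drupal or CKFinder code). It is a simplified model of how Drupal 7 derives $base_url and the session cookie name when $base_url and $cookie_domain are both unset; the host name and the connector.php script name are assumed sample values.

```php
<?php
// Simplified model (assumption: mirrors Drupal 7 bootstrap behaviour when
// settings.php sets neither $base_url nor $cookie_domain).
// Host name and script paths are constructed sample values.

/** Derive the base URL from the request, as done when it is not configured. */
function derive_base_url(string $scheme, string $host, string $script_name): string {
  $base_url = $scheme . '://' . $host;
  // The directory of the executing script is appended to the host.
  $dir = rtrim(dirname($script_name), '\/');
  return $dir !== '' ? $base_url . $dir : $base_url;
}

/** Session cookie name: prefix plus truncated hash of the base URL without scheme. */
function session_cookie_name(string $base_url, bool $secure = FALSE): string {
  list(, $name) = explode('://', $base_url, 2);
  return ($secure ? 'SSESS' : 'SESS') . substr(hash('sha256', $name), 0, 32);
}

$host = 'example.com';

// Normal page request: index.php in the docroot; the cookie is set at login.
$site = derive_base_url('http', $host, '/index.php');

// CKFinder AJAX request: the connector script bootstraps Drupal itself, so the
// script directory (and therefore the derived base URL) is different.
$connector = derive_base_url('http', $host,
  '/sites/all/modules/ckeditor/ckfinder/core/connector/php/connector.php');

$cookie_set_at_login = session_cookie_name($site);
$cookie_expected_by_connector = session_cookie_name($connector);

printf("site:      %s -> %s\n", $site, $cookie_set_at_login);
printf("connector: %s -> %s\n", $connector, $cookie_expected_by_connector);

// The browser sends the first cookie, but the bootstrap inside the connector
// looks for the second one, so the session is not found.
printf("names match without \$base_url: %s\n",
  $cookie_set_at_login === $cookie_expected_by_connector ? 'yes' : 'no');

// With $base_url pinned in settings.php, every entry point hashes the same value.
$pinned = 'http://example.com';
printf("names match with pinned \$base_url: %s\n",
  session_cookie_name($pinned) === $cookie_set_at_login ? 'yes' : 'no');
```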
Comments
Comment #1
Tgr commented
The HTML filter ate part of the URL... so, the base URL Drupal sets for the AJAX request sent by CKFinder is (real-base-url)/sites/all/modules/ckeditor/ckfinder/core/connector/php.
Comment #2
Tgr commented
A quick and very dirty way to work around the problem is adding
to the beginning of filemanager.config.php.
Comment #3
mkesicki commented
Setting $base_url and $cookie_domain is required to use CKFinder. Everything is described in the documentation: http://docs.cksource.com/CKEditor_for_Drupal/Open_Source/Drupal_7/CKFinder.
I don't think that this is a big problem to set these two variables.
Comment #4
Tgr commented
It can be, when you have multiple domains pointing to the same site. Drupal has an intelligent algorithm for figuring out base_url from the domain name of the request; replicating that in settings.php can be problematic for multiple reasons:
- it is not DRY
- you are putting non-trivial code in a configuration file which is likely not version-controlled; that is hard to maintain
- there might be security implications if you mess up (e.g. do not sanitize $_SERVER['HTTP_HOST'] properly)