Hi!

Module bypass any access control!

I have update my ckeditor to http://ftp.drupal.org/files/projects/ckeditor-7.x-1.4.tar.gz

There is an option:

"Enable access to files located in the private folder
Use this option with care. If checked, CKEditor will allow anyone knowing the URL to view a file, if it located inside of the private path (sites/default/files/private) and if there is no information about the file in the Drupal database."

If i uncheck this then i cant download anything from private file system even i am user 1.
But when i check this option i am able to download it from even that account have not access to node from file is.

so please remove this feature or make it to work with other modules.

regards,
Mike

Comments

MStrzelecki_’s picture

Status: Active » Closed (works as designed)

I have to change default private file path in ckeditor settings, so this information might be useful for somebody.

mkesicki’s picture

Title: bypass any access control » [D7] Access to private file (download) problems
veleiro’s picture

Version: 7.x-1.4 » 7.x-1.x-dev
Assigned: MStrzelecki_ » Unassigned

I confirm this bug. It had me baffled for the longest time until i went down and disabled and re-enabled my long list of mods. If left unchecked "Enable access to files located in the private folder," User 1, nor anyone else, cannot even access private files.

veleiro’s picture

Status: Closed (works as designed) » Active
mkesicki’s picture

Status: Active » Postponed (maintainer needs more info)

@veleiro , please write which modules to check access control do you use

veleiro’s picture

I didn't understand your request.

Steps to reproduce: when ckeditor is installed and enabled on a private file system with no other modules installed, the default configuration has "Enable access to files located in the private folder" checked, under Global Profile settings. With this default configuration, User 1 no anyone else can access any private files added.

mkesicki’s picture

@veleiro
when "Enable access to files located in the private folder" option is checked you should access private files.
Which version of CKEditor module do you use ?
Does your file exists in database ?
Can you try access it when CKEditor module is disabled ?

mkesicki’s picture

I commited change to #1343310: [D7] Change settings for private download please check latest DEV version.

veleiro’s picture

@michal_cksource

thank you for your repies

I am using the development version of ckeditor (25 Nov), and my file does exist in the database (I uploaded it through drupal). When I disable the CKEditor module, I am able to access my private files again. Does this help?

In theory, shouldn't User 1 always be able to access any files, private or public, if they are served through drupal?

mkesicki’s picture

I committed changes to GIT (click here to see the diff).
Please check it and write if this helps or not.
@veleiro thank you for help.

veleiro’s picture

This fixes the problem, thank you!!

Now I think that when new users of CKeditor enable the mod, they wont have a hard time figuring out why they cant get access to their private files

mkesicki’s picture

Status: Postponed (maintainer needs more info) » Fixed

Thank you @veleiro.
Glad to hear that this problem is fixed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

alexkb’s picture

I'm using the current -dev version, and having various issues with CKFinder actually saving the files that get uploaded. It seems to know they exist, but they're no where to be found in sites/default/files/private, and the html just renders out broken images.

Additionally, I see the following error in my drupal status report, that I can't get rid of:

CKFinder is not installed correctly: C:\wamp\vhosts\drupal-7.10sites/all/modules/ckeditor/ckfinder/config.php not found. Make sure that you uploaded all files and did not accidentally remove the configuration file

The config.php definitely exists, and ckfinder actually works when I goto "Browse Server" in CKEditor, so it's probably fine to ignore, i guess? I'll have another go tomorrow, and will report back what I find.

mkesicki’s picture

@alexkb mentioned error about status report is known and will be fixed.
If you use private download method in drupal please check settings for "Enable access to files located in the private folder " and "Location of files uploaded with CKEditor to the private folder " options in CKEditor Global profile. Please remember that these settings shows only when you have "Private download method" set in Drupal.

alexkb’s picture

michal_cksource: as mentioned, these settings were already checked. I've given up on CKFinder, and resorted to using IMCE which works fine.

There is still an issue with private files being accessible even when the node is restricted, but that's another matter.

Thanks.

jorgbert’s picture

It appears that I may be running into the flip side of this exact same problem. And yes, it IS a problem. I have wasted the better part of a day trying to figure out what is going on. It's maddening. :)

"FileDepot throws "Access denied error" when combined with Drupal CKEditor 7.x-1.6 module"

http://drupal.org/node/1445458

jorgbert’s picture

We don't have any plans to store our images in the private directory. The solution was to comment out ALL of the "ckeditor_file_download" function in ckeditor.module. Now we no longer have problems with our FileDepot module for secure Document Management, and CKFinder works perfectly for embedding images, etc into webpages. The direct file access shaves about a minute over other solutions like WebFM that run through the database. We're not using CKFinder to download assets anyway. The web server directly accesses the custom /assets/images/ directory for lightning speed.

mkesicki’s picture

@jorgbert which version of CKEditor module do you tried and have problems with "FileDepot" module ?

jorgbert’s picture

Drupal CKEditor 7.x-1.6 module

Here is the complete rundown, and how I solved the problem - http://drupal.org/node/1445458

By the way I love both your CKEditor, CKFinder and their FileDepot Document Management. Media rounds out support for that area. All three products are (or will be since I found FileDepot) core parts of our installations. Now that I have CKFinder working with the other products I want to go online, and purchase your Corporate License at http://ckfinder.com/purchase

Have a great day!

mkesicki’s picture

@jorgbert in DEV version there is a patch to hook_download function in CKEditor module.
You can check it.

jorgbert’s picture

Cool. Thanks!