Hi!
Module bypasses any access control!
I have updated my CKEditor to http://ftp.drupal.org/files/projects/ckeditor-7.x-1.4.tar.gz
There is an option:
"Enable access to files located in the private folder
Use this option with care. If checked, CKEditor will allow anyone knowing the URL to view a file, if it located inside of the private path (sites/default/files/private) and if there is no information about the file in the Drupal database."
If I uncheck this, then I can't download anything from the private file system, even though I am user 1.
But when I check this option, I am able to download it even from an account that does not have access to the node the file is from.
So please remove this feature or make it work with other modules.
Regards,
Mike
Comments
Comment #1
MStrzelecki_ commented
I have to change the default private file path in the CKEditor settings, so this information might be useful for somebody.
Comment #2
mkesicki commented
Comment #3
veleiro commented
I confirm this bug. It had me baffled for the longest time until I went down and disabled and re-enabled my long list of mods. If "Enable access to files located in the private folder" is left unchecked, neither User 1 nor anyone else can even access private files.
Comment #4
veleiro commented
Comment #5
mkesicki commented
@veleiro, please write which modules you use to check access control.
Comment #6
veleiro commented
I didn't understand your request.
Steps to reproduce: when CKEditor is installed and enabled on a private file system with no other modules installed, the default configuration has "Enable access to files located in the private folder" checked, under Global Profile settings. With this default configuration, neither User 1 nor anyone else can access any private files added.
Comment #7
mkesicki commented
@veleiro
When the "Enable access to files located in the private folder" option is checked, you should be able to access private files.
Which version of the CKEditor module do you use?
Does your file exist in the database?
Can you try to access it when the CKEditor module is disabled?
Comment #8
mkesicki commented
I committed a change to #1343310: [D7] Change settings for private download. Please check the latest DEV version.
Comment #9
veleiro commented
@michal_cksource
Thank you for your replies.
I am using the development version of ckeditor (25 Nov), and my file does exist in the database (I uploaded it through drupal). When I disable the CKEditor module, I am able to access my private files again. Does this help?
In theory, shouldn't User 1 always be able to access any files, private or public, if they are served through drupal?
Comment #10
mkesicki commented
I committed changes to GIT (click here to see the diff).
Please check it and write if this helps or not.
@veleiro, thank you for your help.
Comment #11
veleiro commented
This fixes the problem, thank you!!
Now I think that when new users of CKEditor enable the mod, they won't have a hard time figuring out why they can't get access to their private files.
Comment #12
mkesicki commented
Thank you @veleiro.
Glad to hear that this problem is fixed.
Comment #14
alexkb commented
I'm using the current -dev version, and having various issues with CKFinder actually saving the files that get uploaded. It seems to know they exist, but they're nowhere to be found in sites/default/files/private, and the HTML just renders out broken images.
Additionally, I see the following error in my Drupal status report, that I can't get rid of:
The config.php definitely exists, and CKFinder actually works when I go to "Browse Server" in CKEditor, so it's probably fine to ignore, I guess? I'll have another go tomorrow, and will report back what I find.
Comment #15
mkesicki commented
@alexkb, the mentioned error about the status report is known and will be fixed.
If you use the private download method in Drupal, please check the settings for the "Enable access to files located in the private folder" and "Location of files uploaded with CKEditor to the private folder" options in the CKEditor Global profile. Please remember that these settings show only when you have "Private download method" set in Drupal.
Comment #16
alexkb commented
michal_cksource: as mentioned, these settings were already checked. I've given up on CKFinder, and resorted to using IMCE which works fine.
There is still an issue with private files being accessible even when the node is restricted, but that's another matter.
Thanks.
Comment #17
jorgbert commented
It appears that I may be running into the flip side of this exact same problem. And yes, it IS a problem. I have wasted the better part of a day trying to figure out what is going on. It's maddening. :)
"FileDepot throws "Access denied error" when combined with Drupal CKEditor 7.x-1.6 module"
http://drupal.org/node/1445458
Comment #18
jorgbert commented
We don't have any plans to store our images in the private directory. The solution was to comment out ALL of the "ckeditor_file_download" function in ckeditor.module. Now we no longer have problems with our FileDepot module for secure Document Management, and CKFinder works perfectly for embedding images, etc. into webpages. The direct file access shaves about a minute over other solutions like WebFM that run through the database. We're not using CKFinder to download assets anyway. The web server directly accesses the custom /assets/images/ directory for lightning speed.
Comment #19
mkesicki commented
@jorgbert, which version of the CKEditor module did you try and have problems with the "FileDepot" module?
Comment #20
jorgbert commented
Drupal CKEditor 7.x-1.6 module
Here is the complete rundown, and how I solved the problem - http://drupal.org/node/1445458
By the way I love both your CKEditor, CKFinder and their FileDepot Document Management. Media rounds out support for that area. All three products are (or will be since I found FileDepot) core parts of our installations. Now that I have CKFinder working with the other products I want to go online, and purchase your Corporate License at http://ckfinder.com/purchase
Have a great day!
Comment #21
mkesicki commented
@jorgbert, in the DEV version there is a patch to the hook_download function in the CKEditor module.
You can check it.
Comment #22
jorgbert commented
Cool. Thanks!
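
How both symptoms in this thread can follow from a single hook, as an added example that is not part of the thread and is not the CKEditor module's code: a simplified stand-alone PHP model of the way Drupal 7 core combines `hook_file_download()` results. The hook closures, the sample URIs and the `private://ckeditor/` folder are hypothetical, and the scoped hook is one possible approach, not the committed patch.

```php
<?php
// Simplified model of how Drupal 7 core combines hook_file_download() results.
// A hook returns an array of headers (grant), -1 (deny) or NULL (no opinion).
function combine_file_download(array $hooks, $uri) {
  $headers = array();
  foreach ($hooks as $hook) {
    $result = $hook($uri);
    if ($result === -1) {
      return FALSE; // a single veto denies the request, even for user 1
    }
    if (is_array($result)) {
      $headers = array_merge($headers, $result);
    }
  }
  return count($headers) > 0; // nobody granted headers: access denied
}

// Constructed sample: the one file that has a database record.
$managed = array('private://docs/report.pdf');

// Hypothetical module that owns managed files and lets this user read them.
$owner_hook = function ($uri) use ($managed) {
  return in_array($uri, $managed) ? array('Content-Type' => 'application/pdf') : NULL;
};

// Hypothetical editor hook that answers for every private file
// (models the "option unchecked" symptom reported above).
$broad_hook = function ($uri) {
  return -1; // vetoes files it never uploaded
};

// Hypothetical editor hook limited to its own folder and to files
// that have no database record; everything else gets "no opinion".
function scoped_hook($option_checked, array $managed, $folder = 'private://ckeditor/') {
  return function ($uri) use ($option_checked, $managed, $folder) {
    if (strpos($uri, $folder) !== 0 || in_array($uri, $managed)) {
      return NULL; // not ours: the module that owns the file decides
    }
    return $option_checked ? array('Content-Type' => 'application/octet-stream') : -1;
  };
}

$doc = 'private://docs/report.pdf';
$img = 'private://ckeditor/a.png';
// Managed file, broad hook present: the veto overrides the owner's grant.
var_dump(combine_file_download(array($owner_hook, $broad_hook), $doc));
// Managed file, scoped hook: the owner's decision stands whatever the option says.
var_dump(combine_file_download(array($owner_hook, scoped_hook(FALSE, $managed)), $doc));
// Untracked file in the editor folder: served only when the option is checked.
var_dump(combine_file_download(array($owner_hook, scoped_hook(TRUE, $managed)), $img));
var_dump(combine_file_download(array($owner_hook, scoped_hook(FALSE, $managed)), $img));
```

A hook that returns headers for a file also bypasses any node-level restriction unless some other module vetoes, which is why the scoped variant abstains for every file that has a database record.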