File Manager
How to add file upload/management in wikka
Why
I've set up a wikka site for my company in order to store the knowledge base and allow every user to read/write docs without leaving their workstation to find an old doc in the company's archives. My problem was quite simple: I need users to add screenshots in wiki pages. Letting them do so by FTP would be a loss of time for them; they need something quick and simple. I also had less than 1hr to add this feature.
What
I want a file manager, with upload, rename, move, directory support and so on. Once gently asked for that, Google pointed me to a script called webadmin. This script is a single file doing everything a file manager is supposed to do. Now let's add it to wikka to allow my users to work more efficiently.
How
First, I want to add a 4th button in the edit handler, right after the textbox. Here is what I've modified in /handlers/page/edit.php :
$output .=
$this->FormOpen("edit").
"<input type=\"hidden\" name=\"previous\" value=\"".$previous."\" />\n".
"<textarea onKeyDown=\"fKeyDown()\" id=\"body\" name=\"body\" style=\"width: 100%; height: 500px\">".htmlspecialchars($body)."</textarea><br />\n".
//note add Edit
"<input size=\"40\" type=\"text\" name=\"note\" value=\"".htmlspecialchars($note)."\" /> Please add a note on your edit.<br />\n".
//finish
"<input name=\"submit\" type=\"submit\" value=\"Store\" accesskey=\"s\" /> <input name=\"submit\" type=\"submit\" value=\"Preview\" accesskey=\"p\" /> <input type=\"button\" value=\"Cancel\" onclick=\"\" /> ".
//ChiWaWa's little FileManagerHack
"<input type=\"button\" value=\"Manage Files\" onclick=\"window.open('/handlers/3rdparty/webadmin.php','FileManagement','height=600,width=800,toolbar=yes,location=1')\" />\n".
$this->FormClose();
Notes :
- wikka is the site root; this is important to know when setting the path /handlers/3rdparty/webadmin.php. Giving the full URI to the webadmin.php script also works, but I had trouble with relative paths
- The file manager opens in a popup window so as not to interfere with the page being edited
- Feel free to modify the popup window parameters to fit your needs. Usually 800x600 gives the best results.
Next step : add the script to wikka's tree
- Create the /handlers/3rdparty directory
- Copy webadmin.php into it
- Important (I've lost a lot of time trying to fix that) : copy /images/.htaccess to /handlers/3rdparty/
Finally edit webadmin.php to change some parameters :
$lang = 'auto';
//this is probably what you want, although setting $lang to 'en' is closer to wikka's way to handle I18N
$homedir = '../../images';
//this is intended to use webadmin as an image uploader. It is still able to go up to wikka's root directory... ouch
And.. that's it. Now edit a page, click on the button, and if the webserver has write access to the images directory, you're able to upload and manage files.
BUT
This hack is an awful security threat for a public site. webadmin.php is able to get up to the site root, and also allows anyone to download (and read) wikka.config.php, with your database password in clear text in it. Guess what could happen... once the 3v1l H4cK3R has uploaded PHPMyAdmin to dump and modify your database...
This was not an issue for me, as the hack was first intended to work only on an intranet site. But using it on a public site is impossible for a non-brainless admin. So here's what we can do :
According to some user feedback on wikka's crowded IRC channel (irc://irc.freenode.net/#wikka), the use of a file manager on a public site would be interesting for administrative purposes. It is not necessary to let every user upload files (and actually it's more likely a very bad idea to let unregistered / untrusted users upload anything). Restricting access to webadmin for administrative tasks is a piece of cake thanks to Apache's .htaccess/.htpasswd. (What? you're running Microsoft IIS? oh so you don't even know what security is? ;o) )
So here is the simplest way to get an admin authentication system for access to 3rdparty scripts :
- edit /handlers/3rdparty/.htaccess (the one you got from /images/)
- add the following lines :
AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/your/.htpasswd
Require valid-user
- Then run :
htpasswd -c /full/path/to/your/.htpasswd AdminUserName
- Type your password twice; it'll add an encoded password line to the file, and that's it. Simply run
htpasswd /full/path/to/your/.htpasswd NewUserName
Notes:
The .htpasswd file should not be in your webserver's root. It's better not to even give Apache write access to it. It can also have another name; some use httpasswd or passwords
This procedure is to be run on a Unix/Linux system; I don't know how it works on a Windows server. I've heard of some .htpasswd generators online; google for that if you haven't yet switched to Linux or Mac OS X.
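A quick audit of the setup described above, as an added example (not part of the original page, wikka or webadmin): it checks that /handlers/3rdparty/.htaccess carries the Basic-auth directives and that the AuthUserFile it names exists, sits outside the web root and is not world-writable. The function names and the site-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not wikka or webadmin code). Function names are hypothetical.
# Usage: audit_3rdparty /path/on/disk/to/wikka

# Print the AuthUserFile path named in .htaccess file $1 (empty if none).
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed only if .htaccess file $1 carries the directives from the page.
has_basic_auth() {
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$1" &&
    grep -Eiq '^[[:space:]]*AuthUserFile[[:space:]]+[^[:space:]]' "$1" &&
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$1"
}

# Succeed if file $1 lives under directory $2 (directory symlinks resolved).
is_inside() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in "$root"/*) return 0 ;; *) return 1 ;; esac
}

audit_3rdparty() {
    docroot=$1
    ht="$docroot/handlers/3rdparty/.htaccess"
    rc=0
    [ -f "$ht" ] || { echo "FAIL: $ht is missing"; return 1; }
    has_basic_auth "$ht" || { echo "FAIL: Basic-auth directives incomplete"; rc=1; }
    pw=$(auth_user_file "$ht")
    if [ -z "$pw" ] || [ ! -f "$pw" ]; then
        echo "FAIL: AuthUserFile '$pw' not found"; rc=1
    elif is_inside "$pw" "$docroot"; then
        echo "FAIL: $pw is inside the web root"; rc=1
    elif [ -n "$(find "$pw" -prune -perm -002)" ]; then
        echo "FAIL: $pw is world-writable"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: $ht"
    return "$rc"
}
```

A world-writable check is only a proxy for the note above; to confirm Apache itself cannot write the file, compare its owner and group with the account the web server runs as.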
And now?
This thing is just an ugly hack to add file management capabilities to wikka. It cannot handle ACL and is a security threat. So please use it with caution. In the future, I'd try to work on integrating a file management system in WikkaCore to handle ACL and user rights. This would be a page attachment more than a file manager imho.
The End
For more information, ask in comments or come and idle on IRC ;o)
Thanks
Thanks to JavaWoman and DarTar for their help on the (noisy) IRC channel ;o)
CategoryUserContributions