CKFinder3 ASP.NET The file browser is disabled for security reasons - asp.net

I know this question is already answered but that's for PHP users. I'm using ASP.NET and this error keeps happening. I tried to look for the config in the CKFinderScripts folder but there is no such config (in the 2nd version there is, but I don't understand why this version does not have it). I created a config in aspx myself but it still doesn't work.
<%@ Control Language="C#" EnableViewState="false" AutoEventWireup="false" Inherits="CKFinder.Settings.ConfigFile" %>
<%@ Import Namespace="CKFinder.Settings" %>
<script runat="server">
    /**
     * This function must check the user session to be sure that he/she is
     * authorized to upload and access files using CKFinder.
     */
    public override bool CheckAuthentication()
    {
        // WARNING : DO NOT simply return "true". By doing so, you are allowing
        // "anyone" to upload and list the files in your server. You must implement
        // some kind of session validation here. Even something very simple as...
        //
        // return ( Session[ "IsAuthorized" ] != null && (bool)Session[ "IsAuthorized" ] == true );
        //
        // ... where Session[ "IsAuthorized" ] is set to "true" as soon as the
        // user logs on your system.
        return true;
    }

    /**
     * All configuration settings must be defined here.
     */
    public override void SetConfig()
    {
        // Paste your license name and key here. If left blank, CKFinder will
        // be fully functional, in Demo Mode.
        LicenseName = "";
        LicenseKey = "";

        // The base URL used to reach files in CKFinder through the browser.
        BaseUrl = "/ckfinder/userfiles/";

        // The physical directory in the server where the file will end up. If
        // blank, CKFinder attempts to resolve BaseUrl.
        BaseDir = "";

        // Optional: enable extra plugins (remember to copy .dll files first).
        Plugins = new string[] {
            // "CKFinder.Plugins.FileEditor, CKFinder_FileEditor",
            // "CKFinder.Plugins.ImageResize, CKFinder_ImageResize",
            // "CKFinder.Plugins.Watermark, CKFinder_Watermark"
        };

        // Settings for extra plugins.
        PluginSettings = new Hashtable();
        PluginSettings.Add("ImageResize_smallThumb", "90x90" );
        PluginSettings.Add("ImageResize_mediumThumb", "120x120" );
        PluginSettings.Add("ImageResize_largeThumb", "180x180" );

        // Name of the watermark image in plugins/watermark folder
        PluginSettings.Add("Watermark_source", "logo.gif" );
        PluginSettings.Add("Watermark_marginRight", "5" );
        PluginSettings.Add("Watermark_marginBottom", "5" );
        PluginSettings.Add("Watermark_quality", "90" );
        PluginSettings.Add("Watermark_transparency", "80" );

        // Thumbnail settings.
        // "Url" is used to reach the thumbnails with the browser, while "Dir"
        // points to the physical location of the thumbnail files in the server.
        Thumbnails.Url = BaseUrl + "_thumbs/";
        if ( BaseDir != "" ) {
            Thumbnails.Dir = BaseDir + "_thumbs/";
        }
        Thumbnails.Enabled = true;
        Thumbnails.DirectAccess = false;
        Thumbnails.MaxWidth = 100;
        Thumbnails.MaxHeight = 100;
        Thumbnails.Quality = 80;

        // Set the maximum size of uploaded images. If an uploaded image is
        // larger, it gets scaled down proportionally. Set to 0 to disable this
        // feature.
        Images.MaxWidth = 1600;
        Images.MaxHeight = 1200;
        Images.Quality = 80;

        // Indicates that the file size (MaxSize) for images must be checked only
        // after scaling them. Otherwise, it is checked right after uploading.
        CheckSizeAfterScaling = true;

        // Increases the security on an IIS web server.
        // If enabled, CKFinder will disallow creating folders and uploading files whose names contain characters
        // that are not safe under an IIS 6.0 web server.
        DisallowUnsafeCharacters = true;

        // If CheckDoubleExtension is enabled, each part of the file name after a dot is
        // checked, not only the last part. In this way, uploading foo.php.rar would be
        // denied, because "php" is on the denied extensions list.
        // This option is used only if ForceSingleExtension is set to false.
        CheckDoubleExtension = true;

        // Due to security issues with Apache modules, it is recommended to leave the
        // following setting enabled. It can be safely disabled on IIS.
        ForceSingleExtension = true;

        // For security, HTML is allowed in the first Kb of data for files having the
        // following extensions only.
        HtmlExtensions = new string[] { "html", "htm", "xml", "js" };

        // Folders to not display in CKFinder, no matter their location. No
        // paths are accepted, only the folder name.
        // The * and ? wildcards are accepted.
        // By default folders starting with a dot character are disallowed.
        HideFolders = new string[] { ".*", "CVS" };

        // Files to not display in CKFinder, no matter their location. No
        // paths are accepted, only the file name, including extension.
        // The * and ? wildcards are accepted.
        HideFiles = new string[] { ".*" };

        // Perform additional checks for image files.
        SecureImageUploads = true;

        // Enables protection in the connector.
        // The default CSRF protection mechanism is based on double submit cookies, where
        // the connector checks if the request contains a valid token that matches the token
        // sent in the cookie.
        //
        // https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookies
        EnableCsrfProtection = true;

        // The session variable name that CKFinder must use to retrieve the
        // "role" of the current user. The "role" is optional and can be used
        // in the "AccessControl" settings (below in this file).
        RoleSessionVar = "CKFinder_UserRole";

        // ACL (Access Control) settings. Used to restrict access or features
        // to specific folders.
        // Several "AccessControl.Add()" calls can be made, which return a
        // single ACL setting object to be configured. All properties settings
        // are optional in that object.
        // Subfolders inherit their default settings from their parents' definitions.
        //
        // - The "Role" property accepts the special "*" value, which means
        //   "everybody".
        // - The "ResourceType" attribute accepts the special value "*", which
        //   means "all resource types".
        AccessControl acl = AccessControl.Add();
        acl.Role = "*";
        acl.ResourceType = "*";
        acl.Folder = "/";
        acl.FolderView = true;
        acl.FolderCreate = true;
        acl.FolderRename = true;
        acl.FolderDelete = true;
        acl.FileView = true;
        acl.FileUpload = true;
        acl.FileRename = true;
        acl.FileDelete = true;

        // Resource Type settings.
        // A resource type is nothing more than a way to group files under
        // different paths, each one having different configuration settings.
        // Each resource type name must be unique.
        // When loading CKFinder, the "type" querystring parameter can be used
        // to display a specific type only. If "type" is omitted in the URL,
        // the "DefaultResourceTypes" setting is used (may contain the
        // resource type names separated by a comma). If left empty, all types
        // are loaded.
        // ==============================================================================
        // ATTENTION: Flash files with `swf' extension, just like HTML files, can be used
        // to execute JavaScript code and to e.g. perform an XSS attack. Grant permission
        // to upload `.swf` files only if you understand and can accept this risk.
        // ==============================================================================
        DefaultResourceTypes = "";

        ResourceType type;
        type = ResourceType.Add( "Files" );
        type.Url = BaseUrl + "files/";
        type.Dir = BaseDir == "" ? "" : BaseDir + "files/";
        type.MaxSize = 0;
        type.AllowedExtensions = new string[] { "7z", "aiff", "asf", "avi", "bmp", "csv", "doc", "docx", "fla", "flv", "gif", "gz", "gzip", "jpeg", "jpg", "mid", "mov", "mp3", "mp4", "mpc", "mpeg", "mpg", "ods", "odt", "pdf", "png", "ppt", "pptx", "pxd", "qt", "ram", "rar", "rm", "rmi", "rmvb", "rtf", "sdc", "sitd", "swf", "sxc", "sxw", "tar", "tgz", "tif", "tiff", "txt", "vsd", "wav", "wma", "wmv", "xls", "xlsx", "zip" };
        type.DeniedExtensions = new string[] { };

        type = ResourceType.Add( "Images" );
        type.Url = BaseUrl + "images/";
        type.Dir = BaseDir == "" ? "" : BaseDir + "images/";
        type.MaxSize = 0;
        type.AllowedExtensions = new string[] { "bmp", "gif", "jpeg", "jpg", "png" };
        type.DeniedExtensions = new string[] { };

        type = ResourceType.Add( "Flash" );
        type.Url = BaseUrl + "flash/";
        type.Dir = BaseDir == "" ? "" : BaseDir + "flash/";
        type.MaxSize = 0;
        type.AllowedExtensions = new string[] { "swf", "flv" };
        type.DeniedExtensions = new string[] { };
    }
</script>

CKFinder 3 doesn't use config.aspx. It uses web.config. Now, if you are using CKFinder as a standalone application then please see: https://docs.ckeditor.com/ckfinder/ckfinder3-net/quickstart.html#quickstart_configuration_authentication. Adding the * in <add key="ckfinderAllowedRole" value="" /> will fix the problem, but please note that everyone will have access to your CKFinder then, and while this approach may be good for testing, you should create your own authentication mechanism before hitting production: https://docs.ckeditor.com/ckfinder/ckfinder3-net/howto.html#howto_custom_authenticator
If your CKFinder is integrated into an application, e.g. you have used the basic MVC template together with NuGet packages, then it is the application which controls access to its resources, and in order to get to CKFinder you need to log into your application (simple as that). If you have any extra access levels where you can define what a user can access or not, this is something you figure out and configure on your own.

Alfresco web scripts: How do I stop processing or return early?

I have a web script in Alfresco that works when I pass in the correct arguments in my HTTP request. I have added validation similar to this snippet (source).
How can I tell Alfresco to stop processing the webscript if I find that my validation steps have failed? (If possible, I would like to do this without an else block.)
// extract folder listing arguments from URI
var verbose = (args.verbose == "true" ? true : false);
var folderpath = url.templateArgs.folderpath;

// search for folder within Alfresco content repository
var folder = roothome.childByNamePath(folderpath);

// validate that folder has been found
if (folder == undefined || !folder.isContainer) {
    status.code = 404;
    status.message = "Folder " + folderpath + " not found.";
    status.redirect = true;
    // ********* HOW DO I TELL ALFRESCO TO STOP PROCESSING HERE? ************
}

// perform some business logic with the parameters that passed validation......
// ********* I DO NOT WANT TO COME HERE IF VALIDATION FAILS ************

// construct model for response template to render
model.verbose = verbose;
model.folder = folder;
The trick here is to wrap your code in a function (usually called main by convention). Just call that function and return from that function if you want to stop processing. Like so:
function main() {
    // extract folder listing arguments from URI
    var verbose = (args.verbose == "true" ? true : false);
    var folderpath = url.templateArgs.folderpath;

    // search for folder within Alfresco content repository
    var folder = roothome.childByNamePath(folderpath);

    // validate that folder has been found
    if (folder == undefined || !folder.isContainer) {
        status.code = 404;
        status.message = "Folder " + folderpath + " not found.";
        status.redirect = true;
        return;
    }

    // Do stuff with the folder
}

main();

Sqlite support for openfl

I'm trying to drop in sqlite support for saving the score and some flags. I need to open the db if it exists, then init game values based on the db. If the db does not exist, I need to create/init it. The code below compiles but crashes for an unknown reason.
package mygame;

<snip imports>
import sys.db.Types;

class ScoreDB extends sys.db.Object {
    public var id : SId;
    public var dbscore1 : SInt;
    public var dbsound : SInt;
    public var dbscore2 : SInt;
}

class mygame extends Sprite {
    <snip var defines>

    public function new () {
        // start sqlite code
        sys.db.Manager.initialize();

        // db does exist
        // then read values
        // currentScore = score1.dbscore1;
        // doSound = score1.dbsound;
        // doScore = score1.dbscore2;

        // db does not exist:
        var cnx = sys.db.Sqlite.open("mybase.db");
        sys.db.Manager.cnx = cnx;
        sys.db.TableCreate.create(ScoreDB.manager);
        var score1 = new ScoreDB();
        score1.id = 0;
        score1.dbscore1 = 0;
        score1.dbsound = 0;
        score1.dbscore2 = 0;
        score1.insert();
        currentScore = 0;
        doSound = 0;
        doScore = 0;
        cnx.close();
        // end sqlite code

        super ();
        initialize ();
        construct ();
        newGame ();
    }
}
I actually just solved the same issue.
The problem is that the app is essentially a .zip file and cannot be edited. You need to create (and later access) the DB in the app storage directory.
To access the directory use following code:
private static var localStoragePath:String = openfl.utils.SystemPath.applicationStorageDirectory;
There is a known bug that the IDEs don't show the SystemPath class, but don't mind it, it will compile without problems.
Later, with your common tools you can read and write the directory, create new folders etc.
Here's a quick test, to make sure it works and doesn't crash:
// creating a test folder
sys.FileSystem.createDirectory(openfl.utils.SystemPath.applicationStorageDirectory + "/testFolder");
var form:TextFormat = new TextFormat(null, 22, 0xFFFFFF);
// getting contents of the storage dir
var arr = sys.FileSystem.readDirectory(openfl.utils.SystemPath.applicationStorageDirectory);
var tf:TextField = new TextField();
tf.defaultTextFormat = form;
tf.width = Lib.current.stage.stageWidth;
tf.height = Lib.current.stage.stageHeight;
tf.multiline = true;
tf.wordWrap = true;
tf.text = arr.toString();
addChild(tf);
As you'll see, the newly created folder is there. You can delete the line that creates the folder and you'll see it's safe.
Oh, and don't forget to add Android permissions in the XML file:
<android permission="android.permission.WRITE_EXTERNAL_STORAGE"/>
As far as I know there are no sqlite definitions in openfl, and the ones you use are just normal cpp target definitions. I suppose the problem is they don't work on android. Even more: I'm quite sure the api definitions are ok, but it tries to load a dll with a wrong name, which probably kills your app without even letting out an error. Try to look into the implementation (it is short and easy to understand) and change the dll name.

Link to Sql Update Row

Ok, I need to update the field Active to True. This is the code:
public static bool FirstLogin(Guid ActivationCode)
{
    using (InfinityNightDataContext data = new InfinityNightDataContext())
    {
        // SingleOrDefault returns null when no row matches; Single() would throw
        // instead, which made the null check below unreachable.
        User user = data.Users.SingleOrDefault(u => u.EmailActivation == ActivationCode);
        if (user != null)
        {
            user.Active = true;
            user.Exp = "i HAs here";
            data.SubmitChanges();
            InstallMembershipCookie(user.UserId, user.Email, user.Password, user.UserType, user.FirstName, user.UserImg, "", true);
            return true;
        }
        else
        {
            return false;
        }
    }
}
After data.SubmitChanges(); I can see the changes on the object user but not in the database. In another function this works, but in this case it doesn't work.
Anyone know what the problem is?
One possible option (as you haven't said much about your setup): Are you using a local database, or a user instance, i.e. does your connection string contain AttachDbFileName? If so is there another copy of the database in your active bin folder (bin\debug, for instance)? If there is can you attach that to SQL express and see if your change has appeared?

Asp.net File Upload Control

I have a file upload control and I want the file to be attached only when it is below some memory limit (8 MB). I get the file size using Ajax and call it on the onchange event, but I am not able to restrict the attachment of files. Can anyone help me?
This is the example code
function a(obj) {
    if ($(obj).val() != '') {
        var request;
        var flag = false;
        request = $.ajax({
            type: "POST",
            url: 'CheckFileSize.aspx',
            data: "search=" + $(obj).val(),
            success: function (size) {
                if (parseFloat(size) < 8192) {
                    flag = true;
                }
                if (!flag) {
                    alert('File size is greater than 8 MB. The size of the file is ' + (parseFloat(size)) / 1024 + ' MB');
                    // Doing something that restricts the user from uploading
                    $(obj).val(null);
                }
                return flag;
            }
        });
    }
    return false;
}
In your server-side method where you process the uploaded file, add this code:
if (myFileUploadControl.HasFile)
{
    int maxSize = Convert.ToInt32(ConfigurationManager.AppSettings.Get("MaxImageSize")); // MaxImageSize specified in web.config file to make it easy to change.
    int imageSize = myFileUploadControl.PostedFile.ContentLength;
    if (imageSize > maxSize)
    {
        string uploadImageError = "The selected file exceeds the maximum allowed size (" + maxSize / 1000 + "k)"; // Message to display to user.
    }
    else
    {
        // Code to process the file here.
    }
}
Adding the following to the system.web section of the web.config file will also prevent over-large uploads from being accepted.
<!-- set max upload to 25 MB -->
<httpRuntime executionTimeout="300" maxRequestLength="25000"/>
You should be able to clear the value of the input - in jQuery it would look something like
$('#fileInputId').val('')

ckfinder wont recognize role?

If somebody could help with this please.
I am trying to incorporate ckeditor and ckfinder into an Asp.Net Mvc 1 project. So far everything is working fine. The only thing I can't get to work right is the Access Control for ckfinder.
From what I understand, in the file ckfinder/config.ascx, the string variable RoleSessionVar is used to assign the role to be restricted. The default value is:
RoleSessionVar = "CKFinder_UserRole";
I have three roles in my project: Administrators, Editors and Contributors. So in order to get my current user Role I replaced it with:
string currentRole = "";
if (HttpContext.Current.User.IsInRole("Administrators"))
{
    currentRole = "Administrators";
}
else if (HttpContext.Current.User.IsInRole("Editors"))
{
    currentRole = "Editors";
}
else if (HttpContext.Current.User.IsInRole("Contributors"))
{
    currentRole = "Contributors";
}
RoleSessionVar = currentRole;
The variable gets assigned the correct Role for the current user. The next part in the config.ascx file is the ACL settings. The default ones are:
AccessControl acl = AccessControl.Add();
acl.Role = "*";
acl.ResourceType = "*";
acl.Folder = "/";
acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;
acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;
With these settings there are no problems with ckfinder: it lists all the folders and files, but with full permissions for everyone. I want to restrict deleting permissions for different Roles. Anyway, just as a test I tried to give full permissions to the Administrators role:
AccessControl acl = AccessControl.Add();
acl.Role = "Administrators";
acl.ResourceType = "*";
acl.Folder = "/";
acl.FolderView = true;
acl.FolderCreate = true;
acl.FolderRename = true;
acl.FolderDelete = true;
acl.FileView = true;
acl.FileUpload = true;
acl.FileRename = true;
acl.FileDelete = true;
But ckfinder will not show any folder or file even though RoleSessionVar = "Administrators".
I'll be very thankful for any light on the solution to this problem.
Byron
You need to do
Session["RoleSessionVar"] = currentRole;
you should try:
Session["CKFinder_UserRole"] = currentRole;
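Added example (not code from either CKFinder thread on this page) that ties the two together: RoleSessionVar is the name of a session key, the application writes the current user's role into that key at login, CheckAuthentication denies by default instead of returning true, and each role gets its own AccessControl entry. The three role names and the Session["IsAuthorized"] key come from the posts above; the login-time helper class and the per-role permission split are assumptions.

```csharp
// --- Application side (a .cs file, e.g. called from the login handler; hypothetical
// --- helper): map the signed-in principal to the single role CKFinder will read.
using System.Security.Principal;
using System.Web.SessionState;

public static class CkFinderSession
{
    // Most privileged role first: the first match wins.
    static readonly string[] RolesByPrecedence = { "Administrators", "Editors", "Contributors" };

    public static void Publish(HttpSessionState session, IPrincipal user)
    {
        string role = null;
        foreach (string candidate in RolesByPrecedence)
        {
            if (user.IsInRole(candidate)) { role = candidate; break; }
        }
        // Key name must equal the RoleSessionVar value set in config.ascx below.
        session["CKFinder_UserRole"] = role;
        // Only an authenticated user with a known role is authorized for the connector.
        session["IsAuthorized"] = user.Identity.IsAuthenticated && role != null;
    }
}

// --- config.ascx (inside <script runat="server">) ---
public override bool CheckAuthentication()
{
    // Deny by default: never return a constant true here.
    object authorized = Session != null ? Session["IsAuthorized"] : null;
    return authorized is bool && (bool)authorized;
}

public override void SetConfig()
{
    // BaseUrl, resource types and the other settings from the posted config go here.

    // RoleSessionVar is the NAME of the session key CKFinder reads, not the role itself.
    RoleSessionVar = "CKFinder_UserRole";

    // Administrators: full control over every resource type.
    AccessControl admins = AccessControl.Add();
    admins.Role = "Administrators"; admins.ResourceType = "*"; admins.Folder = "/";
    admins.FolderView = admins.FolderCreate = admins.FolderRename = admins.FolderDelete = true;
    admins.FileView = admins.FileUpload = admins.FileRename = admins.FileDelete = true;

    // Editors: may organise and upload, but never delete.
    AccessControl editors = AccessControl.Add();
    editors.Role = "Editors"; editors.ResourceType = "*"; editors.Folder = "/";
    editors.FolderView = editors.FolderCreate = editors.FolderRename = true;
    editors.FileView = editors.FileUpload = editors.FileRename = true;
    editors.FolderDelete = editors.FileDelete = false;

    // Contributors: browse and upload only.
    AccessControl contributors = AccessControl.Add();
    contributors.Role = "Contributors"; contributors.ResourceType = "*"; contributors.Folder = "/";
    contributors.FolderView = contributors.FileView = contributors.FileUpload = true;

    // Deliberately no Role = "*" entry: a session with no recognised role sees nothing.
}
```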