Protect Responsive FileManager from direct access

Question

I am using responsive FileManager 9.14.0 with TinyMCE 5.0.16 and Laravel 6 running on Nginx 1.16.1

I have the following folder structure:

| public
|    |- uploads
|    |- thumbs
|    |- filemanager
|    |- js
|    |   |- tinymce
|    |   |   |- plugins
|    |   |   |   |- responsivefilemanager
|    |   |   |   |   |- plugin.min.js

I use laravel authentication to protect a 'create' page where the user can add text using tinyMCE and upload images using RFM as tyniMCE plugin.

But RFM is accessible directly if with the following URL

http://www.myhost.test/filemanager/dialog.php

How can I prevent this behavior. I want RFM to be accessible only from the tinyMCE editor.

Answer 1

If it's still relevant, I can show you how I did it in Laravel 8

I proceeded from the opposite - if the user logged in under the admin, then there is no need to check it and therefore USE_ACCESS_KEYS do FALSE, otherwise - TRUE

And therefore, if he is NOT authenticated as an administrator, then he will NOT get access to the ResponsiveFileManager.

To do this, add such a function in the responsive_filemanager / filemanager / config / config.php file somewhere at the beginning of the file.

( Specify your own paths to the files '/vendor/autoload.php' and '/bootstrap/app.php' )

function use_access_keys() {
    require dirname(__DIR__, 4) . '/vendor/autoload.php';
    $app = require_once  dirname(__DIR__, 4) . '/bootstrap/app.php';
    $request = Illuminate\Http\Request::capture();
    $request->setMethod('GET');
    $app->make('Illuminate\Contracts\Http\Kernel')->handle($request);
    if (Auth::check() && Auth::user()->hasRole('admin')) {
        return false;
    }
    return true;
}

and then this line:

define('USE_ACCESS_KEYS', false);

replace with this:

define('USE_ACCESS_KEYS', use_access_keys());

And one moment. If after that, when opening the FileManager, the following error suddenly pops up: "Undefined variable: lang"

then open responsive_filemanager / filemanager / dialog.php

find the array $get_params and in it change like this:

'lang' => 'en',

Answer 2

im not familier with laravel but ...

in Responsive File Manager 9.0 there is a folder called config that contain config.php

| public
|    |- uploads
|    |- thumbs
|    |- filemanager
|    |   |- config
|    |   |   |- config.php
|    |- js
|    |   |- tinymce
|    |   |   |- plugins
|    |   |   |   |- responsivefilemanager
|    |   |   |   |   |- plugin.min.js

1. open config.php and change define('USE_ACCESS_KEYS', false); // TRUE or FALSE -------- to ------> define('USE_ACCESS_KEYS', true); // TRUE or FALSE

this force Responsive File Manager to use Aaccess Key to prevent all attempt from being accessed to your files and folders.

2. in same file at line 190 add your users auth_key for whom they need to use file-manager . for example :

   username: jim auth_key: a1s2d3f4g5h6j7k8l9mm
username: lisa auth_key: zqxwd3f4vrbth6j7btny

so line 190 should rewrite like line below:

'access_keys' => array( "a1s2d3f4g5h6j7k8l9" , "zqxwd3f4vrbth6j7btny"),

3. go to your form and add a button/link to access RESPONSIVE FILE MANAGER

   <a href="https://www.example.com/admin/responsive-filemanager/filemanager/dialog.php?akey=<?php echo {{{your authenticated user AUTH_KEY}}}; ?> </a>

if there is no {{{your authenticated user AUTH_KEY}}} there is 2 way: 1)) add a column auth_key to your users table and generate auth_key that should be equal for users they want to access to responsive file manager in both database and config.php file. 2)) use username instead of auth_key so your config at line 19 will be: 'access_keys' => array( "jim" , "lisa"),

and now your responsive file manager access link will be like this:

<a href="https://www.example.com/admin/responsive-filemanager/filemanager/dialog.php?akey=jim ></a>

jim is static here u should make it dynamic by call function to return authenticated user USERNAME and put it after &akey= in link

now if akey value in link find in access_key array the responsive file manager page will be work otherwise it show you ACCESS DENIED!!!