#1858 File Cabinet file permissions

closed-works-for-me
None
5
2010-04-22
2009-02-17
Andrew Patterson
No

It seems that file permissions are being set based on file type not on whether a file is private or public. All documents are set as not being readable by the world. All images and video are set as being readable by the world.

I see the code in the write() function in File_common.php has the ability to set file permissions as 640 or 644. But as described above that ends up being set based on file type not on whether it is public or private.

What this means is that all images and video are available to the world, even when they are intended as private, and public documents are only available to the world when a /filecabinet/n reference is used to address the document. Those using the fckeditor to browse files and build a link are unable to build a link to public documents.

File Cabinet version 2.2.2.

Discussion

  • Private and public folder status aren't really clearly defined in File Cabinet. For documents, a private folder's files can not be accessed via the system url (e.g. index.php?module=filecabinet&doc_id=1).
    A private image folder, on the other hand, doesn't restrict user interaction. Instead, it prevents admins from making random or carousel folders. Images can't be made private like documents because they have to be accessible to the browser when you use them on a page. Documents can be made inaccessible because they are served up on download, not by browsing. This is the reason you can set the document directory out of the web root in settings. To make images truly private, I would have to prevent direct access and instead process them via code. This seemed like unnecessary overhead.
    So maybe I should rename the folder status? I'll leave this open for discussion.

     
    • assigned_to: nobody --> stardog
    • status: open --> open-works-for-me
     
  • Matt,

    My workaround for this has been to default all files uploaded through File Cabinet to 0640, regardless of whether it is going into a public or private folder. That allows a user to maintain documents, images or media as private or public. The problem, as you point out, is that images and other file types are not available to a browser. The solution to that has been for the user to upload images that they want to include on a web page through fckeditor, and that is configured to put images in its own space, not the File Cabinet.

    I like the idea of public and private folders. It allows an organization to decide whether files are for public consumption or internal to the organization. Where it is such a predominant choice when folders are created, it is natural to assume that status has an effect when uploading and accessing files.

    I would argue that there will be times when an organization will want to maintain some images and media as private, for internal consumption only. And there will be times when a user will want to provide a physical link to a document (.doc, .pdf, etc.) from a web page. This will happen if we allow access to the file cabinet via the fckeditor browse feature. So I believe there is a need for all six combinations (three file types times two statuses).

    I don't know what it will take to determine the folder status when uploading a file, but it is being done when a file is viewed through phpwebsite so it is possible. Making public files 0644 and private files 0640 allows for all combinations.

    Andrew P.
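
The scheme proposed in the comment above (0644 for public folders, 0640 for private ones, independent of file type), as an added example that is not part of the original ticket and is not File Cabinet's own code. The function names and the `$folderIsPublic` flag are hypothetical; the flag is assumed to come from the folder record.

```php
<?php
// Added example: hypothetical helper, not File Cabinet's write() code.
// The mode follows the folder's public/private status, never the file type.

const MODE_PUBLIC  = 0644; // owner rw, group r, world r
const MODE_PRIVATE = 0640; // owner rw, group r, no world access

function modeForFolder(bool $folderIsPublic): int
{
    return $folderIsPublic ? MODE_PUBLIC : MODE_PRIVATE;
}

// Move a file into place and apply the mode for its folder.
// $folderIsPublic is assumed to be read from the folder record.
function storeWithFolderMode(string $tmpPath, string $destPath, bool $folderIsPublic): void
{
    $mode = modeForFolder($folderIsPublic);
    // Start restrictive so a private file is never world-readable,
    // even briefly, while it is being moved.
    if (!chmod($tmpPath, MODE_PRIVATE)) {
        throw new RuntimeException("chmod failed on $tmpPath");
    }
    // A real upload handler would use move_uploaded_file() here.
    if (!rename($tmpPath, $destPath)) {
        throw new RuntimeException("could not move file to $destPath");
    }
    if (!chmod($destPath, $mode)) {
        throw new RuntimeException("chmod failed on $destPath");
    }
    // chmod() is not subject to umask; confirm the stored mode anyway.
    clearstatcache(true, $destPath);
    $actual = fileperms($destPath) & 0777;
    if ($actual !== $mode) {
        throw new RuntimeException(sprintf('expected %04o, got %04o', $mode, $actual));
    }
}

// Constructed demo: the same file type (an image) under both folder statuses.
$dir = sys_get_temp_dir() . '/fc_demo_' . getmypid();
mkdir($dir, 0750);
foreach (['public' => true, 'private' => false] as $label => $isPublic) {
    $tmp = tempnam($dir, 'up');
    file_put_contents($tmp, 'constructed image bytes');
    $dest = "$dir/$label.jpg";
    storeWithFolderMode($tmp, $dest, $isPublic);
    printf("%s.jpg => %04o\n", $label, fileperms($dest) & 0777);
    unlink($dest);
}
rmdir($dir);
```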

     
  • Changing to pending

     
    • status: open-works-for-me --> pending-works-for-me
     
    • status: pending-works-for-me --> closed-works-for-me
     
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).