I have a JavaScript application on a page in Joomla which generates a graphic (png). I want to save this image to the image directory. Doing this with JavaScript is not possible for safety reasons. Is there in Joomla a PHP call which can be used to get this done?
You should look into the Joomla media manager file.json.php (for ajax use) or file.php controllers (from administrator/components/com_media/controllers)
Either will do, but you need to fulfill the requirements i.e.
having a valid login
passing along a security token
giving the user or user group privileges to upload (in media manager - options - permissions tab).
This should be enough to get you started.
Related
I have files stored in the server with the Plesk panel, currently, any person with the link of my site can access the file and download it.
Is there any way to prevent the download for all the users?
The general approach is to create a folder that is not in the root folder of the web site. In other words, you don't allow nor have valid URL's to a folder as a result. This does mean then you have to build some type of web page that can say list out some files and a button to click to download such files.
In other words, no valid url's exist. This tends to suggest that you have some type of grid or display of files. often even a database table to drive such a display is used.
When the user clicks on say a button on that grid row, then code behind can fetch the file, and "stream" it down to the user. The end result is thus no valid url's or resolvable path to the files exists.
Also, from IIS, turn off directory browsing. and thus again no valid URL's to the files exists.
The other approach? You can build a custom http handler. This approach is quite common. That way, any url that ends in .pdf will be trapped, and thus not allowed. As noted, this again means you have to provide a "list" of files, and a button to download - and again you can then stream the file from the server.
So there is quite a few ways, but ultimate, I as a general rule don't allow files to be downloaded or even accessed by URL's. I always provide some kind of web page, and a list of choices for the user. The code behind is what actually fetches the file, and then streams it down to the browser.
So, you can
Search for how to build a custom http handler for pdf files in asp.net
Search for how to stream a file to users in asp.net
how to turn off directory browsing in IIS.
There are a truckload of options here - in fact too many to really post and explain in Stack Overflow answer.
Is there a way to integrate elfinder with my current user permissions system? I would need some kind of hook which would be triggered before e.g. a file gets deleted. There I should be able to abort the delete command and return some kind of response if the logged in user doesn't have enough permissions.
Closest thing I found until now is this: Connector Configuration options - Bind
But it doesn't look like I'm able to abort the current action there....
It all depends on the way you implemented the server-side connector.
For example, I have a custom connector for PHP backend which saves and returns the files / folders based on a database table. This way, I can set the read and write options for each file / folder (check the Client-Server API docs).
To answer your question, you'll need to tweak the server side connector to set the read and write attributes, like stated in this wiki page.
There are different user for my website, and for each user there are separate PDF files, I want to give users privilege to download their files(but should not see the files of others users). Now I have created a login and I have the user-id in SESSION (I am using PHP for backend). So what is the secure way of accomplishing this task? Also how should I manage many of these PDFs on my server? (currently I have kept all the PDFs in one folder, but this seems insecure and I think these can easily be extracted by the un-authenticated user)
At a high level:
Store your PDFs outside of your webserver document root. Make them completely inaccessible to direct browser access.
Write a PHP script to handle download requests. This PHP page can check the session user ID to ensure the user is requesting a file that they are allowed to access.
Use header() calls and readfile() to then send the appropriate PDF file to the user.
Feel free to come back and post a question when you've researched and worked on this, and have a specific question with code.
I'm in the process of building a site that will help to organize my business. But I'm at a roadblock. Our site is coded in PHP and MySQL and as it currently stands, our contractors can upload images to our site, our site relabels the pictures and associates them with a work order (for ability to search later, if needed), then stores the images in our database.
However, what I want to do is have the images uploaded to their respective work order on our supplier's site. I have contacted our supplier and they will not allow us to access their server directly through the POST commands. So I'm curious if there is a way to still have our images uploaded from our site to our supplier's site. Their site is password protected. On their site, I find the work order associated to the work order and manually upload the images, but I'd like to find a way to do this automatically. The work order numbers between their site and ours are the same. Any ideas?
New Info
The comment I left below just states that I have to actually manually click the upload button, choose which photos to upload, then click "upload" to have the images uploaded. FTP is not allowed either.
If by "manually" you mean all by www after logging in, you can use CURL to simulate login session to their website (access login page to obtain session cookie, then post login data with that session cookie, and then with authorized session cookie you can GET/POST whatever you want from their website as authorized user). Use Firebug to track what requests are made and what data are passed from/to their website.
Since using CURL can be painfull (it's syntax is far from user friendly) you can try grab and extract Zend_Http from Zend Framework so you will have very easy syntax and it even work without CURL if you haven't it on your servers.
if they will grant you ftp access you can programatically transfer the images to them that way
or if they have some sort of api exposing methods to upload images
By "manually upload", you mean via FTP? You can do it with PHP. Here is the documentation.
For security reasons, I suggest you create an FTP user on your client's server which only has access to the images directory, and connect trough that account.
I have an application server, a database server and a file server, with the file server has its own subdomain name (i.e., file.myexample.com)
The file server stores all the images that are used in the application, the point is that I don't want the user to view those images without obtaining proper authentication first. So in a sense the access of these image resources must be properly authenticated, which means that only login users can access those images. If a anonymous user types in the URL of an image, the web application should redirect him to the login page.
I am looking for PHP and Symfony examples.
Use a PHP page to obtain you images, i.e. image.php?id=2345
WIthin the code for this page you can check the authentication of the user, then reutnr the image if they are allowed. You will need to specify the correct mime-type.