Skip to content
Félix Gagnon-Grenier edited this page Oct 15, 2015 · 9 revisions

Since the Filemanager is able to manipulate files on your server, it is necessary to secure safely your application.

Grant privileges to wanted users only.

By default, everyone is able to use the Filemanager. This is because you want you to be able to fix your own rules with your own authentication mechanism.

Deploying the Filemanager in a production environment, copy/paste the /connectors/php/default.config.php file to /connectors/php/user.config.php and implement your own auth() function to be sure only wanted users can use it.

If /connectors/php/user.config.php exists, the default configuration file will simply be ignored.

The user.config.php file should at least :

  1. declare the auth() function
  2. instantiate the Filemanager, named as follow : $fm = new Filemanager();

Here comes an example of a user defined config file :

<?php
function auth() {
  session_start();
  return isset($_SESSION['authenticated']) && $_SESSION['user_type'] ==  'admin';
}

$fm = new Filemanager();
?>

Configuration - security options

Please refer to the security section on the configuration page.

We encourage you to use the default uploadPolicy (DISALLOW_ALL) and specify the allowed files extension.

Server scripts execution disabled

By default, all server scripts execution are disabled in the default userfiles folder. See .htaccess and IIS files content.