-
Notifications
You must be signed in to change notification settings - Fork 349
Security concern
Since the Filemanager is able to manipulate files on your server, it is necessary to secure safely your application.
By default, everyone is able to use the Filemanager. This is because you want you to be able to fix your own rules with your own authentication mechanism.
Deploying the Filemanager in a production environment, copy/paste the /connectors/php/default.config.php file to /connectors/php/user.config.php and implement your own auth()
function to be sure only wanted users can use it.
If /connectors/php/user.config.php exists, the default configuration file will simply be ignored.
The user.config.php file should at least :
- declare the
auth()
function - instantiate the Filemanager, named as follow :
$fm = new Filemanager();
Here comes an example of a user defined config file :
<?php
function auth() {
session_start();
return isset($_SESSION['authenticated']) && $_SESSION['user_type'] == 'admin';
}
$fm = new Filemanager();
?>
Please refer to the security section on the configuration page.
We encourage you to use the default uploadPolicy (DISALLOW_ALL
) and specify the allowed files extension.
By default, all server scripts execution are disabled in the default userfiles
folder. See .htaccess and IIS files content.