
this is my first post here so big hello to all.

recently i decided to finally put up a new version of an old website - something i was supposed to do a long time ago but just couldn't get to it for the lack of a free but sensible CMS. Wordpress was quite close but not close enough :-). a month ago or so i stumbled upon Symphony and started to play with it. it turned out to be a great piece of software; finally something one didn't feel bound to hack to get things as they should be. so, i'd like to express my gratitude to the developer team for their good work :-).

what i think Symphony lacks is a comfortable way to deal with images. i've tried SSM extension but, aside from its limitations, i don't really need database-driven image management. i just care for the ability to easily upload multiple images and embed them directly into articles. as i decided to use TinyMCE, i've gone through various image manager type plugins but, again, haven't found anything non-commercial that i would like.

so i decided to write my own image browser for TinyMCE and today i'm more or less done. if anyone's interested, i've attached the code to this post. it's a simple AJAX/jQuery app that lets the user upload images, create directories etc. images can be inserted into text either in their full size or as JIT thumbnails of given dimensions. it utilizes SWFUpload, so multiple files can be sent at once. in order to install it, you need to: (1) put the files somewhere inside the Symphony directory, (2) edit the config.inc.php file, (3) edit the richtext_tinymce.publish.js file belonging to the TinyMCE extension (example attached). the browser has been tested under Opera 11, FF 3.5 and latest Chrome. it probably won't work with Flash older than 10.x.

now, as far as the topic of the post is concerned :-). one thing i don't know how to properly accomplish is the security check inside my PHP scripts. ok, i have the session ID but no other session data. are there "header" files in Symphony source that i can utilize in order to be able to check user state, privileges etc.? or should i refer directly to the database?

Michal

Attachments:
imagebrowser.tgz and richtext_tinymce.publish.js

@Michal: First of all, Hi and welcome fellow Symphonist.

Second of all, you should consider putting your work on GitHub and submitting your extension on this website. Your work seems to be nice, and I would love to look at it on my iPad (can't open zip on it!)

Finally, as for your question, I am pretty sure images are sent to the client without ever asking PHP anything. What are you trying to do? Prevent users from downloading a particular image? If so, you need an authentication process (user/password or captcha maybe). HTTP is STATELESS, so each request is independent. That said, session variables are available because the browser resends a particular piece of info to the server (a cookie).

If you really need to do a security check before sending an image, you will need to build a PHP script that 1- Checks security 2- Returns the image if access is granted. To do that, you need to read the image on disk and send it to the client.

You will now be able to access your image via image.php?file=myimage.png

Remember to NOT allow .. in the path, and check if the extension is really an image. If not, hackers will be able to download files they should not.

Hope I made myself clear... Please ask other questions if I was not.
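
The script described in the post above, written out as an added example (not code from the thread): it refuses `..` segments, restricts the extension, keeps the resolved path under one directory, and confirms the file really is an image before sending it. `IMAGE_ROOT` and `is_authorized()` are hypothetical names; `is_authorized()` is a fail-closed placeholder for the security check.

```php
<?php
// image.php?file=myimage.png -- added example, not code from the thread.
// IMAGE_ROOT and is_authorized() are hypothetical names; adapt both.
const IMAGE_ROOT = __DIR__ . '/images';
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

function is_authorized(): bool
{
    // Placeholder for step 1 of the post (the security check); denies by default.
    return false;
}

// Returns [absolute path, MIME type], or null if the request must be refused.
function resolve_image(string $requested, string $root): ?array
{
    // Refuse empty names, NUL bytes and any ".." path segment outright.
    if ($requested === '' || strpos($requested, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit under $root.
    $base = realpath($root);
    $path = realpath($root . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // The extension is only a claim: confirm the bytes are an image of that type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        return null;
    }
    return [$path, $info['mime']];
}

if (PHP_SAPI !== 'cli') {
    if (!is_authorized()) { http_response_code(403); exit; }
    $hit = resolve_image((string)($_GET['file'] ?? ''), IMAGE_ROOT);
    if ($hit === null) { http_response_code(404); exit; }
    header('Content-Type: ' . $hit[1]);
    header('Content-Length: ' . filesize($hit[0]));
    header('X-Content-Type-Options: nosniff');
    readfile($hit[0]);
}
```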

hi,

what i'd like to accomplish is to prevent unauthorized guests from using the image browser. currently anyone can open it if only the right URL is known to him/her. the script allows not only to browse directories but also to upload files and delete them, and it's undesired for random users to have such capability. that's why i need a way to check user state (ie. is he/she logged in to the backend or not), from "outside" of Symphony so to speak. the access to images themselves should remain unrestricted.

as for adding the browser to Github, i'm not quite sure it qualifies as a Symphony extension. besides, being not secure, it's not yet ready for production use.

@hauru: Is your image browser a PHP script? If so, you should consider using the AdministrationPage class, which won't allow unauthorized access.

As for GitHub, your project needs a repo from the start. You will be able to track changes and see how it evolves. You will be able to share your code and maybe some people will try to help you in the dev process. It is really a good thing. I was like you when I started playing with Symphony and now I cannot live without Git.

@Nitriques

thanks for answering. yes, it's a PHP-based script (what else could it be?). i've already solved the issue by connecting to the DB and simply checking if sym_sessions table contains a record for the given PHPSESSID. it also works well for the SWFUpload "receiver" script.

i'll add the image browser to the Github repo but not today. as for now, i've attached the updated version to this post.

Attachments:
imagebrowser.zip
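
One way to write the `sym_sessions` lookup described in the post above, as an added example that is not the code from imagebrowser.zip. Assumptions not taken from the thread: the `session` column name, the PDO connection, and a `PHPSESSID` POST field for the SWFUpload receiver; the demo at the bottom uses constructed rows in an in-memory SQLite table.

```php
<?php
// Added example, not the code from imagebrowser.zip. Assumptions: the
// `session` column name, the PDO handle, and the PHPSESSID POST field.

// True only if $sid is well formed and has a row in sym_sessions.
function backend_session_exists(PDO $db, $sid): bool
{
    // PHP session IDs use [A-Za-z0-9,-]; refuse anything else before it
    // reaches the database.
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid)) {
        return false;
    }
    // Prepared statement: the ID is client-controlled input.
    $stmt = $db->prepare('SELECT 1 FROM `sym_sessions` WHERE `session` = ? LIMIT 1');
    $stmt->execute([$sid]);
    return $stmt->fetchColumn() !== false;
}

// Flash may not send the browser's cookies, so the SWFUpload receiver takes
// the ID from a POST field; every other script reads the cookie.
function request_session_id(array $cookie, array $post, bool $isUploadReceiver)
{
    $source = $isUploadReceiver ? $post : $cookie;
    return $source['PHPSESSID'] ?? null;
}

// Call first in every script that browses, uploads or deletes.
function require_backend_session(PDO $db, $sid): void
{
    if (!backend_session_exists($db, $sid)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed demo rows in an in-memory SQLite table (needs pdo_sqlite).
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE sym_sessions (session TEXT PRIMARY KEY)');
    $db->exec("INSERT INTO sym_sessions VALUES ('0123456789abcdefghijklmnop')");
    $sid = request_session_id(['PHPSESSID' => '0123456789abcdefghijklmnop'], [], false);
    var_dump(backend_session_exists($db, $sid));
    var_dump(backend_session_exists($db, "x' OR '1'='1"));
    var_dump(backend_session_exists($db, str_repeat('f', 26)));
}
```

The lookup shows only that the ID matches a stored session row; it carries no information about the user's privileges.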

@hauru: Ok nice, but you should really consider assigning AdministrationPage as the parent class for your content page, as this will ensure all security measures are checked and will prevent breaking your extension if this changes in the core.

Can't wait for the git repo, as I would probably like to extend it to the WMD editor.

hi again,

i've put up a Github repository for the image browser:

https://github.com/hauru/Image-Browser

not sure if i should submit it as an extension.

as for extending it to other editors, it would probably be a good idea to put editor-specific code into separate .js files.
