-
Notifications
You must be signed in to change notification settings - Fork 0
Security concern
Since the Filemanager is able to manipulate files on your server, it is necessary to secure safely your application.
By default, everyone is able to use the Filemanager. This is because you want you to be able to fix your own rules with your own authentication mechanism.
After deploying the Filemanager in a production environment you should declare the auth() function in /connectors/php/filemanager.php file with your own implementation to be sure only wanted users can use it.
Here comes an example of filemanager.php file where session variables are used for authentication:
require_once('BaseHelper.php');
function auth() {
session_start();
return isset($_SESSION['authenticated']) && $_SESSION['user_type'] == 'admin';
}
$fm = BaseHelper::getInstance();
$fm->handleRequest();Please refer to the security section on the configuration page.
We encourage you to use the default uploadPolicy (DISALLOW_ALL) and specify the allowed files extension.
By default, all server scripts execution are disabled in the default userfiles folder. See .htaccess and IIS files content.