File Manager

How to add file upload/management in wikka


I've set up a wikka site for my company in order to store the knowledge base and allow every user to read/write docs without leaving their workstations to find an old doc in the company's archives.
My problem was quite simple: I need users to add screenshots to wiki pages. Letting them do so by ftp would be a waste of their time; they need something quick and simple. I also had less than 1hr to add this feature.


I want a file manager, with upload, rename, move, directory support and so on. Once gently asked for that, google pointed me to a script called webadmin.
This script is a single file doing everything a file manager is supposed to do. Now let's add it to wikka to allow my users to work more efficiently.


First, I want to add a 4th button in the edit handler, right after the textbox. Here is what I've modified in /handlers/page/edit.php (the onclick needs a window.open() call, otherwise the button does nothing):
$output .=
    "<input type=\"hidden\" name=\"previous\" value=\"".$previous."\" />\n".
    "<textarea onKeyDown=\"fKeyDown()\" id=\"body\" name=\"body\" style=\"width: 100%; height: 500px\">".htmlspecialchars($body)."</textarea><br />\n".
    //note add Edit
    "<input size=\"40\" type=\"text\" name=\"note\" value=\"".htmlspecialchars($note)."\" /> Please add a note on your edit.<br />\n".
    "<input name=\"submit\" type=\"submit\" value=\"Store\" accesskey=\"s\" /> <input name=\"submit\" type=\"submit\" value=\"Preview\" accesskey=\"p\" /> <input type=\"button\" value=\"Cancel\" onclick=\"document.location='".$this->href("")."';\" /> ".
    //ChiWaWa's little FileManagerHack: opens webadmin.php in a popup window
    "<input type=\"button\" value=\"Manage Files\" onclick=\"window.open('/handlers/3rdparty/webadmin.php','FileManagement','height=600,width=800,toolbar=yes,location=1')\" />\n";

Notes :

Next step: add the script to wikka's tree
  1. Create the /handlers/3rdparty directory
  1. Copy webadmin.php into it
  1. Important (I've lost a lot of time trying to fix that): copy /images/.htaccess into /handlers/3rdparty/
Not doing so will result in wikka trying to access a page named handlers/3rdparty/webadmin.php.php, I still don't understand why :p

Finally, edit webadmin.php to change some parameters:
$lang = 'auto';
//this is probably what you want, although setting $lang to 'en' is closer to wikka's way of handling I18N

$homedir = '../../images';
//this is intended to use webadmin as an image uploader. It is still able to reach wikka's root directory... ouch

And... that's it. Now edit a page, click on the button, and if the webserver has write access to the images directory, you're able to upload and manage files.


This hack is an awful security threat for a public site
webadmin.php is able to get up to the site root, and also allows anyone to download (and read) wikka.config.php, with your database password in clear text in it. Guess what could happen... once the 3v1l H4cK3R has uploaded PHPMyAdmin to dump and modify your database...
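The root of that threat is that webadmin.php will follow any path it is given, including ../../wikka.config.php from inside $homedir. As an added example (not code from webadmin.php or WikkaWiki), here is a PHP guard that a wrapper around the script, or a future attachment handler, could apply to every requested path so that it resolves under the images directory or is refused; the function name confined_path and the sample requests are assumptions.

```php
<?php
// Added example, not part of webadmin.php or WikkaWiki: confine every path a
// file manager touches to one base directory. Returns the resolved path, or
// null when the request would leave the base (traversal, absolute path,
// symlink pointing outside, NUL byte).
function confined_path(string $base, string $requested): ?string
{
    // The base directory must exist so realpath() can canonicalise it.
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Reject empty names, embedded NUL bytes and absolute paths outright.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }
    // realpath() only resolves paths that exist. An upload target may not exist
    // yet, so resolve its parent directory and re-attach the final component.
    $parent = realpath($baseReal . '/' . dirname($requested));
    $name   = basename($requested);
    if ($parent === false || $name === '.' || $name === '..') {
        return null;
    }
    // The resolved parent must be the base itself or a directory beneath it.
    // Comparing with a trailing slash stops "images2" matching "images".
    $prefix = $baseReal . '/';
    if (strncmp($parent . '/', $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $parent . '/' . $name;
}

// Constructed sample requests against the $homedir value used above.
$homedir = '../../images';
$requests = ['shot1.png', 'sub/shot2.png', '../../wikka.config.php', '/etc/passwd'];
foreach ($requests as $req) {
    $resolved = confined_path($homedir, $req);
    echo $req, ' => ', $resolved === null ? 'REJECTED' : $resolved, "\n";
}
```

Because the check resolves symlinks, a link placed inside images/ that points at the site root is refused too, which a plain string comparison on the unresolved path would miss.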

This was not an issue for me as the hack was first intended to work only on an intranet site. But using it on a public site is impossible for a non-brainless admin. So here's what we can do:

According to some user feedback on wikka's crowded IRC channel (irc://, the use of a file manager on a public site would be interesting for administrative purposes. It is not necessary to let every user upload files (and actually it's more likely a very bad idea to let unregistered / untrusted users upload anything). Restricting access to webadmin for administrative tasks is a piece of cake thanks to apache's .htaccess/.htpasswd. (What? You're running Microsoft IIS? Oh, so you don't even know what security is? ;o) )

So here is the simplest way to get an admin authentication system in front of the 3rdparty scripts (put this .htaccess in /handlers/3rdparty/, then create the password file with htpasswd):
AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/your/.htpasswd
Require valid-user

htpasswd -c /full/path/to/your/.htpasswd AdminUserName

The .htpasswd file should not be in your webserver's document root. It's better not to even give apache write access to it. It can also have another name; some use httpasswd or passwords.
This procedure is for a Unix/Linux system, I don't know how it works on a Windows server. I've heard of some .htpasswd generators online, google for that if you haven't yet switched to Linux or MacOS X.

And now?

This thing is just an ugly hack to add file management capabilities to wikka. It cannot handle ACLs and is a security threat. So please use it with caution.
In the future, I'd like to work on integrating a file management system into WikkaCore to handle ACLs and user rights. This would be a page attachment more than a file manager imho.

The End
For more information, ask in comments or come and idle on IRC ;o)


thanks to JavaWoman and DarTar for their help on the (noisy) IRC channel ;o)
