✏ Need community help to integrate ContentTools with image insertion through KCFinder

Hello friends, this message was originally written in Russian, the translation through Google Translate is published here. For this, I apologize for my English.

I am a big fan of CMS Grav, and not so long ago I started using the Fred plugin (https://github.com/BugHunter2k/grav-plugin-fred). It is an excellent plugin in which, unfortunately, the function of inserting images into recordings does not work.

In attempts to restore image loading through the plugin, I found a great solution for inserting images through KCFinder (https://github.com/wotta/ContentTools.KCFinder.js).

Friends, this is a great solution, and it allows you to conveniently interact with the content and images of the page. But I was unable to block access for unauthorized users to the bootloader page. And now in more detail.

In order to make the Fred plugin friends with KCFinder, I rewrote part of the Fred plugin code and placed KCFinder (http://github.com/sunhater/kcfinder/releases/latest) in the root of the site, in order to implement image loading.

For clarity, I created a local test site (gravfredkcfinder.test) on which my plugin edits and the use of KCFinder have already been applied.

You can download my assembly at this link:

https://drive.google.com/file/d/14yvD5PPgR9XEI1BSVbvlTU46s2TgcpXF/view?usp=sharing

Unpack the archive into the “gravfredkcfinder” folder of your local server (I use Laragon for Windows 10).

To access the admin panel, use:

Login:
gravfredkcfinder

Password:
!@Gravfredkcfinder1

Go to any blog page (for example, this http://gravfredkcfinder.test/blog/2014-01-08-a-quotation) and try to edit the content after pressing the blue button with a pencil. And you will be able to not only edit the content, but also add an image that will be saved in the “\main\kcfinder\upload\images” folder of the site. In principle, the plugin works as needed. But if you enter incognito mode by the link:

http://gravfredkcfinder.test/main/kcfinder/browse.php?type=images&dir=images/public

, any user will have the opportunity to add or delete images on the server, which is completely unsafe and can lead to hacking of the whole site.

How can I block access to this page if an unauthorized user is on the site? I really hope for your help, and I look forward to any answers with patience. Thanks to everyone who answers in this thread.

And if Grav developers can tell how it is possible to implement image loading in the recording folder and not in a separate folder, I will be very happy.

To hide content in your page, like the little “pencil” that triggers the use of the plugin, you just have to add this around its HTML 🙂

{% if grav.user.authenticated %}

{% endif %}

so the button won’t appear in the page in case the user isn’t logged in.

I don’t know if that’s what you need.

Thank you for your answer, but this is not at all what you need. I need to deny access not just to the page but to the php script at the php level.
Please use the archive that I attached, and it will immediately become clear to you. I need to block access to the file manager for everyone except the site administrator. Thanks.

It turns out that you need to apply the script in the main\kcfinder\conf\config.php file
which allows you to display the file manager only for the administrator.

If you can’t get into the admin panel of the DEV site, use the https:// protocol
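
A server-side way to do what the post above describes, as an added example that is not part of the original thread or of KCFinder's or Grav's own code: KCFinder stays disabled in its config and is enabled per session only after the site has authenticated an administrator. It assumes the site and KCFinder share one PHP session (same session name and cookie scope); `kcfinder_set_access()` and `$isAdmin` are hypothetical names.

```php
<?php
// PART 1 -- main\kcfinder\conf\config.php: set this one key and leave the
// rest of the stock $_CONFIG array as shipped.
//
//     'disabled' => true,
//
// With 'disabled' => true KCFinder refuses browse.php and upload.php for
// every visitor. With 'disabled' => false anyone who knows the URL can
// upload and delete files, which is the behaviour reported in this thread.

// PART 2 -- run by the site's own code once it has authenticated a user.
// kcfinder_set_access() and $isAdmin are hypothetical names; how $isAdmin
// is computed depends on the CMS and is outside this example.
function kcfinder_set_access(bool $isAdmin): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // assumption: the same session KCFinder will open
    }
    if ($isAdmin) {
        // 'KCFINDER' is the default value of '_sessionVar' in config.php.
        // Settings stored here override the non-underscore config keys
        // for this session only.
        $_SESSION['KCFINDER'] = array('disabled' => false);
    } else {
        // Remove any earlier grant so the config default (disabled) applies.
        unset($_SESSION['KCFINDER']);
    }
}

// Call with true after an administrator logs in, and with false on logout
// or for any non-admin session.
```

The decision is made in PHP on every request to browse.php, so it holds when the script is opened directly by URL, as in the incognito test above.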

So let me quote yourself :

is an excellent plugin which unfortunately the function of inserting images

That means that you’re talking about a plugin adding the possibility to edit pages directly in the frontend, by displaying a little button, and clicking on it activates the editing. You even talked about that button :

and try to edit the content after pressing the blue button with a pencil.

Then, you talked about the problem of accessing that function. So we don’t talk about the PHP files of the plugin, but about the button :

But if you enter incognito mode by the link:

, any user will have the opportunity to add or delete images on the server.

So we’re not talking about an admin page, which would make no sense because we’re talking about a frontend plugin and the little button :

How can I block access to this page if an unauthorized user is on the site?

You’re clearly talking about the access of the frontend, from a non-logged-in user’s point of view.

Then, I answered you, based on those facts and making the logical deductions, and now, you tell me that my answer “isn’t what you need at all”.

And you make the following assertion :

I need to deny access not just to the page but to the php script at the php level.

So now, my intuition tells me that you just ignored my solution because you were already going into the PHP files to find something where it was purely a frontend/template problem, and you simply can’t listen to me and deny the evidence.