elFinder override 'rm' PHP - javascript

I am using elFinder to manage assets for a web site and it's default functionality works great; however I need to add some additional logic to several of the PHP functions which resides in on of my Controllers.
The place that I would like the logic to be added is <elfinder_Dir>/PHP/elFinderVolumeLocalFileSystem.php specifically in the function _unlink($path) before a file is actually removed I would like to call out to another class to destroy the database entries for this asset.
The original function looks like this:
protected function _unlink($path) {
return #unlink($path);
}
When I try to add code like the following:
protected function _unlink($path) {
var_dump($path);
return #unlink($path);
}
OR
//top of file...
use controllers\ResourceManager;
//OR
//include <pathToResourceManager>
//...
protected function _unlink($path) {
ResourceManager::delteFromDB();
return #unlink($path);
}
I receive this alert on the screen:
I also noticed that when that message is given, the header in my "Network" tab shows a Response Header Content-type of text/html instead of application/json as expected by the JS portion of elFinder.
Why is the header Content-type being changed when I add custom logic?
Is there a better way to add this functionality to the project?

The answer to my question turned out to be pretty straight forward.
1) error_reporting(0); was squashing all of my errors related to using the proper namespace-ing for my files, I changed this to error_reporting(E_ALL) so I could see the real problem.
2) The files needed to be added to a namespace, since I used the same namespace I did not have any extra include_once() calls.
Next I had to add replace this line:
$class = 'elFinderVolume'.(isset($o['driver']) ? $o['driver'] : '');
With:
$class = __NAMESPACE__ . '\\elFinderVolume'.(isset($o['driver']) ? $o['driver'] : '');
Which allows the driver (which is now in the namespace) to be loaded properly.
Once these changes were made, all is well, I can add my own logic where I please.

Related

Ajax response from php is very strange. What's going on? [duplicate]

I'm using Kint via Composer in Laravel 4 by loading kint first in composer.json so that dd() is defined by kint, not laravel (suggested here).
I want to leave debug calls in my app, and disable Kint if not in the local environment. I'm successfully using config overrides for Anvard using the following structure:
/app/config/local/packages/provider/package_name/overridefile.php
Unfortunately, this is not working for Kint with the following structure:
/app/config/packages/raveren/kint/local/config.php or
/app/config/packages/raveren/kint/local/config.default.php
The Kint documentation states:
You can optionally copy the included config.default.php and rename to config.php to override default values…
…which works for me (/vendor/raveren/kint/config.php)
How do I achieve this:
without editing a file in the /vendor/ directory that will get overwritten by composer
so that kint is only enabled in the local envirnoment
I've also tried adding the following to a helpers.php file which is called before composer in /bootstrap/autoload.php as suggested here:
<?php
isset( $GLOBALS['_kint_settings'] ) or $GLOBALS['_kint_settings'] = array();
$_kintSettings = &$GLOBALS['_kint_settings'];
/** #var bool if set to false, kint will become silent, same as Kint::enabled(false) or Kint::$enabled = false */
$_kintSettings['enabled'] = false;
unset( $_kintSettings );
(but no dice :)
Any suggestions? TIA!
I'm not familiar with kint but checked the documentation and found that, to disable kint output, you may use (in runtime)
// to disable all output
Kint::enabled(false);
In Laravel you can check the environment using
$env = App::environment();
if($env == 'your_predefined_environment') {
Kint::enabled(false);
}
To configure your environment, you may check the documentation.
Update : I've setup my local environment as givel below (in bootstrap/start.php)
$env = $app->detectEnvironment(array(
'local' => array('*.dev'),
));
And in my local machine, I've setup a virtual mashine which has laravel4.dev as it's base url, so if I visit the app using laravel4.dev or laravel4.dev/logon then I can check the environment in my BaseController.php and it detects the local environment because of .dev
public function __construct()
{
if(App::environment() == 'local') {
// do something
}
}
In your case, I don't know where is the first debug/trace you used to print the output, so you should keep the environment checking and disabling the Kint code before you use any debug/trace but you may try this (if it works for you) but you can check the environment in your filter/routes files too.
Hmm.. I'm not sure if this is the ideal way to do it, but this works, and seems Laravel'ish:
// top of app/start/global.php
Kint::enabled(false);
and
// app/start/local.php
Kint::enabled(true);
(assuming you've got a local environment defined: see #TheAlpha's answer for more info)
http://laravel.com/docs/lifecycle#start-files

Roxy Fileman remove part of URL in returnurl

I'm attempting to get Roxy Fileman to work in my environment, however running into a little hitch. I can see the directories for images (done via a symlink) however when returning from the Roxy UI via the "select" button I'm getting a url like this:
https://images.example.com/path/to/Uploads/symlink/123/logo.png
And what I really want is:
https://images.example.com/symlink/123/logo.png
I've already put in the RETURN_URL_PREFIX, however I'm still getting the extended path whether I use a session_path_key or just the regular root (and then browse to the correct directory via the symlink).
My code for the session_path_key looks like:
<?php $_SESSION['dynamic-user-folder'] = "/path/to/Uploads/symlink/"; ?>
and my config.json:
"FILES_ROOT": "",
"RETURN_URL_PREFIX": "https://images.example.com/",
"SESSION_PATH_KEY": "dynamic-user-folder",
Ok, I found the answer. In the plugin php folder there is a file called filelist.php. In here I simply added a
$fullPath = str_replace('/path/to/Uploads/', '', $fullPath);
And this returns the path variable p with all of the stuff I don't want removed back to the UI, so when you do a select it uses the correct URL with the RETURN_URL_PREFIX in front and then the symlink and file name.

Ajax inside wordpress security

Before I get to the question, let me explain how we have things set up.
We have a proxy.php file, in which class Proxy is defined with functions that call upon a rest for creating/editing/getting Wordpress posts, fields etc.
Then, we have a proxyhandler.php, in which Proxy class is initialized and serves as a handle between proxy.php and a javascript file.
In javascript file we have an ajax call to proxyhandler.php in which we send our secret and other data.
Now, the problem arises here:
We define the secret through wp_localize_script, by using md5 custom string + timestamp. We send the encripted string and timestamp through ajax to proxy handler, where we use the previous (hardcoded inside proxyhandler) string and timestamp to generate a md5 string again, and check the one sent against the one generated. If they are the same, we continue by doing whatever was requested, if they dont fit, we just return that the secret didn't match.
Now, the real issue comes here - by using wp_localize_script, the variable for the secret is global and as such, anyone can utilize it via dev tools and can send any ajax request to proxyhandler that they want.
What would be the proper procedure to make it more secure? We've thought of doing this:
Instead of using wp_localize_script, we put the script inside a php file, we define the secret using a php variable and then simply echo the secret file into ajax. Would this be viable, or are there any other ways?
Instead of sending an encrypted string in global scope, then check against it, you should use nonce in your AJAX request:
var data = {
action: 'your_action',
whatever_data: who_know,
_ajax_nonce: <?= wp_create_nonce('your_ajax_nonce') ?>
};
Then, use check_ajax_refer() to verify that nonce:
function your_callback_function()
{
// Make sure to verify nonce
check_ajax_refer('your_ajax_nonce');
// If logged in user, make sure to check capabilities.
if ( current_user_can($capability) ) {
// Process data.
} else {
// Do something else.
}
...
}
Depend on the AJAX METHOD, you can use $_METHOD['whatever_data'] to retrieve who_know data without needing to use wp_localize_script().
Also remember that we can allow only logged in users process AJAX data:
// For logged in users
add_action('wp_ajax_your_action', 'your_callback_function');
// Remove for none logged in users
// add_action('wp_ajax_nopriv_your_action', 'your_callback_function');
The final thing is to make sure NONCE_KEY and NONCE_SALT in your wp-config.php are secure.

Adding jQuery script to a single view in Yii2

I am working on the basic template of Yii2. I have got a jQuery script views/usuario/js/create.js that it's only going to be used in one view views/usuario/create.php.
I'd prefer not to use ...
public $jsOptions = array(
'position' => \yii\web\View::POS_HEAD
);
... in assets/AppAsset.php in order to mantain loading of scripts at the end of the page.
create.js it's only needed in the create.php view so I'd prefer to load it just for the create.php view.
So I've tried unsuccessfuly to follow ippi's instructions
Firebug keeps throwing me this error:
SyntaxError: expected expression, got '<'
http://www.example.com/usuario/js/create.js
Line 1
I guess there could be a problem with the route param of ...
$this->registerJsFile('js/create.js');
... but I can't find it out.
Any help would be appreciated.
registerJsFile() needs an url, you should simply publish (make it web accessible) your file before registering it, e.g. :
$pub = Yii::$app->assetManager->publish(__DIR__ . '/create.js');
$this->registerJsFile($pub[1], ['depends' => ['yii\web\JqueryAsset']]);
Or you could create an asset bundle and registering it in your view.
Read more about publish() and registerJsFile().
Try to use $this->registerScriptFile('views/usuario/js/create.js');

Jira Gadget: Configuration isn't saved for reconfiguration

I am writing a gadget for Jira with some configuration options. One of these configuration options is a "project or filter picker".
My problem lies in the part, when I want to reconfigure the gadget's preferences. I have read the code of the timesince-gadget as an example and I think the relevant part is the following:
if (/^jql-/.test(gadget.getPref("projectOrFilterId"))){
projectAndFilterPicker =
{
userpref: "projectOrFilterId",
type: "hidden",
value: gadgets.util.unescapeString(this.getPref("projectOrFilterId"))
};
} else {
projectAndFilterPicker = AJS.gadget.fields.projectOrFilterPicker(gadget, "projectOrFilterId", args.options);
}
Basicly I've copied the code from the timesince-gadget. Unfortunately even if already configured, the javascript always enters the else part.
A problem is, that I ve no experience with jql and don't totally understand the if clause.
But usually (e.g. when calling the rest api and processing the config infos)
gadget.getPref("projectOrFilterId")
returns a string containing the id of the picked project or filter.
Question is now: How can I make my gadget remember the last configuration like it's done with some many other Jira gadgets?
I really hope anyone can help me with that.
It turnes out, the answer is even simplier then I thought.
First: In the descriptor you can totally forget the if part from above. Just
var projectAndFilterPicker = AJS.gadget.fields.projectOrFilterPicker(gadget, "projectOrFilterId", args.options);
is needed.
Second: Retrieve the project's or filter's name in your rest resource, which shouldn't be a problem, since you already want to use the processed id. Then return this name back to the view part of your javascript and type in something like
this.projectOrFilterName = args.myrestclasskey.projectOrFilterName;
And tada: reconfiguration will display the old configured name!
I had this problem once when I forgot to specify the option in the Gadget XML file. I solved it by adding this to the XML:
<UserPref name="projectOrFilterId" datatype="hidden"/>

Categories