Front End File Uploader

Permalink Browser Info Environment
Hi, The Front End File Uploader does not allow non-registered users to upload a file for reasons that I fully understand, eg. spam and such. However I would like to allow any user to upload a file as part of my ordering process. I'm sure I could dig through the addon and figure this out but it would be easier if you could let me know if there is an easy way to do this.


Type: Pre-Sale
Status: Resolved
View Replies:
JohntheFish replied on at Permalink Reply
I am pleased that you are realistic about the security implications. Circumventing the security that FEFU integrates is theoretically possible, but as you obviously realise, I cant provide any support for the consequences or knock-on issues.

So, to get you started, there are 3 functional areas to circumvent.
1. Who can see and click the FEFU icon
2. Access to the FEFU popup
3. Saving the uploaded file.

1. The library JlFrontendAccess function confirm_access. You can short circuit this to return true so anyone has access.

2. Without digging in deeper, I think (not sure) this is covered by (1), so again by short-circuiting the check in library JlFrontendAccess.

3. This is the difficult part. when a file is uploaded, it needs user to own it. In FEFU as it stands, that is already take care of because a user is already logged in and validated by 1 and 2. You will need to modify either the tool do_the_upload or the library JlUplaodAndImport to make the concrete5 request think a user is logged in and can be the owner of the file. Its not something I have ever done, but if you search back through the forums ( a few years ago) @mkly posted some notes on how to run a job while pretending a user was logged in. Perhaps a similar trick could be used here to provide a user to own the file. If you do that, I suggest creating a user with minimal access just for this purpose. Don't pretend to be an admin or super admin!

Good luck and pleas post back how you get on. I am curious. But obviously I cant get involved any further than I have already done.

johnmajersky replied on at Permalink Reply
Awesome, Thanks so much John for your prompt reply. I will let you know how I make out with this or if I have any additional questions.

concrete5 Environment Information

# concrete5 Version

# concrete5 Packages
eCommerce (2.8.12), Front End File Uploader (2.2.2), Gallery (1.8.1), Slate Theme (, Xclydes OAuth (1.0.1).

# concrete5 Overrides
blocks/dr_login_indicator, blocks/dr_object_uploader, controllers/api, controllers/archive, controllers/logs, controllers/install.tar, controllers/register.php, elements/product, helpers/x_o_auth_consumer.php, helpers/x_o_auth_provider.php, jobs/clear_tokens.php, js/controls, js/loaders, js/three.js, js/three.min.js, css/avatar_viewer.css, models/object_files, single_pages/api, single_pages/privacy_policy.php, single_pages/register.php, single_pages/terms.php, single_pages/obj_viewer.php, single_pages/ad-tester.php, single_pages/obj_uploader.php, themes/apitheme, themes/core, tools/attributestest.php, tools/authrequest.php, tools/, tools/Aws, tools/aws-autoloader.php, tools/, tools/GuzzleHttp, tools/JmesPath, tools/, tools/, tools/Psr, tools/

# concrete5 Cache Settings
Block Cache - Off
Overrides Cache - Off
Full Page Caching - Off

# Server Software

# Server API

# PHP Version

# PHP Extensions
bcmath, bz2, calendar, cgi-fcgi, Core, ctype, curl, date, dom, ereg, exif, filter, ftp, gd, gettext, hash, iconv, imagick, imap, json, libxml, mbstring, mcrypt, memcached, mhash, mysql, mysqli, mysqlnd, openssl, pcntl, pcre, PDO, pdo_mysql, pdo_sqlite, posix, pspell, Reflection, session, SimpleXML, soap, sockets, SPL, sqlite3, standard, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib.

# PHP Settings
max_execution_time - 30
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - -1
max_input_vars - 1000
memory_limit - 90M
post_max_size - 65M
sql.safe_mode - Off
upload_max_filesize - 64M
memcached.sess_lock_max_wait - 0
mysql.max_links - Unlimited
mysql.max_persistent - Unlimited
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - nocache
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5

Browser User-Agent String

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Hide Post Content

This will replace the post content with the message: "Content has been removed by an Administrator"

Hide Content

Request Refund

You may not request a refund that is not currently owned by you.