Front End File Uploader

Hi, The Front End File Uploader does not allow non-registered users to upload a file for reasons that I fully understand, eg. spam and such. However I would like to allow any user to upload a file as part of my ordering process. I'm sure I could dig through the addon and figure this out but it would be easier if you could let me know if there is an easy way to do this.

Thanks!

Type: Pre-Sale
Status: Resolved
JohntheFish replied:
I am pleased that you are realistic about the security implications. Circumventing the security that FEFU integrates is theoretically possible, but as you obviously realise, I can't provide any support for the consequences or knock-on issues.

So, to get you started, there are 3 functional areas to circumvent.
1. Who can see and click the FEFU icon
2. Access to the FEFU popup
3. Saving the uploaded file.


1. The library JlFrontendAccess function confirm_access. You can short circuit this to return true so anyone has access.

2. Without digging in deeper, I think (not sure) this is covered by (1), so again by short-circuiting the check in library JlFrontendAccess.

3. This is the difficult part. When a file is uploaded, it needs a user to own it. In FEFU as it stands, that is already taken care of because a user is already logged in and validated by 1 and 2. You will need to modify either the tool do_the_upload or the library JlUplaodAndImport to make the concrete5 request think a user is logged in and can be the owner of the file. It's not something I have ever done, but if you search back through the forums (a few years ago) @mkly posted some notes on how to run a job while pretending a user was logged in. Perhaps a similar trick could be used here to provide a user to own the file. If you do that, I suggest creating a user with minimal access just for this purpose. Don't pretend to be an admin or super admin!

Good luck and please post back how you get on. I am curious. But obviously I can't get involved any further than I have already done.

John
johnmajersky replied:
Awesome, Thanks so much John for your prompt reply. I will let you know how I make out with this or if I have any additional questions.

concrete5 Environment Information

# concrete5 Version
5.6.3.2

# concrete5 Packages
eCommerce (2.8.12), Front End File Uploader (2.2.2), Gallery (1.8.1), Slate Theme (1.5.3.1), Xclydes OAuth (1.0.1).

# concrete5 Overrides
blocks/dr_login_indicator, blocks/dr_object_uploader, controllers/api, controllers/archive, controllers/logs, controllers/install.tar, controllers/register.php, elements/product, helpers/x_o_auth_consumer.php, helpers/x_o_auth_provider.php, jobs/clear_tokens.php, js/controls, js/loaders, js/three.js, js/three.min.js, css/avatar_viewer.css, models/object_files, single_pages/api, single_pages/privacy_policy.php, single_pages/register.php, single_pages/terms.php, single_pages/obj_viewer.php, single_pages/ad-tester.php, single_pages/obj_uploader.php, themes/apitheme, themes/core, tools/attributestest.php, tools/authrequest.php, tools/aws.zip, tools/Aws, tools/aws-autoloader.php, tools/CHANGELOG.md, tools/GuzzleHttp, tools/JmesPath, tools/LICENSE.md, tools/NOTICE.md, tools/Psr, tools/README.md

# concrete5 Cache Settings
Block Cache - Off
Overrides Cache - Off
Full Page Caching - Off

# Server Software
Apache

# Server API
cgi-fcgi

# PHP Version
5.6.24

# PHP Extensions
bcmath, bz2, calendar, cgi-fcgi, Core, ctype, curl, date, dom, ereg, exif, filter, ftp, gd, gettext, hash, iconv, imagick, imap, json, libxml, mbstring, mcrypt, memcached, mhash, mysql, mysqli, mysqlnd, openssl, pcntl, pcre, PDO, pdo_mysql, pdo_sqlite, posix, pspell, Reflection, session, SimpleXML, soap, sockets, SPL, sqlite3, standard, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib.

# PHP Settings
max_execution_time - 30
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - -1
max_input_vars - 1000
memory_limit - 90M
post_max_size - 65M
sql.safe_mode - Off
upload_max_filesize - 64M
memcached.sess_lock_max_wait - 0
mysql.max_links - Unlimited
mysql.max_persistent - Unlimited
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - nocache
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5

Browser User-Agent String

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
