brabant / django-ckeditor-filemanager
Automatically exported from code.google.com/p/django-ckeditor-filemanager
Hi,
This is not a bug report per se.
I've just implemented Core Five Labs' FileManager, using your Django
connector. I found several issues:
- One issue was with the FileManager itself. It's that you had to change
their main JavaScript file to plug in the URLs for your connector. I wonder
if this issue can be fixed upstream, in Core Five Labs' FileManager.
- In your urls.py for the connector, you reference 'vendor.filemanager...'.
I wonder if there is a more robust way. Like referencing 'filemanager...'
without the 'vendor' part, which means that the 'filemanager' folder has to
be on the python path.
- In the dirlist view, you're using the print statement but apparently
mod_wsgi (which is the preferred deployment solution for Django according
to the docs) doesn't allow this.
- The list of folder names to ignore is hardcoded. Could be an option.
What's more, it could be a list of patterns rather than full names. I've
seen this used by other apps, it's probably not hard to do.
- Quite a few things could be options, and options could be in a
settings.py file for this app, which would try to pull values from
django.conf.settings before using a default. There's a pattern to do that
with Django.
- In filemanager/views.py, you're importing "settings" directly, instead of
using "from django.conf import settings".
- If I'm not mistaken, any user going to the filemanager/index.html public
file can then see files, delete them, and upload new files. Sounds like a
big security breach. My solution for now was to use the @user_passes_test
decorator for the dirlist and handler views, checking that the file manager
was called by a logged in user.
I've tweaked my way through these issues. I don't have time right now but
I'll try to show my changes or contribute patches if you're interested. The
goal would be to offer a stand-alone connector Django application, with
installation instructions.
Original issue reported on code.google.com by fverschelde
on 7 Mar 2010 at 10:45
I took the existing code and added a few features that I needed - not sure
if they are all worth integrating, but I thought I'd throw them out there.
#1. removed "vendor" pathing so that the app could function with an "apps"
or any other kind of directory using python path.
#2. added user directory based sandboxing, superusers are not limited.
#3. added ckeditor direct uploading handling.
#4. added some path checking to prevent "../../../" type hacking.
#5. forked out a settings file.
#6. changed download to read binary so the images are not transferred as ascii.
The updates are attached.
Thanks.
Ben
Original issue reported on code.google.com by [email protected]
on 16 Apr 2010 at 2:05
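The per-user sandboxing and "../" path checking Ben lists as #2 and #4, together with the pattern-based ignore list and app-level settings defaults suggested in the original report, as an added illustration in plain Python that is not the connector's own code. Names (user_root, resolve_in_sandbox, dirlist, IGNORE_PATTERNS) and the users/<name> layout are assumptions; the login gate itself would be Django's login_required or user_passes_test decorator on the view and is not shown.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Constructed default; a real app would read it via getattr(settings, NAME, default).
IGNORE_PATTERNS = [".*", "Thumbs.db", "*.tmp"]

def user_root(media_root, username, is_superuser=False):
    """Per-user sandbox directory; superusers get the whole media tree."""
    root = Path(media_root)
    return root if is_superuser else root / "users" / username

def resolve_in_sandbox(root, requested):
    """Map a user-supplied path into the sandbox; raise ValueError if it escapes."""
    root_real = os.path.realpath(str(root))
    # Drop a leading slash so an absolute path cannot replace the root, then let
    # realpath() collapse '..' and symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    # commonpath() avoids the prefix bug where /srv/alice2 passes as under /srv/alice.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"{requested!r} escapes {root_real}")
    return candidate

def escapes(root, requested):
    """True when the request would leave the sandbox."""
    try:
        resolve_in_sandbox(root, requested)
    except ValueError:
        return True
    return False

def dirlist(root, requested="", patterns=IGNORE_PATTERNS):
    """Entries of the requested directory, minus glob-matched ignored names."""
    target = resolve_in_sandbox(root, requested)
    return sorted(n for n in os.listdir(target)
                  if not any(fnmatch.fnmatch(n, p) for p in patterns))

def demo():
    """Build a throwaway sandbox for 'alice' (constructed data) and exercise the checks."""
    media = tempfile.mkdtemp()
    root = user_root(media, "alice")
    os.makedirs(root / "photos")
    for name in ("a.jpg", ".hidden", "cache.tmp"):
        (root / "photos" / name).touch()
    return {
        "listing": dirlist(root, "photos"),
        "traversal_blocked": escapes(root, "photos/../../../etc"),
        "absolute_confined": not escapes(root, "/photos/a.jpg"),
    }
```

In the view, the ValueError from resolve_in_sandbox should map to a 403 or 404 response rather than an error page, so the client learns nothing about paths outside the sandbox.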