django-ckeditor-filemanager's Issues

More stand-alone connector

Hi,
This is not a bug report per se.

I've just implemented Core Five Labs' FileManager, using your Django
connector. I found several issues:
- One issue was with the FileManager itself. It's that you had to change
their main JavaScript file to plug in the URLs for your connector. I wonder
if this issue can be fixed upstream, in Core Five Labs' FileManager.
- In your urls.py for the connector, you reference 'vendor.filemanager...'.
I wonder if there is a more robust way. Like referencing 'filemanager...'
without the 'vendor' part, which means that the 'filemanager' folder has to
be on the python path.
- In the dirlist view, you're using the print statement but apparently
mod_wsgi (which is the preferred deployment solution for Django according
to the docs) doesn't allow this.
- The list of folder names to ignore is hardcoded. Could be an option.
What's more, it could be a list of patterns rather than full names. I've
seen this used by other apps, it's probably not hard to do.
- Quite a few things could be options, and options could be in a
settings.py file for this app, which would try to pull values from
django.conf.settings before using a default. There's a pattern to do that
with Django.
- In filemanager/views.py, you're importing "settings" directly, instead of
using "from django.conf import settings".
- If I'm not mistaken, any user going to the filemanager/index.html public
file can then see files, delete them, and upload new files. Sounds like a
big security breach. My solution for now was to use the @user_passes_test
decorator for the dirlist and handler views, checking that the file manager
was called by a logged in user.

I've tweaked my way through these issues. I don't have time right now but
I'll try to show my changes or contribute patches if you're interested. The
goal would be to offer a stand-alone connector Django application, with
installation instructions.

Original issue reported on code.google.com by fverschelde on 7 Mar 2010 at 10:45

not a bug, some features/patches for consideration

I took the existing code and added a few features that I needed - not sure
if they are all worth integrating, but I thought I'd throw them out there.

#1. removed "vendor" pathing so that the app could function with an "apps"
or any other kind of directory using python path.
#2. added user directory based sandboxing, superusers are not limited.
#3. added ckeditor direct uploading handling.
#4. added some path checking to prevent "../../../" type hacking.
#5. forked out a settings file.
#6. changed download to read binary so the images are not transferred as ascii.

The updates are attached. 

Thanks.
Ben

Original issue reported on code.google.com by [email protected] on 16 Apr 2010 at 2:05
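
A sketch of the per-user sandboxing and "../../../" path checking listed as #2 and #4 in the issue above, added here as an illustration; it is not the patch attached to that issue, which is not on this page. The function names, the `media_root/<username>` layout and the sample tree are assumptions.

```python
import os
import tempfile

class OutsideSandbox(Exception):
    """The requested path resolves outside the caller's allowed root."""

def user_root(media_root, username, is_superuser=False):
    """Root a user may touch: all of media_root for superusers, else media_root/<username>."""
    media_root = os.path.realpath(media_root)
    if is_superuser:
        return media_root
    # The username becomes exactly one path component: no separators, no dot names.
    if not username or username in (".", "..") or any(c in username for c in "/\\\x00"):
        raise OutsideSandbox("unusable username: %r" % username)
    return os.path.join(media_root, username)

def resolve(root, requested):
    """Map a client-supplied path to a real path under root, or raise OutsideSandbox."""
    if "\x00" in requested:
        raise OutsideSandbox("NUL byte in path")
    root = os.path.realpath(root)
    # Leading separators are stripped so "/etc/passwd" is taken relative to root.
    # realpath() collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # commonpath() compares whole components, so "alice2" does not pass as "alice"
    # the way a plain startswith() prefix test would let it.
    if os.path.commonpath([root, candidate]) != root:
        raise OutsideSandbox(requested)
    return candidate

def allowed(root, requested):
    try:
        resolve(root, requested)
        return True
    except OutsideSandbox:
        return False

def build_demo_tree():
    """Constructed sample layout: alice/ and bob/ plus a symlink from alice/ into bob/."""
    media = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(media, "alice", "images"))
    os.makedirs(os.path.join(media, "bob"))
    open(os.path.join(media, "bob", "secret.txt"), "w").close()
    os.symlink(os.path.join(media, "bob"), os.path.join(media, "alice", "link"))
    return media

if __name__ == "__main__":
    alice = user_root(build_demo_tree(), "alice")
    for p in ("images/a.png", "../bob/secret.txt", "/etc/passwd", "link/secret.txt"):
        print("%-20s %s" % (p, "ok" if allowed(alice, p) else "rejected"))
```

In a Django view, `resolve()` would be called on every path parameter of the dirlist and handler views before any filesystem access, with the root derived from `request.user`.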
