Laravel-Backpack / FileManager

Admin interface for files & folders, using elFinder.

Access forbidden on BackpackElfinderController->showPopup() (browse Crud Field) #65

Open filcius opened 2 days ago

filcius commented 2 days ago

I am still using Backpack 5.0 and "backpack/pro" 1.1.3, but I doubt that would change anything.

After updating to filemanager 2.0.2, the Crud Field browse type popup generates a 403 http error. This error is generated by BackpackElfinderController->showPopup(), even if the mime type is not submitted in the query.

Is the mime type required in /elfinder/popup/image request? How do we configure it?

The Crud form: [image]

The broken file browser popup: [image]

The error in the log file: staging.ERROR: Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.

If the mime type is indeed optional, I temporarily changed my version of BackpackElfinderController->showPopup like this. Remember, this is for 2.0.2.

    public function showPopup($input_id)
    {
        $mimes = request('mimes');

        // Only verify the parameter when the client actually sent one;
        // a failed decrypt means the value was altered, so refuse the request.
        if (isset($mimes)) {
            try {
                $mimes = Crypt::decrypt(urldecode(request('mimes')));
            } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
                Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
                abort(403, 'Unauthorized action.');
            }
        }

        // Pass the verified list on to the view; no parameter means no filter.
        if (!empty($mimes)) {
            request()->merge(['mimes' => urlencode(serialize($mimes))]);
        } else {
            request()->merge(['mimes' => '']);
        }

        return $this->app['view']
            ->make($this->package . '::standalonepopup')
            ->with($this->getViewVars())
            ->with(compact('input_id'));
    }

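A language-neutral illustration of what the two versions of showPopup do, added here and not code from the FileManager package: a tamper-evident `mimes` parameter checked two ways, the strict check the report describes (an absent parameter rejected as tampering) and the check in filcius's change (absent means no filter). It assumes an HMAC tag with a constructed key in place of Laravel's Crypt, and Python in place of PHP so that it runs stand-alone.

```python
import base64
import hashlib
import hmac
import json

APP_KEY = b"constructed-demo-key-do-not-reuse"  # stands in for APP_KEY (constructed)
TAG_LEN = 32  # SHA-256 HMAC tag appended to the serialised list


class Forbidden(Exception):
    """Stand-in for abort(403, 'Unauthorized action.')."""


def protect_mimes(mimes: list) -> str:
    """Server side: serialise the allowed list and append an HMAC tag.
    Laravel's Crypt also encrypts; a plain MAC suffices since the list is not secret."""
    payload = json.dumps(mimes, separators=(",", ":")).encode()
    tag = hmac.new(APP_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def unprotect_mimes(token: str) -> list:
    """Verify the tag; any modified parameter raises Forbidden (the DecryptException path)."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(APP_KEY, payload, hashlib.sha256).digest()
        if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
            raise ValueError("tag mismatch")
        return json.loads(payload)
    except (ValueError, TypeError) as exc:  # binascii.Error is a ValueError
        raise Forbidden("Someone attempted to tamper with mime types in elfinder popup.") from exc


def show_popup_strict(query: dict) -> list:
    """As the report describes 2.0.2: always verified, so an omitted 'mimes' counts as tampering."""
    return unprotect_mimes(query.get("mimes", ""))


def show_popup_fixed(query: dict) -> list:
    """filcius's change: absent means 'no filter'; only a present, unverifiable value is tampering."""
    token = query.get("mimes")
    return [] if token is None else unprotect_mimes(token)


def is_forbidden(handler, query: dict) -> bool:
    """True when the handler rejects the query with a 403."""
    try:
        handler(query)
        return False
    except Forbidden:
        return True
```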
backpack-ai-bot[bot] commented 2 days ago

🚨 Bot is not sure about this answer. Please verify. 🚨

Based on the information provided in the knowledge sources, I don't have enough specific details to fully address your issue with Backpack 5.0 and FileManager 2.0.2. However, I can provide some insights based on related issues and potential solutions:

  1. Mime type filtering: The mime_types parameter is used in Backpack to filter file types in elFinder. There have been issues reported with mime type filtering in previous versions Github Issue #2480.

  2. ElFinder configuration: Make sure your elFinder configuration is correct, especially the route and middleware settings. Check your config/elfinder.php file to ensure it matches the expected configuration Github Issue #575.

  3. Middleware: Ensure that the correct middleware is applied to the elFinder routes. The default configuration should include both 'web' and 'admin' middleware Github Issue #575.

  4. Route prefix: Verify that the elFinder route prefix is correctly set in your configuration. It should match your Backpack admin prefix Github Issue #191.

As for your temporary solution, while it might work, it's not recommended to modify core files directly. Instead, you could try to extend the BackpackElfinderController and override the showPopup method in your own controller.

If the issue persists, I recommend:

  1. Checking for any JavaScript errors in the browser console when trying to open the popup.
  2. Verifying that all necessary assets for elFinder are being loaded correctly.
  3. Ensuring that your Backpack and FileManager versions are compatible.

If none of these suggestions help, you may want to open an issue on the Backpack GitHub repository with detailed steps to reproduce the problem, as the specific issue you're encountering is not directly addressed in the provided knowledge sources.

ℹ️ Please note our AI Bot does not reply to follow-ups, this will be the only AI answer in this thread. If the AI helped you find the answer, please mark it as answered or write details below so it can learn. Then close the conversation. If not, please give more information for when a human reads this. ℹ️

Relevant sources:

  - Github Issue (closed): [4.0][Bug] Multiple images upload to the File Manager
  - Github Issue (closed): addField type browse file restriction
  - Github Issue (closed): [Feature request] Allow mime_types filter on browse field
  - Github Issue (closed): [Bug] elFinder integration for CKEditor not working as documented
  - Github Issue (open): [Feature Request] Browser field: restrict to subdirectories
  - Github Issue (closed): Elfinder known vulnerabilities
  - [4.0][Bugfix] Elfinder mime type filter.
  - Github Issue (closed): Browse field type and wrong iframe URL to elFinder
  - Github Issue (closed): [Bug] export buttom and browse field
  - Github Issue (closed): Cant access elfinder after fresh install
  - Github Issue (closed): Elfinder working great in local but not in server
  - Github Issue (closed): Auth::check() returns false on ElFinder
  - Github Issue (closed): [4.0][BUG] Unable to prepare route for serialization.
  - [4.1-beta][Bug] Browse multiple field with latest elfinder

filcius commented 2 days ago

The bot seems to have useful insight, let me try it.

filcius commented 2 days ago

I tried some solutions without success. I keep my issue open. I did not see any mime_types option on the browse field type.

$this->crud->addField(
    [ // image
        'label'      => 'Photo (ex: 1600 x 635)',
        'name'       => 'image',
        'type'       => 'browse',
        'mime_types' => ['image'],
        'tab'        => trans('cms.general-content'),
    ]
);