Only admin can upload files

Hi

First post! I was hoping I could get through Elgg without having to make one! 

I've spent a good 5hrs this evening trying to get to grips with restricting File uploads to Admins only. I managed to find the "Gatekeeper" workaround for creating pages, but I'm not having any joy with the files. 

I need the facility to be able to stop users uploading files of any description and for this facility just to be made available to the admin. I'm not too fussed about it looking pretty and removing the upload / zip boxes - I just need to stop them from actually doing it. 

Hope somebody can take the time to help me, My Elgg installation depends on this and I've come so far, this is my last issue before I can go live. 

Thanks in advance, 

Maritn

  • quikNderty = mod\file\actions\file\upload.php

     

  • And you can use the function elgg_is_admin_logged_in() to check if the user is an admin

  • ;-oO Matt.. we're 1/2 the time crossing tee hee.. hope (aint dozed & that) he realizesi merely gave really Quick N Dirty Solution - not *the proper way ! Sounded 2 2 deperate;P soo..

  • Hi

    I'm afraid I'm still having no joy with this. Not sure If I've misunderstood what I need to do. 

    I tried adding a admin_gatekeeper() line into the upload.php but this stopped me from uploading any files, even when logged in as the administrator. 

    Do you reckon you could spot me a step by step for me to follow to stop standard users from uploading files. Apologies - not a coder. 

    Cheers, 

    M

  • nope ;-) the answers are all above ;-P
    but if you wanna post here :-
    * exact fully qualified name of the php script file you are editing and
    * the exact code that's causing you grief..

    someone cud probably spot the problems quickish

    ++ What version of Elgg ?

     

  • Hi, don't know what you mean by "fully qualifed" but

    I'm editing

    xx\mod\file\actions\file\upload.php, as below - using 

    Release - 1.8.8, Version - 2012071100

    <?php
    /**
    * Elgg file uploader/edit action
    *
    * @package ElggFile
    */

    // Get variables
    $title = get_input("title");
    $desc = get_input("description");
    $access_id = (int) get_input("access_id");
    $container_guid = (int) get_input('container_guid', 0);
    $guid = (int) get_input('file_guid');
    $tags = get_input("tags");

    if ($container_guid == 0) {
    $container_guid = elgg_get_logged_in_user_guid();
    }

    elgg_make_sticky_form('file');

    // check if upload failed
    if (!empty($_FILES['upload']['name']) && $_FILES['upload']['error'] != 0) {
    register_error(elgg_echo('file:cannotload'));
    forward(REFERER);
    }

    // check whether this is a new file or an edit
    $new_file = true;
    if ($guid > 0) {
    $new_file = false;
    }

    if ($new_file) {
    // must have a file if a new file upload
    if (empty($_FILES['upload']['name'])) {
    $error = elgg_echo('file:nofile');
    register_error($error);
    forward(REFERER);
    }

    $file = new FilePluginFile();
    $file->subtype = "file";

    // if no title on new upload, grab filename
    if (empty($title)) {
    $title = $_FILES['upload']['name'];
    }

    } else {
    // load original file object
    $file = new FilePluginFile($guid);
    if (!$file) {
    register_error(elgg_echo('file:cannotload'));
    forward(REFERER);
    }

    // user must be able to edit file
    if (!$file->canEdit()) {
    register_error(elgg_echo('file:noaccess'));
    forward(REFERER);
    }

    if (!$title) {
    // user blanked title, but we need one
    $title = $file->title;
    }
    }

    $file->title = $title;
    $file->description = $desc;
    $file->access_id = $access_id;
    $file->container_guid = $container_guid;

    $tags = explode(",", $tags);
    $file->tags = $tags;

    // we have a file upload, so process it
    if (isset($_FILES['upload']['name']) && !empty($_FILES['upload']['name'])) {

    $prefix = "file/";

    // if previous file, delete it
    if ($new_file == false) {
    $filename = $file->getFilenameOnFilestore();
    if (file_exists($filename)) {
    unlink($filename);
    }

    // use same filename on the disk - ensures thumbnails are overwritten
    $filestorename = $file->getFilename();
    $filestorename = elgg_substr($filestorename, elgg_strlen($prefix));
    } else {
    $filestorename = elgg_strtolower(time().$_FILES['upload']['name']);
    }

    $file->setFilename($prefix . $filestorename);
    $mime_type = ElggFile::detectMimeType($_FILES['upload']['tmp_name'], $_FILES['upload']['type']);

    // hack for Microsoft zipped formats
    $info = pathinfo($_FILES['upload']['name']);
    $office_formats = array('docx', 'xlsx', 'pptx');
    if ($mime_type == "application/zip" && in_array($info['extension'], $office_formats)) {
    switch ($info['extension']) {
    case 'docx':
    $mime_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document";
    break;
    case 'xlsx':
    $mime_type = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";
    break;
    case 'pptx':
    $mime_type = "application/vnd.openxmlformats-officedocument.presentationml.presentation";
    break;
    }
    }

    // check for bad ppt detection
    if ($mime_type == "application/vnd.ms-office" && $info['extension'] == "ppt") {
    $mime_type = "application/vnd.ms-powerpoint";
    }

    $file->setMimeType($mime_type);
    $file->originalfilename = $_FILES['upload']['name'];
    $file->simpletype = file_get_simple_type($mime_type);

    // Open the file to guarantee the directory exists
    $file->open("write");
    $file->close();
    move_uploaded_file($_FILES['upload']['tmp_name'], $file->getFilenameOnFilestore());

    $guid = $file->save();

    // if image, we need to create thumbnails (this should be moved into a function)
    if ($guid && $file->simpletype == "image") {
    $file->icontime = time();

    $thumbnail = get_resized_image_from_existing_file($file->getFilenameOnFilestore(), 60, 60, true);
    if ($thumbnail) {
    $thumb = new ElggFile();
    $thumb->setMimeType($_FILES['upload']['type']);

    $thumb->setFilename($prefix."thumb".$filestorename);
    $thumb->open("write");
    $thumb->write($thumbnail);
    $thumb->close();

    $file->thumbnail = $prefix."thumb".$filestorename;
    unset($thumbnail);
    }

    $thumbsmall = get_resized_image_from_existing_file($file->getFilenameOnFilestore(), 153, 153, true);
    if ($thumbsmall) {
    $thumb->setFilename($prefix."smallthumb".$filestorename);
    $thumb->open("write");
    $thumb->write($thumbsmall);
    $thumb->close();
    $file->smallthumb = $prefix."smallthumb".$filestorename;
    unset($thumbsmall);
    }

    $thumblarge = get_resized_image_from_existing_file($file->getFilenameOnFilestore(), 600, 600, false);
    if ($thumblarge) {
    $thumb->setFilename($prefix."largethumb".$filestorename);
    $thumb->open("write");
    $thumb->write($thumblarge);
    $thumb->close();
    $file->largethumb = $prefix."largethumb".$filestorename;
    unset($thumblarge);
    }
    }
    } else {
    // not saving a file but still need to save the entity to push attributes to database
    $file->save();
    }

    // file saved so clear sticky form
    elgg_clear_sticky_form('file');


    // handle results differently for new files and file updates
    if ($new_file) {
    if ($guid) {
    $message = elgg_echo("file:saved");
    system_message($message);
    add_to_river('river/object/file/create', 'create', elgg_get_logged_in_user_guid(), $file->guid);
    } else {
    // failed to save file object - nothing we can do about this
    $error = elgg_echo("file:uploadfailed");
    register_error($error);
    }

    $container = get_entity($container_guid);
    if (elgg_instanceof($container, 'group')) {
    forward("file/group/$container->guid/all");
    } else {
    forward("file/owner/$container->username");
    }

    } else {
    if ($guid) {
    system_message(elgg_echo("file:saved"));
    } else {
    register_error(elgg_echo("file:uploadfailed"));
    }

    forward($file->getURL());
    }

  • yew did post the qualified filename ;-P
    but
    you did not post the badd code !;(
    anyways - if you change this file to

    <?php
    admin_gatekeeper();
        /**
        * Elgg file uploader/edit action
        * @package ElggFile
        */
        // Get variables

    should block any non-Admin from executing a file-upload;
    although other will still see the 'upload a new..' button.

     



  • or you can do it without modifying the action file

    elgg_unregister_action('file/upload');

    elgg_register_action('file/upload', elgg_get_plugins_path() . 'file/actions/file/upload.php', 'admin');

  • thanks matt, that helped me too. :)

  • Another easier option is create a plugin hook for the 'file/upload' action and return false, if the current user is not an admin.

    Single problem, multiple options, selection is yours. :)