Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

FileUpload 1.4.0 Released

2»

Comments

  • judgejjudgej
    edited November 2010
    phpthumb, I think, is the "defacto standard" for any PHP application. It is reliable, easy to used, and flexible.

    I have used it in a small script that gets invoked automatically if a thumbnail does not exist, in order to create one (and cache it) on-the-fly.

    A directory can be set up through htaccess so that if you try to access MyFile-icon-small.gif and it does not exist, then phpthumb can be invoked to look for MyFile.gif and then create a thumbnail from it and write it to MyFile-icon-small.gif. That will only get called up once, since the second time the "icon-small" file is accessed, it already exists. What size "icon-small" represents is up to your application.
  • This release fixes a number of issues with Internet Explorer, which I could not get to work at all in previous versions (the "Attach a file" link being unresponsive to mouse clicks, for a start).

    Thank you :-)
  • judgejjudgej
    edited November 2010
    Another problem with using the original images for the thumbnails, is that it means direct HTTP access must be given to those images.

    At the moment, downloading an image - or any file for that matter - goes through the FileUpload module and so it is possible to check whether a user has permissions to download the file. If the user has view privileges on a category in which the file is attached to a post, then the user is permitted to download the file; if not, the the user is not permitted to download the file (I would consider files attached to a post to be a part of that post, so should only be accessible through that post, taking into account the access rights a user has to that post). At least, I hope it works this way.

    The site owner should be able to block all direct access to uploads/FileUpload/ to prevent people scanning those folders (using numeric filenames) to see what has been uploaded there. If that is done, the thumbnails from the source images cannot be accessed.

    -- Jason

    Edit: but with a little trickery, perhaps attempting to access images directly in uploads/FileUpload/ could actually just return the thumbnail by default? A bit of mod_rewrite and phpthumb would do it. It does not hide them completely from unprivileged prying eyes, but it's better than allowing free access to the World to download the original uploaded documents and files.
  • TimTim Operations Vanilla Staff
    I'm working on this plugin today and have already implemented most of what you say. I was trying to figure out how to block access to uploads/FileUpload/ but I guess I *can* just leave that up to the site administrator.

    Vanilla Forums COO [GitHub, Twitter, About.me]

  • TimTim Operations Vanilla Staff
    All files will be served indirectly.

    Vanilla Forums COO [GitHub, Twitter, About.me]

  • I was trying to figure out how to block access to uploads/FileUpload/
    .htaccess
    DenyFromAll
  • TimTim Operations Vanilla Staff
    Obviously. But what I meant is, a way that works for everyone who meets our current minimum requirements, one of which is *not* htaccess.

    Vanilla Forums COO [GitHub, Twitter, About.me]

  • Cool. I agree, leave it up to the administrator to block the folder, but it may be worth throwing in a htaccess just for completeness, along with a note in the readme for people using other platforms and to tell people where to copy the htaccess to.
  • raykrayk New
    edited November 2010
    Nice update, insert image is very welcome!

    There is no insert image button when you go to edit a post...?

    The other nitpick is when you insert an image into the post the attached images thumbnails still appear - makes post look a little messy for an image heavy/art site.

    Cheers.
  • Awesome update, great ideas. Looking forward to improvements as well, like the ones @rayk mentioned
  • Hi Tim,
    Unfortunately I can't find a way to make FileUplaod work on my website. When I activate the plugin and go to the Manage Plugins page, then click on Settings, a page appears that says:

    "Permission Problem
    You do not have permission to access the requested resource."

    Any idea on how to fix this? I am sure it has to do with my server; I have both WordPress and Vanilla installed on it, with two different mySQL databases.
    Well, any suggestion would be great!
  • don't know where to config the max file size ....... can anyone help me ?
  • I have a problem regarding the upload plugin - when i try to activate it on my dashboard (freshly installed Vanilla, Version 2.0.17.6), I only get an error message:

    The addon could not be enabled because it generated a fatal error:
    Fatal error
    Class 'MediaModel' not found in myhbasedirectory/vanilla.mydomain.xx/plugins/FileUpload/class.fileupload.plugin.php on line 34

    Since the plugin requires Vanilla 2.0.9 - do i have to downgrade my vanilla? Or am i doing anything wrong?

    Thanks in advance
    Jan
  • This can be related ini files in cache folder, as Vanilla stores paths to models files in this files.
  • I have installed the plugin but It doesnt seem to be uploading files. I have checked the uploads folder and dont see a FileUpload directory. Permissions on uploads appear to be correct. Any help appreciated.
Sign In or Register to comment.