Upload files need some restrictions
Posted 21 February 2012 - 23:40 PM
the user can upload any kind of file, so he can easily upload a php shell !!
I'm not sure if someone else knows that, but I would just like to find some extension restrictions in the next version
my greetings
Posted 22 February 2012 - 00:16 AM
Of course by default the user will not be able to upload php or other system files.
Posted 22 February 2012 - 02:55 AM
I appreciate your work
Posted 29 February 2012 - 03:33 AM
> I think the uploading field function needs some restrictions
> the user can upload any kind of file, so he can easily upload a php shell !!
> I'm not sure if someone else knows that, but I would just like to find some extension restrictions in the next version
> my greetings

Hey, I was thinking the same and googled for a solution and found this thread. Not sure if you've figured it out already or not, but the current file uploader used (v1.1.8) has a built-in restriction based on file extension, albeit not the most secure, but it should be of use for the time being.
To achieve this you simply need to add the following to your configuration file:
allowedExtensions: ['jpg', 'jpeg', 'png', 'gif']
The file uploader configuration used is located at: assets/grocery_crud/js/other/fileuploader.config.js
So it should look similar to:
$(function(){
    $('.grocery-crud-uploader').each(function(){
        var uploader_id = $(this).attr('id');
        var unique_id = $(this).attr('rel');
        var field_name = $('#hidden_'+unique_id).attr('name');
        var upload_url = $('#url_'+unique_id).attr('href');
        var delete_url = $('#delete_url_'+unique_id).attr('href');
        var uploader = new qq.FileUploader({
            element: document.getElementById(uploader_id),
            action: upload_url,
            // Allowed extensions (client-side check only; the server must enforce its own)
            allowedExtensions: ['jpg', 'jpeg', 'png', 'gif'],
            onComplete: function(id, fileName, responseJSON){
                $('#file_'+unique_id).html(responseJSON.file_name);
                $('#file_'+unique_id).attr('href',responseJSON.full_url);
                $('#hidden_'+unique_id).val(responseJSON.file_name);
                $('#'+uploader_id).hide();
                $('#success_'+unique_id).fadeIn('slow');
                $('#delete_url_'+unique_id).attr('rel',responseJSON.file_name);
            }
            // etc
        });
    });
});
If for some reason it still doesn't work you might want to try replacing the fileuploader.js file with: https://raw.github.c...fileuploader.js
For more info on the file uploader: https://github.com/v...s/file-uploader
Posted 29 February 2012 - 07:26 AM
Also I want to mention that this task (with both client-side [JavaScript] and server-side [PHP] validation) is done. Whoever wants to download it, just download the last trunk version from github to use it (you can see how at: http://www.grocerycr...indpost__p__356 ).
Take a taste of how the config file of grocery CRUD looks right now:
...
$config['grocery_crud_file_upload_allow_file_types'] = 'gif|jpeg|jpg|png|tiff|doc|docx|txt|odt|xls|xlsx|pdf|ppt|pptx|pps|ppsx|mp3|m4a|ogg|wav|mp4|m4v|mov|wmv|avi|mpg|ogv|3gp|3g2';
$config['grocery_crud_file_upload_max_file_size'] = '20MB'; //ex. '10MB' (Mega Bytes), '1067KB' (Kilo Bytes), '5000B' (Bytes)
...
Thanks again
Posted 22 May 2013 - 23:26 PM
Well, that thing is way too generic for allowing users to configure in the config file. What if for one function I want a user to upload only images and for another I want the user to upload only pdf files, and so on? This will be an issue with the same.
I got a simpler and easier way to incorporate this feature -
a tweak inside the grocery crud library itself:

In class grocery_CRUD extends grocery_CRUD_States { ...... } add a new protected variable:

    protected $allowed_types = null;

then add a new function:

    function set_allowed_types($types)
    {
        $this->allowed_types = $types;
    }

this will allow the user to define @runtime what file types should be allowed and what not. And in function _initialize_variables() replace the following code:

    $this->config->file_upload_allow_file_types = $ci->config->item('grocery_crud_file_upload_allow_file_types');

with:

    if (is_null($this->allowed_types))
        $this->config->file_upload_allow_file_types = $ci->config->item('grocery_crud_file_upload_allow_file_types');
    else
        $this->config->file_upload_allow_file_types = $this->allowed_types;

This should do it.. it worked out for me very well..
I think this should be added as part of the grocery crud library itself so it will be very convenient and flexible for the developers to adopt this easy workaround.
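The two posts above describe the server-side side of this: a global `grocery_crud_file_upload_allow_file_types` whitelist in the `gif|jpeg|jpg` format, a size limit such as `'20MB'`, and a per-call `set_allowed_types()` override. The following is an added example of what that server-side check can look like; it is not grocery CRUD's own code and not from either poster. The class name `UploadValidator`, the methods `setAllowedTypes()`, `parseSize()`, `check()` and `storageName()`, the extension-to-MIME table and the upload directory are assumptions made for this example; it needs PHP 7 (`random_bytes`) with ext/fileinfo enabled.

```php
<?php
// Added example, not grocery CRUD's own code. Names and the MIME table below
// are assumptions; the config strings mirror the grocery_crud_file_upload_*
// keys quoted in the thread.

class UploadValidator
{
    /** @var string[] lower-case extension whitelist */
    private $allowed = [];
    /** @var int size limit in bytes */
    private $maxBytes;

    // Expected MIME types per extension, used to cross-check the real bytes.
    // Constructed for this example; extend it for the types you actually allow.
    private static $mimeByExt = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
        'txt'  => ['text/plain'],
    ];

    public function __construct($allowedTypes, $maxSize)
    {
        $this->setAllowedTypes($allowedTypes);
        $this->maxBytes = self::parseSize($maxSize);
    }

    /** Per-call override in the spirit of set_allowed_types(); accepts 'gif|jpg|png'. */
    public function setAllowedTypes($types)
    {
        $list = array_filter(array_map('trim', explode('|', strtolower($types))));
        $this->allowed = array_values($list);
    }

    /** Parses '20MB', '1067KB' or '5000B' (the formats in the config comment) into bytes. */
    public static function parseSize($size)
    {
        if (!preg_match('/^(\d+)\s*(B|KB|MB)$/i', trim($size), $m)) {
            throw new InvalidArgumentException("Unrecognised size: $size");
        }
        $mult = ['B' => 1, 'KB' => 1024, 'MB' => 1024 * 1024];
        return (int) $m[1] * $mult[strtoupper($m[2])];
    }

    /**
     * Validates one $_FILES entry. Returns null when acceptable, otherwise a reason.
     * Only the last extension is consulted, and storageName() never reuses the
     * client-supplied name, so 'shell.php.jpg' or '../x.php' never reach the disk
     * under the name the client chose.
     */
    public function check(array $file)
    {
        if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
            return 'upload failed';
        }
        $name = basename((string) $file['name']);
        if ($name === '' || strpos($name, "\0") !== false) {
            return 'invalid file name';
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($ext === '' || !in_array($ext, $this->allowed, true)) {
            return "extension '.$ext' is not allowed";
        }
        if (!is_uploaded_file($file['tmp_name'])) {
            return 'not an uploaded file';
        }
        if (filesize($file['tmp_name']) > $this->maxBytes) {
            return 'file exceeds size limit';
        }
        // The bytes must look like what the extension claims (ext/fileinfo).
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if (isset(self::$mimeByExt[$ext]) && !in_array($mime, self::$mimeByExt[$ext], true)) {
            return "content type $mime does not match .$ext";
        }
        return null;
    }

    /** Random, server-chosen file name that keeps only the vetted extension. */
    public static function storageName($originalName)
    {
        $ext = strtolower(pathinfo(basename($originalName), PATHINFO_EXTENSION));
        return bin2hex(random_bytes(16)) . ($ext !== '' ? ".$ext" : '');
    }
}

// Usage: the global config sets the default, one upload field narrows it to images.
$validator = new UploadValidator('gif|jpeg|jpg|png|pdf|txt', '20MB');
$validator->setAllowedTypes('jpg|jpeg|png|gif');

if (isset($_FILES['userfile'])) {
    $problem = $validator->check($_FILES['userfile']);
    if ($problem !== null) {
        http_response_code(400);
        exit(json_encode(['success' => false, 'error' => $problem]));
    }
    // Assumed upload directory: keep it outside the web root, or disable script
    // execution there, so even a misclassified file is served, not run.
    $dest = '/var/uploads/' . UploadValidator::storageName($_FILES['userfile']['name']);
    move_uploaded_file($_FILES['userfile']['tmp_name'], $dest);
    echo json_encode(['success' => true, 'file_name' => basename($dest)]);
}
```

The `allowedExtensions` list in the JavaScript config earlier in the thread is only a convenience for the user; the request can be made without the uploader script, so the whitelist, the size limit and the content check above are the part that actually protects the server. Storing under a random name with a single vetted extension, in a directory that cannot execute scripts, is what removes the "php shell" concern from the first post regardless of what the client named the file.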
Posted 23 May 2013 - 03:46 AM
Well amit shah,
This might be easier for you but it is not the recommended approach.
Why don't you post it under the /forum/8-extra-coding-plugins/
or make a pull request for the development version under https://github.com/scoumbourdis/grocery-crud ?
This way we will all benefit from it!
P.S. The only thing that troubles me is if it conflicts with the session variables somehow... web-johnny will be able to enlighten us on this issue.