
customizing savepath for files according to users

Posted: Wed May 09, 2012 12:51 am
by Jean
Hi Steve,
I am building an application to prepare materials (pictures, texts, MP3...) for public machines in a library. There are 14 categories (books, music, cinema...) and 14 directories to receive texts and pictures for the interface.

Code:
function init($table='interfaces'){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user = $auth->getLoggedInUser();
    if ($user){
        $pole=$user->val('identifiant');
        $myfield =$table->getField('image');
        $myfield['savepath'] = '/interfaces/lesinterfaces/'.$pole.'/images/';
    }
}


So I have a different login for each category and I dynamically change the savepath according to the user. You gave me an answer at http://xataface.com/forum/viewtopic.php?f=4&t=6732.
But now I have an error message about the permissions in the target directory. The error message speaks about the savepath in the fields.ini and not the $myfield['savepath'] in the table DelegateClass.

I did what I could to correct the permissions (XAMPP + Windows) but the message is still the same (sorry, it is in French):
Fatal error: N'a pas pu sauvegarder le champ 'image' à cause des permissions insuffisantes vers le répertoire de sauvegarde '/lesinterfaces/'. S'il vous plaît, vérifiez les permissions dans le répertoire '/lesinterfaces/' pour être sûr qu'il est accessible en écriture par le serveur web.On line 80 of file C:\xampp\htdocs\xataface-1.3.2\Dataface\FormTool\file.php in function printStackTrace()


Thank you

Jean

Re: customizing savepath for files according to users

Posted: Wed May 09, 2012 9:49 am
by shannah
A couple of comments:

1. Your save path is pointing to an absolute path from the root of your file system: /interfaces/lesinterfaces/. Is this correct? Or was it supposed to be relative to your application root?
2. Before including the $pole value in a path, you should probably test it to make sure it isn't empty and to make sure that it doesn't contain anything malicious (just in case someone manages to put some malicious path in the $pole value for a user record). E.g.:
if ( !trim($pole) ) throw new Exception("User identifier is empty... etc....");
$pole = basename($pole);


-Steve
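
An added example, not part of Steve's post or of Xataface itself: one way to apply both comments above, resolving the per-user directory under a known base and using a stricter allowlist check than basename() alone. The function name userSavePath and the demo base directory are hypothetical; the code assumes PHP 7 or later.

```php
<?php
// Added example: userSavePath() and the demo base directory are hypothetical.

// Build the per-user upload directory under $baseDir, or throw.
// $identifier plays the role of $pole (the user's 'identifiant' value).
function userSavePath(string $baseDir, string $identifier): string
{
    $identifier = trim($identifier);
    if ($identifier === '') {
        throw new InvalidArgumentException('User identifier is empty');
    }
    // Allowlist: a single path segment of letters, digits, '_' or '-'.
    // This rejects '..', '/', '\', drive letters and NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $identifier)) {
        throw new InvalidArgumentException('User identifier is not a safe directory name');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Base directory does not exist');
    }
    $sep = DIRECTORY_SEPARATOR;
    $target = $base . $sep . $identifier . $sep . 'images';
    if (!is_dir($target) && !mkdir($target, 0750, true)) {
        throw new RuntimeException('Cannot create save directory');
    }
    // Resolve symlinks and confirm the result is still inside the base.
    $resolved = realpath($target);
    if ($resolved === false || strncmp($resolved, $base . $sep, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Save directory escapes the base directory');
    }
    if (!is_writable($resolved)) {
        throw new RuntimeException('Save directory is not writable by the web server');
    }
    return $resolved . $sep;
}

// Constructed sample identifiers, run against a temporary base directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lesinterfaces_demo';
if (!is_dir($base)) {
    mkdir($base, 0750, true);
}
foreach (['musique', '', '../../etc', 'cinema/../..', 'C:\\windows'] as $pole) {
    try {
        echo var_export($pole, true), ' => ', userSavePath($base, $pole), PHP_EOL;
    } catch (Exception $e) {
        echo var_export($pole, true), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first sample identifier yields a path; the others are rejected before any directory is created or touched.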

Re: customizing savepath for files according to users

Posted: Wed May 09, 2012 1:09 pm
by Jean
Thank you Steve for your smart and quick answer as usual.
I'll test again on Monday, when I go back to my job. I don't have security problems because the app is in a small intranet but anyway, better to have good habits :wink:
Yes I'll change my path and see and add this small bit of program in the wiki with some others...
Jean

Re: customizing savepath for files according to users

Posted: Tue May 15, 2012 5:55 am
by Jean
Hi Steve,

In fact, it seems the app does not take into account the savepath inside the init method code but still uses the data from the fields.ini. :?

Jean

Re: customizing savepath for files according to users

Posted: Tue May 15, 2012 7:11 am
by Jean