Hello,
I am trying to find some info on EE’s session class. I need to instantiate it outside of EE to authorize tinymce and the tinymce filemanager. I need to check if the user is logged in and has cp access before allowing them to do stuff in the file manager.
The default way for authentication is via a simple session. See here: http://wiki.moxiecode.com/index.php/MCFileManager:Authentication
I need to create a custom authenticator for EE but to do so I am going to have to get an instance of the session class in the tiny mce authenticator.
I looked at the session class and there seems to be a lot of dependencies on other EE core files.
What would be the easiest way to get info on EE’s logged in users?
Or has this been done before? I haven’t been able to find one. If you don’t secure the tinymce file manager or image manager in this way anyone can simply go to http://domain.com/js/tiny_mce/plugins/filemanager/index.php and go to town.
imagize,
I would start in the session class documentation. That will show you what is available to you there.
As you discovered, the class relies on at least 7 other classes within EE and that's going to make it a bit difficult to just pull out and use outside of EE.
It may be easier to see if you can get the file manager to run within EE than the other way around, especially if you don’t really need it to be a portable solution. This would be why membership systems are so often not compatible with each other.
Or, you could create your own mini authentication setup outside of EE. It likely wouldn’t be able to do everything the EE class does, but if all you need to do is confirm a user is valid, logged in, and in the right membership group it wouldn’t be that complex. You would just check the exp_sessionid cookie, compare that to the session_id column in the exp_sessions table to get the member_id of the current member, and then work back from there.
Jamie
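The lookup described in the reply above, as an added example that is not part of the thread and not EE code. Only the exp_sessionid cookie, exp_sessions.session_id and member_id come from the post; the other tables and columns, the token format and the one-hour lifetime are assumptions, and the sample rows are constructed.

```php
<?php
// Added example, not EE code. Only exp_sessions.session_id and member_id come
// from the thread; every other table and column name is an assumption.

// Return the member_id of a logged-in control panel user, or null.
function ee_cp_member(PDO $db, array $cookies, int $now, int $ttl = 3600): ?int
{
    $sid = $cookies['exp_sessionid'] ?? '';
    // Assumed token format: reject anything that is not plain hex up front.
    if (!is_string($sid) || !preg_match('/^[a-f0-9]{32,40}$/', $sid)) {
        return null;
    }
    // Bound parameters only; the cookie value never becomes part of the SQL.
    $stmt = $db->prepare(
        'SELECT s.member_id
           FROM exp_sessions s
           JOIN exp_members m ON m.member_id = s.member_id
           JOIN exp_member_groups g ON g.group_id = m.group_id
          WHERE s.session_id = ? AND s.last_activity > ? AND g.can_access_cp = ?'
    );
    $stmt->execute([$sid, $now - $ttl, 'y']);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE exp_sessions (session_id TEXT, member_id INT, last_activity INT)');
$db->exec('CREATE TABLE exp_members (member_id INT, group_id INT)');
$db->exec('CREATE TABLE exp_member_groups (group_id INT, can_access_cp TEXT)');
$now = 1700000000;
$cases = [
    'cp user'      => str_repeat('a', 40),
    'no cp access' => str_repeat('b', 40),
    'stale'        => str_repeat('c', 40),
    'malformed'    => 'not-a-session-id',
];
$db->exec("INSERT INTO exp_member_groups VALUES (1, 'y'), (5, 'n')");
$db->exec('INSERT INTO exp_members VALUES (10, 1), (20, 5)');
$ins = $db->prepare('INSERT INTO exp_sessions VALUES (?, ?, ?)');
$ins->execute([$cases['cp user'], 10, $now - 60]);
$ins->execute([$cases['no cp access'], 20, $now - 60]);
$ins->execute([$cases['stale'], 10, $now - 7200]);

foreach ($cases as $label => $sid) {
    $member = ee_cp_member($db, ['exp_sessionid' => $sid], $now);
    printf("%-12s %s\n", $label, $member === null ? 'denied' : "member $member");
}
```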
The easiest way would be to do it the default way. If I could create a php session when ee logs in and then destroy it when the user logs out I could easily do the integration. This type of integration is supported by tinymce out of the box.
Edit: I just found two hooks, cp_member_login and cp_member_logout.
I should be able to use them to start a php session and set/destroy the simple session needed to secure tinymce.
Update: I wrote a simple extension and it works.
Hey Greg,
Just installed Moxiecode’s Filemanager, and running into the same issue, and can’t figure out which authentication approach is needed for EE integration.
Would it be possible to post your extension, extension code, or at least the method you used? Is the extension just setting the basic session variables for Filemanager:
$_SESSION['MyIsLoggedInState'] = true;
$_SESSION['MyRootPath'] = "/www/myroot";
?
It’s a very very simple extension that simply creates a session that the default moxiecode authenticator checks to see if the user should be allowed to use the file/image manager. It creates the session at the hook cp_member_login and destroys it at cp_member_logout.
As you said, it simply sets the session variables that moxiecode requires by default. It’s the simplest and easiest way to secure it and it’s very effective, i.e. you can make moxiecode redirect to your ee login page if the session is not set.
This could easily be made into a fully configurable extension, i.e. being able to set the root path of the file/image manager by EE member group (this would be handy to a lot of people, just set the root path session variable for each group). I haven’t had the need for it so far though.
I can post it if you want but it really is not that complex, I consider it more trivial than anything but it works! I made it as basic as possible so that it does what I need it to do.
I gave the simple code to LG a while ago and I believe he was planning to use it in his tinymce extension.
I am reluctant to do a big mod for EE, tinymce and the file/image managers because EE 2.0 might have its own RTE and a good manager for images/files. It would end up as a waste of time.
It’s a very very simple extension that simply creates a session that the default moxiecode authenticator checks to see if the user should be allowed to use the file/image manager. It creates the session at the hook cp_member_login and destroys it at cp_member_logout. … I can post it if you want but it really is not that complex, I consider it more trivial than anything but it works! I made it as basic as possible so that it does what I need it to do. …
Hi Greg,
I also have the same problem. Actually I realized that I have the same problem after reading this thread 😊
Could you please post me your extension? I think it will be the solution for me too. Maybe it is simple but a very good solution for a big problem.
Thanks!
<?php
// Refuse direct requests: EXT is only defined when EE loads this file.
if (!defined('EXT'))
{
    exit('Invalid file request');
}

class Moxie_code_auth
{
    var $settings       = array();
    var $name           = 'Moxiecode Authentication';
    var $version        = '0.1.0';
    var $description    = 'Restricts Access to TinyMCE File Manager and Image Manager';
    var $settings_exist = 'n';
    var $docs_url       = '';

    // Session key the Moxiecode session authenticator checks.
    var $_sess_name     = 'moxiecode_auth';

    // PHP 4 style constructor; this extension has no settings to store.
    function Moxie_code_auth($settings = '')
    {
    }

    // Hook cp_member_login: flag the PHP session as logged in.
    function create_moxiecode_session()
    {
        $this->_start_session();
        $_SESSION[$this->_sess_name] = true;
    }

    // Hook cp_member_logout: remove the flag and drop the session if it is now empty.
    function destroy_moxiecode_session()
    {
        $this->_start_session();
        if (isset($_SESSION[$this->_sess_name]))
        {
            unset($_SESSION[$this->_sess_name]);
            if (empty($_SESSION))
            {
                session_destroy();
            }
        }
    }

    // Register both hooks in exp_extensions.
    function activate_extension()
    {
        global $DB;
        $DB->query($DB->insert_string('exp_extensions',
            array(
                'extension_id' => '',
                'class'        => __CLASS__,
                'method'       => 'create_moxiecode_session',
                'hook'         => 'cp_member_login',
                'settings'     => '',
                'priority'     => 10,
                'version'      => $this->version,
                'enabled'      => 'y'
            )
        ));
        $DB->query($DB->insert_string('exp_extensions',
            array(
                'extension_id' => '',
                'class'        => __CLASS__,
                'method'       => 'destroy_moxiecode_session',
                'hook'         => 'cp_member_logout',
                'settings'     => '',
                'priority'     => 10,
                'version'      => $this->version,
                'enabled'      => 'y'
            )
        ));
    }

    // Record the new version number when the extension is updated.
    function update_extension($current = '')
    {
        global $DB;
        if ($current == '' OR $current == $this->version)
        {
            return FALSE;
        }
        $DB->query("UPDATE exp_extensions
                    SET version = '" . $DB->escape_str($this->version) . "'
                    WHERE class = '" . __CLASS__ . "'");
    }

    // Remove both hook registrations.
    function disable_extension()
    {
        global $DB;
        $DB->query("DELETE FROM exp_extensions WHERE class = '" . __CLASS__ . "'");
    }

    // Start a PHP session unless one is already active.
    function _start_session()
    {
        if (!isset($_SESSION))
        {
            session_start();
        }
    }
}
Simply change the sess_name property to the name of the session key in the moxiecode file/image manager config file. (I called mine moxiecode_auth)
Like I said, very simple. There is plenty of room for improvement, i.e. you could make the sess_name value an EE setting, but I like to keep things as straightforward as possible when making small scripts for myself.
Great extension to integrate MCFilemanager to EE. I am sure many users will come across the same authentication issue here. While the problem is trivial enough, it is nice to get it done quick without reinventing the wheel. This extension should really be posted and go with the first-party TinyMCE extension download page so users can incorporate TinyMCE w MCFile/MCImage Manager more easily.
Thanks guys, it is important that you use something like this if you plan to use the file manager or image manager to prevent unauthorized people uploading and deleting files. This could be improved to allow you to limit which directories certain users and groups can upload to, to make it even more useful.
I am hesitant to work on this as EE2.0 might have more in built functionality to handle this though.
I believe LG was planning on incorporating this straight into his tinymce extensions anyway.
Greg
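The per-group directory limit suggested above, as an added example that is not part of the thread or of the posted extension. The helper name, group ids and directory names are hypothetical; 'moxiecode_auth' and 'MyRootPath' are the session keys quoted earlier in the thread, and the directory tree is constructed for the demonstration.

```php
<?php
// Added example: the helper, group ids and directory names are hypothetical.
// 'moxiecode_auth' and 'MyRootPath' are the session keys quoted in this thread.

// Session values for a member group, or null when the group gets no access.
function moxie_session_for_group(int $groupId, array $roots, string $base): ?array
{
    if (!isset($roots[$groupId])) {
        return null; // default deny for groups that are not listed
    }
    $baseReal = realpath($base);
    $rootReal = realpath($base . '/' . $roots[$groupId]);
    if ($baseReal === false || $rootReal === false) {
        return null; // missing directory
    }
    // Compare resolved paths so "..", symlinks or typos cannot leave $base.
    $inside = $rootReal === $baseReal
        || strpos($rootReal, $baseReal . DIRECTORY_SEPARATOR) === 0;
    return $inside ? ['moxiecode_auth' => true, 'MyRootPath' => $rootReal] : null;
}

// Constructed directory tree under the system temp directory.
$top = sys_get_temp_dir() . '/moxie_demo_' . getmypid();
foreach (['uploads/editors', 'uploads/authors', 'private'] as $dir) {
    mkdir("$top/$dir", 0700, true);
}
$roots = [
    1 => '.',           // full upload tree
    6 => 'editors',
    7 => '../private',  // misconfigured entry, must be refused
];
foreach ([1, 6, 7, 5] as $groupId) {
    $values = moxie_session_for_group($groupId, $roots, "$top/uploads");
    printf("group %d: %s\n", $groupId, $values ? $values['MyRootPath'] : 'denied');
}
```

In a login hook the returned array would be copied into $_SESSION, and a null result would leave the session without the logged-in flag.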
This is exactly what I’m trying to do, but can’t seem to figure it out. Hopefully someone can tell me what I’m doing wrong. Right now I’m:
* copying your posted extension code
* sticking it in a file called ext.mc_authenticator.php inside my extensions folder
* In my mcFileManager config.php, setting:
$mcFileManagerConfig['SessionAuthenticator.logged_in_key'] = "moxiecode_auth";
* $_sess_name from extension and SessionAuthenticator.logged_in_key now match
That’s as far as I’ve gotten. Do I need to enable the extension? It doesn’t seem to show up in my extensions list. Am I changing the right thing in the FileManager config?
Help is appreciated!
If it doesn’t show up in your extension list, it indicates something is wrong with your extension. EE doesn’t like it. Chances are there is a typo or your filename doesn’t match your class. If all is well, you should see it and you need to enable it. Good luck.
PS. If you just use the example code, the filename should be ‘ext.moxie_code_auth.php’.