Secure Roxy Fileman

Fileman's PHP or .NET scripts will not manipulate files or folders outside the directory set in the FILES_ROOT setting. Also, a Fileman script that is not set in the configuration cannot be executed: it will exit.
For example, if MOVEDIR is set to "your_script_to_move_dir.php" and the original Fileman "php/movedir.php" script is requested, it will check the configuration and exit because its own name does not match the value of the MOVEDIR setting. The same mechanism is used in the .NET distribution.

However, it's up to you to implement application-level access restriction! If you are using a protected directory and Fileman resides in it, you are good to go.


.NET users can use web.config file to apply user authentication.


To implement your own security checks in PHP, you have to fill in the "checkAccess($action)" function located in fileman/php/ file. This function is executed at the beginning of each PHP script, and you can validate the user or the action which is about to be performed ($action will contain the name of the setting, e.g. "MOVEDIR" when moving a directory). Usually user login validation is pretty simple; it could be something like "if($_SESSION['is_admin_logged'] !== true)exit;".
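
A fuller checkAccess($action) than the one-line session check, as an added example that is not Roxy Fileman's own code: it denies by default and limits each role to an explicit list of actions. The 'fileman_role' session key, the role names and the fileman_is_allowed() helper are assumptions; only MOVEDIR is named on this page, so the other action names must match the setting names in your own Fileman configuration.

```php
<?php
// Added example, not Roxy Fileman's own code. Hypothetical names: the
// 'fileman_role' session key, the role names and fileman_is_allowed().
// Action names other than MOVEDIR are assumptions: spell them exactly as
// the settings are named in your Fileman configuration.
const FILEMAN_ROLE_ACTIONS = [
    'viewer' => ['DIRLIST', 'FILESLIST', 'DOWNLOAD'],
    'editor' => ['DIRLIST', 'FILESLIST', 'DOWNLOAD', 'UPLOAD', 'RENAMEFILE'],
];

// Pure decision function: true only when the session is authenticated and
// the requested action is explicitly allowed for the user's role.
function fileman_is_allowed(array $session, $action): bool
{
    if (!is_string($action) || $action === '') {
        return false;
    }
    // Administrators (the session flag used in the text above) may do everything.
    if (($session['is_admin_logged'] ?? false) === true) {
        return true;
    }
    $role = $session['fileman_role'] ?? null;
    if (!is_string($role) || !array_key_exists($role, FILEMAN_ROLE_ACTIONS)) {
        return false;                      // anonymous visitor or unknown role
    }
    // Strict comparison; anything not listed (MOVEDIR, for example) is denied.
    return in_array($action, FILEMAN_ROLE_ACTIONS[$role], true);
}

// Executed at the beginning of each Fileman PHP script with the setting name.
function checkAccess($action)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!fileman_is_allowed($_SESSION, $action)) {
        http_response_code(403);
        exit;                              // stop before any file operation runs
    }
}
```

Because the check runs per action, a logged-in 'viewer' can still browse and download while a request that reaches the MOVEDIR script exits with 403.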

You can also use HTTP Basic authentication or any other authentication mechanism you want.


User comments

Please see the FAQ page before asking a question.

I don't review comments very often, and I will NOT answer the questions asked here, please use the contact form.

L. Arsov

Author: zinchronize 29-12-2016 08:50:25 (GMT)
I inject a code inside the main.ashx file under public method "ProcessRequest". Sample snippet below:

public void ProcessRequest (HttpContext context) {

    // Custom code here
    var auth = new SMIC_Intranet2.Models.AuthorizationGateway();
    // credentials is the UsersRepository returned for the current user
    var credentials = auth.AuthorizeUser();

    if (!(credentials.Role == SMIC_Intranet2.Models.UserRoles.ADMINISTRATOR || credentials.Role == SMIC_Intranet2.Models.UserRoles.PUBLISHER))
    {
        // respond with 401 when the role check fails; otherwise execution continues
        context.Response.StatusCode = 401;
        return; // stop here so the file operation below never runs for this request
    }

    // ... rest of the original ProcessRequest body ...
}

Author: Daniel Wiberg 23-09-2014 09:40:00 (GMT)
@Martin Curly
Sorry for late response.
Open the "Web.config" file in "fileman" directory
Add these three lines right under "<system.web>"
<authorization>
  <deny users="?" />
</authorization>

When you do that you deny all users that are not logged in.
Author: Martin Curly 14-09-2014 10:15:20 (GMT)
".NET users can use web.config file to apply user authentication."

How does this process work? Please help me.
