Welcome to the LimeSurvey Community Forum

Folder permissions for uploading images into surveys

6 years 11 months ago #152920 by jeskiv
Hi,

I had problems with uploading images into surveys (Edit question and from the WYSIWYG editor choose the image logo and then click "Browse server" which takes you to the KCFinder uploader). I was able to find a solution to the problems, but since I am not sure if it is a server issue or a bug, I thought I would explain it here:

I was able to upload images to the server, but they would not show in the survey. I found out that this was due to
1. KCFinder adds a .htaccess-file into the new upload/SURVEYID-folder it creates. By editing the third_party/kcfinder/conf/config.php and changing '_check4htaccess' to false I was able to prevent it from creating those .htaccess-files.
2. KCFinder created the folder only with full owner permissions, no permissions for group or user. It was supposed to be 0755, but it actually created 0700-permissions. I found out that this was due to wrong umask-setting, and I was able to fix the issue by adding into the file third_party/kcfinder/core/class/uploader.php around the mkdir() commands (found at least in lines 285 and 306) the reset for umask:
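$old = umask(0);   // clear the umask so the mode passed to mkdir() is applied as given
mkdir();           // the existing mkdir() call in uploader.php, arguments unchanged
umask($old);       // restore the previous umask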
After those lines the KCFinder creates the folder permissions correctly and viewing files works in surveys.

I am running version 2.63.1 (build 170305) with Apache, PHP5 and PostgreSQL.

I also tried to test this in demo.limesurvey.org, but it throws the error "You don't have permissions to browse server." when I click "Browse server". Although, it doesn't seem to be running the latest version either (it's 2.64.0 atm).

So basically, if this is a server issue, I hope it helps someone else with similar issues, and if this is a universal issue, I hope it will be fixed in later versions. I don't have enough understanding about the umask to understand if it is server related or not.
The topic has been locked.
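
The mode passed to mkdir() is masked by the process umask, which is how a requested 0755 ends up as the 0700 described in the post above. The following is an added example, not part of the original thread and not KCFinder or LimeSurvey code; the helper name make_upload_dir, the scratch path and the 0077 umask are assumptions, and a POSIX host is assumed. It compares the umask(0) workaround with mkdir() followed by chmod(), which the PHP manual recommends over umask() on multithreaded web servers because the umask is shared by the whole process:

```php
<?php
// Added example: not KCFinder or LimeSurvey code. POSIX host assumed.

// Hypothetical helper: create $dir, then force its mode with chmod(),
// which is not subject to the umask and leaves the process umask alone.
function make_upload_dir($dir, $mode = 0755)
{
    if (!is_dir($dir) && !mkdir($dir, $mode) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    if (!chmod($dir, $mode)) {
        throw new RuntimeException("cannot chmod $dir");
    }
    return $dir;
}

// Permission bits of $path as an octal string such as "0755".
function mode_of($path)
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

$base = sys_get_temp_dir() . '/umask-demo-' . getmypid(); // constructed scratch path
$previous = umask(0077);   // assumed restrictive umask, as on the poster's server
mkdir($base, 0700);

// 1. Plain mkdir(): requested 0755 is masked, 0755 & ~0077 = 0700.
mkdir("$base/plain", 0755);
echo "plain mkdir():      ", mode_of("$base/plain"), "\n";

// 2. Workaround from the post: clear the umask around mkdir(), then restore it.
$old = umask(0);
mkdir("$base/umask0", 0755);
umask($old);
echo "umask(0) + mkdir(): ", mode_of("$base/umask0"), "\n";

// 3. mkdir() followed by chmod(): same result, umask never changed.
echo "mkdir() + chmod():  ", mode_of(make_upload_dir("$base/chmod")), "\n";

// Clean up and restore the original umask.
foreach (array('plain', 'umask0', 'chmod') as $name) {
    rmdir("$base/$name");
}
rmdir($base);
umask($previous);
```

Variant 3 keeps the server's restrictive umask in force for every other file the process creates, so only the upload directory is opened up to 0755.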
6 years 11 months ago #152990 by tpartner
I don't know if it is server related either but, just in case it is a bug, please file a bug report with all of the server details.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
6 years 11 months ago #153102 by jeskiv
Ok, reported!
6 years 6 months ago - 6 years 6 months ago #158377 by blocka
I also just encountered this issue. The changes @jeskiv suggested didn't resolve the issue for me.

I changed line 24 of /third_party/kcfinder/conf/config.php from:

'disabled' => true,
to
'disabled' => false,

And this resolved the issue. But I think this opens a security hole, so I'm not keen to do that.

I'm using the most recent LS release as of Sept 6, 2017.
Last edit: 6 years 6 months ago by blocka.
6 years 6 months ago #158387 by DenisChenu
This setting allows anyone to upload files with just the link to kcfinder.
It's set to enabled according to the session. I think the default session didn't have the same behaviour as LimeSurvey.
Can you test with DBsession ?

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
6 years 6 months ago #158402 by blocka
Hi Denis, I found the steps to recreate the problem, and posted to issue:

bugs.limesurvey.org/view.php?id=12279#c44400

Appears to be a repeatable bug.
6 years 6 months ago #158404 by DenisChenu
Great catch \o/ we set session in some admin page but not in the helper (maybe/surely/who knows)
