Home Communication board WiKi Get Quote

A safe way to integrate CKfinder editor with X-Cart

A well-known WYSIWYG CKfinder or FCKeditor allows to upload files into the store via UI. Usually that is achieved by setting the responsible variable to True value within a configuration file what enables the upload feature. However enabling of the upload function is not secure at all, since that allows any internet user to upload any files to your host.

There is a secure way to enable the upload function in X-Cart software. You should insert the following code into the config file of the editor:

define('CWD', getcwd());
$xcart_dir = realpath(dirname(__FILE__));
$xcart_dir = implode('/', array_slice(explode('/', $xcart_dir), 0, -5));
chdir($xcart_dir);
include $xcart_dir.'/admin/auth.php';
x_session_register('identifiers');
global $is_enabled;
$is_enabled = false;
if ($identifiers['A']['login']) $is_enabled = true;
chdir(CWD);

As you can see, the default X-Cart auth file is included, and then the session is checked. The editor would work only in case of an admin session opened. You can simply change it to use with a special admin login only, or enable the editor for some of your customers only.

Please note that the code would work in case of skin1/modules/HTML_Editor/editors/ckfinder/ edit path. In other case you should modify the following line:

$xcart_dir = implode('/', array_slice(explode('/', $xcart_dir), 0, -5));

and change the ”-5” to your own value. This number means the depth level of the editor subcategory taking into consideration X-Cart root directory. In the example above, the editor is located 5 levels deeper (“skin1” + “modules” + “HTML_Editor” + “editors” + “ckfinder”).

When the code is inserted, you can use the $is_enabled variable to enable the upload function, for example in this way:

function CheckAuthentication() {
    global $is_enabled;
    return $is_enabled;
}

Should you have any questions about the changes mentioned above please contact us.

 
Home About us Privacy statement Terms & Conditions Refund policy © 2007–2024 ArsCommunity