Hardcoded url building in kUploadFormatter class
There are 2 ways of exposing uploaded file content:
- insecure - the location of the uploaded file on the server is exposed in the url
- secure - only the upload filename is exposed, and the OnViewFile event is used to check access permissions to that file
By default insecure mode is used, because information uploaded by users should usually be accessible to other users as well. However, in some cases secure mode is preferred. Here is how both modes can be set from a unit config:
    'Fields' => array(
        // secure
        'FieldName' => array('type' => 'string', 'direct_links' => false, 'default' => ''),
        // insecure (default, when 'direct_links' is not specified)
        'FieldName' => array('type' => 'string', 'direct_links' => true, 'default' => ''),
    ),
The problem with secure mode is that the developer can't change how the link to a file is built, because this code is hardcoded in the kUploadFormatter class:
upload_formatter.php
    $url_params = Array (
        'no_amp' => 1,
        'pass' => 'm,'.$object->Prefix,
        $object->Prefix . '_event' => 'OnViewFile',
        'file' => rawurlencode($value),
        'field' => $field_name
    );

    return $this->Application->HREF('', '', $url_params);
Need to ponder on how we can extract this logic and move it into a more appropriate place, like the EventHandler class.
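
One possible shape for that extraction, as an added sketch that is not In-Portal code (PHP 8.0+). FileLinkBuilder, ViewFileLinkBuilder, UploadFormatterSketch, the /index.php and /uploads/ paths and the sample prefix, field and filename are all hypothetical or constructed; http_build_query() only stands in for $this->Application->HREF().

```php
<?php
// Added sketch, not In-Portal code. All class and method names here are hypothetical.

interface FileLinkBuilder
{
    public function build(string $prefix, string $field, string $filename): string;
}

// Reproduces the parameters from the hardcoded block in upload_formatter.php.
class ViewFileLinkBuilder implements FileLinkBuilder
{
    public function build(string $prefix, string $field, string $filename): string
    {
        $params = $this->params($prefix, $field, $filename);
        // Stand-in for $this->Application->HREF(); RFC 3986 encoding matches rawurlencode().
        return '/index.php?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }

    // Extension point: a unit overrides this instead of patching the formatter.
    protected function params(string $prefix, string $field, string $filename): array
    {
        return [
            'no_amp' => 1,
            'pass' => 'm,' . $prefix,
            $prefix . '_event' => 'OnViewFile',
            'file' => $filename, // encoded once, by http_build_query()
            'field' => $field,
        ];
    }
}

class UploadFormatterSketch
{
    public function __construct(private FileLinkBuilder $links) {}

    public function fileUrl(string $prefix, string $field, string $value, bool $directLinks = true): string
    {
        if ($directLinks) {
            // Insecure mode (the default): the storage location is part of the URL.
            return '/uploads/' . rawurlencode($value); // constructed path
        }
        // Secure mode: expose the bare filename only, never a directory component.
        return $this->links->build($prefix, $field, basename($value));
    }
}

$formatter = new UploadFormatterSketch(new ViewFileLinkBuilder());
echo $formatter->fileUrl('doc', 'Attachment', 'report 2024.pdf', false), PHP_EOL;
```

With the link building behind an interface, the formatter still decides between direct and secure links, while the access check stays in the OnViewFile handler that the generated URL points to.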