[geeklog-devel] FCKeditor integration

Dirk Haun dirk at haun-online.de
Sun Aug 30 16:49:36 EDT 2009


Okay, after that recent FCKeditor-related debacle (our fault, not
theirs) it's high time that we reconsider how we integrate
FCKeditor and why.

So users want to use images and other media (sound, video) in their
posts and may need a way to upload those first. I can understand that.

But why exactly did we allow uploading archive files (.zip, etc.)? I
can't really think of a use case for those inside an _editor_. If at
all, those should be uploaded through a separate plugin, e.g. File Management.

Same with the various text documents (including Word, Excel, PowerPoint
and others) that are still allowed now (in 1.6.0sr2).

In other words: I can't really see a good reason to continue to support
uploads to FCKeditor's generic "File" directory. I'd suggest dropping
that and only keeping the other three (Image, Media, Flash) and only allowing
the file types that go into those.


Next: Permissions. Anonymous users should never have been allowed to
upload something without approval. That was a big mistake there.

A common request is to allow image uploads in story submissions. Should
we offer this through FCKeditor? I'd say no, at least not to "normal"
registered users. A story will go through moderation, but an image (or
video) would be available immediately. That is asking for trouble.

So I guess the way around this is to introduce separate .upload
permissions (story.upload, staticpage.upload, etc.) and a plugin API
function that checks if the current user does have that permission.
Actually - it doesn't work that way. We would need a callback or
FCKeditor would need to be made aware of where it is currently (in a
story editor, static pages editor, etc.) so that it can check that.
Anyone more familiar with the internals of FCKeditor's PHP connector who
would like to make a better suggestion?

What I mean is: The part of Geeklog that's integrating FCKeditor needs
to decide whether to show the upload option to the current user, but
then the actual upload function has to be able to check if it's really
okay to perform the upload.

In any case, the goal should be to only allow uploads for users who have
specifically been given the permission.


Not security-related: I'd also like to see an option to enable/disable
FCKeditor on a per-user basis. Obviously, if it's disabled in the
Configuration, you shouldn't be able to enable it. But if enabled, I'd
like to have the option to disable it for me.

Anything else?

bye, Dirk


-- 
http://www.haun-online.de/
http://geeklog.info/
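
The server-side re-check proposed in the message above (the upload function deciding for itself, whether or not the editor showed the upload option), as an added example that is not part of the original message and is not Geeklog or FCKeditor code. The function name, user array, context keys and extension lists are assumptions; `story.upload` and `staticpage.upload` are the permission names proposed in the message.

```php
<?php
// Added example: all names are hypothetical, not Geeklog's or FCKeditor's API.

// Only the three resource types kept; the generic "File" type is dropped.
// The extension lists are constructed sample values.
const ALLOWED_TYPES = [
    'Image' => ['gif', 'jpg', 'jpeg', 'png'],
    'Media' => ['mp3', 'ogg', 'avi', 'mpg'],
    'Flash' => ['swf'],
];

// Editor context => permission required to upload from that editor.
const CONTEXT_PERMISSION = [
    'story'      => 'story.upload',
    'staticpage' => 'staticpage.upload',
];

// $user stands in for the real session lookup:
// ['anonymous' => bool, 'rights' => string[]]
function upload_allowed(array $user, string $context, string $type, string $filename): bool
{
    if (!empty($user['anonymous'])) {
        return false;                 // anonymous users never upload
    }
    $permission = CONTEXT_PERMISSION[$context] ?? null;
    $extensions = ALLOWED_TYPES[$type] ?? null;
    if ($permission === null || $extensions === null) {
        return false;                 // unknown context or type: deny by default
    }
    if (!in_array($permission, $user['rights'] ?? [], true)) {
        return false;                 // permission was not specifically granted
    }
    $name = basename($filename);
    if (substr_count($name, '.') !== 1) {
        return false;                 // extra hardening (assumption): no multi-dot names
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $extensions, true);
}

// Constructed sample users and requests.
$editor = ['anonymous' => false, 'rights' => ['story.upload']];
$member = ['anonymous' => false, 'rights' => []];
$anon   = ['anonymous' => true,  'rights' => []];
var_dump(upload_allowed($editor, 'story', 'Image', 'photo.png'));
var_dump(upload_allowed($editor, 'staticpage', 'Image', 'photo.png'));
var_dump(upload_allowed($member, 'story', 'Image', 'photo.png'));
var_dump(upload_allowed($anon, 'story', 'Image', 'photo.png'));
var_dump(upload_allowed($editor, 'story', 'File', 'notes.zip'));
```

Only the first call returns true; the context value has to come from something the connector can trust or check against the user's rights, as here, rather than being accepted as proof of permission.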



