[geeklog-devel] FCKeditor integration

Tom websitemaster at cogeco.net
Sun Aug 30 19:01:41 EDT 2009

>> Not security-related: I'd also like to see an option to enable/disable
>> FCKeditor on a per-user basis

I like this idea. As an admin I prefer the simple text boxes for editing but
always wanted the rest of the users to be able to use the Editor.

>> But why exactly did we allow to upload archive files

I agree. These types of files should be handled by the File Management
plugin. In some ways I also think images should be handled by a similar
management tool. I tend to use the same image multiple times in blog posts
and/or staticpages, some of my clients do as well. 

-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Dirk Haun
Sent: August-30-09 4:50 PM
To: geeklog-devel
Subject: [geeklog-devel] FCKeditor integration

Okay, after that recent FCKeditor-related debacle (our fault, not
theirs) it's about high time that we reconsider how we integrate
FCKeditor and why.

So users want to use images and other media (sound, video) in their
posts and may need a way to upload those first. I can understand that.

But why exactly did we allow to upload archive files (.zip, etc.)? I
can't really think of a use case for those inside an _editor_. If at
all, those should be uploaded through a separate plugin, e.g. File

Same with the various text documents (including Word, Excel, PowerPoint
and others) that are still allowed now (in 1.6.0sr2).

In other words: I can't really see a good reason to continue to support
uploads to FCKeditor's generic "File" directory. I'd suggest to drop
that and only keep the other three (Image, Media, Flash) and only allow
the file types that go into those.

Next: Permissions. Anonymous users should never have been allowed to
upload something without approval. That was a big mistake there.

A common request is to allow image uploads in story submissions. Should
we offer this through FCKeditor? I'd say no, at least not to "normal"
registered users. A story will go through moderation, but an image (or
video) would be available immediately. That is asking for trouble.

So I guess the way around this is to introduce separate .upload
permissions (story.upload, staticpage.upload, etc.) and a plugin API
function that checks if the current user does have that permission.
Actually - it doesn't work that way. We would need a callback or
FCKeditor would need to be made aware of where it is currently (in a
story editor, static pages editor, etc.) so that it can check that.
Anyone more familiar with the internals of FCKeditor's PHP connector who
would like to make a better suggestion?

What I mean is: The part of Geeklog that's integrating FCKeditor needs
to decide whether to show the upload option to the current user, but
then the actual upload function has to be able to check if it's really
okay to perform the upload.

In any case, the goal should be to only allow uploads for users who have
specifically been given the permission.

Not security-related: I'd also like to see an option to enable/disable
FCKeditor on a per-user basis. Obviously, if it's disabled in the
Configuration, you shouldn't be able to enable it. But if enabled, I'd
like to have the option to disable it for me.

Anything else?

bye, Dirk
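
The split described in the message above (the integrating page decides whether to show the upload option, and the upload function checks again before accepting the file) could be sketched as follows. This is an added example, not code from Geeklog or FCKeditor: the function names, the session key, the extension lists and the permission callback are assumptions; only the `story.upload` / `staticpage.upload` names and the Image, Media and Flash types come from the message.

```php
<?php
// Added example; hypothetical names throughout, not Geeklog or FCKeditor code.
// Only the three types kept in the proposal; the extension lists are assumed.
const UPLOAD_TYPES = [
    'Image' => ['jpg', 'jpeg', 'png', 'gif'],
    'Media' => ['mp3', 'mpg', 'avi', 'mov'],
    'Flash' => ['swf'],
];
// Editor context => proposed ".upload" permission.
const CONTEXT_PERMISSIONS = [
    'story'      => 'story.upload',
    'staticpage' => 'staticpage.upload',
];

// Page side: remember where the editor is embedded, decide whether to show the upload UI.
function editor_open(array &$session, string $context, callable $hasRight): bool
{
    $session['editor_context'] = $context;   // server-side state, not a request parameter
    $perm = CONTEXT_PERMISSIONS[$context] ?? null;
    return $perm !== null && $hasRight($perm);
}

// Connector side: repeat the decision for the actual upload request.
function upload_allowed(array $session, bool $isAnonymous, string $type, string $filename, callable $hasRight): array
{
    if ($isAnonymous) {
        return [false, 'anonymous users may not upload'];
    }
    $perm = CONTEXT_PERMISSIONS[$session['editor_context'] ?? ''] ?? null;
    if ($perm === null || !$hasRight($perm)) {
        return [false, 'no upload permission for this editor context'];
    }
    if (!array_key_exists($type, UPLOAD_TYPES)) {
        return [false, 'unknown resource type'];   // covers the dropped "File" type
    }
    // Plain "name.ext" only: no path components, no second extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/D', $filename, $m)
        || !in_array(strtolower($m[1]), UPLOAD_TYPES[$type], true)) {
        return [false, 'file type not allowed for ' . $type];
    }
    return [true, 'ok'];
}

// Constructed users: an editor holding staticpage.upload and a member with no upload right.
$editor = fn(string $p): bool => $p === 'staticpage.upload';
$member = fn(string $p): bool => false;
$session = [];
editor_open($session, 'staticpage', $editor);
foreach ([['Image', 'logo.png', $editor], ['File', 'site.zip', $editor], ['Image', 'logo.png', $member]] as [$t, $f, $who]) {
    echo "$t $f: ", upload_allowed($session, false, $t, $f, $who)[1], "\n";
}
```

Because the context lives in the session rather than in the upload request, the connector does not have to trust the client about which editor it was opened from.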

