#12854 Pro Tools denying access to the JCK Editor - is there a better way?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 04 July 2012 13:15 CDT

webxsolution
Dear Akeeba,

Thank you for your work.

I am one of the developers for the JCK Editor and was wondering if you have any ideas on how we could circumvent an issue with Pro Tools denying access to two files which are used by our editor.

1.) plugins/editors/jckeditor/plugins/jfilebrowser/core/connector/php/connector.php
2.) plugins/editors/jckeditor/plugins/jtreelink/dialogs/initialize.php

When these files are denied it breaks both the editor's file browser and the internal content linking plug-in.

We have had quite a few reports of users having issues like this and although I am aware that the user can add an exception, it is not something that everyone would seem to be capable of doing.

I am wondering if we could come up with something better than adding an exception each and every time the JCK Editor is used with Akeeba Pro Tools?

Kindest regards,

Paul Franklin
http://www.joomlackeditor.com

webx.solutions

nicholas
Akeeba Staff
Manager
No, you can't do anything except adding the exceptions to the .htaccess Maker. I have decided not to add default exceptions for a very good reason. Let's say I add an exception for component X which is not installed on a user's site. A hacker may be able to upload a malicious PHP file which has the same location/name as the default rule and hack the site. So I prefer not to add such default rules because they might introduce a security hole.

The best approach is documenting which files of your software need to be added in exceptions and how to do that. That said, I consider it very wrong having direct entry point files. The only case you can't avoid them is when overwriting core J! files, i.e. during backup restoration and Joomla! updates. In all other cases you should be passing your input through J!'s index.php file, probably with tmpl=component or format=raw. Use of direct entry point files is architecturally incorrect.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

webxsolution
Dear Nicholas,

Thank you for your reply.

The best approach is not always the best approach. I am sure you are aware, you can only use the index.php file to access components! To access a plug-in (which the JCK Editor is), one would then need to set up a system plug-in to catch the call in addition to the other code. This would cause PHP to do additional and unnecessary checks when accessing the website normally.

While this may not be too much of a problem for websites with only a few visitors, it is something that should be avoided for websites handling a large number of visitors!

The other point worth making is that we are integrating a third party application into Joomla which has its own framework. This means that the key is successfully marrying the two together; gaining the benefits and advantages of both!

So our solution is to access the connector file and to load up the sections of Joomla that are required, including its 'user authentication' and process the information.

Thus maintaining both speed and safety to all of our users!

Kindest regards,


Paul Franklin
http://www.joomlackeditor.com

webx.solutions

nicholas
Akeeba Staff
Manager
Of course I know that only components can be accessed via index.php. This is exactly what I meant. JCE is also an editor based on a third party application (TinyMCE) and they solved the problem by creating a shell component. So there's no question about this being possible; JCE is marrying a foreign application (TinyMCE) with Joomla! just like you're marrying a foreign application (FCK Editor) with Joomla!. I understand that you don't want to go there. No problem, that's your prerogative. I just told you how I see the proliferation of access points.

Which brings us back to what you can do. The only thing you can do is document exactly what is required to make JCKEditor work with Admin Tools Professional. Since .htaccess Maker works with relative paths the documentation will apply to all sites. Will users read it? Probably not. They tend to never read anything unless you give 'em a link when they ask for support. But if it's documented at least you defuse any arguments about your software being dysfunctional or having unresolved issues.

Nicholas K. Dionysopoulos

Lead Developer and Director


webxsolution
Dear Nicholas,

Again thank you for your reply.

The editor comes shipped with a number of language and file plugins. As such we cannot combine it with our component as it may exceed the maximum upload limit, hence we keep them separated.

I guess this means that this is a limitation of Admin Tools in that it only caters for component and not bridge based plug-ins; however, please don't hear us as being critical, as we are a great fan of your component and your work.

The point of tension for us is that Admin Tools becomes a problem for our Joomla users! I realise that you have, on your part, gone to some lengths in giving the ability to add an exception; however, the problem is that this is beyond the scope of many Joomla users!

* Suggested solution for Admin Tools:

You could consider adding a helper class so that when a 3rd party extension is installed it is capable of adding an exception to Admin Tools?

* Possible solution for us (JCK Editor):

We could add an .htaccess file of our own but then I understand that Go Daddy doesn’t support .htaccess files in their sub-directories.

Or we could detect for Admin Tools upon installation and get our install wizard to add an exception to the .htaccess file upon the user’s request.

We would welcome your feedback and other ideas?

Kindest regards,


Paul Franklin
www.joomlackeditor.com

webx.solutions

nicholas
Akeeba Staff
Manager
Actually, Admin Tools caters for all extensions whatsoever. However I do mention in the documentation (in several places) that the defaults are designed to be ultra-tough and extremely strict. It's the responsibility of the user to relax them up to the point that he feels comfortable. I could have followed the inverse policy: ship the software with lax defaults. This is what I was doing in version 1.x. Do you know what the result was? People got hacked and accused me. So I reversed my policy to shipping Admin Tools with default settings set to "very tough", just a notch below "paranoid".

Regarding your suggestions:
You could consider adding a helper class so that when 3rd party extension is installed it is capable of adding exception to Admin Tools?

No, for two reasons. First, it doesn't solve your problem. The problem is caused by .htaccess Maker. Unless this class is present at the time of the .htaccess generation (which is most likely before the user installs your plugin) it won't have any effect. Secondly, it would require me to scan the entire site for such classes, leading to potential timeout issues.

We could add an .htaccess file of our own but then I understand that Go Daddy doesn’t support .htaccess files in their sub-directories.

Ugh, of course not! But you just have to think out of the box:
  • Create a file named, for example, test.php inside your plugin's folder, doing only echo json_encode(true);
  • When the editor loads, try loading the test.php file
  • If you get a 403 or otherwise the load fails and administrator/components/com_admintools/admintools.php exists, issue a nice, big, fat banner with instructions regarding configuring Admin Tools.

See? It's not even half as hard as you think it is.

Nicholas K. Dionysopoulos

Lead Developer and Director

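The three-step probe Nicholas outlines above (a tiny test.php that only echoes json_encode(true), a load attempt from the editor, and a banner when the load fails while Admin Tools is present) can be written as a small client-side check. The following is an added example and not code from the thread, the JCK Editor or Admin Tools; the probe URL, the function names, and the adminToolsInstalled flag (which the plugin's PHP side would set after checking whether administrator/components/com_admintools/admintools.php exists, since the browser cannot inspect the filesystem) are all assumptions.

```javascript
// Added example, not from the original thread. Assumed names: PROBE_URL,
// classifyProbe(), decideBanner(), checkEntryPoints(). The companion
// test.php (assumed to sit in the plugin folder) contains nothing but:
//   <?php echo json_encode(true);

// Relative URL of the probe file (assumed location inside the plugin folder).
const PROBE_URL = 'plugins/editors/jckeditor/test.php';

// Classify one probe response. A 403 is the .htaccess Maker symptom the
// thread describes; any other non-2xx status is treated as "the load failed".
// A 2xx response whose body is not the JSON literal true means something
// else served the URL (e.g. an error page with a 200 status), so it is not
// counted as success either.
function classifyProbe(status, body) {
  if (status === 403) return 'blocked';
  if (status < 200 || status >= 300) return 'blocked';
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return 'malformed';
  }
  return parsed === true ? 'ok' : 'malformed';
}

// Decide what, if anything, to show the user. adminToolsInstalled is the
// server-supplied boolean described in the lead-in.
function decideBanner(probeOutcome, adminToolsInstalled) {
  if (probeOutcome === 'ok') return null;
  if (adminToolsInstalled) {
    return 'Admin Tools is blocking files the JCK Editor needs. Add the ' +
           "editor's connector files to the .htaccess Maker exceptions and " +
           'regenerate the .htaccess file.';
  }
  return "The editor's connector files could not be loaded. " +
         'Please check your server configuration.';
}

// Browser entry point: run the probe and return the banner text (or null).
// The caller inserts the returned text into the editor UI. fetchImpl is
// injectable so the logic can be exercised without a live server.
async function checkEntryPoints(adminToolsInstalled, fetchImpl = globalThis.fetch) {
  let outcome;
  try {
    const res = await fetchImpl(PROBE_URL, { credentials: 'same-origin', cache: 'no-store' });
    outcome = classifyProbe(res.status, await res.text());
  } catch (e) {
    outcome = 'blocked'; // a network-level failure also counts as "load fails"
  }
  return decideBanner(outcome, adminToolsInstalled);
}
```

Treating a 200 response with an unexpected body as a failure matters because some hosts answer blocked requests with a friendly HTML page and a 200 status; checking the body, not just the status, keeps the probe honest.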

webxsolution
Dear Nicholas,

Your point "Do you know what the result was? People got hacked and accused me" made me smile! I kind of know what you mean on that point? Lol

We will try to do something on our side. I think we should be able to do something with our install wizard and add the exception to the .htaccess file.

Best of luck with the project.

Kindest regards,



Paul Franklin (o:b
www.joomlackeditor.com

webx.solutions

nicholas
Akeeba Staff
Manager
If you'd like, I can prepare a small .php file which will hook into Admin Tools 2.2.x and later's API, detect if .htaccess Maker is enabled, check if some directories/files are added in the exceptions and if they're not it will add them and regenerate the .htaccess file. It won't be bulletproof (the detection of whether the user is using .htaccess Maker part, at least, won't be bulletproof) but it will be a good start, no?

Nicholas K. Dionysopoulos

Lead Developer and Director


webxsolution
Yes, thank you that would help!

Kindest regards,

Paul Franklin
www.joomlackeditor.com

webx.solutions

nicholas
Akeeba Staff
Manager
I am attaching the function which can add missing files/folders to the exceptions list in .htaccess Maker and regenerate the .htaccess. You just need to configure the array at the top of the function, the rest works automagically :)

Nicholas K. Dionysopoulos

Lead Developer and Director

