A File Manager that works!

Discussion in 'Tips/Tricks/Mods' started by JohnK42, Mar 2, 2020.

Tags:
  1. JohnK42

    JohnK42 New Member

    This is my first day and first post on the forum. Like many others, I've avoided ISPConfig because it lacks a file manager. Please don't use this thread to discuss the pros and cons of having a file manager, but please do share your enthusiasm or concerns about the solution I'm listing here.

    I've just installed ISPConfig and I'll continue to use it provided this filemanager solution works flawlessly. I've only tested it for a short time, but it's working fine so far. I did have problems when uploading a 30meg Zip file, but further tests indicated it was also a problem on another working server with a different panel.

    So far, this file manager is proving to do everything I want and it takes one minute to install. I have nothing to do with the development project, I just discovered it by accident a couple of days ago.

    As a new member I'm unable to post a link, but just enter Help Documentation - Tiny File Manager in your favourite browser.

    If you try the demo, the username is admin and the password is admin@123

    The file manager is a single PHP file weighing in at around 170kb You may also need an additional supplied file for translation to another language.

    How to install.
    1. Create a directory in your root. I called mine "filemanager"
    2. Upload tinyfilemanager.php to that directory and rename the file index.php
    3. Run yoursite/filemanager
    4. Use the password above.
    5. Bingo, you now have a file manager for your site running with ISPConfig and you can supply this feature to your clients as well.
    Because modern browsers use Tabs, you can open the file manager in one tab and ISPConfig in another. However, I'm sure it won't be long before someone explains how to integrate it with ISPConfig.

    I'm amazed to see how much 170kb of can do. Please post here if you have problems or discover useful tips.
     
    CCP Programmers likes this.
  2. corto

    corto Member

    hello @JohnK42,
    Just tried the demo, it's nice!
    in the doc: https://tinyfilemanager.github.io/docs/
    There is a part talking about integration:
    Code:
    Embedding #back to top
    
    Include file manager in another script. Just define FM_EMBED and other necessary constants.
    
    
    class SomeController
    {
        public function actionIndex()
        {
            define('FM_EMBED', true);
            define('FM_SELF_URL', UrlHelper::currentUrl()); // must be set if URL to manager not equal PHP_SELF
            require 'path/to/tinyfilemanager.php';
        }
    }
    
    OR
    
    
    define('FM_EMBED', true);
    define('FM_SELF_URL', $_SERVER['PHP_SELF']);
    require 'path/tinyfilemanager.php';
    
    I agree with you, should be a good idea to integrate it on ispconfig.
    Thx for sharing this
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    TinyFileManager uses an incompatible license, so it can not be integrated into ISPConfig. While ISPConfig uses a liberal and free BSD style licensing, TinyFileManager uses a copyleft enforcing license GPL V3 which means it can not be integrated into ISPConfig without affecting the license of the current ISPConfig code.
     
    ahrasis and corto like this.
  4. corto

    corto Member

    Didn't thought about that.
    Thx till
     
  5. elmacus

    elmacus Active Member

    corto likes this.
  6. s.dmitry

    s.dmitry New Member

    I'm using net2ftp
     
    corto and budgierless like this.
  7. budgierless

    budgierless Member HowtoForge Supporter

    +1
     
  8. CCP Programmers

    CCP Programmers New Member

    I'm the core contributor/managing Tinyfilemanager, I don't have any issue to ISPConfig using/customizing file manager. I'll update the licence in feature releases.
     
    corto, webguyz, Farsus and 4 others like this.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That would be great if you would consider e.g. Dual licensing with e.g. a BSD style license as the second license.
     
  10. JohnK42

    JohnK42 New Member

    @CCP Programmers. I stopped using Tiny File Manager because it was unable to handle large zip or tar uploads on my system. Unfortunately any Zip file larger than 10 meg failed because of a timeout error. Other than that I was very impressed. Oddly, it could bulk upload the same files provided they weren't zipped or Tarred.
     
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    I've looked at tinyfilemanager, pydio, net2ftp, and elfinder.
    I like tinyfilemanager, but I think it's missing a few features, online file editing being a big one.
    elfinder, i'm just not sure about it. or how secure it is.
    pydio 8 is nice, definitely looks the part, best/most accomplished ui of this list, but it don't work on php7.4 (probably just MySQL connections need changing in all the code), it's discontinued, and the replacement pydio-cells, I'm not sure will work as needed. there are serious security issues with pydio 8 as well, i'm definitely getting file/folder lists from the wrong accounts, although I can't edit those files. new files are created in the correct users folders, with the correct ownership though.
    net2ftp is nice, works well, is fast. maybe needs some tweaking - the open link for files defaults to https://localhost/* rather than the relevant domain name, may be a simple fix, may just be a config/setup thing. would be nice if ssh login allowed for ssh keys instead of passwords. it looks like it would be simple to theme/skin so it fitted in with the ispconfig ( or any other ) ui.
    it also looks like autologin is possible:
    Code:
    https://example.com/admin/ftp/index.php?protocol=FTP&ftpserver=ftp.localhost&ftpserverport=21&sshfingerprint=&username=[username]&password_encrypted=[encrypted_password]&language=en&skin=shinra&ftpmode=automatic&passivemode=no&viewmode=list&sort=&sortorder=&state=browse&state2=main&directory=%2Fpublic_html%&entry=
    would be good if the ftp url link in the ispconfig control panel automatically retrieved the login details from the database and embedded them into the link url, that way, if they just go to <domainname.com>/webftp in a browser, they need to type in user details, if they use the ispconfig ftp link button, they're automatically logged in and viewing their ftp root folder.

    i'd have to say, at this point in time, my preference would definitely be net2ftp
     
  12. JohnK42

    JohnK42 New Member

    I gave up using TinyFilemanager after my initial post because it kept timing out when trying to upload zip files greater than 10 meg. I then tried using PHPFileManager which has a nice interface, but 1.7.8 wouldn't zip or unzip. 7.1.9 did, but only on some servers.
    I've since gone back to TinyFileManager and it has no problems uploading very large files. I decided it was a bandwidth issue at the time, but now everything is okay. It does everything I want and it does it well. That includes editing files. It does take a little time to work out how to do things, but once you find out, navigation is easy. I like it especially compared to ELFilemanager, which may have been an older version I was using.
     
    nhybgtvfr likes this.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    This would require to store the real passwords in cleartext or with 2way encryption, which is not what one would want from a security standpoint, in my opinion. Currently, all passwords are hashed with salt (sha256 if I remember correctly), so it's nearly impossible to decrypt them, at least not in a reasonable amount of time.
     
  14. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ah, ok, been a while since I've looked at tinyfilemanager actually installed on one of my pc's. I was looking at their demo, and I guess the user account was readonly.
    I can find file editing under the admin user on the demo, was expecting an edit icon on the right. view is open file readonly as well. got to actually click on the filename to open it for editing. might be slightly confusing for some (most :rolleyes:) of my clients.
    looks like it should be a simple enough change to create an edit button though, it's only a slight url change between edit and view:
    Code:
    https://tinyfilemanager.eu-gb.mybluemix.net/Demo/index.php?p=&view=index.php
    https://tinyfilemanager.eu-gb.mybluemix.net/Demo/index.php?p=&view=index.php&quickView=1
    i guess that puts it back on par with net2ftp then. :cool:
     
  15. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    it allows you to pass the encrypted password in the url:
    &username=[username]&password_encrypted=[encrypted_password]
    obviously you'd want the link to be https only....
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    I doubt that this solves the issue I mentioned that the password must be stored in cleartext or reversible (2-way) encryption by ISPConfig.
     
  17. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ha, of course. I was thinking getting the encrypted ftp password from the ispconfig database as it is now, and passing that into the net2ftp url.
    course that won't bloody work.. should have seen that straight away, I've been watching too much daytime tv. can almost feel my brain melting and iq dropping.... :confused: bloody lockdown.... hope it ends before I reach trump's level of idiocy. :eek:
     
  18. webguyz

    webguyz Active Member HowtoForge Supporter

    Another possibility is to use a known username and something like crc32 with a secret suffix or prefix only you know for the password.
    Find a way to get the siteid of the website and then use api to get uid and gid and use that as a username: i.e _c21_w489
    For password use the $sitename and a secret prefix or suffix: i.e. acme.com + xyz crc32("$sitename"."xyz") which = 573119561
    $username= "_c21_w489";
    $password="57319561";
    Use api to create an ftp user with the credentials above for the siteId
    Have a link for the customer to click and it goes to a script that creates the ftp login user URL. here is an example using POST but your could create a GET string also and then auto execute


    <form method="post" action="https://my_ispconfig.com:8080/ftp/" target="_parent">

    <input type="hidden" name="MFTP_POST" value="true">
    <input type="hidden" name="MFTP_CONNECTION_TYPE" value="ftp">
    <input type="hidden" name="MFTP_HOST" value="<?=$ftpserver ?>">
    <input type="hidden" name="MFTP_PASSIVE" value="true">
    <input type="hidden" name="MFTP_USERNAME" value="<?=$username ?>">
    <input type="hidden" name="MFTP_PASSWORD" value="<?=$password ?>">

    </form>
    <SCRIPT LANGUAGE="JavaScript">
    document.forms[0].submit();
    </SCRIPT>

    The security is that only you know the secret suffix or prefix added to the sitename. Each is unique. and by using the uid and gid you can use ftp for a site before the DNS is even set up to upload files.
     
    ahrasis likes this.
  19. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    But the secrets never change, which means the link (saved in browser history/cache) always grants access even when a user isn't logged in. This is easy to see with GET request (the name/ciphered password is visible in the request), but still happens frequently with POST parameters - browsers are very good at caching data for future requests. Or maybe they do change, say a cronjob updates the secrets/password once an hour(?) (separately for each site) so stored credentials aren't useful very long. (Of course that could wreak havoc on long-running file management sessions, depending on host the session is managed once logged in.)

    Where the purpose here is to provide a link for users logged into ISPConfig that works without requiring a username and password, another (a better?) solution would be to utilize the php session. Ie. modify the file manager to integrate with ISPConfig session management for authentication; if the user is logged in (to ISPConfig ui) and have access to the site, they can use the file manager.

    That of course requires the file manager to run on the control panel node, and use either FTP or (preferably) SFTP, which is probably not the case for all of the file managers being discussed (I'm not familiar with any of them myself); I would guess (and may be wrong :) that some of them might be native php implementations, and would require being run on the web server which hosts the files. You would still have to push some secret FTP/SFTP credentials to the web server, but they don't need to be sent to the users' browser. Though you still end up saving them in retrievable (if not plain) text on the control panel node, which I don't love...

    Anyways, just some further thoughts.
     
  20. webguyz

    webguyz Active Member HowtoForge Supporter

    Secrets do change. The filemanager is only available via ISPConfig while logged in. In the /sites/templates/web_vhost_domain_list.htm I added an extra icon to the link to get the siteid. When the user clicks it it goes to my script
    https://my_ispconfig_website:8080/sites/site_webftp.php?id=466
    and the script site_webftp.php in the /sites folder is below. I am not a programmer so it looks like crap but works. I use it with MonstaFTP but you have to get the professional version which costs $150/yr. While MonstaFTP does not fit within the desktop of ISPCONFIG I really don't care as its one of the best FTP managers out there IMHO. You can use the same method with any FTP filemanager out there
    PHP:
    <?php

    require_once('../../lib/config.inc.php');
    require_once(
    '../../lib/app.inc.php');
    $app->auth->check_module_permissions('sites');
    if (!isset(
    $_GET['id'])){
    die (
    "No site selected!");
    }

    $domainId intval($_GET['id']);

    $dbData $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = " $domainId);
    $serverId intval($dbData['server_id']);
    if (
    $serverId == 0){
    die (
    "No Server found!");
    }
    $serverData $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = " .$domainId);
    $domain $serverData['domain_id'];
    $website $serverData['domain'];
    $serverid $serverData['server_id'];

    $uid $serverData['system_user'];
    $gid $serverData['system_group'];

    $gid2 str_replace("client","c",$gid);  //shortened the gid for the username
    $uid2 str_replace("web","w",$uid);     //shortened the uid for the username
    $username "_".$gid2."_".$uid2;
    $pw2 crc32($website."xyz");   // Add your secret prefix or suffix here. I chose suffix "xyz"
    $password $pw2;
    $ftpdir '/var/www/clients/'.$gid.'/'.$uid;
    // check for ftp user.
    $dbData3 $app->db->queryOneRecord("SELECT ftp_user_id FROM ftp_user WHERE username = '" $username."'");
    $ftp_user_id intval($dbData3['ftp_user_id']);
    if (
    $ftp_user_id == 0){
          
    //  api ftp add user who does not exist

            
    $remoteusername 'my_remote_user';  //<-  api remote user login
            
    $remotepassword 'Remote_User_pw';  //<- api remote user password

            
    $soap_location 'https://my_ispconfig_site:8080/remote/index.php';
            
    $soap_uri 'https://my_ispconfig_site:8080/remote/';

            
    $client = new SoapClient(null, array('location' => $soap_location,
                                         
    'uri'      => $soap_uri,
                             
    'trace' => 1,
                             
    'stream_context'=> stream_context_create(array('ssl'=> array('verify_peer'=>false,'verify_peer_name'=>false))),
                           
    'exceptions' => 1));
        try {
            if(
    $session_id $client->login($remoteusername,$remotepassword)) {
            
    //echo 'Logged successfull. Session ID:'.$session_id.'<br />';
            //fecho("<br><br><br><br><center>The first time you run this utility it can take up to 1 minute while the file manager account is created...        

            
    }
     
          
    //* Set the function parameters.
     
        
    $params = array(
                
    'server_id' => $serverid,
                
    'parent_domain_id' => $domain,
                
    'username' => $username,
                
    'password' => $password,
                
    'quota_size' => -1,
                
    'active' => 'y',
                
    'uid' => $uid,
                
    'gid' => $gid,
                
    'dir' => $ftpdir,
                
    'quota_files' => -1,
                
    'ul_ratio' => -1,
                
    'dl_ratio' => -1,
                
    'ul_bandwidth' => -1,
                
    'dl_bandwidth' => -1
                
    );
     
        
    $affected_rows $client->sites_ftp_user_add($session_id$client_id$params);

        if(
    $client->logout($session_id)) {

            
    //echo 'Logged out.<br />';
        
    }
            } catch (
    SoapFault $e) {
        
    //echo $client->__getLastResponse();
        
    die('SOAP Error: '.$e->getMessage());
           }
    }

    /* check if the ftp exists   */
     
            
    $serverData2 $app->db->queryOneRecord("SELECT * FROM server WHERE server_id = " .$serverId);
            
    $ftpserver $serverData2['server_name'];
            
    //echo "ftpserver name is: " . $ftpserver;

        
    $myftphost $_SESSION["ftp_host"];
        
    //echo "Connecting to ".$ftpserver;
         
    $con=mysqli_connect($ftpserver,"root","root_password") or die("\nUnable to connect database on ".$ftpserver.". Please notify support of a problem ...");
        
    mysqli_select_db($con,"dbispconfig")  or die("Unable to Select DB");

    // Check connection

    $query "SELECT * FROM ftp_user where username='$username'";
    //echo $query;
    global $ftpok;
    $ftpok 0;

    while (
    $ftpok != 1){  
    $result mysqli_query($con,$query) or die(mysqli_error($con));
     
    //$info = mysql_fetch_array( $data );

    $num_rows mysqli_num_rows($result);
     if (
    $num_rows 0) {
      
    $ftpok 1;
    }
    else {
      
    //echo "Sleeping 5";
      //echo "Please wait up to 1 minute for initial Filemanager setup";
      
    sleep(5);
    }
    }

    ?>

    <html>
    <body>

    <form method="post" action="https://my_ispconfig_site:8080/mftp/" target="_parent">
     
    <input type="hidden" name="MFTP_POST" value="true">
    <input type="hidden" name="MFTP_POST_LOGOUT_URL" value="https://my_ispconfig_website:8080/mftp/quit.html">
    <input type="hidden" name="MFTP_CONNECTION_TYPE" value="ftp">
    <input type="hidden" name="MFTP_HOST" value="<?=$ftpserver ?>">
    <input type="hidden" name="MFTP_PASSIVE" value="true">
    <input type="hidden" name="MFTP_USERNAME" value="<?=$username ?>">
    <input type="hidden" name="MFTP_PASSWORD" value="<?=$password ?>">
    </form>
    <SCRIPT LANGUAGE="JavaScript">
            document.forms[0].submit();
            </SCRIPT>
     
    </body>
    </html>
     
    Last edited: Apr 16, 2020
    Finco and ahrasis like this.

Share This Page