I'm trying to use KCFinder with CKEditor and Kohana. I need each user to have access to their own individual upload folder. To do that I want to pass through the current users ID to KCFinder. To do it securely I can't pass it through the URL as a GET variable, so I need to do it through session.
I tried setting the variable in Kohana, and when I var_dump($_SESSION) in Kohana the variable is there. When I do that in KCFinder it's not there. I checked the session_id and noticed it changes from page to page, and so I passed the session_id to KCFinder using the URL as a GET variable and then set the session_id in KCFinder so it matched. However the variable is still not available when I var_dump($_SESSION).
Here is my Kohana action:
public function action_edit()
{
$this->template->javascripts[] = '/ckeditor/ckeditor.js';
$_SESSION['KCFINDER']['user_id'] = Auth::instance()->get('id');
var_dump(session_id(), $_SESSION['KCFINDER']);
$id = (int)$this->request->param('id');
$this->layout = Request::factory('document/update/'.$id)->execute()->body();
$this->template->js_custom .= "var phpsessionid = '".session_id()."';";
}
// document/update action
public function action_update()
{
$id = (int)$this->request->param('id');
if ( ! $id)
{
throw new HTTP_Exception_400('No document ID was specified. Please go back and try again.');
}
$document = ORM::factory('Document', $id);
if ( ! $document->loaded())
{
throw new HTTP_Exception_400('No valid document ID was specified.');
}
$layout = View::factory('layouts/documents/edit')
->bind('back_link', $back_link)
->bind('values', $values)
->bind('errors', $errors)
->bind('success', $success)
->bind('is_acp', $is_acp);
$is_acp = (strpos(Request::initial()->uri(), 'acp') !== FALSE);
if ( ! $is_acp AND Auth::instance()->get('id') != $document->user_id)
{
throw new HTTP_Exception_403('Unauthorised access. You do not have permission to edit this document.');
}
elseif ($document->is_published AND ! Auth::instance()->get('is_admin'))
{
throw new HTTP_Exception_403('Unauthorised access. You cannot edit a published document.');
}
$back_link = $is_acp ? '/acp/documents' : '/account';
$values = array();
$errors = array();
foreach ($document->table_columns() as $key => $null)
{
$values[$key] = $document->$key;
}
if (Request::initial()->method() == Request::POST)
{
// We assume that is_published and is_paid are unchecked. Later on we check to see if they are checked and change the values.
if ($document->is_published == 1 AND $is_acp)
{
$values['is_published'] = -1;
}
if ($document->is_paid == 1 AND $is_acp)
{
$values['is_paid'] = 0;
}
foreach (Request::initial()->post() as $key => $val)
{
if ($key == 'is_published')
{
// Check for a first time publish, and if it is run the publish method to save the PDF.
if ($document->is_published == 0)
{
Request::factory('document/publish/'.$document->id)->query(array('no_redirect' => TRUE))->execute();
}
$values[$key] = 1;
}
elseif ($key == 'is_paid')
{
$values[$key] = 1;
}
else
{
$values[$key] = $val;
}
}
$document->values(Request::initial()->post(), array('title', 'summary', 'category_id', 'content'));
if ($is_acp)
{
$document->is_published = $values['is_published'];
if ($document->is_published == 1)
{
$document->date_published = time();
}
$document->is_paid = $values['is_paid'];
}
try
{
$document->save();
$success = TRUE;
}
catch (ORM_Validation_Exception $e)
{
$errors = $e->errors('models');
}
catch (Exception $e)
{
throw new HTTP_Exception_500($e->getMessage);
}
}
$this->response->body($layout->render());
}
This is the top of my KCFinder config:
$session_id = @$_GET['phpsession'];
session_start();
session_id($session_id);
define('ROOT', str_replace('eshop/kcfinder', '', __DIR__), TRUE);
var_dump(session_id(), $_SESSION); exit;
When I open up KCFinder the session is empty (or has just the KCFinder default session) and has no bearing to the Kohana session. Can anyone please help me solve this?
Your problem is the order of function calls. You are starting your session (which will generate a new session with a new id if no id has been passed) before you are setting the session id that you passed as a parameter – it needs to be the other way around.
http://php.net/manual/en/function.session-id.php:
If
idis specified, it will replace the current session id.session_id()needs to be called beforesession_start()for that purpose.