
Strange 403 Forbidden calling the assets/files folder


Luis

Howdie folks,

I'm setting up a multisite with a global module and global template folder.

Most of the page render depends on $input->get, templates are delegated via 

<?php if($page->template){$t = new TemplateFile($config->paths->templates . "views/view_{$page->route}.php");} echo $t->render(); ?>

Template delegation happens in a file named controller.php, in which this piece of code:

<img src="<?= $user->userimage->url ?>" class="img-circle" />

returns the 403 Forbidden, but only if I'm on the homepage and no other page data is called based on a get variable.

Short overview regarding the multisite setup:

Index.php in root:

$siteDir = 'clientspaces/site-admin';

  $config = new Config();
  $config->urls = new Paths($rootURL);
  $config->urls->wire = "$wireDir/";
  $config->urls->site = "$siteDir/";
  $config->urls->modules = "$wireDir/modules/";
  $config->urls->siteModules = "modules/";
  $config->urls->core = "$coreDir/";
  $config->urls->assets = "$assetsDir/";
  $config->urls->cache = "$assetsDir/cache/";
  $config->urls->logs = "$assetsDir/logs/";
  $config->urls->files = "$assetsDir/files/";
  $config->urls->tmp = "$assetsDir/tmp/";
  $config->urls->templates = "application/";
  $config->urls->adminTemplates = is_dir("$siteDir/$adminTplDir") ? "$siteDir/$adminTplDir/" : "$wireDir/$adminTplDir/";
  $config->paths = clone $config->urls;
  $config->paths->root = $rootPath . '/';
  $config->paths->sessions = $config->paths->assets . "sessions/";

index.config.php:

function ProcessWireHostSiteConfig() {

        return array(
                 'foo.example.de' => 'clientspaces/foo',

                  '*' => 'clientspaces/site-admin',

                );

}

I started with deleting all restrictions in .htaccess, but this wasn't a success. :(

EDIT: 

Creating the url by hand will serve the file, but without the ability to access the imageClass methods

<img src="<?= $config->urls->assets ?>files/<?= $user->id ?>/<?= $user->userimage ?>" />
Link to comment
Share on other sites

Ok, this is the request made by $image->url 

41/
/projectplaner/clientspaces/site-admin/assets/files
GET
403
Forbidden

and this is the request made by <?= $config->urls->files . $user->id ?>/<?= $user->userimage ?>

koala.jpg
/projectplaner/clientspaces/site-admin/assets/files/41
GET
304
Not Modified

Does PW just try to get the folder by accident, or is this request blocked directly on the folder?

Link to comment
Share on other sites

After playing Sherlock Holmes again, the riddle grows.

I placed <?= $user->userimage->url ?> in various places inside my controller.php to find out under which circumstances the url method grabs the appropriate image file.

After placing it right before the closing body tag, it gives me the right file. Now I figured out that after doing this right before:

<?php foreach($users as $member): ?>
  <?php if($member->hasRole('projectmanager')): ?>
    <option value="<?= $member->id  ?>"><?= $member->membername ?></option>
  <?php endif ?>
<?php endforeach ?>

the $user->userimage is present. 

Link to comment
Share on other sites

Are you iterating through users or something and echoing $user->something?

Just wondering because $user by default returns data for the user viewing the page.

If that's the case you want to do something like your last post and do foreach $users as $member and echo $member->userimage

Of course I've probably completely misunderstood :)

Link to comment
Share on other sites

The next bit found. 

After calling a page, a script on top checks if the $user is allowed to do this or that action like so:

if(!$project->staff->has($user)){
    header('Location: '.$pages->get(1)->url);
    die();
  }

and now $user->userimage->url is available.

@pete: no, I'm not iterating through my users :)

I just want to access the userimage from this user, who is actually accessing the page.

So, you are looking into your profile and you get your userimage.

Link to comment
Share on other sites

Yeah you're right, but I think the risk is minimal, I'm just replacing the $user with a returned $user from $users->get. So the new $user should have all the same methods and properties.

So $user === $user. Correct me if I'm wrong

Link to comment
Share on other sites

$user by default is always the user viewing the page. You should never overwrite that for stuff like this - instead use something like $myuser = $users->get(... and then you won't cross-contaminate your $user variables.

I marked your workaround as "unsolved" purely because it's unwise and not an ideal solution - please don't be offended but we don't want people using this as a solution.

  • Like 1
Link to comment
Share on other sites
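
Why the last reply advises against reassigning $user, as an added example that is not part of the original thread. It uses plain-PHP stand-ins rather than ProcessWire's API; the Member class, the two functions and the sample users are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Plain-PHP stand-in for a user object; not a ProcessWire class.
final class Member {
    public function __construct(public int $id, public string $name) {}
}

// Constructed sample data: user 41 is the viewer, user 42 is project staff.
$users    = [41 => new Member(41, 'viewer'), 42 => new Member(42, 'manager')];
$staffIds = [42];

function isStaff(Member $u, array $staffIds): bool {
    return in_array($u->id, $staffIds, true);
}

// Unsafe: the looked-up profile replaces $user, so the later permission
// check runs against the profile owner instead of the person viewing.
function renderUnsafe(Member $user, array $users, int $profileId, array $staffIds): array {
    $user = $users[$profileId];               // overwrites the viewer
    return [
        'heading' => "Profile of {$user->name}",
        'allowed' => isStaff($user, $staffIds),
    ];
}

// Safe: the lookup gets its own variable and $user stays the viewer.
function renderSafe(Member $user, array $users, int $profileId, array $staffIds): array {
    $profileUser = $users[$profileId];
    return [
        'heading' => "Profile of {$profileUser->name}",
        'allowed' => isStaff($user, $staffIds),
    ];
}

// The non-staff viewer (41) opens the profile of staff member 42.
$viewer = $users[41];
var_dump(renderUnsafe($viewer, $users, 42, $staffIds)['allowed']);
var_dump(renderSafe($viewer, $users, 42, $staffIds)['allowed']);
```

Both variants render the same heading, but the unsafe one reports the non-staff viewer as allowed because the check ran against user 42, while the safe one denies it.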
