[GH-ISSUE #61] Read-only access without login #45

Closed
opened 2026-03-02 15:55:14 +03:00 by kerem · 10 comments

Originally created by @fn-ix on GitHub (Sep 21, 2018).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/61

Hi!

I'd like to request the creation of a 'guest mode' - i.e. one where visitors can automatically view the files without logging in, but without write permissions, which would require authentication before becoming available. Such a feature has been incorporated into [another](https://github.com/marekrei/encode-explorer) PHP file manager, which however is quite outdated by this point.

@wmerfalen commented on GitHub (Oct 4, 2018):

@prasathmani I can start on this, if you'd like.


@alecos71 commented on GitHub (Oct 13, 2018):

A guest that can read htaccess and htpasswd??? This is insane!!! Nobody should have access to private folders and files... Giving hackers the opportunity to read private and secret files is the right way to have the site compromised by malware!!! Or even worse, giving read access to files containing security data such as user and pass in clear text!!! It is too dangerous!!! Don't release this feature!!!


@fn-ix commented on GitHub (Oct 13, 2018):

Well, this could be easily circumvented by making an option to blacklist certain files from showing up in the file browser. Excluding folders from listing is already a possibility, so extending this feature to files should be a quick matter.


@alecos71 commented on GitHub (Oct 13, 2018):

I think it's too dangerous. For example, if you overlook excluding the db.php file that contains login credentials, anyone with read access to that file can access sensitive and reserved areas of their website. For someone who has more than 500 files like me, you can understand that it would become really difficult and quite annoying to exclude all the folders or files from the configuration of the filemanager ... no one should have read access to private files, it would take one moment of inattention to compromise an entire website ... we think about security ...


@fn-ix commented on GitHub (Oct 13, 2018):

Well the whole feature should be optional, so that the people who want can just keep the auth for read access too and not use the guest mode. No need to worry man, I'm sure we can find some solution that can work for everyone ;)


@wmerfalen commented on GitHub (Oct 15, 2018):

There should probably be a ToS or protective license guarding against mis-use of this script (if one doesn't already exist).


@wmerfalen commented on GitHub (Oct 15, 2018):

Would it make sense to have an array of sensitive file names that we can compare against and not show those if read-only access is granted?
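
One way to implement the exclusion idea discussed in this thread while covering the objection that an overlooked file such as db.php would leak: decide guest visibility by allowlist instead of by a list of sensitive names. This is an added example, not code from tinyfilemanager or from any commenter; `guest_may_read`, the two constants and the demo file names are hypothetical.

```php
<?php
// Added example with hypothetical names; not tinyfilemanager's own code.
// Constructed policy: guests see only these extensions (deny by default).
const GUEST_ALLOWED_EXT = ['txt', 'pdf', 'png', 'jpg', 'zip'];
// Backstop for sensitive names that carry an allowed extension.
const GUEST_DENY_NAMES = ['credentials.txt'];

// May $relPath (relative to the shared $root) be listed or served to a guest?
function guest_may_read(string $root, string $relPath): bool
{
    $rootReal = realpath($root);
    $real = realpath($root . DIRECTORY_SEPARATOR . $relPath);
    if ($rootReal === false || $real === false) {
        return false; // missing file or root
    }
    // Resolved path must stay under the root (blocks ../ and stray symlinks).
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Hide dotfiles and anything below a dot-directory (.htaccess, .htpasswd, .git).
    foreach (explode(DIRECTORY_SEPARATOR, substr($real, strlen($prefix))) as $seg) {
        if ($seg === '' || $seg[0] === '.') {
            return false;
        }
    }
    if (is_dir($real)) {
        return true;
    }
    $name = strtolower(basename($real));
    if (in_array($name, GUEST_DENY_NAMES, true)) {
        return false;
    }
    // Anything not explicitly allowed, such as an overlooked db.php, stays hidden.
    return in_array(pathinfo($name, PATHINFO_EXTENSION), GUEST_ALLOWED_EXT, true);
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('guest_demo_');
mkdir($root);
$files = ['readme.txt', 'db.php', '.htpasswd', 'credentials.txt'];
foreach ($files as $f) {
    file_put_contents($root . DIRECTORY_SEPARATOR . $f, 'x');
}
foreach (array_merge($files, ['../outside.txt']) as $p) {
    printf("%-16s %s\n", $p, guest_may_read($root, $p) ? 'visible' : 'hidden');
}
foreach ($files as $f) unlink($root . DIRECTORY_SEPARATOR . $f);
rmdir($root);
```

The same check has to run on the download and preview paths as well as on the listing, since hiding a name from the listing alone does not stop a direct request for it.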


@prasathmani commented on GitHub (Oct 18, 2018):

> Well, this could be easily circumvented by making an option to blacklist certain files from showing up in the file browser. Excluding folders from listing is already a possibility, so extending this feature to files should be a quick matter.

@hfel Now can hide folder and files both, check with latest.

@fn-ix commented on GitHub (Nov 25, 2018):

Thanks! I wonder though if it would be possible to include a mode where the file manager is visible by default with only read access, with the option to sign in as a user with heightened privileges. At the moment, when I want to direct a guest to the file manager, they have to sign in with a guest account, which just seems like an unnecessary move as it doesn't really confer them any more powers anyway.


@17500mph commented on GitHub (Apr 3, 2021):

Old thread but this will make that work. If you want to have admin functions too, just use a second version of the script as normal with a different, perhaps obscure filename..


diff --git a/tinyfilemanager.php b/tinyfilemanager.php
index ec5cb72..4e6d8a4 100644
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php

@@ -208,6 +208,7 @@ if (defined('FM_EMBED')) {
}
set_error_handler('session_error_handling_function');
session_start();

  • $_SESSION[FM_SESSION_ID]['logged'] = 'user';
    restore_error_handler();
    }
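
Review bot: the added `$_SESSION[FM_SESSION_ID]['logged'] = 'user';` directly after `session_start()` runs unconditionally on every request, so every visitor is marked as logged in as `user` without any credential check, and a session that had signed in under another name is overwritten on the next request. Whether the result is actually read-only depends on an account named `user` existing and being configured as read-only, which nothing in this hunk verifies. Suggest putting the assignment behind an explicit configuration switch that is off by default, applying it only when `$_SESSION[FM_SESSION_ID]['logged']` is not already set, and documenting that with it enabled every file not excluded from the listing is readable without authentication.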