[GH-ISSUE #1038] Exclude files for Users Only (reply fast !important) #665

Closed
opened 2026-03-02 16:00:40 +03:00 by kerem · 5 comments

Originally created by @xololunatic on GitHub (May 7, 2023).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/1038

Can anyone tell me a way to exclude files only for users and not the admin account? If there is, please tell me what to do to set it up, and if not, I request the admin @prasathmani to implement that, which will be very useful and should also be easy to implement, I think ...

kerem closed this issue 2026-03-02 16:00:40 +03:00

@ner00 commented on GitHub (May 27, 2023):

It's relatively easy, although an experienced user could still mess around if he knows the name of the files being hidden.

Anyway, this is the current code that checks if excluded files should be visible in the file manager:
https://github.com/prasathmani/tinyfilemanager/blob/f3804781979cc6f755915be9931b6e6ceeee8875/tinyfilemanager.php#L2572-L2575

The code above obviously is as direct as possible since it was never intended for distinctions other than the excluded items, regardless of whether the user is admin or read-only. If we invert the logic, make it either/or, wrap it in parentheses and add a check for read-only user, then it would work like this:

    if ((in_array($file, $exclude_items) || in_array("*.$ext", $exclude_items)) && FM_READONLY) {
        return false;
    }
    return true;

I didn't think about this thoroughly, so it may be that this breaks something, although it shouldn't.
Give it a try and leave some feedback, please.
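
Why the parentheses in the snippet above matter, as an added example that is not part of the original comment or of TinyFileManager: in PHP `&&` binds tighter than `||`, so dropping them changes who the exclusion applies to. The function names, the way `$ext` is derived and the sample file list are assumptions made for illustration.

```php
<?php
// Added example: stand-alone model of the visibility check, not TinyFileManager's code.
// $excludeItems and $readonly stand in for FM_EXCLUDE_ITEMS and FM_READONLY.

function is_visible(string $file, array $excludeItems, bool $readonly): bool
{
    // Assumption: $ext is the file name's extension.
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    $matched = in_array($file, $excludeItems, true)
        || in_array("*.$ext", $excludeItems, true);
    // Parenthesised form from the comment: hide only when matched AND read-only.
    return !($matched && $readonly);
}

function is_visible_no_parens(string $file, array $excludeItems, bool $readonly): bool
{
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    // Without the outer parentheses this parses as
    //   nameMatch || (extMatch && readonly)
    // so an exact name match hides the file from the admin as well.
    if (in_array($file, $excludeItems, true) || in_array("*.$ext", $excludeItems, true) && $readonly) {
        return false;
    }
    return true;
}

// Constructed sample configuration and files.
$exclude = ['login.php', '*.log'];
$cases = [
    ['login.php', false], ['login.php', true],
    ['debug.log', false], ['debug.log', true],
    ['index.html', true],
];

foreach ($cases as [$file, $readonly]) {
    printf(
        "%-10s readonly=%-5s parens=%-7s no_parens=%s\n",
        $file,
        var_export($readonly, true),
        is_visible($file, $exclude, $readonly) ? 'visible' : 'hidden',
        is_visible_no_parens($file, $exclude, $readonly) ? 'visible' : 'hidden'
    );
}
```

The two functions disagree only for `login.php` with `readonly=false`: the parenthesised form leaves it visible to the admin, the other hides it.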


@xololunatic commented on GitHub (May 28, 2023):

@ner00 I will try that and will update you soon... But what I really wanted is this: let's say I added 2 users (except admin) (readonly) (user1 and user2), and specifically I want to exclude a file, let's say login.php, for user2 and not for user1. That means user2 should not be able to see login.php but user1 can. In short, can we separately exclude different files for each user? It would be best if it may be done in config section. If I succeeded in making you understand, then tell me what could be done; if you don't, then tell me and I can explain again.


@ner00 commented on GitHub (May 28, 2023):

> It would be best if it may be done in config section.

I don't understand what you mean by that, if you mean to add/remove users with access in the settings menu then I don't think it is worth the extra work to implement that. Because you still need to add users and passwords manually, you still need to add excluded files and extensions manually, so in the end that's too much work for little to no gain at all.

A simpler and general solution requires a bit more code than the previous example but works in essentially the same way, just create a new array named something like $exclude_items_users and put inside the names of the users that you don't want to be able to view the excluded files, then instead of checking for read-only, check for current user.

For simplicity, here is a commit with the needed changes: https://github.com/prasathmani/tinyfilemanager/commit/571e0ddfa7768807f28cd7ccd32b8f4435f5ffd3

...or a diff view:

@@ -100,6 +100,10 @@ $favicon_path = '';
 // e.g. array('myfile.html', 'personal-folder', '*.php', ...)
 $exclude_items = array();

+// Users excluded from listing excluded files and folders
+// e.g. array('user', 'user2', ...)
+$exclude_items_users = array();
+
 // Online office Docs Viewer
 // Availabe rules are 'google', 'microsoft' or false
 // Google => View documents using Google Docs Viewer
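
Review bot: The comment added above `$exclude_items_users = array();` does not say what the empty default means. The condition added to `fm_is_exclude_items()` is `empty($exclude_items_users) || in_array(...)`, so an empty list applies the exclusion to every user, while a reader of this config block could just as easily assume an empty list exempts everyone. Suggest spelling that out in the comment, for example "leave empty to hide excluded items from all users".
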
@@ -419,6 +423,7 @@ defined('FM_LANG') || define('FM_LANG', $lang);
 defined('FM_FILE_EXTENSION') || define('FM_FILE_EXTENSION', $allowed_file_extensions);
 defined('FM_UPLOAD_EXTENSION') || define('FM_UPLOAD_EXTENSION', $allowed_upload_extensions);
 defined('FM_EXCLUDE_ITEMS') || define('FM_EXCLUDE_ITEMS', (version_compare(PHP_VERSION, '7.0.0', '<') ? serialize($exclude_items) : $exclude_items));
+defined('FM_EXCLUDE_ITEMS_USERS') || define('FM_EXCLUDE_ITEMS_USERS', (version_compare(PHP_VERSION, '7.0.0', '<') ? serialize($exclude_items_users) : $exclude_items_users));
 defined('FM_DOC_VIEWER') || define('FM_DOC_VIEWER', $online_viewer);
 define('FM_READONLY', $global_readonly || ($use_auth && !empty($readonly_users) && isset($_SESSION[FM_SESSION_ID]['logged']) && in_array($_SESSION[FM_SESSION_ID]['logged'], $readonly_users)));
 define('FM_IS_WIN', DIRECTORY_SEPARATOR == '\\');
@@ -2566,13 +2571,15 @@ function fm_is_exclude_items($file) {
     }

     $exclude_items = FM_EXCLUDE_ITEMS;
+    $exclude_items_users = FM_EXCLUDE_ITEMS_USERS;
     if (version_compare(PHP_VERSION, '7.0.0', '<')) {
         $exclude_items = unserialize($exclude_items);
+        $exclude_items_users = unserialize($exclude_items_users);
     }
-    if (!in_array($file, $exclude_items) && !in_array("*.$ext", $exclude_items)) {
-        return true;
+    if ((in_array($file, $exclude_items) || in_array("*.$ext", $exclude_items)) && (empty($exclude_items_users) || in_array($_SESSION[FM_SESSION_ID]['logged'], $exclude_items_users))) {
+        return false;
     }
-    return false;
+    return true;
 }

 /**
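
Review bot: `$_SESSION[FM_SESSION_ID]['logged']` is read in the new condition without an `isset()` guard, unlike the `FM_READONLY` definition shown in the second hunk, which checks `isset($_SESSION[FM_SESSION_ID]['logged'])` before using it. When the user list is non-empty and no user is logged in (for instance with `$use_auth` off), the lookup is on an undefined key and `in_array()` does not match, so the function returns true and the excluded items are shown: the check fails open. Suggest resolving the user once into a local variable, treating a missing user as restricted, and passing `true` as the third argument to `in_array()` so the comparison is strict.
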

@ner00 commented on GitHub (May 28, 2023):

> In short can we separately exclude different files for each user...

If I understand that correctly, then yes. You will need a multidimensional array to map excluded files to specific users. Here's a commit with the needed changes: ~https://github.com/prasathmani/tinyfilemanager/commit/21d6a134b75e5b7b530a336b55c26577c828a6ec~ https://github.com/prasathmani/tinyfilemanager/commit/1301b27e0e95e54498f669fe8fe552063826ad07

...or a diff view:

@@ -100,6 +100,12 @@ $favicon_path = '';
 // e.g. array('myfile.html', 'personal-folder', '*.php', ...)
 $exclude_items = array();

+// Users excluded from listing excluded files and folders
+// e.g. 'username' => array('myfile.html', 'personal-folder', '*.php', ...)
+$exclude_items_users = array(
+    'username' => array(),
+);
+
 // Online office Docs Viewer
 // Availabe rules are 'google', 'microsoft' or false
 // Google => View documents using Google Docs Viewer
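
Review bot: The first comment line on `$exclude_items_users` reads "Users excluded from listing excluded files and folders", which describes a list of users, but the example line and the default show a map from username to that user's own exclude list. Suggest rewording it to something like "Additional excluded files and folders per user" and noting that these entries are applied on top of `$exclude_items`, which the condition in `fm_is_exclude_items()` still applies to everyone. The placeholder entry `'username' => array()` could also be dropped from the default so the shipped config does not carry a dummy user.
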
@@ -419,6 +425,7 @@ defined('FM_LANG') || define('FM_LANG', $lang);
 defined('FM_FILE_EXTENSION') || define('FM_FILE_EXTENSION', $allowed_file_extensions);
 defined('FM_UPLOAD_EXTENSION') || define('FM_UPLOAD_EXTENSION', $allowed_upload_extensions);
 defined('FM_EXCLUDE_ITEMS') || define('FM_EXCLUDE_ITEMS', (version_compare(PHP_VERSION, '7.0.0', '<') ? serialize($exclude_items) : $exclude_items));
+defined('FM_EXCLUDE_ITEMS_USERS') || define('FM_EXCLUDE_ITEMS_USERS', (version_compare(PHP_VERSION, '7.0.0', '<') ? serialize($exclude_items_users) : $exclude_items_users));
 defined('FM_DOC_VIEWER') || define('FM_DOC_VIEWER', $online_viewer);
 define('FM_READONLY', $global_readonly || ($use_auth && !empty($readonly_users) && isset($_SESSION[FM_SESSION_ID]['logged']) && in_array($_SESSION[FM_SESSION_ID]['logged'], $readonly_users)));
 define('FM_IS_WIN', DIRECTORY_SEPARATOR == '\\');
@@ -2566,13 +2573,19 @@ function fm_is_exclude_items($file) {
     }

     $exclude_items = FM_EXCLUDE_ITEMS;
+    $exclude_items_users = FM_EXCLUDE_ITEMS_USERS;
     if (version_compare(PHP_VERSION, '7.0.0', '<')) {
         $exclude_items = unserialize($exclude_items);
+        $exclude_items_users = unserialize($exclude_items_users);
     }
-    if (!in_array($file, $exclude_items) && !in_array("*.$ext", $exclude_items)) {
-        return true;
+    if (in_array($file, $exclude_items) || in_array("*.$ext", $exclude_items) || (
+        isset($exclude_items_users[$_SESSION[FM_SESSION_ID]['logged']]) && (
+        in_array($file, $exclude_items_users[$_SESSION[FM_SESSION_ID]['logged']]) ||
+        in_array("*.$ext", $exclude_items_users[$_SESSION[FM_SESSION_ID]['logged']])))
+    ){
+        return false;
     }
-    return false;
+    return true;
 }

 /**
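
Review bot: `$_SESSION[FM_SESSION_ID]['logged']` appears three times in the new condition and is used as an array key without first checking that it is set; the `isset()` here tests the `$exclude_items_users` entry, not the session value. Suggest reading it once into a local variable guarded by `isset()`, as the `FM_READONLY` definition in the second hunk does, and doing the per-user lookup on that variable, which also makes the nested condition easier to read. Passing `true` as the third argument of the `in_array()` calls would make the name and pattern matches strict.
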

@ner00 commented on GitHub (Jun 11, 2023):

Close this due to lack of response from OP.
