[GH-ISSUE #1325] Advanced Search not working for read-only users #845

Closed
opened 2026-03-02 16:01:46 +03:00 by kerem · 4 comments

Originally created by @leonardooyama on GitHub (Jun 10, 2025).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/1325

When I am logged in as a read-only user, the Advanced Search doesn't return the expected results.

  • When I try the search with 0, 1 or 2 characters, it displays "minimum 3 characters required", which is okay.
  • In the other cases, it should return either "No result found" or the files that were found, but I am getting nothing.

For admin users, the Advanced Search works correctly. I am using the latest version (2.6). Any hints?

kerem closed this issue 2026-03-02 16:01:46 +03:00

@prasathmani commented on GitHub (Jun 11, 2025):

appreciate the report of the issue and will fix it in a future release.


@leonardooyama commented on GitHub (Jun 13, 2025):

> appreciate the report of the issue and will fix it in a future release.

Hi! If possible, I would like to contribute, but I couldn't find the error in the code. Do you have any idea where it is?


@smalos commented on GitHub (Jun 19, 2025):

I asked copilot:

Why Advanced Search Doesn't Work for Read-Only Users in TinyFileManager

Problem Description

  • Admin users: Advanced Search works as expected.
  • Read-only users: For 0–2 characters, "minimum 3 characters required" is shown (this is correct).
    For 3+ characters, the search returns nothing (no files, no "No result found", just blank).
  • Version: TinyFileManager v2.6

Technical Cause

In tinyfilemanager.php (v2.6), the PHP backend only processes the Advanced Search request if the user is NOT a read-only user.

Relevant code excerpt:

```
if (
    (isset($_SESSION[FM_SESSION_ID]['logged'], $auth_users[$_SESSION[FM_SESSION_ID]['logged']]) || !FM_USE_AUTH)
    && isset($_POST['ajax'], $_POST['token'])
    && !FM_READONLY
) {
    // ...
    if (isset($_POST['type']) && $_POST['type'] == "search") {
        // executes search and returns JSON
    }
    // ...
}
```

The !FM_READONLY part means:

  • Read-only users cannot access this code block.
  • As a result, when a read-only user submits a search, the server returns nothing, leading to a blank result in the frontend.

Why Is This By Design?

  • Security: Advanced Search recursively lists all file/folder names. The authors restricted this for read-only users, possibly to prevent information leakage or heavy resource use.
  • Consistency: Most actions are limited for read-only users to keep the permission model simple and secure.

How to Enable Advanced Search for Read-Only Users

If you want read-only users to have access to Advanced Search, you’ll need to modify the code:

Steps:

1. Open tinyfilemanager.php in your editor.

2. Find this line:

```
&& !FM_READONLY
```

3. Remove && !FM_READONLY so the condition becomes:

```
if (
    (isset($_SESSION[FM_SESSION_ID]['logged'], $auth_users[$_SESSION[FM_SESSION_ID]['logged']]) || !FM_USE_AUTH)
    && isset($_POST['ajax'], $_POST['token'])
) {
    // ...
}
```

4. Save and upload the file.

Now, read-only users will also be able to use Advanced Search.

Security Note:
This change allows all authenticated users (including read-only) to recursively search for files and folders.
Make sure this is acceptable for your use case before deploying.


@ValerioLyndon commented on GitHub (Nov 12, 2025):

I was wondering why this issue was happening and thanks to smalos's comment it was a quick fix. Only change I made was an extra if() check to prevent affecting other code, because without reading the rest of the codebase I have to assume this check is in place to prevent the other AJAX features (such as file uploads) from being used by a conniving readonly user.

This way the only part affected should be the search.

Difference visible in this commit: https://github.com/ValerioLyndon/tinyfilemanager/commit/3477cf1d60a36cdc68ea5922621e3cc5e0ccdaba
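
The three gates discussed in this thread, compared side by side for a read-only session. This is an added example, not TinyFileManager code and not the contents of the linked commit; the function names and the "save" and "upload" action types are constructed for illustration, and only "search" comes from the thread.

```php
<?php
// Added example, not TinyFileManager code. Function names and the "save" and
// "upload" action types are constructed; only "search" appears in the thread.

// Preconditions shared by every variant, mirroring the quoted excerpt:
// an authenticated session plus the ajax and token POST fields.
function base_ok(bool $authenticated, array $post): bool
{
    return $authenticated && isset($post['ajax'], $post['token']);
}

// Variant A: the gate as quoted from v2.6 (read-only users never enter).
function gate_original(bool $auth, bool $readonly, array $post): bool
{
    return base_ok($auth, $post) && !$readonly;
}

// Variant B: "&& !FM_READONLY" removed from the outer condition.
function gate_check_removed(bool $auth, bool $readonly, array $post): bool
{
    return base_ok($auth, $post);
}

// Variant C: outer check relaxed, but read-only users are limited to an
// explicit allowlist of action types (default deny for everything else).
const READONLY_ACTIONS = ['search'];

function gate_per_action(bool $auth, bool $readonly, array $post): bool
{
    if (!base_ok($auth, $post)) {
        return false;
    }
    $type = $post['type'] ?? null;
    return !$readonly || (is_string($type) && in_array($type, READONLY_ACTIONS, true));
}

// Constructed read-only requests: which variant lets each one through?
foreach (['search', 'save', 'upload'] as $type) {
    $post = ['ajax' => '1', 'token' => 'constructed', 'type' => $type];
    printf(
        "%-7s original=%-5s removed=%-5s per-action=%s\n",
        $type,
        var_export(gate_original(true, true, $post), true),
        var_export(gate_check_removed(true, true, $post), true),
        var_export(gate_per_action(true, true, $post), true)
    );
}
```

For the read-only session, only the per-action gate admits the search request while still denying the other two action types.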