File Upload in v5

About

There is a new and nifty feature in v5: users may upload local files to their own enCore folder and organize them from inside the MOO without an additional password. This new upload function is more secure than the upload in VASE, and thus replaces that part. The scripts should work with any SQL server supported by PEAR::DB. SQL queries have been tested on MySQL 4.1.12 and MySQL 5.0 using Latin-1 as default charset. Please let us know if they fail on other SQL servers.

The upload system was co-written by Daniel Jung (MOO code) and Trond K. Pettersen (PHP/SQL + MOO code), inspired by and partly based on earlier work by Fredrik Kavli (all of them working @ LINGO, Bergen).

License and Warranty

License: Refer to your enCore installation's license.

Warranty: There is no warranty. Not even implied. Use at own risk.

Download

Download the latest version of the File Uploader available at enCore Learning Environment's SourceForge.net project page.

Users

When a new file is successfully uploaded, the user is informed of its location, and a URL-MOO-object is created which holds the URL-information. This URL object can be dropped and moved, and will open the link if clicked.

From within the MOO, the user may browse his uploaded files and delete them. (This is really an external PHP page, but it shares the user's authentication, language and CSS.)

Updating a file and associated URL-MOO-objects:

Deleting a file and associated URL-MOO-objects:

Here, two different $uploaded_file or $url objects whose url_address property equaled the URL of the deleted file were deleted.

Administrators

In order to keep an eye on the number and size of users' uploaded files, wizards can browse (and sort) users' statistics in the Administration Module. This screenshot only shows zeros because each of these users has uploaded zero files.

Do we have to use it?

No. This feature ships with the main distribution, but whether or not it will be available in your local MOO depends on several conditions. It may be switched on/off globally, and on/off for individual users of user classes. In order to use this feature,

Note: This is installed and working in High Five MOO. Feel free to conduct tests.

Security

We have implemented several measures to prevent exploitation of the system. For instance, users can't upload code files, and a new negotiation/authentication token between the MOO and the PHP/SQL database system is exchanged invisibly, in addition to a few hidden user tokens which must match. However, as with the entire enCore package, using this system is entirely at your own risk, and we won't take any responsibility nor be liable in any way for any damage done to user files or your server. We programmed this to the best of our knowledge, and that's it.

Installation

Requirements

See also Do we have to use it?.

Setting it up

  1. You may need or want to create a new database.
    For most SQL servers this is done by executing a statement like

    CREATE DATABASE mydatabase;

    while logged onto the database. Stuff like this can also be done through Web GUIs like phpMyAdmin, if you're familiar with that.

    Please refer to your database's manual for additional help with this step.

  2. Create and open /upload/includes/config.php (copy from, or rename, config.default.php) in a text editor and edit it to fit your needs (set database name, username, password, upload-folder, etc.)

    See also: comments in /upload/includes/config.default.php

  3. Copy all files to a web-accessible folder on your web server (e.g. Apache), preferably to a folder named upload (this) inside the encore folder, e.g. a sibling of the images, mootcan, etc. folders.

  4. Open a web browser and move to install.php in the folder above, e.g. http://example.com/encore/upload/install.php. Fill out the form, and hit the Install-button. You're supposed to be notified if anything is, or goes, wrong.

  5. Delete install.php (the scripts won't work if you don't).

  6. Set the ownership of the userfiles folder to your Web Server. For Apache on Linux, while standing in the /encore/upload folder, this is done through executing a chown command like

    chown nobody:nobody userfiles/*

    or, if you're not logged in as super user, add sudo to that command:

    sudo chown nobody:nobody userfiles/*

    Enter your password if you're prompted to. If you wish, feel free to also chown the rest of the files (although this is not necessary, and probably not wanted). E.g. by executing something similar to:

    sudo chown -R nobody:nobody upload/*

    when standing in the encore directory.

    Note that whether you're using a Linux server or not, if the scripts do not run with the right set of permissions, the upload function will not work because your server won't be able to write / save files to the userfiles directory.

  7. Go to your MOO and set $uploader.moo_username and $uploader.moo_password to equal the values entered in step 4.

  8. Enable the upload extension by setting

  9. That's it. Have fun :)
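
A post-install check for steps 2, 5 and 6 and for the Security section's rule against code files, as an added example that is not part of the enCore distribution. The function name, the FAIL/OK output format and the extension list are assumptions; the paths follow the folder layout described in the steps above.

```shell
#!/bin/sh
# Post-install audit of the upload folder (added example, not enCore code).
# Usage: sh check_upload.sh <upload-dir> <web-server-user>
# Prints one line per finding; the return status is the number of failures.
check_upload_install() {
    dir=$1; webuser=$2; fails=0

    # Step 2: config.php must have been created from config.default.php.
    if [ ! -f "$dir/includes/config.php" ]; then
        echo "FAIL: includes/config.php is missing"
        fails=$((fails + 1))
    fi

    # Step 5: the installer must be removed once installation is done.
    if [ -e "$dir/install.php" ]; then
        echo "FAIL: install.php is still present"
        fails=$((fails + 1))
    fi

    # Step 6: the userfiles directory itself, not only its contents,
    # must belong to the web server account so uploads can be saved.
    if [ ! -d "$dir/userfiles" ]; then
        echo "FAIL: userfiles directory is missing"
        fails=$((fails + 1))
    else
        owner=$(ls -ld "$dir/userfiles" | awk '{print $3}')
        if [ "$owner" != "$webuser" ]; then
            echo "FAIL: userfiles is owned by $owner, expected $webuser"
            fails=$((fails + 1))
        fi
        # Security section: code files must not end up among user files.
        # This extension list is an assumption; adapt it to your server.
        scripts=$(find "$dir/userfiles" -type f \( -iname '*.php' \
            -o -iname '*.phtml' -o -iname '*.cgi' -o -iname '*.pl' \) -print)
        if [ -n "$scripts" ]; then
            echo "FAIL: script-like files under userfiles:"
            echo "$scripts" | sed 's/^/  /'
            fails=$((fails + 1))
        fi
    fi

    [ "$fails" -eq 0 ] && echo "OK: all checks passed"
    return "$fails"
}

# Run the audit when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then check_upload_install "$1" "$2"; fi
```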

Changes

Will there be changes?

I have no idea when or if these changes will be implemented.

Last updated November 15 2006 by Trond K. Pettersen.