<?php
// Load the admin bootstrap four directories up; the constants and helpers used
// below (SERVERPATH, zp_loggedin(), ...) are not defined in this file.
require_once(dirname(dirname(dirname(dirname(__FILE__)))) . '/admin-globals.php');
// NOTE(review): presumably validates the 'elFinder' XSRF token and stops the
// request when it is missing or wrong (defined elsewhere, confirm). It has to
// stay ahead of the connector, which can create, modify and delete files.
XSRFdefender('elFinder');
// elFinder connector, core, abstract volume driver and local filesystem driver.
include_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/elFinder/php/elFinderConnector.class.php';
include_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/elFinder/php/elFinder.class.php';
include_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/elFinder/php/elFinderVolumeDriver.class.php';
include_once SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/elFinder/php/elFinderVolumeLocalFileSystem.class.php';
/**
 * Access-control callback registered as 'accessControl' on the volumes below.
 *
 * Only entries whose base name starts with a dot are decided here: for those,
 * 'read' and 'write' are answered with false and every other attribute with
 * true. All other paths get null (presumably "no opinion", leaving the decision
 * to elFinder; confirm against the bundled elFinder version).
 *
 * @param string $attr   attribute being queried (e.g. 'read', 'write')
 * @param string $path   path of the file or folder
 * @param mixed  $data   unused here
 * @param mixed  $volume unused here
 * @return bool|null
 */
function access($attr, $path, $data, $volume)
{
    $isDotFile = strpos(basename($path), '.') === 0;
    if (!$isDotFile) {
        return null;
    }
    // Loose comparison is kept on purpose so the result matches the original.
    return $attr != 'read' && $attr != 'write';
}
/**
 * Access-control callback that additionally restricts non-image files.
 *
 * A path is restricted when access() returns a truthy value for it, or when it
 * is neither a directory nor accepted by Gallery::validImage() (defined
 * elsewhere; presumably a check for supported image types). For a restricted
 * path 'read' and 'write' are answered with false and any other attribute with
 * true; unrestricted paths get null.
 *
 * @param string $attr   attribute being queried (e.g. 'read', 'write')
 * @param string $path   path of the file or folder
 * @param mixed  $data   passed through to access()
 * @param mixed  $volume passed through to access()
 * @return bool|null
 */
function accessImage($attr, $path, $data, $volume)
{
    // Same evaluation order as the original: access() first, then is_dir(),
    // and validImage() only for non-directories.
    $restricted = access($attr, $path, $data, $volume)
        || !(is_dir($path) || Gallery::validImage($path));
    if (!$restricted) {
        return null;
    }
    return $attr != 'read' && $attr != 'write';
}
/**
 * Access-control callback used on the albums root for non-admin users.
 *
 * Denies 'write' when the path, made relative to the album folder, has an empty
 * first segment (i.e. the path is the album folder itself), and otherwise
 * applies the same dot-file rule as access().
 *
 * NOTE(review): the emptiness test is a truthiness test, so a first segment of
 * '0' is treated like the album root as well.
 *
 * @param string $attr   attribute being queried (e.g. 'read', 'write')
 * @param string $path   path of the file or folder
 * @param mixed  $data   passed through to access()
 * @param mixed  $volume passed through to access()
 * @return bool|null
 */
function accessAlbums($attr, $path, $data, $volume)
{
    // Normalise Windows separators and append '/' so the album folder prefix
    // (as returned by getAlbumFolder()) can be stripped by plain replacement.
    $normalized = str_replace('\\', '/', $path) . '/';
    $relative = str_replace(getAlbumFolder(SERVERPATH), '', $normalized);
    $segments = explode('/', $relative);
    $topFolder = array_shift($segments);

    $writeAtRoot = !$topFolder && $attr == 'write';
    if ($writeAtRoot || access($attr, $path, $data, $volume)) {
        return $attr != 'read' && $attr != 'write';
    }
    return null;
}
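// Build the elFinder volume ("root") list for the current admin and run the
// connector. Which roots are mounted depends on the admin's rights and on the
// 'origin' request parameter: 'upload' exposes every folder the user has rights
// to, anything else exposes only the upload folder, restricted to images.
//
// NOTE(review): with 'mimeDetect' => 'internal' elFinder is expected to derive
// the MIME type from the file name rather than from the content (confirm
// against the bundled elFinder version). If so, 'uploadAllow' / 'uploadDeny'
// act as extension filters, and because every root is published under WEBPATH,
// which extensions the web server executes decides how much the deny lists
// actually protect.
$opts = array();

// Options every root below has in common.
$volumeDefaults = array(
	'driver' => 'LocalFileSystem',
	'mimeDetect' => 'internal',
	'tmbPath' => '.tmb',
	'utf8fix' => true,
	'tmbCrop' => false,
	'tmbBgColor' => 'transparent',
	// names must not start with a dot
	'acceptedName' => '/^[^\.].*$/'
);

// isset() guard: a request without 'origin' takes the restricted branch
// without raising an undefined-index notice.
if (isset($_REQUEST['origin']) && $_REQUEST['origin'] === 'upload') {
	// Root 0: upload folder.
	if (zp_loggedin(FILES_RIGHTS)) {
		$opts['roots'][0] = $volumeDefaults + array(
			'startPath' => SERVERPATH . '/' . UPLOAD_FOLDER . '/',
			'path' => SERVERPATH . '/' . UPLOAD_FOLDER . '/',
			'URL' => WEBPATH . '/' . UPLOAD_FOLDER . '/',
			'alias' => sprintf(gettext('Upload folder (%s)'), UPLOAD_FOLDER),
			'accessControl' => 'access'
		);
	}

	// Root 1: themes folder. Themes named in the 'Zenphoto_theme_list' option
	// are made read-only and locked, both the folder and its contents.
	if (zp_loggedin(THEMES_RIGHTS)) {
		$zplist = getSerializedArray(getOption('Zenphoto_theme_list'));
		$opts['roots'][1] = $volumeDefaults + array(
			'startPath' => SERVERPATH . '/' . THEMEFOLDER . '/',
			'path' => SERVERPATH . '/' . THEMEFOLDER . '/',
			'URL' => WEBPATH . '/' . THEMEFOLDER . '/',
			'alias' => sprintf(gettext('Zenphoto themes (%s)'), THEMEFOLDER),
			'accessControl' => 'access',
			'attributes' => array(
				array(
					'pattern' => '/.(' . implode('$|', $zplist) . '$)/',
					'read' => true,
					'write' => false,
					'locked' => true
				),
				array(
					'pattern' => '/.(' . implode('\/|', $zplist) . '\/)/',
					'read' => true,
					'write' => false,
					'locked' => true
				)
			)
		);
	}

	// Root 2: albums folder, image uploads only.
	if (zp_loggedin(UPLOAD_RIGHTS)) {
		$opts['roots'][2] = $volumeDefaults + array(
			'startPath' => getAlbumFolder(SERVERPATH),
			'path' => getAlbumFolder(SERVERPATH),
			'URL' => getAlbumFolder(WEBPATH),
			'alias' => sprintf(gettext('Albums folder (%s)'), basename(getAlbumFolder())),
			'uploadAllow' => array('image')
		);
		if (zp_loggedin(ADMIN_RIGHTS)) {
			$opts['roots'][2]['accessControl'] = 'access';
		} else {
			// Non-admins: deny script-like uploads and limit each album to the
			// rights the user holds on it.
			if (isset($opts['roots'][0])) {
				// Only when root 0 was mounted above; assigning unconditionally
				// would create a root entry that has no driver and no path.
				$opts['roots'][0]['uploadDeny'] = array('text/x-php', 'application');
			}
			$opts['roots'][2]['accessControl'] = 'accessAlbums';
			$opts['roots'][2]['uploadDeny'] = array('text/x-php', 'application');

			// Top-level albums the user does not manage are hidden entirely.
			// '/' is passed to preg_quote() because the patterns below use it
			// as delimiter: an unescaped slash in a folder name would end the
			// pattern early and make the rule unusable.
			$_managed_folders = getManagedAlbumList();
			$excluded_folders = $_zp_gallery->getAlbums(0);
			$excluded_folders = array_diff($excluded_folders, $_managed_folders);
			foreach ($excluded_folders as $key => $folder) {
				$excluded_folders[$key] = preg_quote($folder, '/');
			}

			$maxupload = ini_get('upload_max_filesize');
			$maxuploadint = parse_size($maxupload);
			$uploadlimit = zp_apply_filter('get_upload_limit', $maxuploadint);

			// Sort the managed albums by what the user may do in them.
			$all_actions = $_not_upload = $_not_edit = array();
			foreach ($_managed_folders as $key => $folder) {
				$rightsalbum = newAlbum($folder);
				$modified_rights = $rightsalbum->albumSubRights();
				if ($uploadlimit <= 0) {
					// no upload allowance left: treat the album as not uploadable
					$modified_rights = $modified_rights & ~MANAGED_OBJECT_RIGHTS_UPLOAD;
				}
				// Start in both "not allowed" lists, then remove per right held.
				$_not_edit[$key] = $_not_upload[$key] = $folder = preg_quote($folder, '/');
				switch ($modified_rights & (MANAGED_OBJECT_RIGHTS_UPLOAD | MANAGED_OBJECT_RIGHTS_EDIT)) {
					case MANAGED_OBJECT_RIGHTS_UPLOAD:
						unset($_not_upload[$key]);
						break;
					case MANAGED_OBJECT_RIGHTS_EDIT:
						unset($_not_edit[$key]);
						break;
					case MANAGED_OBJECT_RIGHTS_UPLOAD | MANAGED_OBJECT_RIGHTS_EDIT:
						unset($_not_edit[$key]);
						unset($_not_upload[$key]);
						$all_actions[$key] = $folder;
						break;
				}
			}

			// NOTE(review): the patterns are not anchored to a path separator on
			// the left ('.' matches any character), so a rule for "foo" also
			// matches a folder whose name merely ends in "foo"; confirm this is
			// acceptable for the album names in use.
			$opts['roots'][2]['attributes'] = array();
			if (!empty($excluded_folders)) {
				// unmanaged albums and their .xmp sidecars: no access at all
				$opts['roots'][2]['attributes'][0] = array(
					'pattern' => '/.(' . implode('$|', $excluded_folders) . '$)/',
					'read' => false,
					'write' => false,
					'locked' => true
				);
				$opts['roots'][2]['attributes'][1] = array(
					'pattern' => '/.(' . implode('.xmp|', $excluded_folders) . '.xmp)/',
					'read' => false,
					'write' => false,
					'locked' => true
				);
			}
			if (!empty($_not_upload)) {
				// album folder itself is read-only: nothing can be added to it
				$opts['roots'][2]['attributes'][2] = array(
					'pattern' => '/.(' . implode('$|', $_not_upload) . '$)/',
					'read' => true,
					'write' => false,
					'locked' => true
				);
			}
			if (!empty($_not_edit)) {
				// album contents are read-only
				$opts['roots'][2]['attributes'][3] = array(
					'pattern' => '/.(' . implode('\/|', $_not_edit) . '\/)/',
					'read' => true,
					'write' => false,
					'locked' => true
				);
				// The .xmp sidecar of every non-editable album is read-only.
				// The glue must be '.xmp|' (as in the excluded-folder rule);
				// with '\/|' only the last album in the list got a sidecar rule.
				$opts['roots'][2]['attributes'][4] = array(
					'pattern' => '/.(' . implode('.xmp|', $_not_edit) . '.xmp)/',
					'read' => true,
					'write' => false,
					'locked' => true
				);
			}
			if (!empty($all_actions)) {
				// albums with both upload and edit rights: fully writable
				$opts['roots'][2]['attributes'][5] = array(
					'pattern' => '/.(' . implode('$|', $all_actions) . '$)/',
					'read' => true,
					'write' => true,
					'locked' => false
				);
			}
		}
	}

	// Roots 3-5: third-party plugins, data and backup folders, full admins only.
	if (zp_loggedin(ADMIN_RIGHTS)) {
		$opts['roots'][3] = $volumeDefaults + array(
			'startPath' => SERVERPATH . '/' . USER_PLUGIN_FOLDER . '/',
			'path' => SERVERPATH . '/' . USER_PLUGIN_FOLDER . '/',
			'URL' => WEBPATH . '/' . USER_PLUGIN_FOLDER . '/',
			'alias' => sprintf(gettext('Third party plugins (%s)'), USER_PLUGIN_FOLDER),
			'accessControl' => 'access'
		);
		$opts['roots'][4] = $volumeDefaults + array(
			'startPath' => SERVERPATH . '/' . DATA_FOLDER . '/',
			'path' => SERVERPATH . '/' . DATA_FOLDER . '/',
			'URL' => WEBPATH . '/' . DATA_FOLDER . '/',
			'alias' => sprintf(gettext('Zenphoto data (%s)'), DATA_FOLDER),
			'accessControl' => 'access'
		);
		$opts['roots'][5] = $volumeDefaults + array(
			'startPath' => SERVERPATH . '/' . BACKUPFOLDER . '/',
			'path' => SERVERPATH . '/' . BACKUPFOLDER . '/',
			'URL' => WEBPATH . '/' . BACKUPFOLDER . '/',
			'alias' => sprintf(gettext('Backup files (%s)'), BACKUPFOLDER),
			'accessControl' => 'access'
		);
	}
} else {
	// Any other origin: upload folder only, images allowed, script-like and
	// HTML uploads denied.
	if (zp_loggedin(FILES_RIGHTS)) {
		$opts['roots'][0] = $volumeDefaults + array(
			'startPath' => SERVERPATH . '/' . UPLOAD_FOLDER . '/',
			'path' => SERVERPATH . '/' . UPLOAD_FOLDER . '/',
			'URL' => WEBPATH . '/' . UPLOAD_FOLDER . '/',
			'alias' => sprintf(gettext('Upload folder (%s)'), UPLOAD_FOLDER),
			'uploadAllow' => array('image'),
			'accessControl' => 'access',
			'uploadDeny' => array('text/x-php', 'text/html', 'application')
		);
	}
}

// Hand the assembled options to elFinder and serve the request.
$connector = new elFinderConnector(new elFinder($opts));
$connector->run();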