Project website
Project wiki
Contact at jeremydev.ovh
just run yarn install and then yarn dev or yarn prod
for now :
-
add this to a laravel project with composer, you can use this as a local project, in your composer.json :
"repositories": { "kwaadpepper/laravel-omen": { "type": "path", "url": "pathTo/laravel-omen-git-pull-from-github.git", "options": { "symlink": true } } }, -
then
composer require kwaadpepper/laravel-omen -
navigate to vendor/kwaadpepper/laravel-omen and
run yarn prod, then access the url/omenfilemanagerwithin your laravel project
You can override --tag=config, --tag=assets, --tag=views, --tag=lang :
php artisan vendor:publish --provider="Kwaadpepper\Omen\Providers\OmenServiceProvider" --tag=assets
If you are using local storage and dont need to set files to private you can use this
sudo php artisan omen:link
Notes
-
About contributions
Please report any vulnerabilities found or make a PR at your convenience. Everyone is welcome. If you wish, you can appear on a list of contributors visible on the about page. Your GitHub information visible on the commit will be used (name and email, or just the name) If you explicitly declared it in your PR. You must agree to publish with the MIT license because the project license is defined as is. Your contribution will be reviewed first before the merger. Please refer to the PR section. If you want to report something, just open an issue ticket.
-
About CSRF
Use is made of the Laravel built-in CSRF system token. In addition, an Ajax CSRF token is used for every request (even if only write operation should require it).
-
About CSP policies
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
This lib uses a CSP strategy on all its assets requirements (CSS, JS) using nonce. This is configurable through the config file ('omen.csp')
-
About X-Frame-Options
X-Frame-Options is sent to the client to prevent click jacking (iframe embed) https://www.keycdn.com/blog/x-frame-options false => X-Frame-Options: deny true => X-Frame-Options: sameorigin
-
About X-Content-Type-Options
Used againts mime sniffing to prevent cross site scripting. Thus, any file served will be treated with the type declared by the server https://www.keycdn.com/support/x-content-type-options This is always set to no sniff, and is not configurable
-
About Referrer-Policy
https://openweb.eu.org/articles/referrer-policy
No tracking is needed by Omen, and it dont want to be tracked also BTW. So Referrer-Policy is set to no-referrer. This is not configurable since there is no need to.
-
About Feature-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
All enabled features are set to self, since Omen provides all the libs. No CDN is used for security purpose. Alose to enable the use on offlines networks. Only down side of this is Google Api to display docs wont be available. Only use is made of:
-
autoplay for video
-
fullscreen for multiple files type view
-
layout-animations for Omen interface to display
-
legacy-image-formats
This policy controls the ability of the document to render images in legacy image formats. These are defined as any format other than JPEG, PNG, GIF, WEBP, or SVG. TODO Inspect Display possibilities on images formats
-
midi
TODO can midi file be played ?
-
navigation-override
-
oversized-images
-
picture-in-picture for video play
-
sync-xhr For ajax queries
accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; layout-animations 'self'; legacy-image-formats 'self'; magnetometer 'none'; microphone 'none'; midi 'self'; navigation-override 'self'; oversized-images 'self; payment 'none'; picture-in-picture 'self'; publickey-credentials-get 'none'; sync-xhr 'self'; usb 'none'; vr 'none'; wake-lock 'none' xr-spatial-tracking 'none';
-
-
About max upload size
Because upload is ajax handled yt has to be changed on
php.inior.htaccess, two values needs to be changed: 'upload_max_filesize' and 'post_max_size'You can put this in
public/.htaccessphp_value post_max_size 2M php_value upload_max_filesize 2MBecause upload is ajax handled, it sends chunks of 2M size. Then if you want to set a limit just change maxUploadSize to something like
'3M'or3145728 -
About file names
File names are always lower cased on created, this is for Windows compatibility since windows file names are not case sensible which means windows will threat 'file.pdf' 'File.pdf' as the same file whereas on a Unix based it will not.
-
About unit tests
Include unit tests using Orchestra, just run
phpunitfrom project folder aftercomposer install -
About Tinymce
To use with tinymce you will have to set useXFrameOptions to true, in order to allow the display omen in a iframe
Here is an example, you must set
external_filemanager_pathwith directive@omenPath()and register the omen pluginexternal_pluginswith{ "omen": "@tinymcePluginPath()" }tinymce.init({ selector: "#tinymce" , plugins: [ "advlist autolink link image lists charmap print preview hr anchor pagebreak" , "searchreplace wordcount visualblocks visualchars insertdatetime media nonbreaking" , "table directionality emoticons paste omen code" ] , toolbar1: "undo redo | bold italic underline | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent | styleselect" , toolbar2: "| omen | link unlink anchor | image media | forecolor backcolor | print preview code " , image_advtab: true , external_filemanager_path: "@omenPath()" , external_plugins: { "omen": "@tinymcePluginPath()" } }); -
About CKEditor
To use with CKEditor no need for iframe autorization. However you will have to set it as the default filemanager. You will have to set
filebrowserImageBrowseUrlwith this directive@omenPath(type=image&editor=ckeditor)and eventuallyfilebrowserBrowseUrlwith this directive @omenPath(editor=ckeditor)CKEDITOR.editorConfig = function(config) { config.language = "en"; config.uiColor = "#F7B42C"; config.height = 300; config.toolbarCanCollapse = true; config.extraPlugins = "omen"; config.filebrowserImageBrowseUrl = "@omenPath(type=image&editor=ckeditor)"; config.filebrowserBrowseUrl = "@omenPath(editor=ckeditor)"; }; CKEDITOR.replace("ckeditor");
Some thing good to know is that it is possible to restrict file types to be used with url directive:
eg: add url GET parameter type=image to use image only or type=archives
-
About standalone button
You can use a standalone button to call the file manager if you want to.
First insert the plugin (requires
jquery) in you html file<html> ... <head> ... @omenButton() </head> ... </html>Create an input on your page
<div class="input-group"> <span class="input-group-btn"> <a id="omenButton" data-input="textInput" class="btn btn-primary"> <i class="fa fa-picture-o"></i> Open file </a> </span> <input id="textInput" class="form-control" type="text" name="filepath"> </div>Call the plugin on your button
$(document).ready(function() { $('#omenButton').omenButton('image'); });omenButtonfunction accepts file, image, audio, video, archive in case you want to restrict file typesYou may want to look at
resources/js/plugins/omen.Button.jquery.plugin.min.jsif you want to call with js the file manager via popup
Whishlit
- cross domain support for tinymce and ckeditor ?
- Video stream, with optionnal ffmepg => Mpeg-Dash or HLS ? https://github.com/pascalbaljetmedia/laravel-ffmpeg
- Resize image keep ratio function
- global search file
- change visibility
- more global actions such as mass delete
- use thumbnails for images
- allow delete non empty dir, confirm delete non empty dirs
- more front end unit test with Dusk
- test functions with chromium
- extensive test on mobile
- make button reset filters
Jérémy Munsch
https://jereymdev.ovh/contact
[email protected]