Feature Request: Folder-Based Access Levels for Users

[aggm0802]

I would like to propose an enhancement to the current authentication system by introducing folder-based access levels for users.

Currently, it is possible to define users in $auth_users, but access control is limited and does not fully restrict navigation across directories. In many real-world use cases, especially when managing multiple users, it is important to ensure that each user can only access a specific folder and its subdirectories.

Proposed Feature

Add support for defining a base directory per user, where:

• Each user is restricted to a specific folder
• Users cannot navigate to parent directories (../)
• Users can only access their assigned folder and its subfolders

Example configuration:

1st step

Replace the following existing code:

$auth_users = array(
    'admin' => '$2y$10$/K.hjNr84lLNDt8fTXjoI.DBp6PpeyoJ.mGwrrLuCZfAwfSAGqhOW', //admin@123
    'user' => '$2y$10$Fg6Dz8oH9fPoZ2jJan5tZuv6Z4Kp7avtQ9bDfrdRntXtPeiMAZyGO' //12345
);

With this code:

$auth_users = array(
    'admin' => [
        'password' => '$2y$10$/K.hjNr84lLNDt8fTXjoI.DBp6PpeyoJ.mGwrrLuCZfAwfSAGqhOW', //admin@123
        'path' => ''
    ],
    'user' => [
        'password' => '$2y$10$Fg6Dz8oH9fPoZ2jJan5tZuv6Z4Kp7avtQ9bDfrdRntXtPeiMAZyGO' //12345
        'path' => 'dashboard'
    ]
);

2st step

Replace the following existing code:

if (!isset($_GET['p']) && empty($_FILES)) {
    fm_redirect(FM_SELF_URL . '?p=');
}

With this code:

$base = $_SESSION[FM_SESSION_ID]['base_path'] ?? '';
$current_path = $_GET['p'] ?? '';

$base = trim($base, '/');
$current_path = trim($current_path, '/');

if (!empty($base)) {
    if ($current_path === '' || strpos($current_path, $base) !== 0) {
        fm_redirect(FM_SELF_URL . '?p=' . urlencode($base));
        exit;
    }
}

3st step

Replace the following existing code:

if (function_exists('password_verify')) {
            if (isset($auth_users[$_POST['fm_usr']]) && isset($_POST['fm_pwd']) && password_verify($_POST['fm_pwd'], $auth_users[$_POST['fm_usr']]) && verifyToken($_POST['token'])) {
                $_SESSION[FM_SESSION_ID]['logged'] = $_POST['fm_usr'];
                fm_set_msg(lng('You are logged in'));
                fm_redirect(FM_SELF_URL);
            } else {
                unset($_SESSION[FM_SESSION_ID]['logged']);
                fm_set_msg(lng('Login failed. Invalid username or password'), 'error');
                fm_redirect(FM_SELF_URL);
            }
        } else {
            fm_set_msg(lng('password_hash not supported, Upgrade PHP version'), 'error');;
        }

With this code:

if (function_exists('password_verify')) {
            $user = $_POST['fm_usr'];
			$pass = $_POST['fm_pwd'];

			if (
				isset($auth_users[$user]) &&
				isset($auth_users[$user]['password']) &&
				password_verify($pass, $auth_users[$user]['password']) &&
				verifyToken($_POST['token'])
			) {
                $_SESSION[FM_SESSION_ID]['logged'] = $_POST['fm_usr'];
				$_SESSION[FM_SESSION_ID]['base_path'] = $auth_users[$user]['path'];
                fm_set_msg(lng('You are logged in'));
                fm_redirect(FM_SELF_URL);
            } else {
                unset($_SESSION[FM_SESSION_ID]['logged']);
                fm_set_msg(lng('Login failed. Invalid username or password'), 'error');
                fm_redirect(FM_SELF_URL);
            }
        } else {
            fm_set_msg(lng('password_hash not supported, Upgrade PHP version'), 'error');;
        }

4st step

To avoid session persistence issues, it's important to also clear the base path when logging out.

Add this line after every occurrence of:

unset($_SESSION[FM_SESSION_ID]['logged']);

Add:

unset($_SESSION[FM_SESSION_ID]['base_path']);

Download Full Code Modified Below:

index.php