Server configuration for PHP websites

A number of options are available in the server-side configuration file.
They are located in the alphamanager/config.json file and affect several restrictions, including security constraints.

List of options

FILES_ROOT: string
Default value: ./uploads
Root directory path for uploaded files on the server. An absolute path is recommended over a relative one. If nothing is set, the alphamanager/uploads path will be used. To avoid issues, we recommend setting an absolute path from the server's root, such as /custom_uploads (meaning something like /var/www/custom_uploads). No trailing slash (/), please.
MAX_FILE_SIZE: integer
Default value: 10000000
Maximum size of each uploaded file in bytes. If an image or file is larger than this value, the upload will be rejected.
MAX_IMAGE_WIDTH: integer
Default value: 0
Maximum width allowed for an image. If the width of the image exceeds it, the image will not be uploaded.
MAX_IMAGE_HEIGHT: integer
Default value: 0
Maximum height allowed for an image. If the height of the image exceeds it, the image will not be uploaded.
RESIZE_IMAGE_WIDTH: integer
Default value: 0
If the width of an uploaded image is larger than RESIZE_IMAGE_WIDTH, it will be resized to fit. A value of 0 means no width constraint.
RESIZE_IMAGE_HEIGHT: integer
Default value: 0
If the height of an uploaded image is larger than RESIZE_IMAGE_HEIGHT, it will be resized to fit. A value of 0 means no height constraint.
FORBIDDEN_UPLOADS: string
Default value: "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess"
The list of extensions that are forbidden to upload to the server. This list also applies to the file rename feature.
ALLOWED_UPLOADS: string
Default value: blank
Available values:
The whitespace-separated list of allowed extensions for uploaded and renamed files. If this value is not blank, all extensions other than those listed here will be forbidden by the server.
FILEPERMISSIONS: integer
Default value: 0644
Unix permissions to set on uploaded files. 0644 means read/write for the owner, and read for the group and others. Read more about Unix permissions format.
DIRPERMISSIONS: integer
Default value: 0755
Unix permissions for new directories.
STORE_PREVIEWS_DIR: string
Default value: cache
The path to the directory with previews generated for images. By default this path leads to alphamanager/cache. You can erase the contents of this folder at any moment.
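
How the FORBIDDEN_UPLOADS and ALLOWED_UPLOADS rules described above combine, as an added PHP example (not Alpha Manager's own code). The helper name extensionPermitted, the choice to test every dot-separated segment of the name, the shortened forbidden list and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration, not Alpha Manager's own code. extensionPermitted() is a
// hypothetical helper; both lists use the whitespace-separated format of
// config.json.
function extensionPermitted(string $name, string $allowed, string $forbidden): bool
{
    $toList = function (string $s): array {
        return preg_split('/\s+/', strtolower($s), -1, PREG_SPLIT_NO_EMPTY);
    };
    $allow = $toList($allowed);
    $deny  = $toList($forbidden);

    // Normalise first: keep only the file name, lower-case it, and drop
    // trailing dots and spaces so "a.php." is judged as "a.php".
    $base = rtrim(strtolower(basename(str_replace('\\', '/', $name))), '. ');
    $segments = explode('.', $base);
    array_shift($segments);              // what is left are the extensions
    $segments = array_values(array_filter($segments, 'strlen'));

    if ($segments === []) {
        return $allow === [];            // no extension: passes only without an allow list
    }
    // Assumption: every segment is checked against the forbidden list, because
    // some web server setups choose a handler from an inner extension as well.
    foreach ($segments as $ext) {
        if (in_array($ext, $deny, true)) {
            return false;
        }
    }
    // A non-blank allow list forbids everything it does not name.
    return $allow === [] || in_array(end($segments), $allow, true);
}

// Constructed sample input; $forbidden is a shortened copy of the default list.
$forbidden = 'php phtml sh exe htaccess';
foreach (['photo.JPG', 'notes.txt', 'page.php.jpg', 'run.sh.', '.htaccess'] as $f) {
    printf("%-14s with allow list: %-3s  forbidden list only: %s\n", $f,
        extensionPermitted($f, 'jpg png gif', $forbidden) ? 'yes' : 'no',
        extensionPermitted($f, '', $forbidden) ? 'yes' : 'no');
}
```

With a non-blank ALLOWED_UPLOADS the forbidden list becomes a second line of defence rather than the only one, which is why notes.txt passes only when the allow list is blank.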

Features configuration

All features are enabled by default and point to the correct URLs of the corresponding PHP handlers. This is the default code fragment for them, which you can see in json.conf:

"DIRLIST":             "php/dirtree.php",
"CREATEDIR":           "php/createdir.php",
"DELETEDIR":           "php/deletedir.php",
"MOVEDIR":             "php/movedir.php",
"COPYDIR":             "php/copydir.php",
"RENAMEDIR":           "php/renamedir.php",
"FILESLIST":           "php/fileslist.php",
"UPLOAD":              "php/upload.php",
"DOWNLOAD":            "php/download.php",
"DOWNLOADDIR":         "php/downloaddir.php",
"DELETEFILE":          "php/deletefile.php",
"MOVEFILE":            "php/movefile.php",
"COPYFILE":            "php/copyfile.php",
"RENAMEFILE":          "php/renamefile.php",
"GENERATETHUMB":       "php/thumb.php"

If you want to disable a feature, just set its handler URL to blank and File Manager will block that feature.

For example, if you want to block the file upload feature, change the code this way:

"UPLOAD":               "",

and the feature will be turned off on the server side. Note that the button on the client side will become invisible in this case too.

Security

Use the checkAccess function from the alphamanager/php/security.inc.php file to restrict unauthorized access to the Alpha Manager.

You can add any security checks there. For example, suppose your CMS sets the username in the $GLOBALS['username'] variable and you need to allow only the administrator account to work with the file manager. In this case this code can help you:

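function checkAccess($action){
  // Start the session if the CMS has not already done so
  if (!session_id())
    session_start();
  // Stop unless the CMS has set the username to the administrator account.
  // isset() covers a missing value; !== avoids PHP's loose type juggling.
  if (!isset($GLOBALS['username']) || $GLOBALS['username'] !== 'administrator')
    die;
}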

If access to File Manager is public, you do not need to change anything in this file.

Cross domain uploads

By default, File Manager already supports cross-domain file and image uploads, so you do not need to configure anything.
But if you want to change something, go to the file alphamanager/php/security.inc.php and find this line:

header('Access-Control-Allow-Origin: *');

The code above means that every website that wants to use the server side of File Manager will have access to it. If you want to turn off such access completely, just comment out or remove this line:

// header('Access-Control-Allow-Origin: *');

If your website is located on one and only one domain (but your uploader is on another one) and you want to grant access to it only, specify its URL in this option:

header('Access-Control-Allow-Origin: http://your-domain.com');
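
Going beyond the single-domain case above, this added PHP example (not Alpha Manager's own code) grants access to several named origins by echoing back an Origin only when it is on a list. The function name corsHeadersFor and the listed origins are placeholders.

```php
<?php
// Added illustration, not Alpha Manager's own code. corsHeadersFor() and the
// origins below are hypothetical placeholders.
const ALLOWED_ORIGINS = [
    'https://your-domain.com',
    'https://cms.your-domain.com',
];

// Return the CORS headers to send for a given Origin request header.
function corsHeadersFor(?string $origin): array
{
    // The response differs per origin, so caches must key on it.
    $headers = ['Vary: Origin'];
    // Exact match of scheme + host + port. No substring or suffix matching:
    // "https://your-domain.com.example.net" must not pass.
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    }
    return $headers;   // unlisted origins get no Allow-Origin header at all
}

// In security.inc.php this loop would take the place of the wildcard header line.
foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null) as $h) {
    header($h);
}

// Constructed sample origins, shown only when the file is run from the CLI.
if (PHP_SAPI === 'cli') {
    $samples = ['https://your-domain.com', 'https://your-domain.com.example.net', null];
    foreach ($samples as $o) {
        echo var_export($o, true), ' => ', implode(' | ', corsHeadersFor($o)), "\n";
    }
}
```

The Access-Control-Allow-Origin header accepts either * or one origin, so a list has to be handled by checking the request's Origin on the server as done here.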