jquery file upload behind htaccess

StackOverflow https://stackoverflow.com/questions/22244942

  •  10-06-2023
  •  | 
  •  

Question

I have a problem on my website: I've installed the jquery file upload plugin in admin folder containing an htacces file. This files contains :

php_value upload_max_filesize 60M
php_value post_max_size 60M
php_value max_execution_time 800

AuthUserFile "/path/to/my/htusers"
AuthType Basic
AuthName "ADMIN"
require valid-user
<Files htusers>
deny from all
</Files>

The files are uploaded in the upload folder which is outside the admin folder. The images are displayed but when I click on delete i got this as answer:

401 Authorization Required
Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

And after click on delete I have to login again using htaccess.

Did I miss something ?

Someone answered me that the uploaded files had to be under the same htacces that jquery file upload but not better. My files looks like:

/
    - admin
        - .htaccess
        - upload
        - plugins
            - jquery file upload
                - ...

Files are uploaded into the upload folder.

Edit : maybe the problem comes from the data-url which contains the username : 

http://admin@localhost/fspva/admin/plugins/jfile_upload/server/php/
?file=../../../../../upload/galerie/23/135x135.jpg&_method=DELETE

I tried to set 'access_control_allow_credentials' to false but the URL is the same...

The solution is:

For me the problem was the remote user in the url. So I commented the line :

//(!empty($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'].'@' : '').

And now the user name doesn't appear anymore in the url and the deletion works even if the upload folder is not under the same htaccess.

Was it helpful?

Solution

The solution is:

For me the problem was the remote user in the url. So I commented the line :

//(!empty($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'].'@' : '').

And now the user name doesn't appear anymore in the url and the deletion works even if the upload folder is not under the same htaccess

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top