diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..d2281f4 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,646 @@ +# Changelog + +## Changes 4/6/2025 v1.0.8 + +**May need to log out and log back in if using remember me** + +Changelog: Modularize fileManager.js + +1. **fileListView.js** + • Extracted all table/gallery rendering logic (loadFileList, renderFileTable, renderGalleryView, sortFiles, date parsing, pagination). + • Kept global helpers on window (changePage, changeItemsPerPage). + • Added explicit re‑binding of context‑menu and drag‑drop handlers after each render. +2. **filePreview.js** + • Moved “Preview” and “Share” modal code here (previewFile, openShareModal, plus displayFilePreview helper). + • Exposed window.previewFile for inline onclick compatibility. +3. **fileEditor.js** + • Isolated CodeMirror editor logic (editFile, saveFile, sizing, theme toggles). + • Exported utility functions (getModeForFile, adjustEditorSize, observeModalResize). +4. **fileDragDrop.js** + • Encapsulated all drag‑start and folder drag/drop handlers (fileDragStartHandler, folderDragOverHandler, etc.). +5. **fileMenu.js** (formerly contextMenu.js) + • Centralized right‑click context menu construction and binding (showFileContextMenu, fileListContextMenuHandler, bindFileListContextMenu). + • Now calls the correct single vs. multi‑tag modals. +6. **fileActions.js** + • Consolidated all “Delete”, “Copy”, “Move”, “Download Zip”, “Extract Zip”, “Rename” workflows and their modals. + • Exposed initFileActions() to wire up toolbar buttons on page load. +7. **fileManager.js** (entry point) + • Imports all the above modules. + • On DOM ready: calls initFileActions(), attaches folder tree drag/drop, and global key handlers. + +Changelog: OIDC, Basic Auth & TOTP Integration + +1. **auth.php (OIDC)** + • Detects callback via `?code` or `?oidc=callback`. + • Checks for a TOTP secret after OIDC auth, stores pending login in session, redirects with `?totp_required=1`. + • Finalizes session only after successful TOTP verification. + +2. **login_basic.php (Basic Auth)** + • After password verification, checks for TOTP secret. + • Stores pending login & secret in session, redirects to TOTP modal. + • Completes session setup only after TOTP verification. + +3. **authModals.js & auth.js** + • Detect `?totp_required=1` and open the TOTP modal. + • Override `showToast` to suppress “Please log in…” during TOTP. + • Wrap `openTOTPLoginModal` to disable Basic/OIDC buttons (but keep form-login visible). + • On invalid TOTP code, keep modal open, clear input, and refocus for retry. + +4. **totp_verify.php** + • Consolidates login and setup TOTP flows in one endpoint. + • Enforces CSRF token and authentication guard. + • Verifies TOTP, regenerates session on success, and clears pending state. + • Production‑hardened: secure cookies, CSP header, rate‑limiting (5 attempts), standardized JSON responses, and robust error handling. + +--- + +## changes 4/4/2025 + +- fix(`download.php`): mitigate path traversal vulnerability by validating folder and file inputs +- Fixed OIDC login button DOM. +- Fixed userPermissions calling username before declared. +- Fixed config.php loadUserPermissions issue. +- Chain Initialization After CSRF Token Is Loaded +- loadCsrfTokenWithRetry + +--- + +## changes 4/3/2025 + +Change Log for dragAndDrop.js Enhancements + +- **Header Drop Zone Integration:** + - Added a new header drop zone (`#headerDropArea`) to support dragging cards (Upload and Folder Management) into the header. + - Created functionality to display a compact Material icon in the header when a card is dropped there. + +- **Modal Popup for Header Cards:** + - Implemented a modal overlay that displays the full card when the user hovers or clicks the header icon. + - Added toggle functionality so that the modal can be locked open or auto-hide based on mouse interactions. + +- **State Preservation via Hidden Container:** + - Introduced a hidden container (`#hiddenCardsContainer`) to preserve the original state of the Upload and Folder Management cards. + - Modified logic so that instead of removing these cards from the DOM when dropped into the header, they are moved to the hidden container. + - Updated modal show/hide functions to move the card from the hidden container into the modal (and back), ensuring interactive elements (e.g., folder tree, file selection) remain fully initialized and retain their state across page refreshes. + +- **Local Storage Integration for Header Order:** + - Added `saveHeaderOrder()` and `loadHeaderOrder()` functions to persist the header drop zone order. + - Integrated header order saving/updating with drag-and-drop events so that header placements are maintained after refresh. + +- **General Drag & Drop Enhancements:** + - Maintained smooth drag-and-drop animations and reflow for all drop zones (sidebar, top, and header). + - Ensured existing functionalities (like file uploads and folder tree interactions) work seamlessly alongside the new header drop zone. + +## Brief Description + +The enhancements extend the existing drag-and-drop functionality by adding a header drop zone where cards are represented by a compact Material icon. To preserve interactive state (such as the folder tree’s current folder or file input functionality) across page refreshes, the original cards are never fully removed from the DOM. Instead, they are moved into a hidden container, and when a user interacts with the header icon, the card is temporarily transferred into a modal overlay for full interaction. When the modal is closed, the card is returned to the hidden container, ensuring that its state remains intact. Additionally, header order is saved to local storage so that user-customized layouts persist across sessions. + +--- + +## changes 4/2/2025 + +- **Admin Panel - User Permissions** + - folderOnly - User gets their own root folder. + - readOnly - User can't delete, rename, move, copy and other endpoints are blocked. + - disableUpload - User can't upload any files. + - Encrypted json 'userPermissions.json' + - Created 'updateUserPermissions.php' & 'getUserPermissions.php' + +- **TOTP Confirmation** + - Must confirm code before it will enable TOTP. + - 'totp_verify.php' & 'totp_disable.php' were created + +- **Basic Auth & OIDC fixes** + - Fixed session issues + - Improvements for both Basic Auth & OIDC + +- Path Normalization +- Folder Rendering Adjustments +- Folder Creation Logic adjusted +- User Panel added username +- Admin Panel added version number +- Metadata Adjustments +- Toast moved to bottom right +- Help function 'loadUserPermissions()' +- 'auth.js' split into 'authModals.js' +- Empty 'createdTags.json' added +- Enable MKV video playback if supported +- Custom toast opacity increased +- Fixed fileDragStartHandler to work with tagFiles +- And more + +--- + +## changes 3/31/2025 + +- **Chunk merging logic updated to attempt to clear any resumable issues** + +- **Implemented Video Progress Saving and Resuming** + +- **Context Menu Tagging:** + - "Tag File" option for single files; "Tag Selected" for multiple files. +- **Tagging Modals:** + - Separate modals for single‑ and multi‑file tagging with custom dropdowns. +- **Global Tag Store:** + - Reusable tags persisted via `createdTags.json`; dropdown shows tag color and remove icon. +- **Unified Search:** + - Single search box filters files by name or associated tag(s). + +- **saveFileTag.php:** + - Saves file-specific tags and updates global tags (supports removal). +- **getFileList.php:** + - Returns tag data for each file and the global tag list. + +- Added `openMultiTagModal()` for batch tagging. +- Custom dropdowns with colored tag previews and removal buttons. +- Filtering logic updated in table and gallery views to combine file name and tag searches. + +## changes 3/30/2025 + +- **New Feature:** Generates a QR code for TOTP setup using the Endroid QR Code library. +- **TOTP Secret Management:** + - Retrieves the current user's TOTP secret from the users file. + - If no secret exists, generates a new one using RobThree\Auth\TwoFactorAuth and stores it (encrypted). +- **Global OTPAuth URL Integration:** + - Checks for a global OTPAuth URL in the admin configuration. + - If provided, replaces the `{label}` and `{secret}` placeholders in the URL template; otherwise, falls back to a default otpauth URL. +- **Security:** + - Enforces session authentication. + - Verifies the CSRF token passed via GET parameters. + +- **New Feature:** Handles AJAX requests to update the user’s TOTP settings from the User Panel. +- **TOTP Enable/Disable Handling:** + - If TOTP is disabled, clears the user's TOTP secret from the users file. + - If TOTP remains enabled, leaves the stored secret intact. +- **Security:** + - Validates user authentication and CSRF token before processing the update. +- **Response:** + - Returns a JSON response indicating whether TOTP has been enabled or disabled successfully. + +- **New TOTP Settings Section:** + - A "TOTP Settings" fieldset has been added to the User Panel modal. +- **Automatic TOTP Setup Trigger:** + - When the "Enable TOTP" checkbox is checked, it automatically triggers the TOTP Setup Modal to display the QR code. +- **State Management** +- **UI Improvements:** + - All modals (User Panel, TOTP Setup, and TOTP Login) now support dark mode styling. + +- **Error Handling & Security:** + - Enhanced error handling across all new TOTP-related endpoints. + - Added extra CSRF and authentication checks to improve security. +- **User Experience:** + - Streamlined the onboarding process for TOTP by integrating automatic modal triggers and real-time configuration updates. + +--- + +## changes 3/29/2025 + +**Frontend (JavaScript)** + +**File:** `auth.js` + +- **Added OIDC Login Flow** + - Created a dedicated OIDC login button (`oidcLoginBtn`). + - Redirects users to OIDC authentication via `auth.php?oidc`. + +- **Admin Panel Button** + - Added an “Admin Panel” button (`adminPanelBtn`) with a Material icon (`admin_panel_settings`). + - Inserted Admin Panel button directly after the Restore button in the header. + +- **Admin Panel Modal** + - Built a fully-featured admin panel modal with fields to edit: + - OIDC Provider URL + - Client ID + - Client Secret + - Redirect URI + - Options to disable Form Login, Basic Auth, or OIDC login methods individually. + - Integrated real-time constraint enforcement to ensure at least one authentication method is always enabled. + - Saved admin preferences into local storage and backend (via `updateConfig.php`). + +- **Dynamic UI Updates** + - Added functions (`updateLoginOptionsUI`, `updateLoginOptionsUIFromStorage`) to dynamically show/hide login elements based on admin preferences. + +⸻ + +**Backend (PHP)** + +**File:** `auth.php` + +- **OIDC Authentication** + - Integrated Jumbojett’s OpenID Connect client to handle OIDC flows. + - Reads OIDC configuration from an encrypted JSON file (`adminConfig.json`). + - Redirects users to OIDC provider and handles callbacks properly, authenticating users and initiating PHP sessions. + +- **Security Enhancements** + - Implemented robust error handling for authentication failures. + - Session regeneration after successful login to mitigate session fixation risks. + +**Configuration Handling** + +**File:** `getConfig.php` + +- **Secure Configuration Retrieval** + - Retrieves encrypted OIDC configuration from disk. + - Decrypts and sends JSON configuration securely to the frontend. + - Defaults provided if configuration does not exist. + +**File:** `updateConfig.php` + +- **Secure Configuration Updates** + - Strictly checks for authenticated admin sessions and validates CSRF tokens. + - Validates and sanitizes user input thoroughly (OIDC URL, client ID, secret, redirect URI). + - Updates encrypted configuration file securely, ensuring atomic writes (`LOCK_EX`). + +- **Consistent Styling** + - Modal dynamically adjusts styling based on dark/light modes. + - Improved accessibility with clear icons, visual hierarchy, and structured form fields. + +- **Enhanced Feedback** + - Toast notifications clearly communicate success/error messages for user/admin actions. + +⸻ + +**Security and Best Practices** + +- OIDC credentials are securely stored in an encrypted JSON configuration file. +- Implemented proper sanitization and validation of input data. +- Protected sensitive admin routes (`updateConfig.php`) with CSRF validation and strict access control. + +⸻ + +**Possible Improvements** + +- **OIDC Logout Support:** Add explicit logout from OIDC providers. +- **OIDC Discovery Endpoint:** Automatically fetch provider details from `.well-known/openid-configuration`. +- **Advanced User Mapping:** Allow administrators to map OIDC claims to internal user roles dynamically. + +--- + +## changes 3/27/2025 + +- Basic Auth added for login. +- Audio files supported for playback mp3|wav|m4a|ogg|flac|aac|wma|opus + +--- + +## changes 3/26/2025 + +- New name change FileRise - Elevate your file management. +- Animated logo that rises up once for 3 seconds and falls back down +- New Side Bar and Top Bar drop areas + - Drag and Drop Upload & Folder Management cards + - Vertical slide up effect when dropping cards +- Fixed double root folders when only root folder exist +- Adjusted side bar drop zone + +--- + +## changes 3/25/2025 + +- **Context Menu Enhancements:** + - **Right‑Click Context Menu:** + - Added context menu support for file list rows so that right‑clicking shows a custom menu. + - When multiple files are selected, options like “Delete Selected”, “Copy Selected”, “Move Selected”, “Download Zip” are shown. + - When a file with a “.zip” extension is among the selections, an “Extract Zip” option is added. + - **Single File Options:** + - For a single selected file, additional items (“Preview”, “Edit”, and “Rename”) are appended. + - The “Edit” option appears only if `canEditFile(file.name)` returns true. +- **Keyboard Shortcuts:** + - **Delete Key Shortcut:** + - Added a global keydown listener to detect the Delete (or Backspace on Mac) key. + - When pressed (and if no input/textarea is focused) with files selected, it triggers `handleDeleteSelected()` to open the delete confirmation modal. +- **Modals & Enter-Key Handling:** + - **attachEnterKeyListener Update:** + - Modified the function to use the “keydown” event (instead of “keypress”) for better reliability. + - Ensured the modal is made focusable (by setting a `tabindex="-1"`) and focused immediately after being displayed. + - This update was applied to modals for rename, download zip, and delete operations. + - **Delete Modal Specific:** + - It was necessary to call `attachEnterKeyListener` for the delete modal after setting its display to “block” to ensure it captures the Enter key. +- **File Editing Adjustments:** + - **Content-Length Check:** + - Modified the `editFile` function so that it only blocks files when the Content-Length header is non‑null and greater than 10 MB. + - This change allows editing of 0 KB files (or files with Content-Length “0”) without triggering the “File too large” error. + +- **Context Menu for Folder Manager:** + - Provided a separate implementation for a custom context menu for folder manager elements. + - Bound the context menu to both folder tree nodes (`.folder-option`) and breadcrumb links (`.breadcrumb-link`) so that right‑clicking on either triggers a custom menu. + - The custom menu for folders includes actions for “Create Folder”, “Rename Folder”, and “Delete Folder.” + - Added guidance to ensure that breadcrumb HTML elements contain the appropriate class and `data-folder` attribute. +- **Keyboard Shortcut for Folder Deletion (Suggestion):** + - Suggested adding a global keydown listener in `folderManager.js` to trigger folder deletion (via `openDeleteFolderModal()`) when Delete/Backspace is pressed and a folder other than “root” is selected. + +- **Event Listener Timing:** + - Ensured that context menu and key event listeners are attached after the corresponding DOM elements are rendered. + - Added explicit focus calls (and `tabindex` attributes) for modals to capture keyboard events. + +--- + +## changes 3/24/2025 + +### config.php + +- **Encryption Functions Added:** + - Introduced `encryptData()` and `decryptData()` functions using AES‑256‑CBC to encrypt and decrypt persistent tokens. +- **Encryption Key Handling:** + - Added code to load the encryption key from an environment variable (`PERSISTENT_TOKENS_KEY`) with a fallback default. +- **Persistent Token Auto-Login:** + - Modified the auto-login logic to check for a `remember_me_token` cookie. + - If the persistent tokens file exists, it now reads and decrypts its content before decoding JSON. + - If a token is expired, the code removes the token, re-encrypts the updated array, writes it back to disk, and clears the cookie. +- **Cookie and Session Settings:** + - No major changes aside from integrating the encryption functionality into the token handling. + +### auth.php + +- **Login Process and “Remember Me” Functionality:** + - When “Remember me” is checked, generates a secure random token. + - Loads the persistent tokens file (if it exists), decrypts its content, and decodes the JSON. + - Inserts the new token (with associated username and expiry) into the persistent tokens array. + - Encrypts the updated tokens array and writes it back to the file. + - Sets the `remember_me_token` cookie using the `$secure` flag and expiry. +- **Authentication & Brute Force Protection:** + - The authentication logic and brute-force protection remain largely unchanged. + +### logout.php + +- **Persistent Token Removal:** + - If a `remember_me_token` cookie exists, the script loads the persistent tokens file, decrypts its content, removes the token if present, re-encrypts the array, and writes it back. +- **Cookie Clearance and Session Destruction:** + - Clears the `remember_me_token` cookie. + - Destroys session data as before. + +### networkUtils.js + +- **Fetch Wrapper Enhancements:** + - Modified `sendRequest()` to clone the response before attempting to parse JSON. + - If JSON parsing fails (e.g., because of unexpected response content), the cloned response is used to read the text, preventing the “Body is disturbed or locked” error. +- **Error Handling Improvements:** + - Improved error handling by ensuring the response body is read only once. + +--- + +## changes 3/23/2025 v1.0.1 + +- **Resumable File Upload Integration and Folder Support** + - **Legacy Drag-and-Drop Folder Uploads:** + - Supports both file and folder uploads via drag-and-drop. + - Recursively traverses dropped folders to extract files. + - Uses original XHR-based upload code for folder uploads so that files are placed in the correct folder (i.e. based on the current folder in the app’s folder tree). + - **Resumable.js for File Picker Uploads:** + - Integrates Resumable.js for file uploads via the file picker. + - Provides pause, resume, and retry functionality: + - Pause/Resume: A pause/resume button is added for each file selected via the file picker. When the user clicks pause, the file upload pauses and the button switches to a “play” icon. When the user clicks it again, the system triggers a resume sequence (calling the upload function twice to ensure proper restart). + - Retry: If a file upload encounters an error, the pause/resume button changes to a “replay” icon, allowing the user to retry the upload. + - During upload, the UI displays the progress percentage along with the calculated speed (bytes/KB/MB per second). + - Files are previewed using material icons for non-image files and actual image previews for image files (using a helper function that creates an object URL for image files). + - **Temporary Chunk Folder Removal:** + - When a user cancels an upload via the remove button (X), a POST request is sent to a PHP endpoint (removeChunks.php) that: + - Validates the CSRF token. + - Recursively deletes the temporary folder (which stores file chunks) from the uploads directory. + - **Additional Details:** + - The file list UI remains visible (instead of auto-disappearing after 5 seconds) if there are any files still present or errors, ensuring that users can retry failed uploads. + - The system uses a chunk size of 3MB and supports multiple simultaneous uploads. + - All endpoints include CSRF protection and input validation to ensure secure operations. + +--- + +## changes 3/22/2025 + +- Change Password added and visibile to all users. +- Brute force protection added and a log file for fail2ban created +- Fix add user and setup user issue +- Added folder breadcrumb with drag and drop support + +--- + +## changes 3/21/2025 v1.0.0 + +- **Trash Feature Implementation** + - Added functionality to move deleted files to a Trash folder. + - Implemented trash metadata storage (trash.json) capturing original folder, file name, trashed timestamp, uploader, and deletedBy. + - Developed restore feature allowing admins to restore individual or all files from Trash. + - Developed delete feature allowing permanent deletion (Delete Selected and Delete All) from Trash. + - Implemented auto-purge of trash items older than 3 days. + - Updated trash modal design for better user experience. + - Incorporated material icons with tooltips in restore/delete buttons. + - Improved responsiveness of the trash modal with a centered layout and updated CSS. + - Fixed issues where trashed files with missing metadata were not restored properly. + - Resolved problems with the auto-purge mechanism when trash.json was empty or contained unexpected data. + - Adjusted admin button logic to correctly display the restore button for administrators. + - Improved error handling on restore and delete actions to provide more informative messages to users. +- **Other changes** + - CSS adjusted (this needs to be refactored) + - Fixed setup mode CSRF issue in addUser.php + - Adjusted modals buttons in index.html & folderManager.js + - Changed upload.php safe pattern + - Hide trash folder + - Reworked auth.js + +--- + +## changes 3/20/2025 + +- **Drag & Drop Feature** + - For a single file: shows a file icon alongside the file name. + - For multiple files: shows a file icon and a count of files. + - Styling Adjustments: + - Modified drag image styling (using inline-flex, auto width, and appropriate padding) so that the drag image only sizes to its content and does not extend off the screen. + - Revised the folder drop handler so that it reads the array of file names from the drag data and sends that array (instead of a single file name) to the server (moveFiles.php) for processing. + - Attached dragover, dragleave, and drop event listeners to folder tree nodes (the elements with the class folder-option) to enable a drop target. + - Added a global dragover event listener (in main.js) that auto-scrolls the page when the mouse is near the top or bottom of the viewport during a drag operation. This ensures you can reach the folder tree even if you’re far down the file list. + +--- + +## changes 3/19/2025 + +## Session & Security Enhancements + +- **Secure Session Cookies:** + - Configured session cookies with a 2-hour lifetime, HTTPOnly, and SameSite settings. + - Regenerating the session ID upon login to mitigate session fixation. +- **CSRF Protection:** + - Ensured the CSRF token is generated in `config.php` and returned via a `token.php` endpoint. + - Updated front-end code (e.g. in `main.js`) to fetch the CSRF token and update meta tags. +- **Session Expiration Handling:** + - Updated the `loadFileList` and other functions to check for HTTP 401 responses and trigger a logout or redirect if the session has expired. + +## File Management Improvements + +### Unique Naming to Prevent Overwrites + +- **Copy & Move Operations:** + - Added a helper function `getUniqueFileName()` to both `copyFiles.php` and `moveFiles.php` that checks for duplicates and appends a counter (e.g., “ (1)”) until a unique filename is determined. + - Updated metadata handling so that when a file is copied/moved and renamed, the corresponding metadata JSON (per-folder) is updated using the new unique filename. +- **Rename Functionality:** + - Updated `renameFile.php` to: + - Allow filenames with parentheses by updating the regex. + - Check if a file with the new name already exists. + - Generate a unique name using similar logic if needed. + - Update folder-specific metadata accordingly. + +### Metadata Management + +- **Per-Folder Metadata Files:** + - Changed metadata storage so that each folder uses its own metadata file (e.g., `root_metadata.json` for the root folder and `FolderName_metadata.json` for subfolders). + - Updated metadata file path generation functions to replace slashes, backslashes, and spaces with dashes. + +## Gallery / Grid View Enhancements + +- **Gallery (Grid) View:** + - Added a toggle option to switch between a traditional table view and a gallery view. + - The gallery view arranges image thumbnails in a grid layout with configurable column options (e.g., 3, 4, or 5 columns). + - Under each thumbnail, action buttons (Download, Edit, Rename, Share) are displayed for quick access. +- **Preview Modal Enhancements:** + - Updated the image preview modal to include navigation buttons (prev/next) for browsing through images. + - Improved scaling and styling of preview modals for a better user experience. + +## Share Link Functionality + +- **Share Link Generation (createShareLink.php):** + - Generate shareable links for files with: + - A secure token. + - Configurable expiration times (including options for 30, 60, 120, 180, 240 minutes, and a 1-day option). + - Optional password protection (passwords are hashed). + - Store share links in a JSON file (`share_links.json`) with details (folder, file, expiration timestamp, hashed password). +- **Share Endpoint (share.php):** + - Validate tokens, expiration, and passwords. + - Serve files inline for images or force download for other file types. + - Share URL is configurable via environment variables or auto-detected from the server. +- **Front-End Configuration:** + - Created a `token.php` endpoint that returns CSRF token and SHARE_URL. + - Updated the front-end (in `main.js`) to fetch configuration data and update meta tags for CSRF and share URL, allowing index.html to remain static. + +## Apache & .htaccess / Server Security + +- **Disable Directory Listing:** + - Recommended adding an .htaccess file (e.g., in `uploads/`) with `Options -Indexes` to disable directory indexing. +- **Restrict Direct File Access:** + - Protected sensitive files (e.g., users.txt) via .htaccess. + - Filtered out hidden files (files beginning with a dot) from the file list in `getFileList.php`. +- **Proxy Download:** + - A proxy download mechanism has been implemented (via endpoints like `download.php` and `downloadZip.php`) so that every file download request goes through a PHP script. This script validates the session and CSRF token before streaming the file, ensuring that even if a file URL is guessed, only authenticated users can access it. + +--- + +## changes 3/18/2025 + +- **CSRF Protection:** All state-changing endpoints (such as those for folder and file operations) include CSRF token validation to ensure that only legitimate requests from authenticated users are processed. + +--- + +## changes 3/17/2025 + +- refactoring/reorganize domUtils, fileManager.js & folerManager.js + +--- + +## changes 3/15/2025 + +- Preview video, images or PDFs added +- Different material icons for each +- Custom css to adjust centering +- Persistent folder tree view +- Fixed folder tree alignment +- Persistent last opened folder + +--- + +## changes 3/14/2025 + +- Style adjustments +- Folder/subfolder upload support +- Persistent UI elements Items Per Page & Dark/Light modes. +- File upload scrollbar list +- Remove files from upload list + +--- + +## changes 3/11/2025 + +- CSS Refactoring +- Dark / Light Modes added which automatically adapts to the operating system’s theme preference by default, with a manual toggle option. +- JS inlines moved to CSS + +--- + +## changes 3/10/2025 + +- File Editing Enhancements: + - Integrated CodeMirror into the file editor modal for syntax highlighting, line numbers, and adjustable font size. + - Added zoom in/out controls (“A-” / “A+”) in the editor modal to let users adjust the text size and number of visible lines. + - Updated the save function to retrieve edited content from the CodeMirror instance (using editor.getValue()) instead of the underlying textarea. +- Image Preview Improvements: + - Added a new “Preview” button (with a Material icon) in the Actions column for image files. + - Implemented an image preview modal that centers content using flexbox, scales images using object-fit: contain, and maintains the original aspect ratio. + - Fixed URL encoding for subfolder paths so that images in subfolders (e.g. NewFolder2/Vita) load correctly without encoding slashes. +- Download ZIP Modal Updates: + - Replaced the prompt-based download ZIP with a modal dialog that allows users to enter a custom name for the ZIP file. + - Updated the modal logic to ensure proper flow (cancel/confirm) and pass the custom filename to the download process. +- Folder URL Handling: + - Modified the folder path construction in the file list rendering to split folder names into segments and encode each segment individually. This prevents encoding of slashes, ensuring correct URLs for files in subfolders. +- General UI & Functionality: + - Ensured that all global functions (e.g., toggleRowSelection, updateRowHighlight, and sortFiles) are declared and attached to window so that inline event handlers can access them. + - Maintained responsive design, preserving existing features such as pagination, sorting, batch operations (delete, copy, move), and folder management. + - Updated event listener initialization to work with new modal features and ensure smooth UI interactions. + +--- + +## changes 3/8/2025 + +- Validation was added in endpoints. +- Toast notifications were implemented in domUtils.js and integrated throughout the app. +- Modals replaced inline prompts and confirms for rename, create, delete, copy, and move actions. +- Folder tree UI was added and improved to be interactive plus reflect the current state after actions. + +--- + +## changes 3/7/2025 + +- **Module Refactoring:** + - Split the original `utils.js` into multiple ES6 modules for network requests, DOM utilities, file management, folder management, uploads, and authentication. + - Converted all code to ES6 modules with `import`/`export` syntax and exposed necessary functions globally. +- **File List Rendering & Pagination:** + - Implemented pagination in `fileManager.js` to allow displaying 10, 20, 50, or 100 items per page. + - Added global functions (`changePage` and `changeItemsPerPage`) for pagination control. + - Added a pagination control section below the file list table. +- **Date Sorting Enhancements:** + - Created a custom date parser (`parseCustomDate`) to convert date strings. + - Adjusted the parser to handle two-digit years by adding 2000. + - Integrated the parser into the sorting function to reliably sort “Date Modified” and “Upload Date” columns. +- **File Upload Improvements:** + - Enabled multi-file uploads with individual progress tracking (visible for the first 10 files). + - Ensured that the file list refreshes immediately after uploads complete. + - Kept the upload progress list visible for a configurable delay to allow users to verify upload success. + - Reattached event listeners after the file list is re-rendered. +- **File Action Buttons:** + - Unified button state management so that Delete, Copy, and Move buttons remain visible as long as files exist, and are only enabled when files are selected. + - Modified the logic in `updateFileActionButtons` and removed conflicting code from `initFileActions`. + - Ensured that the folder dropdown for copy/move is hidden when no files exist. +- **Rename Functionality:** + - Added a “Rename” button to the Actions column for every file. + - Implemented a `renameFile` function that prompts for a new name, calls a backend script (`renameFile.php`) to perform the rename, updates metadata, and refreshes the file list. +- **Responsive & UI Tweaks:** + - Applied CSS media queries to hide secondary columns on small screens. + - Adjusted file preview and icon styling for better alignment. + - Centered the header and optimized the layout for a clean, modern appearance. + +*This changelog and feature summary reflect the improvements made during the refactor from a monolithic utils file to modular ES6 components, along with enhancements in UI responsiveness, sorting, file uploads, and file management operations.* + +--- + +## Changes 3/4/2025 + +- Copy & Move functionality added +- Header Layout +- Modal Popups (Edit, Add User, Remove User) changes +- Consolidated table styling +- CSS Consolidation +- assets folder +- additional changes and fixes + +--- + +## Changes 3/3/2025 + +- folder management added +- some refactoring +- config added USERS_DIR & USERS_FILE diff --git a/README.md b/README.md index 0673ec6..97bf5ca 100644 --- a/README.md +++ b/README.md @@ -1,383 +1,178 @@ -# FileRise - Elevate your File Management +# FileRise -**Demo link:** https://demo.filerise.net -**UserName:** demo -**Password:** demo -Read only permissions but can view the interface. +Elevate your File Management – A modern, self-hosted web file manager. +Upload, organize, and share files through a sleek web interface. FileRise is lightweight yet powerful: think of it as your personal cloud drive that you control. With drag-and-drop uploads, in-browser editing, secure user logins (with SSO and 2FA support), and one-click sharing, FileRise makes file management on your server a breeze. **4/3/2025 Video demo:** -https://github.com/user-attachments/assets/221f6a53-85f5-48d4-9abe-89445e0af90e + **Dark mode:** ![Dark Header](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/dark-header.png) -Changelogs & Dockerfile available here: +--- -FileRise is a lightweight, secure, self-hosted web application for uploading, syntax-highlight editing, drag & drop file management, and more. Built with an Apache/PHP backend and a modern JavaScript (ES6 modules) frontend, it offers a responsive and dynamic interface designed to simplify file handling. As an alternative to solutions like FileGator, TinyFileManager, or ProjectSend, FileRise provides an easy-to-set-up experience ideal for document management, image galleries, firmware hosting, and other file-intensive applications. +## Features at a Glance + +- 🚀 **Easy File Uploads:** Upload multiple files and folders via drag & drop or file picker. Supports large files with pause/resumable chunked uploads and shows real-time progress for each file. No more failed transfers – FileRise will pick up where it left off if your connection drops. + +- 🗂️ **File Management:** Full set of file/folder operations – move or copy files (via intuitive drag-drop or dialogs), rename items, and delete in batches. You can even download selected files as a ZIP archive or extract uploaded ZIP files server-side. Organize content with an interactive folder tree and breadcrumb navigation for quick jumps. + +- 📝 **Built-in Editor & Preview:** View images, videos, audio, and PDFs inline with a preview modal – no need to download just to see them. Edit text/code files right in your browser with a CodeMirror-based editor featuring syntax highlighting and line numbers. Great for config files or notes – tweak and save changes without leaving FileRise. + +- 🏷️ **Tags & Search:** Categorize your files with color-coded tags (labels) and later find them easily. The global search bar filters by filename or tag, making it simple to locate that “important” document in seconds. Tag management is built-in – create, reuse, or remove tags as needed. + +- 🔒 **User Authentication & Sharing:** Secure your portal with username/password login. Supports multiple users – create user accounts (admin UI provided) for family or team members. FileRise also integrates with Single Sign-On (OIDC) providers (e.g., OAuth2/OIDC for Google/Authentik) and offers optional TOTP two-factor auth for extra security. Share files with others using one-time or expiring public links (with password protection if desired) – convenient for sending files without exposing the whole app. + +- 🎨 **Responsive UI (Dark/Light Mode):** FileRise is mobile-friendly out of the box – manage files from your phone or tablet with a responsive layout. Choose between Dark mode or Light theme, or let it follow your system preference. The interface remembers your preferences (layout, items per page, last visited folder, etc.) for a personalized experience each time. + +- 🗑️ **Trash & File Recovery:** Mistakenly deleted files? No worries – deleted items go to the Trash instead of immediate removal. Admins can restore files from Trash or empty it to free space. FileRise auto-purges old trash entries (default 3 days) to keep your storage tidy. + +- ⚙️ **Lightweight & Self-Contained:** FileRise runs on PHP 8.1+ with no external database required – data is stored in files (users, metadata) for simplicity. It’s a single-folder web app you can drop into any Apache/PHP server or run as a container. Docker & Unraid ready: use our pre-built image for a hassle-free setup. Memory and CPU footprint is minimal, yet the app scales to thousands of files with pagination and sorting features. + +(For a full list of features and detailed changelogs, see the [Wiki](https://github.com/error311/FileRise/wiki) or the [releases](https://github.com/error311/FileRise/releases) pages.) --- -## Features +## Live Demo -- **Multiple File/Folder Uploads with Progress (Resumable.js Integration):** - - Users can effortlessly upload multiple files and folders simultaneously by either selecting them through the file picker or dragging and dropping them directly into the interface. - - **Chunked Uploads:** Files are uploaded in configurable chunks (default set as 3 MB) to efficiently handle large files. - - **Pause, Resume, and Retry:** Uploads can be paused and resumed at any time, with support for retrying failed chunks. - - **Real-Time Progress:** Each file shows an individual progress bar that displays percentage complete and upload speed. - - **File & Folder Grouping:** When many files are dropped, files are automatically grouped into a scrollable wrapper, ensuring the interface remains clean. - - **Secure Uploads:** All uploads integrate CSRF token validation and other security checks. - -- **Built-in File Editing & Renaming:** - - Text-based files (e.g., .txt, .html, .js) can be opened and edited in a modal window using CodeMirror for: - - Syntax highlighting - - Line numbering - - Adjustable font sizes - - Files can be renamed directly through the interface. - - The renaming functionality now supports names with parentheses and checks for duplicate names, automatically generating a unique name (e.g., appending “ (1)”) when needed. - - Folder-specific metadata is updated accordingly. - - **Enhanced File Editing Check:** Files with a Content-Length of 0 KB are now allowed to be edited. - -- **Built-in File Preview:** - - Users can quickly preview images, videos, audio and PDFs directly in modal popups without leaving the page. - - The preview modal supports inline display of images (with proper scaling) and videos with playback controls. - - Navigation (prev/next) within image previews is supported for a seamless browsing experience. - -- **Gallery (Grid) View:** - - In addition to the traditional table view, users can toggle to a gallery view that arranges image thumbnails in a grid layout. - - The gallery view offers multiple column options (e.g., 3, 4, or 5 columns) so that users can choose the layout that best fits their screen. - - Action buttons (Download, Edit, Rename, Share) appear beneath each thumbnail for quick access. - -- **Batch Operations (Delete/Copy/Move/Download/Extract Zip):** - - **Delete Files:** Delete multiple files at once. - - **Copy Files:** Copy selected files to another folder with a unique-naming feature to prevent overwrites. - - **Move Files:** Move selected files to a different folder, automatically generating a unique filename if needed to avoid data loss. - - **Download Files as ZIP:** Download selected files as a ZIP archive. Users can specify a custom name for the ZIP file via a modal dialog. - - **Extract Zip:** When one or more ZIP files are selected, users can extract the archive(s) directly into the current folder. - - **Drag & Drop (File Movement):** Easily move files by selecting them from the file list and dragging them onto your desired folder in the folder tree or breadcrumb. When you drop the files onto a folder, the system automatically moves them, updating your file organization in one seamless action. - - **Enhanced Context Menu & Keyboard Shortcuts:** - - **Right-Click Context Menu:** - - A custom context menu appears on right-clicking within the file list. - - For multiple selections, options include Delete Selected, Copy Selected, Move Selected, Download Zip, and (if applicable) Extract Zip. - - When exactly one file is selected, additional options (Preview, Edit [if editable], Rename, and Tag File) are available. - - **Keyboard Shortcut for Deletion:** - - A global keydown listener detects Delete/Backspace key presses (when no input is focused) to trigger the delete operation. - -- **File Tagging and Global Tag Management:** - - **Context Menu Tagging:** - - Single-file tagging: “Tag File” option in the right-click menu opens a modal to add a tag (with name and color) to the file. - - Multi-file tagging: When multiple files are selected, a “Tag Selected” option opens a multi‑file tagging modal to apply the same tag to all selected files. - - **Tagging Modals & Custom Dropdown:** - - Dedicated modals provide an interface for adding and updating tags. - - A custom dropdown in each modal displays available global tags with a colored preview and a remove icon. - - **Global Tag Store:** - - Tags are stored globally (persisted in a JSON file) for reuse across files and sessions. - - New tags added to any file are automatically added to the global store. - - Users can remove a global tag directly from the dropdown, which removes it from the available tag list for all files. - - **Unified Search Filtering:** - - The single search box now filters files based on both file names and tag names (case‑insensitive). - -- **Folder Management:** - - Organize files into folders and subfolders with the ability to create, rename, and delete folders. - - A dynamic folder tree in the UI allows users to navigate directories easily, with real-time updates. - - **Per-Folder Metadata Storage:** Each folder has its own metadata JSON file (e.g., `root_metadata.json`, `FolderName_metadata.json`), updated with operations like copy/move/rename. - - **Intuitive Breadcrumb Navigation:** Clickable breadcrumbs enable users to quickly jump to any parent folder; supports drag & drop for moving files. - - **Folder Manager Context Menu:** - - Right-clicking on a folder brings up a custom context menu with options for creating, renaming, and deleting folders. - - **Keyboard Shortcut for Folder Deletion:** - - A global key listener (Delete/Backspace) triggers folder deletion with safeguards to prevent deletion of the root folder. - -- **Sorting & Pagination:** - - Files can be sorted by name, modified date, upload date, file size, or uploader. - - Pagination controls let users navigate through files with selectable page sizes (10, 20, 50, or 100 items per page) and “Prev”/“Next” buttons. - -- **Share Link Functionality:** - - Generate shareable links for files with configurable expiration times (e.g., 30, 60, 120, 180, 240 minutes, and 1 day) and optional password protection. - - Share links are stored in a JSON file with details including folder, file, expiration timestamp, and hashed password. - - The share endpoint validates tokens, expiration, and password before serving files (or forcing downloads). - - The share URL is configurable via environment variables or auto-detected from the server. - -- **User Authentication & Management:** - - Secure, session-based authentication protects the file manager. - - Admin users can add or remove users through the interface. - - Passwords are hashed using PHP’s `password_hash()` for security. - - All state-changing endpoints include CSRF token validation. - - Password change functionality is supported for all users. - - Basic Auth is available for login. - - **Persistent Login (Remember Me) with Encrypted Tokens:** - - Users can remain logged in across sessions securely. - - Persistent tokens are encrypted using AES‑256‑CBC before being stored in a JSON file. - - On auto-login, tokens are decrypted on the server to re-establish user sessions without re-authentication. - -- **Responsive, Dynamic & Persistent UI:** - - The interface is mobile-friendly and adapts to various screen sizes by hiding non-critical columns on small devices. - - Asynchronous updates (via Fetch API and XMLHttpRequest) keep the UI responsive without full page reloads. - - Persistent settings (such as items per page, dark/light mode preference, folder tree state, and the last open folder) ensure a smooth, customized user experience. - -- **Dark Mode/Light Mode:** - - The application automatically adapts to the operating system’s theme preference by default, with a manual toggle available. - - Dark mode provides a darker background with lighter text, and UI elements (including the CodeMirror editor) are adjusted for optimal readability in low-light conditions. - - Light mode maintains a bright interface suitable for well-lit environments. - -- **Server & Security Enhancements:** - - Apache (or .htaccess) configurations disable directory indexing (e.g., using `Options -Indexes` in the uploads directory), preventing unauthorized file browsing. - - Direct access to sensitive files (e.g., `users.txt`) is restricted via .htaccess rules. - - A proxy download mechanism (via endpoints like `download.php` and `downloadZip.php`) routes all file downloads through PHP, ensuring session and CSRF token validation before file access. - - Administrators are advised to deploy the app on a secure internal network or use the proxy download mechanism for public deployments. - -- **Trash Management with Restore & Delete:** - - **Trash Storage & Metadata:** - - Deleted files are moved to a designated “Trash” folder rather than being immediately removed. - - Metadata is stored in a JSON file (`trash.json`) that records: - - Original folder and file name - - Timestamp when the file was trashed - - Uploader information (and optionally who deleted it) - - Additional metadata (e.g., file type) - - **Restore Functionality:** - - Admins can view trashed files in a modal and restore individual or all files back to their original location (with conflict checks). - - **Delete Functionality:** - - Users can permanently delete trashed files via: - - **Delete Selected:** Remove specific files from the Trash and update `trash.json`. - - **Delete All:** Permanently remove every file from the Trash after confirmation. - - **Auto-Purge Mechanism:** - - The system automatically purges files in the Trash older than three days, managing storage and preventing accumulation of outdated files. - - **Trash UI:** - - The trash modal displays file name, uploader/deleter, and trashed date/time. - - Material icons with tooltips represent restore and delete actions. - -- **Drag & Drop Cards with Dedicated Drop Zones:** - - **Sidebar Drop Zone:** - - Cards (e.g., upload or folder management) can be dragged into a dedicated sidebar drop zone for quick access to frequently used operations. - - The sidebar drop zone expands dynamically to accept drops anywhere within its visual area. - - **Top Bar Drop Zone:** - - A top drop zone is available for reordering or managing cards quickly. - - Dragging a card to the top drop zone provides immediate visual feedback, ensuring a fluid and customizable workflow. - - **Header Drop Zone with State Preservation:** - - Cards can be dragged into the header drop zone, where they are represented by a compact material icon. - - **State Preservation:** Instead of removing the card from the DOM, the original card is moved into a hidden container. This ensures that dynamic features (such as the folder tree in the Folder Management card or file selection in the Upload card) remain fully initialized and retain their state on page refresh. - - **Modal Display:** When the user interacts (via hover or click) with the header icon, the card is temporarily moved into a modal overlay for full interaction. When the modal is closed, the card is returned to the hidden container, keeping its state persistent. - - **Seamless Interaction:** - - Both drop zones support smooth drag-and-drop interactions with animations and pointer event adjustments, ensuring reliable card placement regardless of screen position. - -## 🔒 Admin Panel, TOTP & OpenID Connect (OIDC) Integration - -- **Flexible Authentication:** - - Supports multiple authentication methods including Form-based Login, Basic Auth, OpenID Connect (OIDC), and TOTP-based Two-Factor Authentication. - - Ensures continuous secure access by allowing administrators to disable only two of the available login options at any time. - -- **Secure OIDC Authentication:** - - Seamlessly integrates with OIDC providers (e.g., Keycloak, Okta). - - Provides admin-configurable OIDC settings—including Provider URL, Client ID, Client Secret, and Redirect URI. - - Stores all sensitive configurations in an encrypted JSON file. - -- **TOTP Two-Factor Authentication:** - - Enhances security by integrating Time-based One-Time Password (TOTP) functionality. - - The new User Panel automatically displays the TOTP setup modal when users enable TOTP, presenting a QR code for easy configuration in authenticator apps. - - Administrators can customize a global OTPAuth URL template for consistent TOTP provisioning across accounts. - -- **Dynamic Admin Panel:** - - Features an intuitive interface with Material Icons for quick recognition and access. - - Allows administrators to manage authentication settings, user management, and login methods in real time. - - Includes real-time validation that prevents the accidental disabling of all authentication methods simultaneously. - - **User Permissions Options:** - - *Folder Only* gives user their own root folder. - - *Read Only* makes it so the user can only read the files. - - *Disable Upload* prevents file uploads. - ---- - -## Screenshots - -**Admin Panel:** -![Light Admin Panel](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/light-admin-panel.png) - -**Light mode:** -![Dark SideBar](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/dark-sidebar.png) - -**Light mode default:** -![Default Layout](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/light-topbar.png) - -**Dark editor:** -![dark-editor](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/dark-editor.png) - -**Light preview** -![dark-preview](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/light-preview.png) - -**Restore or Delete Trash:** -![restore-delete](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/light-trash.png) - -**Dark TOTP Setup:** -![Login](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/dark-totp-setup.png) - -**Gallery view:** -![Login](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/dark-gallery.png) - - **iphone screenshots:** -

- - -

+Curious about the UI? **Check out the live demo:** (login with username “demo” and password “demo”). *The demo is read-only for security*. Explore the interface, switch themes, preview files, and see FileRise in action! --- ## Installation & Setup -### Manual Installation +You can deploy FileRise either by running the **Docker container** (quickest way) or by a **manual installation** on a PHP web server. Both methods are outlined below. -1. **Clone or Download the Repository:** - - **Clone:** +### 1. Running with Docker (Recommended) - ```bash - git clone https://github.com/error311/FileRise.git - ``` +If you have Docker installed, you can get FileRise up and running in minutes: - - **Download:** - Download the latest release from the GitHub releases page and extract it into your desired directory. +- **Pull the image from Docker Hub:** -2. **Deploy to Your Web Server:** - - Place the project files in your Apache web directory (e.g., `/var/www/html`). - - Ensure PHP 8.1+ is installed along with the required extensions (`php-json`, `php-curl`, `php-zip`, etc.). +``` bash +docker pull error311/filerise-docker:latest +``` -3. **Install Composer Dependencies (Required for OIDC Support):** - - Install Composer if you haven't already ([Installation Guide](https://getcomposer.org/download/)). - - Navigate to the project directory and run: +*(For Apple Silicon (M1/M2) users, use --platform linux/amd64 tag until multi-arch support is added.)* - ```bash - composer install - ``` +- **Run a container:** - - This step will install necessary dependencies like `jumbojett/openid-connect-php` and `phpseclib/phpseclib`. +``` bash +docker run -d \ + -p 8080:80 \ + -e TIMEZONE="America/New_York" \ + -e TOTAL_UPLOAD_SIZE="5G" \ + -e SECURE="false" \ + -v ~/filerise/uploads:/var/www/uploads \ + -v ~/filerise/users:/var/www/users \ + -v ~/filerise/metadata:/var/www/metadata \ + --name filerise \ + error311/filerise-docker:latest + ``` -4. **Directory Setup & Permissions:** - - Create the following directories if they do not exist, and set appropriate permissions: - - `uploads/` – for file storage. - - `users/` – to store `users.txt` (user authentication data). - - `metadata/` – for storing `file_metadata.json` and other metadata. - - Example commands: + This will start FileRise on port 8080. Visit `http://your-server-ip:8080` to access it. Environment variables shown above are optional – for instance, set `SECURE="true"` to enforce HTTPS (assuming you have SSL at proxy level) and adjust TIMEZONE as needed. The volume mounts ensure your files and user data persist outside the container. - ```bash - mkdir -p /var/www/uploads /var/www/users /var/www/metadata - chmod -R 775 /var/www/uploads /var/www/users /var/www/metadata - ``` +- **Using Docker Compose:** +Alternatively, use **docker-compose**. Save the snippet below as docker-compose.yml and run `docker-compose up -d`: -5. **Configure Apache:** - - Ensure that directory indexing is disabled (using `Options -Indexes` in your `.htaccess` or Apache configuration). - - Make sure the Apache configuration allows URL rewriting if needed. +``` yaml +version: '3' +services: + filerise: + image: error311/filerise-docker:latest + ports: + - "8080:80" + environment: + TIMEZONE: "UTC" + TOTAL_UPLOAD_SIZE: "10G" + SECURE: "false" + PERSISTENT_TOKENS_KEY: "please_change_this_@@" + volumes: + - ./uploads:/var/www/uploads + - ./users:/var/www/users + - ./metadata:/var/www/metadata +``` -6. **Configuration File:** - - Open `config.php` and adjust the following constants as necessary: - - `BASE_URL`: Set this to your web app’s base URL. - - `UPLOAD_DIR`: Adjust the directory path for uploads. - - `TIMEZONE`: Set to your preferred timezone. - - `TOTAL_UPLOAD_SIZE`: Ensure it matches PHP’s `upload_max_filesize` and `post_max_size` settings in your `php.ini`. +FileRise will be accessible at `http://localhost:8080` (or your server’s IP). The above example also sets a custom `PERSISTENT_TOKENS_KEY` (used to encrypt “remember me” tokens) – be sure to change it to a random string for security. -### Initial Setup Instructions +**First-time Setup:** On first launch, FileRise will detect no users and prompt you to create an **Admin account**. Choose your admin username & password, and you’re in! You can then head to the **User Management** section to add additional users if needed. -- **First Launch Admin Setup:** - On first launch, if no users exist, the application will enter a setup mode. You will be prompted to create an admin user. This is handled automatically by the application (e.g., via a “Create Admin” form). - **Note:** No default credentials are provided. You must create the first admin account to log in and manage additional users. +### 2. Manual Installation (PHP/Apache) + +If you prefer to run FileRise on a traditional web server (LAMP stack or similar): + +- **Requirements:** PHP 8.1 or higher, Apache (with mod_php) or another web server configured for PHP. Ensure PHP extensions json, curl, and zip are enabled. No database needed. +- **Download Files:** Clone this repo or download the [latest release archive](https://github.com/error311/FileRise/releases). + +``` bash +git clone https://github.com/error311/FileRise.git +``` + +Place the files into your web server’s directory (e.g., `/var/www/html/filerise`). It can be in a subfolder (just adjust the BASE_URL in config as below). + +- **Composer Dependencies:** If you plan to use OIDC (SSO login), install Composer and run `composer install` in the FileRise directory. (This pulls in a couple of PHP libraries like jumbojett/openid-connect for OAuth support.) If you skip this, FileRise will still work, but OIDC login won’t be available. + +- **Folder Permissions:** Ensure the server can write to the following directories (create them if they don’t exist): + +``` bash +mkdir -p uploads users metadata +chown -R www-data:www-data uploads users metadata # www-data is Apache user; use appropriate user +chmod -R 775 uploads users metadata +``` + +The uploads/ folder is where files go, users/ stores the user credentials file, and metadata/ holds metadata like tags and share links. + +- **Configuration:** Open the config.php file in a text editor. You may want to adjust: + + - `BASE_URL` – the URL where you will access FileRise (e.g., `“https://files.mydomain.com/”`). This is used for generating share links. + + - `TIMEZONE` and `DATE_TIME_FORMAT` – match your locale (for correct timestamps). + + - `TOTAL_UPLOAD_SIZE` – max aggregate upload size (default 5G). Also adjust PHP’s upload_max_filesize and post_max_size to at least this value (the Docker start script auto-adjusts PHP limits). + + - `PERSISTENT_TOKENS_KEY` – set a unique secret if you use “Remember Me” logins, to encrypt the tokens. + + - Other settings like `UPLOAD_DIR`, `USERS_FILE` etc. generally don’t need changes unless you move those folders. Defaults are set for the directories mentioned above. + +- **Web Server Config:** If using Apache, ensure `.htaccess` files are allowed or manually add the rules from `.htaccess` to your Apache config – these disable directory listings and prevent access to certain files. For Nginx or others, you’ll need to replicate those protections (see Wiki: [Nginx Setup for examples](https://github.com/error311/FileRise/wiki/Nginx-Setup)). Also enable mod_rewrite if not already, as FileRise may use pretty URLs for share links. + +Now navigate to the FileRise URL in your browser. On first load, you’ll be prompted to create the Admin user (same as Docker setup). After that, the application is ready to use! --- -## Docker Usage +## FAQ / Troubleshooting -For users who prefer containerization, a Docker image is available. +- **“Upload failed” or large files not uploading:** Make sure `TOTAL_UPLOAD_SIZE` in config and PHP’s `post_max_size` / `upload_max_filesize` are all set high enough. For extremely large files, you might also need to increase max_execution_time in PHP or rely on the resumable upload feature in smaller chunks. -**Note:** The Docker image already includes Composer dependencies pre-installed (including OIDC support). +- **How to enable HTTPS?** FileRise itself doesn’t handle TLS. Run it behind a reverse proxy like Nginx, Caddy, or Apache with SSL, or use Docker with a companion like nginx-proxy or Caddy. Set `SECURE="true"` env var in Docker so FileRise knows to generate https links. -### Quickstart +- **Changing Admin or resetting password:** Admin can change any user’s password via the UI (User Management section). If you lose admin access, you can edit the `users/users.txt` file on the server – passwords are hashed (bcrypt), but you can delete the admin line and then restart the app to trigger the setup flow again. -1. **Pull the Docker Image:** +- **Where are my files stored?** In the `uploads/` directory (or the path you set for `UPLOAD_DIR`). Within it, files are organized in the folder structure you see in the app. Deleted files move to `uploads/trash/`. Tag information is in `metadata/file_metadata`.json and trash metadata in `metadata/trash.json`, etc. Regular backups of these folders is recommended if the data is important. - ```bash - docker pull error311/filerise-docker:latest - ``` +- **Updating FileRise:** If using Docker, pull the new image and recreate the container. For manual installs, download the latest release and replace the files (preserve your `config.php` and the uploads/users/metadata folders). Clear your browser cache if you have issues after an update (in case CSS/JS changed). - macos M series: - - ```bash - docker pull --platform linux/x86_64 error311/filerise-docker:latest - ``` - -2. **Run the Container:** - - ```bash - docker run -d \ - -p 80:80 \ - -e TIMEZONE="America/New_York" \ - -e TOTAL_UPLOAD_SIZE="5G" \ - -e SECURE="false" \ - -v /path/to/your/uploads:/var/www/uploads \ - -v /path/to/your/users:/var/www/users \ - -v /path/to/your/metadata:/var/www/metadata \ - --name FileRise \ - error311/filerise-docker:latest - ``` - -3. **Using Docker Compose:** - - Create a docker-compose.yml file with the following content: - - ```yaml - version: "3.8" - services: - web: - image: error311/filerise-docker:latest - ports: - - "80:80" - environment: - TIMEZONE: "America/New_York" - TOTAL_UPLOAD_SIZE: "5G" - SECURE: "false" - PERSISTENT_TOKENS_KEY: "default_please_change_this_key" - volumes: - - /path/to/your/uploads:/var/www/uploads - - /path/to/your/users:/var/www/users - - /path/to/your/metadata:/var/www/metadata - ``` - -**Then start the container with:** - - ```bash - docker-compose up -d - ``` - ---- - -## Configuration Guidance - -The `config.php` file contains several key constants that may need adjustment for your deployment: - -- **BASE_URL:** - Set to the URL where your application is hosted (e.g., `http://yourdomain.com/uploads/`). - -- **UPLOAD_DIR, USERS_DIR, META_DIR:** - Define the directories for uploads, user data, and metadata. Adjust these to match your server environment or Docker volume mounts. - -- **TIMEZONE & DATE_TIME_FORMAT:** - Set according to your regional settings. - -- **TOTAL_UPLOAD_SIZE:** - Defines the maximum upload size (default is `5G`). Ensure that PHP’s `upload_max_filesize` and `post_max_size` in your `php.ini` are consistent with this setting. The startup script (`start.sh`) updates PHP limits at runtime based on this value. - -- **Environment Variables (Docker):** - The Docker image supports overriding configuration via environment variables. For example, you can set `SECURE`, `SHARE_URL`, `PERSISTENT_TOKENS_KEY` and port settings via the container’s environment. - ---- - -## Additional Information - -- **Security:** - All state-changing endpoints use CSRF token validation. Ensure that sessions and tokens are correctly configured as per your deployment environment. - -- **Permissions:** - Both manual and Docker installations include steps to ensure that file and directory permissions are set correctly for the web server to read and write as needed. - -- **Logging & Troubleshooting:** - Check Apache logs (located in `/var/log/apache2/`) for troubleshooting any issues during deployment or operation. +For more Q&A or to ask for help, please check the Discussions or open an issue. --- ## Contributing -We welcome contributions! Please check out our [Contributing Guidelines](CONTRIBUTING.md) before getting started. +Contributions are welcome! If you have ideas for new features or have found a bug, feel free to open an issue. Check out the [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. You can also join the conversation in GitHub Discussions or on Reddit (see links below) to share feedback and suggestions. + +Areas where you can help: translations, bug fixes, UI improvements, or building integration with other services. If you like FileRise, giving the project a ⭐ star ⭐ on GitHub is also a much-appreciated contribution! + +--- + +## Community and Support + +- **Reddit:** [r/selfhosted: FileRise Discussion](https://www.reddit.com/r/selfhosted/comments/1jl01pi/introducing_filerise_a_modern_selfhosted_file/) – (Announcement and user feedback thread). +- **Unraid Forums:** [FileRise Support Thread](https://forums.unraid.net/topic/187337-support-filerise/) – for Unraid-specific support or issues. +- **GitHub Discussions:** Use the Q&A category for any setup questions, and the Ideas category to suggest enhancements. + +--- + +## License + +This project is open-source under the MIT License. That means you’re free to use, modify, and distribute FileRise, with attribution. We hope you find it useful and contribute back! diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e08fdd4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,33 @@ +# Security Policy + +## Supported Versions + +FileRise is actively maintained. Only supported versions will receive security updates. For details on which versions are currently supported, please see the [Release Notes](https://github.com/error311/FileRise/releases). + +## Reporting a Vulnerability + +If you discover a security vulnerability, please do not open a public issue. Instead, follow these steps: + +1. **Email Us Privately:** + Send an email to [error311@gmail.com](mailto:error311@gmail.com) with the subject line “[FileRise] Security Vulnerability Report”. + +2. **Include Details:** + Provide a detailed description of the vulnerability, steps to reproduce it, and any other relevant information (e.g., affected versions, screenshots, logs). + +3. **Secure Communication (Optional):** + If you wish to discuss the vulnerability securely, you can use our PGP key. You can obtain our PGP key by emailing us, and we will send it upon request. + +## Disclosure Policy + +- **Acknowledgement:** + We will acknowledge receipt of your report within 48 hours. + +- **Resolution Timeline:** + We aim to fix confirmed vulnerabilities within 30 days. In cases where a delay is necessary, we will communicate updates to you directly. + +- **Public Disclosure:** + After a fix is available, details of the vulnerability will be disclosed publicly in a way that does not compromise user security. + +## Additional Information + +We appreciate responsible disclosure of vulnerabilities and thank all researchers who help keep FileRise secure. For any questions related to this policy, please contact us at [error311@gmail.com](mailto:error311@gmail.com).