KCFinder on D9: You don't have permissions to browse server.
Overview
The issue is very similar to this one:
and the proposed workaround is solving it (reverting this commit), but I think the root cause is different.
Steps to reproduce
- Use CKEditor4 as WYSIWYG Editor
- Create Event
- Insert image to description
- Try to browse, or upload image
- Error: You don't have permissions to browse server.
Analysis
In my case classes are found, so it's not namespacing. After some debugging, I think the following happens:
- In `civicrm/packages/kcfinder/integration/civicrm.php` Drupal is bootstrapped, user authenticated and correct `KCFINDER` params are added to the `$_SESSION` var:

  ```php
  $_SESSION['KCFINDER']['disabled'] = false;
  $_SESSION['KCFINDER']['uploadURL'] = $config->imageUploadURL;
  $_SESSION['KCFINDER']['uploadDir'] = $config->imageUploadDir;
  ```
- Then in `\kcfinder\uploader::construct()` session ID is requested from Drupal (`\CRM_Core_Config::singleton()->userSystem->getSessionId()`)
- Eventually `Drupal\Core\Session\SessionManager::start()` finds no session so starts a new one, thus removing `KCFINDER` array from `$_SESSION`. This way kcfinder defaults are used, which is to disable access.
So I thought it's a cookie issue (though `$_COOKIE` was populated with all the cookies all the way through).
I changed `CRM_Utils_System_Drupal8::loadBootStrap()` to pass cookies to the Symfony request:

```php
$request = new \Symfony\Component\HttpFoundation\Request([], [], [], $_COOKIE, [], $_SERVER);
```

This way session was found in step 3 above, it was restored, but it also didn't contain the `KCFINDER` array as `$_SESSION` was overwritten by restoring.
So I'm stuck here, probably I'm missing something obvious, but currently I can't see why it should behave differently.
Has anybody any idea?
Drupal: 9.3.12
Civi: 5.47.4
UPDATE
Relevant issues in other repos:
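
The session behaviour described in the Analysis above, as an added example in plain PHP that is not part of the original issue report and is not CiviCRM, Drupal or KCFinder code: it compares writing the access flag before the session is started with writing it into an already started session, and applies a default-deny check to each. `grant_access()` and `browse_allowed()` are hypothetical stand-ins, and the example assumes the session manager ends up calling PHP's `session_start()`.

```php
<?php
// Added illustration in plain PHP; not CiviCRM, Drupal or KCFinder code.
// Assumption: the framework's session manager ends up calling session_start().
ini_set('session.use_cookies', '0');    // CLI run, no cookie header needed
ini_set('session.cache_limiter', '');   // no cache headers either
session_save_path(sys_get_temp_dir());

// Hypothetical stand-in for the integration step that grants access.
function grant_access(): void
{
    $_SESSION['KCFINDER'] = ['disabled' => false];
}

// Hypothetical stand-in for the default-deny check:
// a missing KCFINDER array is treated as "disabled".
function browse_allowed(): bool
{
    return ($_SESSION['KCFINDER']['disabled'] ?? true) === false;
}

// Order A: grant first, start the session afterwards (the order in the report).
grant_access();
$beforeStart = browse_allowed();
session_start();               // $_SESSION is rebuilt from the (empty) session store
$orderA = browse_allowed();
session_destroy();

// Order B: start the session first, grant, persist, then reopen the same session.
session_start();
grant_access();
session_write_close();         // flag is written to the session store
session_start();               // same session id, stored data is loaded back
$orderB = browse_allowed();
session_destroy();

var_dump([
    'before session_start' => $beforeStart,
    'order A after start'  => $orderA,
    'order B after reopen' => $orderB,
]);
```

Run it with the PHP CLI; the script produces no output before the final `var_dump`, so no header warnings interfere with the session calls.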