KCFinder on D9: You don't have permissions to browse server.
Overview
The issue is very similar to this one:
and the proposed workaround is solving it (reverting this commit), but I think the root cause is different.
Steps to reproduce
- Use CKEditor4 as Wysiwig Editor
- Create Event
- Insert image to description
- Try to browse, or upload image
- Error: You don't have permissions to browse server.
Analysis
In my case classes are found, so it's not namespacing. After some debugging, I think the following happens:
- In
civicrm/packages/kcfinder/integration/civicrm.phpDrupal is bootstrapped, user authenticated and correctKCFINDERparams are added to the$_SESSIONvar:$_SESSION['KCFINDER']['disabled'] = false; $_SESSION['KCFINDER']['uploadURL'] = $config->imageUploadURL; $_SESSION['KCFINDER']['uploadDir'] = $config->imageUploadDir; - Then in
\kcfinder\uploader::construct()session ID is requested from Drupal (\CRM_Core_Config::singleton()->userSystem->getSessionId()) - Eventually
Drupal\Core\Session\SessionManager::start()finds no session so starts a new one, thus removingKCFINDERarray from$_SESSION. This way kcfinder defaults are used, which is to disable access.
So I thought it's a cookie issue (though $_COOKIE was populated with all the cookies all the way through).
I changed CRM_Utils_System_Drupal8::loadBootStrap() to pass cookies to the Symfony request:
$request = new \Symfony\Component\HttpFoundation\Request([], [], [], $_COOKIE, [], $_SERVER);This way session was found in step 3 above, it was restored, but it also didn't contained the KCFINDER array as $_SESSION was overwritten by restoring.
So I'm stuck here, probably I'm missing something obvious, but currently I can't see why should it behave differently.
Has anybody any idea?
Drupal: 9.3.12
Civi: 5.47.4
UPDATE
Relevant issues in other repos: