Advanced Search not working for read-only users

Open leonardooyama opened this issue 6 months ago • 2 comments

When I am logged in as a read-only user, the Advanced Search doesn't return the expected results.

  • When I try the search with 0, 1 or 2 characters, it displays "minimum 3 characters required", which is okay.
  • In the other cases, it should return either "No result found" or the files that were found, but I am getting nothing.

For admin users, the Advanced Search works correctly. I am using the latest version (2.6). Any hints?

leonardooyama avatar Jun 10 '25 19:06 leonardooyama

appreciate the report of the issue and will fix it in a future release.

prasathmani avatar Jun 11 '25 00:06 prasathmani

appreciate the report of the issue and will fix it in a future release.

Hi! If possible, I would like to contribute, but I couldn't find the error in the code. Do you have any idea where it is?

leonardooyama avatar Jun 13 '25 11:06 leonardooyama

I asked Copilot:

Why Advanced Search Doesn't Work for Read-Only Users in TinyFileManager

Problem Description

  • Admin users: Advanced Search works as expected.
  • Read-only users: For 0–2 characters, "minimum 3 characters required" is shown (this is correct).
    For 3+ characters, the search returns nothing (no files, no "No result found", just blank).
  • Version: TinyFileManager v2.6

Technical Cause

In tinyfilemanager.php (v2.6), the PHP backend only processes the Advanced Search request if the user is NOT a read-only user.

Relevant code excerpt:

if (
    (isset($_SESSION[FM_SESSION_ID]['logged'], $auth_users[$_SESSION[FM_SESSION_ID]['logged']]) || !FM_USE_AUTH)
    && isset($_POST['ajax'], $_POST['token'])
    && !FM_READONLY
) {
    // ...
    if (isset($_POST['type']) && $_POST['type'] == "search") {
        // executes search and returns JSON
    }
    // ...
}

The !FM_READONLY part means:

Read-only users cannot access this code block. As a result, when a read-only user submits a search, the server returns nothing, leading to a blank result in the frontend.

Why Is This By Design?

  • Security: Advanced Search recursively lists all file/folder names. The authors restricted this for read-only users, possibly to prevent information leakage or heavy resource use.
  • Consistency: Most actions are limited for read-only users to keep the permission model simple and secure.

How to Enable Advanced Search for Read-Only Users

If you want read-only users to have access to Advanced Search, you’ll need to modify the code:

Steps:

Open tinyfilemanager.php in your editor.

Find this line:

    && !FM_READONLY

Remove && !FM_READONLY so the condition becomes:

if (
    (isset($_SESSION[FM_SESSION_ID]['logged'], $auth_users[$_SESSION[FM_SESSION_ID]['logged']]) || !FM_USE_AUTH)
    && isset($_POST['ajax'], $_POST['token'])
) {
    // ...
}

Save and upload the file.

Now, read-only users will also be able to use Advanced Search.

Security Note: This change allows all authenticated users (including read-only) to recursively search for files and folders. Make sure this is acceptable for your use case before deploying.

smalos avatar Jun 19 '25 09:06 smalos

I was wondering why this issue was happening and thanks to smalos's comment it was a quick fix. Only change I made was an extra if() check to prevent affecting other code, because without reading the rest of the codebase I have to assume this check is in place to prevent the other AJAX features (such as file uploads) from being used by a conniving readonly user.

This way the only part affected should be the search.

Difference visible in this commit.

ValerioLyndon avatar Nov 12 '25 02:11 ValerioLyndon
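
One way to scope the read-only exemption to search alone, as the last comment describes, is a deny-by-default allowlist of request types. This is an added example, not TinyFileManager's code and not the linked commit; `authorize_ajax`, `READONLY_SAFE_TYPES` and the `save`/`upload` type names are assumptions made for illustration.

```php
<?php
// Added illustration; not TinyFileManager's code. Only the "search" request
// type appears on this page; "save" and "upload" are assumed stand-in names.

// Deny by default: the only AJAX types a read-only session may invoke.
const READONLY_SAFE_TYPES = ['search'];

/**
 * Gate one AJAX request. Returns an HTTP-style status:
 * 200 = run the handler, 401 = no session or bad token, 403 = refused.
 * $loggedIn stands for the session-or-no-auth check in the quoted condition.
 */
function authorize_ajax(array $post, bool $loggedIn, bool $tokenOk, bool $readonly): int
{
    // Same preconditions as the quoted condition, minus the blanket !FM_READONLY.
    if (!$loggedIn || !isset($post['ajax'], $post['token']) || !$tokenOk) {
        return 401;
    }
    // Treat a missing or non-string type (e.g. type[]=search) as unknown.
    $type = (isset($post['type']) && is_string($post['type'])) ? $post['type'] : '';
    // Strict comparison: only an exact allowlisted string passes for read-only.
    if ($readonly && !in_array($type, READONLY_SAFE_TYPES, true)) {
        return 403; // explicit refusal rather than an empty response body
    }
    return 200;
}

// Constructed sample requests: [label, POST fields, logged in, read-only, expected]
$base = ['ajax' => '1', 'token' => 'constructed-token'];
$cases = [
    ['read-only search',     $base + ['type' => 'search'],   true,  true,  200],
    ['read-only save',       $base + ['type' => 'save'],     true,  true,  403],
    ['read-only upload',     $base + ['type' => 'upload'],   true,  true,  403],
    ['read-only array type', $base + ['type' => ['search']], true,  true,  403],
    ['read-only no type',    $base,                          true,  true,  403],
    ['admin save',           $base + ['type' => 'save'],     true,  false, 200],
    ['no session search',    $base + ['type' => 'search'],   false, true,  401],
];

foreach ($cases as [$label, $post, $loggedIn, $readonly, $expected]) {
    $status = authorize_ajax($post, $loggedIn, true, $readonly);
    printf("%-22s %d %s\n", $label, $status, $status === $expected ? 'ok' : 'MISMATCH');
}
```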