I have been adding images to the products module, and they upload to the upload folder perfectly.
When I try to view them however in detail view, they do not show up and when I try and view the image directly with the URL I get a 403 forbidden page.
I have experimented loads with permissions so it can’t be that!
What URL are you using to view the images? If by directly viewing you mean looking at example.com/upload/file then this isn’t possible for security reasons. This is controlled by the ‘.htaccess’ file (for apache servers anyway) in the root of the SuiteCRM folder.
Looking at the detail view for Products this displays the image via the upload folder, in essence if you have htaccess rules on then you won't see the product image. This is a bug and we’ll look into sorting this in a future release. A workaround would be to remove the line:
RedirectMatch 403 (?i)/upload
from .htaccess but I would not recommend this since it means files in the upload folder will be readable.
I was also wondering about this and checked .htaccess and saw the command. Any idea on how you guys will go about fixing this?
I am interested in the fix as well.
Would love to be able to see the product image on the page.
Without read access to the uploads folder the Products/Quotes/Invoices/etc. modules don’t work correctly since they pull the product images from the upload folder. Your workaround works, however as you already pointed out, this is not optimal from a security perspective. In other web applications this is usually “solved” by adding a long random string in front of the uploaded file name, e.g. picture1.jpg becomes 132424131314ssdsd1342_picture1.jpg. It’s more a “security by obscurity” approach, but still, guessing filenames becomes impossible.
There are other parts of SuiteCRM that allow file access via an entry point. This means you can restrict access to logged in users or administrators or whatever other restrictions. Changing the product image to use this method is probably the best choice.
Try using set proper folder permission on upload.
Hope this helps…
Thank you for your feedback. Can you let me know where this can be configured?
This isn’t something that can be configured at the moment. The Product Image code needs to be changed to use the method that I mentioned which will take a bit of development work.
I actually thought there was an issue for this but I can’t find one so have added this as a bug (https://github.com/salesagility/SuiteCRM/issues/164).
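The entry-point approach described above (serving upload files through a script that checks the session instead of exposing /upload directly), as an added illustration that is not SuiteCRM's own code. It assumes the application stores the logged-in user in `$_SESSION['authenticated_user_id']`, that images live in an `upload/` directory next to the script, and that the file is requested as `?file=<name>`.

```php
<?php
// Hypothetical stand-alone image entry point (added example, not SuiteCRM code).
// Assumptions: the app sets $_SESSION['authenticated_user_id'] on login and
// product images live in UPLOAD_DIR; the browser requests image.php?file=<name>.
declare(strict_types=1);

define('UPLOAD_DIR', __DIR__ . '/upload');
// Only these detected MIME types are ever served, whatever the file is named.
define('ALLOWED_MIME', ['image/png' => 1, 'image/jpeg' => 1, 'image/gif' => 1, 'image/bmp' => 1]);

// Map a requested name to a real file inside UPLOAD_DIR, or null if it is not
// a plain file name or resolves (via ".." or a symlink) outside that directory.
function resolve_upload_path(string $requested): ?string
{
    if ($requested === '' || strpos($requested, '..') !== false
        || !preg_match('/\A[A-Za-z0-9._-]+\z/', $requested)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Decide the content type from the file's magic bytes, not its extension.
function detect_image_mime(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) && isset(ALLOWED_MIME[$mime]) ? $mime : null;
}

session_start();
if (empty($_SESSION['authenticated_user_id'])) {
    http_response_code(403);
    exit('Login required');
}
$path = resolve_upload_path((string) ($_GET['file'] ?? ''));
$mime = $path !== null ? detect_image_mime($path) : null;
if ($path === null || $mime === null) {
    http_response_code(404); // same answer for "missing" and "not an image"
    exit('Not found');
}
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this in place the `RedirectMatch 403` rule on /upload can stay, since the detail view would reference the entry point rather than the folder.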
You can limit the access to certain files in /upload using the .htaccess in the /upload folder.
Order Deny,Allow
Deny from all
<Files ~ "(?i)\.(png|jpg|jpeg|bmp)$">
Allow from all
</Files>
This allows access to image file types with case insensitive extension. You still need to allow access to the /upload folder in the root .htaccess by removing the line
RedirectMatch 403 /+upload
I fixed the issue and the images are showing in both Detail View and List view. Please replace the tag code with this and do a quick repair and rebuild and it’s working fine.
Hey sbachala. Tried your fix. Didn’t work for me, still get 403 forbidden error (in console).
Would I have to change .htaccess file also as indicated by nelem to make this work?
So these are my results here: The changes to .htaccess files as indicated by nelem are all that’s needed to make photos show up. While it also works with sbachala’s changes, I don’t see any reason to make those non-update-safe changes, if not necessary…
Question for me: What are the security risks involved in changing the .htaccess settings as described by nelem?
Correction: changing .htaccess files only worked on my local installation, not on the webserver. There I got error 500 instead of 403 after applying the .htaccess file changes. Probably due to added restrictions from the apache vhost settings, I’m guessing.