In mojoPortal content management system users with permissions can upload and browse files using the image, link, or media dialog windows in the WYSIWYG editor and optionally you could also grant them access to the File Manager and therefore allow them to also delete files.

Actually, there are 2 versions of File Manager in mojoPortal CMS, the newer one uses jQuery and the older one while less pretty works even with javascript disabled. Neither of these file managers should be confused with the Shared Files feature, which does not really give users access to the server file system the way the File Managers do even though it looks very similar to the older File Manager.

Roles allowed to upload files are configured by 3 related permissions under Administration > Site Settings > Security > Permissions

  • Roles that can upload and Browse Files
  • Roles that Can Upload and Browse Files but only in a User Specific Folder
  • Roles that Can Delete Files Using the File Browser in the Editor (soon to be renamed to just Roles that can delete files)

Users in the Administrators role don't need any special permissions assigned to the role, they can do anything on the site including uploading and deleting files.

Storage Location

By default Administrators in the first site (known as the server admin site or master site) can access the file system starting at: /Data/.

Whereas Administrators in child sites in a multisite installation can access the file system starting at: /Data/Sites/[SiteID]/.

However, you can also limit Administrators so they can only access the file system starting at /Data/Sites/[SiteID]/media/ by adding this to your user.config file: <add key="ForceAdminsToUseMediaFolder" value="true" />.

I created the above setting primarily so I could limit what people do on the demo site, but you may also find it useful. In fact, I recommend making it true and others have said they wish they had made it true in the beginning to keep files from getting scattered at a higher level. For example, some people will map a virtual folder to  /media that maps to a real folder outside of the website or to a file share and therefore they don't want users to upload files higher up from that folder.

All other roles can only access the file system if you explicitly grant them permission If you add the roles to the permission for Roles that can upload and browse files, users in the allowed roles can upload and browse files using the WYSIWYG editor which has dialogs for images, media, and links, that allow browsing the server file system for files and uploading files. Their access to the file system starts at /Data/Sites/[SiteID]/media/.

If you add roles to the permissions for Roles that can upload and browse but only in a user specific location, their access to the file system starts at /Data/Sites/[SiteID]/userfiles/[UserID]/.

If you don't want users to be able to delete any files you should not give them access to the file managers, therefore access to the File Managers is determined by Roles that Can Delete Files in the Editor. Roles added to this permission can delete files from the editor dialog windows but can also use the File Managers (assuming they have one of the upload and browse permissions).

You might think why don't we just let them use the file managers but limit their ability to delete from the file manager? The reason is because other than uploading and downloading files the only benefits to file managers are the ability to delete and rename files and folders. As far as files used in content renaming a file is almost equivalent to deleting it because if the file is already used in content and you rename it, it will result in a broken image or link in your content just the same as if it was deleted. So if you don't want users to be able to do those things you should just not let them use the file managers and instead only let them upload files through the editor dialogs where they cannot delete or rename anything.

So basically for non-administrator users you have 5 choices for user upload permissions

  1. Allow them to upload but not delete starting at the /Data/Sites/[SiteID]/media/ folder by just adding their roles to General Upload and Browse Roles, but not adding them to Roles that can delete files
  2. Same as above but they are allowed to delete files and use File Manager if you add them to both the General Upload and Browse Roles and the Delete roles
  3. Allow them to upload only to a user specific location but not allowed to delete files by adding them to Roles that can upload and browse but only to a user specific location
  4. Same as above but also add them to Roles that can delete and then they can also delete files in the user specific location and use File Manager.
  5. Don't grant them any of the above and they cannot upload files at all.

Allowing Upload of New File Types

If you receive a message that a particular file type is not allowed, you can enable uploading of that type by appending it to one or both of the following configuration keys. We recommend that you copy the key(s) from web.config and place them in user.config to make future upgrades easier. If the key(s) are in user.config, remember to touch web.config after your changes so they will be picked up.

For general browse and upload roles:

<add key="AllowedUploadFileExtensions" value=".gif|.jpg|.jpeg|.png|.zip|.pdf..." />

For roles limited to uploading into a user-specific folder:

<add key="AllowedLessPriveledgedUserUploadFileExtensions" value=".gif|.jpg|.jpeg|.png|.zip|.pdf"/>

Storage Quotas

There are several config settings that you should copy from Web.config into user.config and then customize their values according to your own requirements. Shown here with their default values:

<!-- How much space is allocated -->
<add key="UserFolderDiskQuotaInMegaBytes" value="300" />
<add key="MediaFolderDiskQuotaInMegaBytes" value="6000" />
<add key="AdminDiskQuotaInMegaBytes" value="12000" />

<!-- Maximum size per file being uploaded -->
<add key="UserFolderMaxSizePerFileInMegaBytes" value="10" />
<add key="MediaFolderMaxSizePerFileInMegaBytes" value="30" />
<add key="AdminMaxSizePerFileInMegaBytes" value="2000" />

<!-- Maximum files allowed -->
<add key="UserFolderMaxNumberOfFiles" value="1000" />
<add key="MediaFolderMaxNumberOfFiles" value="10000" />
<add key="AdminMaxNumberOfFiles" value="100000" />

<!-- Maximum folders allowed -->
<add key="UserFolderMaxNumberOfFolders" value="50" />
<add key="MediaFolderMaxNumberOfFolders" value="500" />
<add key="AdminMaxNumberOfFolders" value="1000" />

Note that the above quotas are enforced only for files uploaded from the WYSIWYG editors (CKEditor, TinyMCE) and from the File Manager feature in mojoPortal. These settings are not enforced in other features that upload files such as Image Galleries. In other words, if you reach your quota the Image Gallery isn't going to stop letting you upload files. However, many features such as the Image Gallery may store their files beneath the /Data/Sites/[SiteID]/media folder in order to make it possible to browse images from the gallery and use it in content elsewhere on the site. Files beneath this folder will aggregate towards the quota allowed. So what could happen is you upload a ton of files in the Image Gallery and then you can no longer upload files in the editors or the file manager because the quotas are kicking in and they are enforced there. So you may need to set much higher quotas in some cases. When file uploads are prevented due to quotas it is logged in the mojoPortal system log.

See also:  Supporting Large File Uploads

Created by Joe Audette on Sep 17, 2011
Last Modified by Elijah Fowler on Mar 02, 2017