-
Notifications
You must be signed in to change notification settings - Fork 0
Configuration System
MFM's configuration system lets you manage all settings without touching the main PHP file — surviving version upgrades cleanly.
MFM supports two configuration approaches:
| Approach | How | Upgrade-safe? |
|---|---|---|
| Edit the main file | Set values directly in microfilemanager.php
|
❌ Settings lost on file replacement |
External config.php |
Copy config.example.php → config.php, set values there |
✅ File replacement leaves config untouched |
Both approaches work. The external config is recommended for any server where you plan to keep MFM updated.
At startup MFM checks for a config.php in the same directory as microfilemanager.php. If found, it loads it and merges the values with the main file's defaults.
Merge behavior:
- Scalar settings (
$root_path,$default_theme, etc.) —config.phpvalue wins - Array settings (
$auth_users,$readonly_users,$directories_users) — values are merged, not replaced. Main file wins on conflict (same username in both files → main file's hash is used)
This means you can keep a base set of users in the main file and layer additional users on top via config.php — useful if you deploy MFM to multiple servers with shared base config.
cp config.example.php config.phpThen edit config.php. Every available setting is documented in config.example.php with comments.
$auth_users = array(
'admin' => '$2y$10$...', // bcrypt hash — see below
'user2' => '$2y$10$...',
);Generating a password hash:
- Online tool — runs in your browser, nothing sent to a server
- Settings → Password Hash Generator (inside MFM)
- CLI:
php -r "echo password_hash('yourpassword', PASSWORD_DEFAULT);"
$readonly_users = array(
'viewer', // this user can browse but not modify anything
);$directories_users = array(
'admin' => '/', // admin sees everything
'user2' => '/uploads', // user2 only sees /uploads
);$use_auth = false;🚨 Only do this on a completely private/local network. Never expose an unauthenticated MFM to the internet.
$root_path = '/var/www/html'; // Root directory users can browse
$root_url = ''; // Root URL (leave empty for auto-detect)$default_theme = 'dark'; // 'light' or 'dark'
$default_language = 'en'; // Language code — see translation.json
$default_timezone = ''; // '' = server local time, or e.g. 'America/Chicago'$ace_theme = 'monokai'; // ACE editor theme
$ace_font_size = 14; // Font size in px$highlightjs_theme_dark = 'atom-one-dark'; // Theme when UI is in dark mode
$highlightjs_theme_light = 'atom-one-light'; // Theme when UI is in light mode$session_timeout = 14400; // Session lifetime in seconds (default: 4 hours)Expired sessions on AJAX requests return a 401 JSON response — the page automatically reloads to the login screen. See Login-and-Security for full session security details.
$login_max_attempts = 5; // Failed attempts before lockout
$login_lockout_minutes = 15; // Lockout duration in minutesSee Login-and-Security#brute-force-protection for full details.
$max_upload_size_bytes = 512000000; // 512 MB default
$allowed_extensions = []; // Empty = all allowed
$blocked_extensions = ['php', 'exe', 'sh']; // Always blockedEvery setting available in MFM is documented and overridable in config.php. See config.example.php in the repository for the complete annotated reference.
Wiki current as of v3.3
Core
Advanced
Links