[pmwiki-devel] Password protection of uploaded files via page or group permissions?

Eemeli Aro eemeli at gmail.com
Thu Feb 14 07:10:46 CST 2008

By default, when uploads are enabled and EnableDirectDownload is
disabled, uploaded files are stored in directories by group. My
(incorrect) assumption from this was that the read permissions for the
uploaded files would follow the read permissions of the group in
question, not the page via which the files are accessed.

The current situation means that the level of password protection that
a file has depends on the lowest level of protection any page in the
groups has.

Hence, could an option be added to make download permissions
explicitly depend on the group's permissions instead of the page's
permissions? The code to do this can be rather simple, with a small
addition to upload.php's HandleDownload function:

<   global $UploadFileFmt, $UploadExts, $DownloadDisposition;
>   global $UploadFileFmt, $UploadExts, $DownloadDisposition, $GroupAttributesFmt, $EnableProtectUploadsByGroup;
>   if (IsEnabled($EnableProtectUploadsByGroup,0)) {
>     SDV($GroupAttributesFmt,'$Group/GroupAttributes');
>     $pagename = FmtPageName($GroupAttributesFmt, $pagename);
>   }

The only problem with the above is that when accessing a file for
which the user doesn't have the required permissions, the presented
login page is that of the GroupAttributes page.


More information about the pmwiki-devel mailing list