[Pmwiki-users] Re: Re: Uploading and password protecting

Christian Ridderström chr
Wed Jun 16 13:18:34 CDT 2004


On Wed, 16 Jun 2004, Patrick R. Michaud wrote:

> On Wed, Jun 16, 2004 at 10:05:02AM +0200, Christian Ridderström wrote:
> > On Wed, 16 Jun 2004, Steven Leite wrote:
> > 
> > > I think the idea of having uploaded files in a non-web-accessible
> > > directory is a VERY good idea.  This will extend naturally to the idea
> > > of password protecting downloads in the same way that we password
> > > protect pages.
> > 
> > The drawback, as you mentioned further down, is that we lose the ability
> > to use other tools for browsing uploaded files.
> 
> Not at all.  Just because PmWiki tries to make certain directories
> web-inaccessible by default doesn't mean they have to be that way
> in order for things to work.  A wikiadministrator is always free to 
> open up any directory to the web (and thus the tools that would be 
> available from doing so).

I meant that we lose the ability if the upload directory is made 
non-public (regardless if it's PmWiki that creates the .htaccess or the 
administrator).

> The real question is simply "what should the default configuration be?"

I'd say unprotected because of the collaboration aspect (although I have to 
remember and protect my "job wiki"). Maybe we should add some 
documentation pages on how to do this? (I.e. what to put in the .htaccess 
file)

> > I haven't followed this thread seriously, but is there anything wrong with 
> > controlling access by using .htaccess in the upload-directory?
> 
> Nothing wrong with it, but here are the arguments against PmWiki using
> that as the primary (or only) means of access control to uploads:
>   - Some people aren't running Apache, so .htaccess may not be an option
>   - Many wikiadmins may not know how to set up .htaccess (*)
>   - .htaccess's authentication model is different
>   - Since PmWiki provides access-control mechanisms for other features,
>     it seems natural that it should provide access-control for uploads
>   - It's annoying to have to maintain passwords in two different locations
> 
> (*) Even those admins who do know how to set up .htaccess often don't
> understand how it works.  About once per month I get email from someone
> who is using .htaccess to control access to pmwiki.php and then wonders
> why PmWiki's page and group passwords no longer work (answer: because the
> HTTP Basic Authentication protocol used by .htaccess and PmWiki only
> allows a single password per request).

So you think it'd be worth the effort to implement some more advanced
"file handling capabilities" then?  (Or just merge some other GPL'd tool
that fits nicely)

/Christian




-- 
Christian Ridderström                           http://www.md.kth.se/~chr
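
Added example, not part of the original message and not PmWiki's or Apache's code: a simplified model of the conflict Patrick describes, where the web server's .htaccess check and the wiki's password check both read the one Authorization header a request carries. The function names, user name and passwords are constructed for illustration, and the wiki layer comparing only the password part of the header is an assumption.

```python
import base64
import hmac

def basic_header(user, password):
    """Build the one Authorization header value a client sends per request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_basic(header):
    """Return (user, password) from a Basic header, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def server_layer(headers, htaccess_users):
    """Layer 1: the web server's .htaccess check (user and password)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or creds[0] not in htaccess_users:
        return False
    return same(htaccess_users[creds[0]], creds[1])

def wiki_layer(headers, page_password):
    """Layer 2 (assumed model): the wiki checks the password in the same header."""
    creds = parse_basic(headers.get("Authorization"))
    return creds is not None and same(page_password, creds[1])

def handle(headers, htaccess_users, page_password):
    """Pass one request through both layers and report which one rejects it."""
    if not server_layer(headers, htaccess_users):
        return "401 from web server"
    if not wiki_layer(headers, page_password):
        return "401 from wiki"
    return "200 OK"

# Constructed sample credentials (hypothetical values).
USERS = {"alice": "server-secret"}
PAGE_PASSWORD = "page-secret"
```

With distinct secrets, whichever password the client puts in the header satisfies one layer and is rejected by the other; in this model the request only gets through when the page password happens to equal the .htaccess password.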




