[pmwiki-users] Images in another group

Waylan Limberg waylan at gmail.com
Wed Dec 7 15:39:55 CST 2005


On 12/7/05, Tegan Dowling <tmdowling at gmail.com> wrote:
> The latter -
>
>  Having the uploads/ directory automatically receive a .htaccess file
> containing the
> Order Deny,Allow
>  Deny from all, along with having $EnableDirectDownload=0; in the
> local/config.php
>
>  - is what I was suggesting/requesting, since it (appears to) make things
> work the way I always thought they already did.

Seeing that PmWiki defaults to no restrictions on reading (or anything
for that matter) pages, I would think the default for attachments
would be the same, so this doesn't make sense to me. However...
>
>  If not that, then somehow the fact that uploaded files do NOT have the same
> read-protection as the wikigroups with which they're associated should be
> much more prominently discussed.  Perhaps as part of the "Securing your Wiki
> Checklist" that's being discussed.

That seems like a reasonable way to address this to me.

Btw, Patrick, I think the following is the best explanation of how
things work that I've seen. Is anything like this in the docs? (maybe
it is, but I don't recall and haven't looked recently) If not, you
might want to include it somewhere. Just a suggestion.

>   * As far as PmWiki is concerned, uploads are *always* associated
>     with specific pages (i.e., uploads are really "attachments").
>   * PmWiki's default configuration has all of the pages in a wikigroup
>     sharing the same set of attachments.  While most people think of the
>     attachments as belonging to the "group", the reality is that in
>     this configuration uploads are effectively attached to every
>     page in the group, and not to the group itself.
>   * There are two ways that a browser can access an attachment.  One
>     is by direct url (http://www.example.com/pmwiki/uploads/Group/file.ext)
>     and the other is by using ?action=download on a page
>     (.../pmwiki/pmwiki.php/Group/Page?action=download&upname=file.ext).
>   * Access to attachments via ?action=download requires read permissions
>     on the associated page.
>   * Access to attachments via direct urls depends on the webserver
>     settings.
>   * Setting $EnableDirectDownload=0; causes the Attach: markup to
>     generate urls using ?action=download, otherwise direct urls are
>     used.
>
> Thus, if the wiki administrator turns off access to uploads via
> direct url (e.g., via a .htaccess file or equivalent), then the only
> way to access uploaded files will be by using ?action=download on a
> page, and this will require read permission to the page.
>

--
----
Waylan Limberg
waylan at gmail.com
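
An added example, not part of the original message and not PmWiki code: a static check that a wiki tree has both settings discussed in the thread, a deny-all rule in uploads/.htaccess and $EnableDirectDownload=0; in local/config.php. The function names, the constructed sample trees and the acceptance of the Apache 2.4 "Require all denied" form alongside the quoted "Deny from all" are assumptions of this sketch.

```python
import re
import tempfile
from pathlib import Path

# Apache 2.2 "Deny from all" (the form quoted in the thread) or 2.4 "Require all denied".
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# An active "$EnableDirectDownload = <digits>;" assignment; the value is captured.
EDD_RE = re.compile(r"^\s*\$EnableDirectDownload\s*=\s*(\d+)\s*;", re.M)

def strip_comments(text, markers):
    """Drop whole-line comments so a commented-out directive does not count."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(markers))

def audit_uploads(wiki_root):
    """Return a list of findings; an empty list means both settings are in place."""
    root, findings = Path(wiki_root), []
    htaccess = root / "uploads" / ".htaccess"
    if not htaccess.is_file():
        findings.append("uploads/.htaccess missing: direct urls depend on webserver settings")
    elif not DENY_RE.search(strip_comments(htaccess.read_text(), "#")):
        findings.append("uploads/.htaccess has no deny-all rule")
    config = root / "local" / "config.php"
    text = config.read_text() if config.is_file() else ""
    values = EDD_RE.findall(strip_comments(text, ("#", "//")))
    if not values:
        findings.append("$EnableDirectDownload not set: Attach: markup emits direct urls")
    elif values[-1] != "0":  # the last assignment in the file wins
        findings.append("$EnableDirectDownload is %s, expected 0" % values[-1])
    return findings

def demo():
    """Constructed sample trees: one left at defaults, one locked down as in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        weak, hard = Path(tmp, "weak"), Path(tmp, "hard")
        for root in (weak, hard):
            (root / "uploads").mkdir(parents=True)
            (root / "local").mkdir()
        (weak / "local" / "config.php").write_text("<?php\n# $EnableDirectDownload = 0;\n")
        (hard / "uploads" / ".htaccess").write_text("Order Deny,Allow\nDeny from all\n")
        (hard / "local" / "config.php").write_text("<?php\n$EnableDirectDownload = 0;\n")
        return audit_uploads(weak), audit_uploads(hard)

if __name__ == "__main__":
    for findings in demo():
        print(findings or "ok")
```

A static check cannot tell whether the web server actually honours .htaccess files; requesting a direct uploads url and confirming it is refused settles that.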



