[pmwiki-users] Images in another group
Waylan Limberg
waylan at gmail.com
Wed Dec 7 15:39:55 CST 2005
On 12/7/05, Tegan Dowling <tmdowling at gmail.com> wrote:
> The latter -
>
> Having the uploads/ directory automatically receive a .htaccess file
> containing the
> Order Deny,Allow
> Deny from all, along with having $EnableDirectDownload=0; in the
> local/config.php
>
> - is what I was suggesting/requesting, since it (appears to) make things
> work the way I always thought they already did.
Seeing that PmWiki defaults to no restrictions on reading (or anything
for that matter) pages, I would think the default for attachments
would be the same, so this doesn't make sense to me. However...
>
> If not that, then somehow the fact that uploaded files do NOT have the same
> read-protection as the wikigroups with which they're associated should be
> much more prominently discussed. Perhaps as part of the "Securing your Wiki
> Checklist" that's being discussed.
That seems like a reasonable way to address this to me.
Btw, Patrick, I think the following is the best explanation of how
things work that I've seen. Is anything like this in the docs? (maybe
it is, but I don't recall and haven't looked recently) If not, you
might want to include it somewhere. Just a suggestion.
> * As far as PmWiki is concerned, uploads are *always* associated
> with specific pages (i.e., uploads are really "attachments").
> * PmWiki's default configuration has all of the pages in a wikigroup
> sharing the same set of attachments. While most people think of the
> attachments as belonging to the "group", the reality is that in
> this configuration uploads are effectively attached to every
> page in the group, and not to the group itself.
> * There are two ways that a browser can access an attachment. One
> is by direct url (http://www.example.com/pmwiki/uploads/Group/file.ext)
> and the other is by using ?action=download on a page
> (.../pmwiki/pmwiki.php/Group/Page?action=download&upname=file.ext).
> * Access to attachments via ?action=download requires read permissions
> on the associated page.
> * Access to attachments via direct urls depends on the webserver
> settings.
> * Setting $EnableDirectDownload=0; causes the Attach: markup to
> generate urls using ?action=download, otherwise direct urls are
> used.
>
> Thus, if the wiki administrator turns off access to uploads via
> direct url (e.g., via a .htaccess file or equivalent), then the only
> way to access uploaded files will be by using ?action=download on a
> page, and this will require read permission to the page.
>
--
Waylan Limberg
waylan at gmail.com
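
The two settings discussed in this thread only protect attachments when they agree, which a file-level audit can check. This is an added example, not code from the thread or from PmWiki; it assumes the layout named above (`uploads/.htaccess`, `local/config.php`) and a server that honors `.htaccess` files, and the sample trees it builds are constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches the Apache 2.2-style rule quoted in the thread ("Deny from all")
# and the Apache 2.4 equivalent ("Require all denied").
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# Matches $EnableDirectDownload = 0; on a line that is not commented out.
EDD_RE = re.compile(r"^\s*\$EnableDirectDownload\s*=\s*0\s*;", re.M)


def audit(wiki_root):
    """Classify a PmWiki tree by how its attachments can be reached."""
    root = Path(wiki_root)
    htaccess = root / "uploads" / ".htaccess"
    config = root / "local" / "config.php"
    denied = htaccess.is_file() and bool(DENY_RE.search(htaccess.read_text()))
    via_action = config.is_file() and bool(EDD_RE.search(config.read_text()))
    if denied and via_action:
        return "protected"     # only ?action=download works; page read permission applies
    if denied:
        return "broken-links"  # Attach: still emits direct URLs, which the server refuses
    if via_action:
        return "bypassable"    # links use ?action=download, but direct URLs still resolve
    return "open"              # direct URLs; access depends only on webserver settings


def make_tree(base, name, deny, edd):
    """Build a constructed sample install under base (test data, not a real wiki)."""
    root = Path(base) / name
    (root / "uploads").mkdir(parents=True)
    (root / "local").mkdir()
    if deny:
        (root / "uploads" / ".htaccess").write_text("Order Deny,Allow\nDeny from all\n")
    line = "$EnableDirectDownload = 0;" if edd else "# $EnableDirectDownload = 0;"
    (root / "local" / "config.php").write_text("<?php if (!defined('PmWiki')) exit();\n" + line + "\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for deny in (True, False):
            for edd in (True, False):
                root = make_tree(tmp, f"wiki_{deny}_{edd}", deny, edd)
                print(f"deny={deny!s:5} EnableDirectDownload=0:{edd!s:5} -> {audit(root)}")
```

A "protected" result reflects the files only; whether the server actually applies the `.htaccess` rule still has to be confirmed by requesting a direct upload URL.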