[pmwiki-users] Upload Enhancement for file deletion

Patrick R. Michaud pmichaud at pobox.com
Wed Dec 14 11:56:53 CST 2005


On Wed, Dec 14, 2005 at 12:34:02PM -0500, Waylan Limberg wrote:
> Now for a few questions: Is there a way to set permissions on who can
> delete etc? And what if I only want to enable delete on some uploads
> but not others on the same page? Or perhaps set different permissions
> for different files etc? Basically, I'm not going to want just anyone
> to be able to delete my files.

By definition, anyone who can upload can effectively "delete" a file 
(or at least destroy it by replacing it with an empty one) unless 
$EnableUploadOverwrite is set to zero.  So, I don't think we need
much more in the way of access control than that.

> While typing the above questions it occurred to me that the attachlist
> is generally only on the upload page which could have permissions set,
> but then I realized that all someone has to do is add (:attachlist:)
> into the wikitext of any page to get a list of attachments (go ahead,
> try it in the sandbox). If that list includes the ability to delete
> the files, that could make for an easy way for someone to sabotage
> your site. Without proper security measures in place, I wouldn't feel
> comfortable using this.

Note that the ability to delete isn't a function of the displayed list, 
but rather of whatever receives the "delete" request.  I haven't looked
at the script yet, but it ought to be checking for upload permissions
and deleting the file only if the person has upload permissions.
(It should also display the delete link only if the person has
upload permissions, but that's cosmetic and not a security issue.)

Others have asked about a delete capability before but it never
received many votes.  (See http://www.pmwiki.org/wiki/PITS/00598.)
But if this is a feature others really need I can see about adding
it to the core.

Pm
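
Added example (not part of the original message and not PmWiki code): a small Python model of the point made above, that the permission check belongs in whatever receives the delete request, while hiding the link in the list is only cosmetic. The `Wiki` class, user names, file names and numeric status codes are constructed for illustration; `enable_upload_overwrite` stands in for `$EnableUploadOverwrite`.

```python
from dataclasses import dataclass, field

@dataclass
class Wiki:
    uploaders: set                        # users holding upload permission (constructed)
    enable_upload_overwrite: bool = True  # stands in for $EnableUploadOverwrite
    files: dict = field(default_factory=dict)  # attachment name -> contents

    def can_upload(self, user):
        return user in self.uploaders

    def attachlist(self, user):
        """Render the list; the delete link is shown only to uploaders (cosmetic)."""
        link = " [delete]" if self.can_upload(user) else ""
        return [name + link for name in sorted(self.files)]

    def handle_upload(self, user, name, data):
        if not self.can_upload(user):
            return 403                    # no upload permission
        if name in self.files and not self.enable_upload_overwrite:
            return 409                    # replacing an existing file is disabled
        self.files[name] = data
        return 200

    def handle_delete(self, user, name):
        """The security boundary: the check runs on the request itself."""
        if not self.can_upload(user):
            return 403                    # refused even if the URL was typed by hand
        if name not in self.files:
            return 404
        del self.files[name]
        return 200

def demo():
    wiki = Wiki(uploaders={"alice"}, files={"report.pdf": b"%PDF"})
    out = {}
    # A reader sees no delete link, and a hand-built request is still refused.
    out["reader_list"] = wiki.attachlist("reader")
    out["reader_delete"] = wiki.handle_delete("reader", "report.pdf")
    # With overwrite enabled, an uploader can already destroy the file's contents.
    out["alice_overwrite"] = wiki.handle_upload("alice", "report.pdf", b"")
    out["after_overwrite"] = wiki.files["report.pdf"]
    out["alice_delete"] = wiki.handle_delete("alice", "report.pdf")
    # With overwrite disabled, upload can no longer replace an existing file.
    wiki.enable_upload_overwrite = False
    wiki.files["keep.txt"] = b"data"
    out["no_overwrite"] = wiki.handle_upload("alice", "keep.txt", b"")
    return out

if __name__ == "__main__":
    print(demo())
```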



