[pmwiki-users] Securing images

Petko Yotov 5ko at free.fr
Sat Jan 13 08:29:11 CST 2007


[Forwarding some thoughts Luigi and I exchanged off-list, may be useful, or 
may bring some new idea from someone :-) ]

> Petko, just one quick question off-list before I start setting up a
> test with your settings: would it still be possible (once you know the
> password, of course) to browse the /listing/ directories?
> I'm not clear about it... (too many new things for me)
>

If you set in a directory a file ".htaccess" containing "Deny from all" it 
will *not* be possible to browse this directory from the /listings/ url, 
people have to go to your wiki page and provide the password. The files can 
only be downloaded through pmwiki.php. 

You can still have a sort of "listings" though, with the markup (:attachlist:) 
or (:attachlist Group.Page:) somewhere in the wiki.

Note that this still is a PmWiki directory structure, that is, you can not 
have unlimited browsable sub-directories. For files attached to a page to be 
visible to PmWiki, they must be in the directory PmWiki expects, i.e.:

$UploadPrefixFmt = '/$Group'; # this is the default setting
$UploadPrefixFmt = '/$Group/$Name'; # may be better for you, or may not

See http://pmwiki.org/wiki/PmWiki/UploadsAdmin

> And, in case it would, how do I let the action=upload store files in
> the right directory?
> How would I integrate it with pmwiki handling of things?

See http://pmwiki.org/wiki/PmWiki/UploadsAdmin

$UploadDir = $_SERVER['DOCUMENT_ROOT'] . "/listings";
$UploadUrlFmt = "http://www.kirpi.it/listings";

Note that after setting this in config.php, you will need to move all your 
files and directories that are now in uploads/ to /listings/

> Mmmh...
> Have you read the *whole* thread already?

What did I miss?

If you wish to be able to use the "Upload" function in PmWiki, you need to 
have a PmWiki uploads directory structure, not another one. ThumbList is also 
very close to PmWiki: if PmWiki cannot see a file/directory, neither can 
ThumbList.



> You missed points [2] and [3] in my original post.
>
> :-)
>
> It is a *feature* to me having photographs which are organized and
> browseable independently from the wiki. Please try and explore the (it
> is of course just in test) http://www.kirpi.it/listing/ directory.
>
> > If you wish to be able to use the "Upload" function in PmWiki, you need
> > to have a PmWiki uploads directory structure, not another one.
>
> Yes.
> If you check http://www.kirpi.it/listing/uploads/ you'll find that
> things work fine with wiki uploads.
>
> The real problem, Petko, to put it in simple words, is maybe to "merge" the
> http://www.kirpi.it/listing/uploads/ directories with the
> http://www.kirpi.it/listing/friends/  (id=kirpi pass=kirpi)
> and
> http://www.kirpi.it/listing/personal  (id=kirpi pass=private)
> folders, which are protected with apache.
>
> Perhaps it is, more or less, a matter of reorganizing directories.
>
> I now have both systems working
> a) http://www.kirpi.it/wiki/pmwiki.php?n=Main.ImagesTest
> b) http://www.kirpi.it/wiki/pmwiki.php?n=Pix.Pix
> but cannot find a link between them.
>
> If there was a way to merge the two things, somehow...
>
> :-|
>
> Luigi
>
>
> [2] http://www.kirpi.it/listing/uploads/
> [3] The /listing/ directory is fine as it allows a straight,
> text-only, filesystem-like browsing of all the images, independent
> from the wiki engine.

It is true that PmWiki will not be able to upload files in the "independent 
from PmWiki" directories. I only see two options here:

1. (what I would do:) Think a minute and organize your directories to become 
standard PmWiki directories only. (Only for directories where you want to 
upload from PmWiki, not for the "independent from the wiki engine" 
directories, where you upload otherwise, FTP, etc.) You are using the setting 

$UploadPrefixFmt = '/$Group/$Name';

in your "Pics/" group, you may extend this to the whole site.

In the Private directories or pages, you set either "Deny from all" or 
your current passwords kirpi:private. In the first case no one can browse 
there, in the second, they can if they know the password.

Set passwords to the private pages, as in
http://pmwiki.org/wiki/PmWiki/Passwords

And also in local/ProtectedGroup.php:

$EnableDirectDownload=0;

If you don't, your visitors will have to once again provide a password (first 
was for pmwiki, second for Apache).

If you have "Deny from all", you *must* have "$EnableDirectDownload=0;" 
otherwise the files will not be visible.

If you have both Apache passwords and PmWiki passwords, you will triple your 
time administrating the thing. I really use only PmWiki passwords plus "Deny 
from all".

Standard PmWiki directories are also browsable, except the protected ones.



2. (risky) You can configure PmWiki to have a different upload directory for 
some Groups. In config.php you probably have:

$UploadUrlFmt = "http://www.kirpi.it/listings/uploads";
$UploadDir = $_SERVER['DOCUMENT_ROOT'] . "/listings/uploads";

(or just "../listings/uploads").

In a file local/Friends.php you can have:

<?php if (!defined('PmWiki')) exit();
$UploadUrlFmt = "http://www.kirpi.it/listings/friends";
$UploadDir = $_SERVER['DOCUMENT_ROOT'] . "/listings/friends";

etc. It is risky because when you are in a "default" Group, you cannot refer 
with Attach, attachlist or thumb(list) to a file in the Friends directory and 
vice versa. I am not even sure that you can change this setting in a file 
like local/Friends.php.

Petko
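
A check for the "Deny from all" setup described in this message, added here as an example; it is not part of the original post and not PmWiki code. The script lists upload directories that no .htaccess deny rule covers, so Apache would serve them directly, without PmWiki's password check. The sample tree, its directory names and the function names are constructed; it assumes Apache honours .htaccess files and also accepts the Apache 2.4 form "Require all denied".

```shell
#!/bin/sh
# Added example: audit a PmWiki uploads tree for directories that Apache
# would still serve directly. All paths and names below are constructed.

# Succeeds if the directory's .htaccess denies all direct access
# (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
denies_all() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$1/.htaccess"
}

# Print every directory under $1 that has no deny rule in itself or in a
# parent directory up to $1 (.htaccess rules apply to subdirectories too).
list_exposed() {
    root=${1%/}
    find "$root" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        d=$dir covered=no
        while :; do
            if denies_all "$d"; then covered=yes; break; fi
            [ "$d" = "$root" ] && break
            d=${d%/*}            # walk up one level
        done
        [ "$covered" = yes ] || printf '%s\n' "$dir"
    done
}

# Build a constructed sample tree and print the path of its uploads root.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/uploads/Main" "$t/uploads/Private/Album" "$t/uploads/Friends"
    echo 'Deny from all'      > "$t/uploads/Private/.htaccess"
    echo 'Require all denied' > "$t/uploads/Friends/.htaccess"
    printf '%s\n' "$t/uploads"
}

# Demo: only the uploads root and uploads/Main are reported as exposed.
tree=$(make_sample_tree)
list_exposed "$tree"
rm -rf "${tree%/uploads}"
```

A child .htaccess that re-allows access below a denied parent is not detected by this check.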




