<div class="gmail_quote">On Sun, Sep 6, 2009 at 9:17 AM, Eemeli Aro <span dir="ltr"><<a href="mailto:eemeli@gmail.com">eemeli@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/9/6 Tegan Dowling <<a href="mailto:tmdowling@gmail.com">tmdowling@gmail.com</a>>:<br>
<div class="im">> Now I've upgraded to 2.2.5, and looking over all the 2.2.x changes, I see we<br>
> have<br>
> <a href="http://www.pmwiki.org/wiki/PmWiki/UploadVariables#EnableUploadGroupAuth" target="_blank">http://www.pmwiki.org/wiki/PmWiki/UploadVariables#EnableUploadGroupAuth</a>,<br>
> which says: "Set $EnableUploadGroupAuth = 1; to authenticate downloads with<br>
> the group password. This could be used together with $EnableDirectDownload =<br>
> 0;."<br>
><br>
> I'm confused -- if I'm already setting $EnableDirectDownload to 0, what does<br>
> EnableUploadGroupAuth do?<br>
<br>
</div>With $EnableDirectDownload disabled, downloading an attachment<br>
requires 'read' permissions on the page to which the upload is<br>
attached. However, in the default case uploads are kept in per-group<br>
directories, which means that the same file is accessible from every<br>
page in a group. Previously, and without $EnableUploadGroupAuth, it<br>
would be possible that a page in a group has more lax read permissions<br>
than other pages, and an attachment apparently belonging to a<br>
restricted page would be accessible via this page. With<br>
$EnableUploadGroupAuth enabled, the download permissions are always<br>
checked instead from the GroupAttributes page, which is common to all<br>
files in the group.</blockquote><div><br>So, then, would there be any reason to set $EnableUploadGroupAuth = 1 without also setting $EnableDirectDownload=0? And must uploads/.htaccess be the same in any case?<br></div></div>