[pmwiki-users] Protection of attachments!?!

Patrick R. Michaud pmichaud at pobox.com
Wed Nov 30 07:41:02 CST 2005


On Wed, Nov 30, 2005 at 02:16:39PM +0100, Mikael Nilsson wrote:
> Sorry for the spam, here's the solution:
> 
> http://www.pmwiki.org/wiki/Cookbook/SecureAttachments

It's also mentioned on the PmWiki.UploadsAdmin page, in the section
"Password protecting uploaded files".  But perhaps the description
needs improvement (feel free to improve it).

Pm


> ons 2005-11-30 klockan 11:06 +0100 skrev Mikael Nilsson:
> > Hi!
> > 
> > I've just discovered that pmwiki allows everyone to access attachments
> > uploaded to groups to which they do not even have read access. I'm using
> > the authuser mechanism to protect one of the groups in the wiki from
> > outsiders reading it (because it's a private discussion). However, all
> > attachments are unprotected, and can be linked to by anyone, and the
> > browser directed to the right dir on the server to find *all*
> > attachments.
> > 
> > I must say I find this... problematic. I can solve it temporarily by
> > using the same .htpasswd in the group's upload dir as I do for the wiki,
> > but the list of allowed ids must be kept in sync between config.php
> > and .htaccess.
> > 
> > I'd recommend that you add something like
> > action=download&file=attachment.txt to pmwiki, and use that for Attach:
> > links, so that pmwiki can reuse the GroupAttributes settings. Setting
> > access rights to individual uploads is not something I see as a
> > priority.
> > 
> > Or are there other solutions? I did not find a cookbook recipe.
> > 
> > /Mikael
> > 
> > 
> -- 
> Plus ça change, plus c'est la même chose
> 
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> 




More information about the pmwiki-users mailing list