[pmwiki-users] PmWiki 2.2.3 released
Eemeli Aro
eemeli at gmail.com
Sun Sep 6 09:17:40 CDT 2009
2009/9/6 Tegan Dowling <tmdowling at gmail.com>:
> Now I've upgraded to 2.2.5, and looking over all the 2.2.x changes, I see we
> have
> http://www.pmwiki.org/wiki/PmWiki/UploadVariables#EnableUploadGroupAuth,
> which says: "Set $EnableUploadGroupAuth = 1; to authenticate downloads with
> the group password. This could be used together with $EnableDirectDownload =
> 0;."
>
> I'm confused -- if I'm already setting $EnableDirectDownload to 0, what does
> EnableUploadGroupAuth do?
With $EnableDirectDownload disabled, downloading an attachment
requires 'read' permissions on the page to which the upload is
attached. However, in the default case uploads are kept in per-group
directories, which means that the same file is accessible from every
page in a group. Previously, and without $EnableUploadGroupAuth, it
would be possible that a page in a group has more lax read permissions
than other pages, and an attachment apparently belonging to a
restricted page would be accessible via this page. With
$EnableUploadGroupAuth enabled, the download permissions are always
checked instead from the GroupAttributes page, which is common to all
files in the group.
eemeli
More information about the pmwiki-users
mailing list