[pmwiki-users] Upload protection not working

ccox at endlessnow.com ccox at endlessnow.com
Mon Jun 6 17:37:29 CDT 2016


I've stripped my config.php down to just my AuthUser ldap stuff.. with per
page uploads defined and I can get to the attachment even though I don't
have read permissions for the page.


I know it's asking a lot, but is it possible to do a test with AuthUser
involved?  I'm using ldap but I know that's probably harder to do.

Let me know if you want my config.php (devoid of comments), etc.


> It works as expected on pmwiki.org:
>
>
> http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
>
> If you have per-group uploads and want to protect a file, there is no
> interest to protect a single page - a visitor can download the file from
> another, unprotected page. In this case PmWiki will require "read"
> permissions for the whole group, which you set in
> GroupAttributes?action=attr.
>
> If you have per-page uploads, PmWiki requires "read" permissions for the
> page.
>
> "upload" permissions are only required for people to upload files, not
> to download them. To download them they need "read" permissions.
>
> Petko
>
> ---
> Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
> Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
> If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades
>
>
> On 2016-06-06 21:44, ccox at endlessnow.com wrote:
>> Consider the following url.  I have direct downloads disable and
>> htaccess
>> is blocking the uploads area.  So, attachments to get translated like
>> so:
>>
>> https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>>
>> However, I have protected read, edit, attr and upload for the page
>> Test/Directors.. and I can still get to the content.
>>
>> Do I have to protect the group instead?  Perhaps I need to go to per
>> page
>> uploads? Would that fix things?
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>





More information about the pmwiki-users mailing list