[pmwiki-users] Upload protection not working

ccox at endlessnow.com ccox at endlessnow.com
Mon Jun 6 17:46:30 CDT 2016


So I stripped out AuthUser as well and set a simple password on the page, and I
can still get to the attachment using:

https://www.example.com/Test/Directors?action=download&upname=directors.jpg

My config.php attached.


> I've stripped my config.php down to just my AuthUser LDAP stuff, with
> per-page uploads defined, and I can get to the attachment even though I don't
> have read permissions for the page.
>
>
> I know it's asking a lot, but is it possible to do a test with AuthUser
> involved?  I'm using LDAP but I know that's probably harder to do.
>
> Let me know if you want my config.php (devoid of comments), etc.
>
>
>> It works as expected on pmwiki.org:
>>
>>
>> http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
>>
>> If you have per-group uploads and want to protect a file, there is no
>> interest to protect a single page - a visitor can download the file from
>> another, unprotected page. In this case PmWiki will require "read"
>> permissions for the whole group, which you set in
>> GroupAttributes?action=attr.
>>
>> If you have per-page uploads, PmWiki requires "read" permissions for the
>> page.
>>
>> "upload" permissions are only required for people to upload files, not
>> to download them. To download them they need "read" permissions.
>>
>> Petko
>>
>> ---
>> Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
>> Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
>> If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades
>>
>>
>> On 2016-06-06 21:44, ccox at endlessnow.com wrote:
>>> Consider the following URL.  I have direct downloads disabled and
>>> htaccess is blocking the uploads area.  So attachments get translated
>>> like so:
>>>
>>> https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>>>
>>> However, I have protected read, edit, attr and upload for the page
>>> Test/Directors... and I can still get to the content.
>>>
>>> Do I have to protect the group instead?  Perhaps I need to go to
>>> per-page uploads? Would that fix things?
>>
>> _______________________________________________
>> pmwiki-users mailing list
>> pmwiki-users at pmichaud.com
>> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config-php.txt
URL: <http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20160606/cb63c794/attachment.txt>

