[pmwiki-users] Upload protection not working

Patrick R. Michaud pmichaud at pobox.com
Mon Jun 6 18:14:40 CDT 2016


Out of curiosity, what happens if you attempt to access the page
via incognito mode or equivalent?  I'm wondering if somehow you're
obtaining authorization through another path... e.g., perhaps an 
admin authorization that has been cached somewhere.

Also, what happens if you remove the "?action=download" portion?
Do you get something denying immediate access to the Test/Directors
page (e.g., an authentication prompt), or do you see the page itself?
If the latter, then authorization isn't being blocked for some reason
unrelated to uploads/downloads.

Lastly, is there anything in the Test.php (group config) that might be
throwing off the authorization stuff?

Pm



On Mon, Jun 06, 2016 at 05:46:30PM -0500, ccox at endlessnow.com wrote:
> So I stripped out AuthUser as well and set a simple password on the page
> and I can still get to the attachment using:
> 
> https://www.example.com/Test/Directors?action=download&upname=directors.jpg
> 
> My config.php attached.
> 
> 
> > I've stripped my config.php down to just my AuthUser ldap stuff.. with per
> > page uploads defined and I can get to the attachment even though I don't
> > have read permissions for the page.
> >
> >
> > I know it's asking a lot, but is it possible to do a test with AuthUser
> > involved?  I'm using ldap but I know that's probably harder to do.
> >
> > Let me know if you want my config.php (devoid of comments), etc.
> >
> >
> >> It works as expected on pmwiki.org:
> >>
> >>
> >> http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
> >>
> >> If you have per-group uploads and want to protect a file, there is no
> >> point in protecting a single page - a visitor can download the file from
> >> another, unprotected page. In this case PmWiki will require "read"
> >> permissions for the whole group, which you set in
> >> GroupAttributes?action=attr.
> >>
> >> If you have per-page uploads, PmWiki requires "read" permissions for the
> >> page.
> >>
> >> "upload" permissions are only required for people to upload files, not
> >> to download them. To download them they need "read" permissions.
> >>
> >> Petko
> >>
> >> ---
> >> Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
> >> Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
> >> If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades
> >>
> >>
> >> On 2016-06-06 21:44, ccox at endlessnow.com wrote:
> >>> Consider the following URL.  I have direct downloads disabled and
> >>> .htaccess is blocking the uploads area.  So attachments get translated
> >>> like so:
> >>>
> >>> https://www.example.com/Test/Directors?action=download&upname=directors.jpg
> >>>
> >>> However, I have protected read, edit, attr and upload for the page
> >>> Test/Directors.. and I can still get to the content.
> >>>
> >>> Do I have to protect the group instead?  Perhaps I need to go to
> >>> per-page uploads? Would that fix things?
> >>
> >> _______________________________________________
> >> pmwiki-users mailing list
> >> pmwiki-users at pmichaud.com
> >> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
> >>
> >
> >

> <?php if (!defined('PmWiki')) exit();  # standard PmWiki guard: only run when included by pmwiki.php
> $WikiTitle = 'Agora';
> $ScriptUrl = 'https://'.$_SERVER['HTTP_HOST'];
> $PubDirUrl = 'https://'.$_SERVER['HTTP_HOST'].'/pmwiki/pub';
> $EnablePathInfo = 1;                   # URLs of the form /Group/Name instead of ?n=Group.Name
> $PageLogoUrl = "$PubDirUrl/skins/pmwiki/skopos-small.png";
> # site-wide admin password (hashed) plus the @admins group from AuthUser
> $DefaultPasswords['admin'] = array(pmcrypt('secret'), '@admins');
> $HandleAuth['diff'] = 'edit';          # viewing page history requires "edit" permission
> $DefaultPasswords['edit'] = 'id:*';    # any authenticated user may edit
> $Author = $AuthId;                     # sign edits with the authenticated user id
> include_once("scripts/xlpage-utf-8.php");
> $EnableGUIButtons = 1;
> include_once("scripts/creole.php");
> # --- uploads ---
> $EnableUpload = 1;
> $DefaultPasswords['upload'] = 'id:*';  # any authenticated user may upload; gates uploading only, not downloading
> $EnableDirectDownload = 0;             # serve files via ?action=download so PmWiki checks permissions (uploads/ itself is blocked in .htaccess)
> $EnableUploadGroupAuth = 1;            # 1 = check the group's GroupAttributes "read" password for downloads instead of the attached-to page's (the per-group model Petko describes)
> $UploadPrefixFmt = '/$Group/$Name';    # per-page upload directories: uploads/Group/Name/
> $EnablePageListProtect = 1;            # hide pages the visitor cannot read from page lists
> if ($action == 'refcount') include_once("scripts/refcount.php");
> if ($action == 'rss')  include_once("scripts/feeds.php");  # RSS 2.0
> if ($action == 'atom') include_once("scripts/feeds.php");  # Atom 1.0
> if ($action == 'dc')   include_once("scripts/feeds.php");  # Dublin Core
> if ($action == 'rdf')  include_once("scripts/feeds.php");  # RSS 1.0
> $AutoCreate['/^Category\\./'] = array('ctime' => $Now);   # auto-create Category.* pages when first linked
> Markup("'~", "inline", "/'~(.*?)~'/", "<i>$1</i>");        # '~italic~'
> Markup("'*", "inline", "/'\\*(.*?)\\*'/", "<b>$1</b>");    # '*bold*'

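The per-page versus per-group distinction Petko describes above, written out as a config.php fragment with the two layouts side by side. This is an added example, not the poster's config.php and not PmWiki's own documentation. The group, page and file names are the placeholders used in the thread, the uploads URL is assumed to sit next to the /pmwiki/pub path from the posted config, and the example assumes that $EnableUploadGroupAuth switches download authorization from the page a file is attached to over to that group's GroupAttributes page (the mechanism behind the per-group protection Petko mentions); if that assumption holds, enabling it alongside per-page uploads is one configuration worth ruling out when a password on a single page does not stop a download.

```php
<?php if (!defined('PmWiki')) exit();
# Added example (not the poster's config.php, not PmWiki documentation).
# Pick ONE of the two upload layouts below; mixing them is exactly the
# kind of thing to rule out when a protected page's attachment is still
# downloadable.

$EnableUpload = 1;

# Route every download through ?action=download so PmWiki can apply the
# "read" check. The uploads/ directory must ALSO be blocked at the web
# server (the poster's .htaccess does this); otherwise a URL such as
#   https://www.example.com/pmwiki/uploads/Test/Directors/directors.jpg
# (assumed path) bypasses PmWiki entirely.
$EnableDirectDownload = 0;

# Layout A: per-page uploads. uploads/Test/Directors/ belongs to the page
# Test.Directors alone, so that page's own read password protects its
# files. Leave $EnableUploadGroupAuth at 0: with 1 the download would be
# authorized against Test.GroupAttributes instead (assumption, see the
# lead-in), and a password set only on Test/Directors?action=attr would
# never be consulted.
$UploadPrefixFmt = '/$Group/$Name';
$EnableUploadGroupAuth = 0;

# Layout B: per-group uploads (PmWiki's default prefix). Every page of the
# Test group shares uploads/Test/, so a password on one page is pointless:
# any unprotected page of the group can serve the same file. Put the read
# password on Test/GroupAttributes?action=attr and turn group auth on.
# $UploadPrefixFmt = '/$Group';
# $EnableUploadGroupAuth = 1;

# "upload" only gates uploading; downloading needs "read" (Petko, above).
# Requiring a login to upload does not hide the files from anonymous
# readers of the page.
$DefaultPasswords['upload'] = 'id:*';
```

Whichever layout is chosen, the test is the same one Patrick proposes: request the ?action=download URL from a client with no cookies and confirm it gets the login prompt rather than the file.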

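A scripted form of the incognito-mode check Patrick suggests above, added here as an example that is not part of the thread or of PmWiki. It assumes PHP 7.1 or later on the command line with the http stream wrapper, URLs in the $EnablePathInfo = 1 form used in the posted config, and that the site serves attachments with the file's own MIME type while login prompts and permission errors come back as text/html. The host, page and file name are the placeholders from the thread.

```php
<?php
# Added example, not part of the thread: an anonymous probe that sends no
# cookies, so a cached admin session in a browser cannot grant access.
# Usage: php probe-download.php https://www.example.com Test/Directors directors.jpg

function fetchAnonymous(string $url): array {
    // No cookie jar and no Authorization header: a brand-new anonymous client.
    $ctx = stream_context_create(['http' => [
        'method'        => 'GET',
        'ignore_errors' => true,   // hand back 4xx/5xx responses instead of failing
        'timeout'       => 15,
        'header'        => "Accept: */*\r\n",
    ]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("request failed: $url");
    }
    // $http_response_header is filled in by the HTTP wrapper in this scope.
    $status = 0;
    $ctype  = '';
    foreach ($http_response_header as $h) {
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) {
            $status = (int)$m[1];          // keep the last status line (after redirects)
        } elseif (stripos($h, 'Content-Type:') === 0) {
            $ctype = strtolower(trim(substr($h, strlen('Content-Type:'))));
        }
    }
    return ['status' => $status, 'type' => $ctype, 'bytes' => strlen($body)];
}

// A download is "exposed" when an anonymous client gets a 200 whose body is
// not HTML: the attachment comes back as image/jpeg (etc.), while PmWiki's
// login form and "bad permissions" page come back as text/html.
function isExposed(array $r): bool {
    return $r['status'] === 200 && strpos($r['type'], 'text/html') !== 0;
}

if (PHP_SAPI === 'cli' && $argc === 4) {
    [, $base, $page, $file] = $argv;
    $pageUrl = rtrim($base, '/') . '/' . $page;
    $dlUrl   = $pageUrl . '?action=download&upname=' . rawurlencode($file);

    $p = fetchAnonymous($pageUrl);   // Patrick's second question: does the page itself prompt?
    $d = fetchAnonymous($dlUrl);     // the actual attachment
    printf("page     %s -> %d %s\n", $pageUrl, $p['status'], $p['type']);
    printf("download %s -> %d %s (%d bytes)\n", $dlUrl, $d['status'], $d['type'], $d['bytes']);
    echo isExposed($d) ? "EXPOSED: attachment served to an anonymous client\n"
                       : "blocked: anonymous client did not receive the file\n";
    exit(isExposed($d) ? 1 : 0);
}
```

The Content-Type heuristic is what makes this more reliable than looking at status codes alone, since PmWiki can answer an unauthorized page request with a 200 that carries the login form. For an attachment that is itself HTML, compare the byte count against the real file instead.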