[pmwiki-users] pmwiki-2.0.beta31 released

Patrick R. Michaud pmichaud at pobox.com
Fri Apr 15 15:40:42 CDT 2005


On Fri, Apr 15, 2005 at 09:19:59PM +0100, Hans wrote:
> Friday, April 15, 2005, 8:56:21 PM, Patrick wrote:
> > However, a big disadvantage is that all attachments are publicly 
> > accessible as long as someone knows the URL.
> 
> Do I understand this right that default attachments are publicly
> accessible even though the page or group is read-password protected?

Yes, it's always been this way.  See PITS:00109.

> > As a result, beta31 now offers an ?action=download option, which can be used
> > to retrieve a page's attachment.  For example, with $EnableDirectDownload
> > set to zero, PmWiki will convert the "Attach:gemini.zip" markup into
> > http://www.pmwiki.org/wiki/Cookbook/GeminiSkin?action=download&upname=gemini.zip
> 
> So ?action=download gets used automatically if
> $EnableDirectDownload=0, and there is no need to use it manually in
> links inside pages? Just use normal Attach:filename markup syntax?

Yes.  $EnableDirectDownload changes what Attach:filename generates.

> > This provides some important features:
> >   - it allows PmWiki to use site/group/page permissions to control
> >     access to attachments
> 
> So now a page or group read-password will protect the attachments of
> the page and group?

It can, if the admin takes whatever other steps are needed to
protect the uploads/ directory (see my previous message).

> >   - it means the uploads/ directory no longer needs to be web accessible
> >     and can be anywhere in the filesystem
> 
> How does this work? How does the Attach:filename markup work?
> $UploadUrlFmt could have been pointing anywhere in the filesystem, so
> what is the difference?

At the moment, Attach:filename looks at $EnableDirectDownload to
determine if it should generate a link based on $UploadUrlFmt or
based on ?action=download.  I may change this so that it always
uses $UploadUrlFmt, and the value of $UploadUrlFmt changes depending
on the setting of $EnableDirectDownload (I haven't decided yet).

> >   - the file's Content-Type and semantics can be controlled by PmWiki
> >     which may be easier to configure (e.g., it makes it easier for .php
> >     attachments to be downloaded instead of executed on the server)
> 
> And how does that work?

Well, since with ?action=download PmWiki is taking the place of
the webserver, it has to generate the Content-Type: header that the
webserver would've normally done.  PmWiki does this via the
$UploadExts array.  Thus, if an admin wants .php attachments to
display as text, he sets

    $UploadExts['php'] = 'text/plain';

Similarly, for an OpenOffice .sxw document:

    $UploadExts['sxw'] = 'application/vnd.sun.xml.writer';

And if the admin wants to configure Microsoft word documents to
download instead of being automatically opened within IE:

    $UploadExts['doc'] = 'application/octet-stream';

> Forgive me all these questions, I do wish to understand, it seems
> quite important.

Questions are always welcome here.

Pm



More information about the pmwiki-users mailing list