[pmwiki-users] Protection of attachments!?!

Mikael Nilsson mini at nada.kth.se
Wed Nov 30 04:06:39 CST 2005


Hi!

I've just discovered that pmwiki allows everyone to access attachments
uploaded to groups to which they do not even have read access. I'm using
the authuser mechanism to protect one of the groups in the wiki from
outsiders reading it (because it's a private discussion). However, all
attachments are unprotected, and can be linked to by anyone, and the
browser directed to the right dir on the server to find *all*
attachments.

I must say I find this... problematic. I can solve it temporarily by
using the same .htpasswd in the group's upload dir as I do for the wiki,
but the list of allowed ids must be kept in sync between config.php
and .htaccess.

I'd recommend that you add something like
action=download&file=attachment.txt to pmwiki, and use that for Attach:
links, so that pmwiki can reuse the GroupAttributes settings. Setting
access rights to individual uploads is not something I see as a
priority.

Or are there other solutions? I did not find a cookbook recipe.

/Mikael


-- 
Plus ça change, plus c'est la même chose
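
The design proposed in the message above (serve attachments through the wiki so that the group's read permission applies to them), sketched as an added example; it is not PmWiki code and not part of the original post. The function name `resolve_download`, the `$readAcl` table and the `uploadRoot/Group/file` layout are assumptions made for illustration.

```php
<?php
// Added illustration, not PmWiki code. All names here are hypothetical.
// Constructed sample ACL: ids allowed to read each group ('*' = anyone).
$readAcl = [
    'Private' => ['alice', 'bob'],
    'Main'    => ['*'],
];

// Returns [HTTP status, absolute path or null] for a download request.
function resolve_download(string $uploadRoot, array $readAcl, ?string $user,
                          string $group, string $file): array
{
    // Group and file must be plain names: no separators, no "..".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]*$/', $group)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $file)
        || strpos($file, '..') !== false) {
        return [400, null];
    }
    // Same decision as for page reads; unknown groups are denied by default.
    // Checked before touching the disk so outsiders cannot probe file names.
    $allowed = $readAcl[$group] ?? [];
    $ok = in_array('*', $allowed, true)
        || ($user !== null && in_array($user, $allowed, true));
    if (!$ok) {
        return [$user === null ? 401 : 403, null];
    }
    // Resolve symlinks and confirm the target stays inside the group's dir.
    $base = realpath("$uploadRoot/$group");
    $path = realpath("$uploadRoot/$group/$file");
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return [404, null];
    }
    return [200, $path];
}

// Demo on a constructed upload tree in the temp directory.
$root = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
@mkdir("$root/Private", 0700, true);
file_put_contents("$root/Private/minutes.txt", "constructed sample\n");
$requests = [[null, 'Private', 'minutes.txt'], ['mallory', 'Private', 'minutes.txt'],
             ['alice', 'Private', 'minutes.txt'], ['alice', 'Private', '../x']];
foreach ($requests as [$u, $g, $f]) {
    [$status] = resolve_download($root, $readAcl, $u, $g, $f);
    printf("%-8s %s/%s -> %d\n", $u ?? '(anon)', $g, $f, $status);
}
```

A gate like this only helps if the upload directory is not also served directly by the web server, for example by keeping it outside the document root or denying access to it in the server configuration.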




