[pmwiki-users] Protection of attachments!?!

Mikael Nilsson mini at nada.kth.se
Wed Nov 30 07:16:39 CST 2005

Sorry for the spam, here's the solution:



On Wed, 2005-11-30 at 11:06 +0100, Mikael Nilsson wrote:
> Hi!
> I've just discovered that pmwiki allows everyone to access attachments
> uploaded to groups to which they do not even have read access. I'm using
> the authuser mechanism to protect one of the groups in the wiki from
> outsiders reading it (because it's a private discussion). However, all
> attachments are unprotected, and can be linked to by anyone, and the
> browser directed to the right dir on the server to find *all*
> attachments.
> I must say I find this... problematic. I can solve it temporarily by
> using the same .htpasswd in the group's upload dir as I do for the wiki,
> but the list of allowed ids must be kept in sync between config.php
> and .htaccess.
> I'd recommend that you add something like
> action=download&file=attachment.txt to pmwiki, and use that for Attach:
> links, so that pmwiki can reuse the GroupAttributes settings. Setting
> access rights to individual uploads is not something I see as a
> priority.
> Or are there other solutions? I did not find a cookbook recipe.
> /Mikael
The more things change, the more they stay the same
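
The approach proposed in the message above is to serve attachments through a download action that reuses the group's read permission, instead of letting the web server hand out the upload directory. Here it is as an added PHP example, which is not part of the original post and is not PmWiki's own code. `UPLOAD_ROOT`, `can_read_group()` and the sample ACL are hypothetical, and it assumes the upload directory sits outside the web root or is denied to direct requests.

```php
<?php
// Added example, not PmWiki code. All names below are hypothetical.

const UPLOAD_ROOT = '/var/www/wiki-private/uploads'; // assumed: not directly web-accessible

// Hypothetical stand-in for the wiki's own per-group read-permission check.
function can_read_group(string $user, string $group): bool {
    $acl = ['Private' => ['alice', 'bob']];   // constructed sample ACL
    // Groups without an entry are public; listed groups admit only named users.
    return !isset($acl[$group]) || in_array($user, $acl[$group], true);
}

// Returns the absolute path to serve, or null if the request must be refused.
function resolve_attachment(string $user, string $group, string $file): ?string {
    // Accept only plain names: no path separators and no leading dot.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]*$/', $group)) return null;
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $file)) return null;

    // One authorization decision, taken from the same source as page reads,
    // so there is no second user list to keep in sync.
    if (!can_read_group($user, $group)) return null;

    $base = realpath(UPLOAD_ROOT . '/' . $group);
    $path = realpath(UPLOAD_ROOT . '/' . $group . '/' . $file);
    if ($base === false || $path === false) return null;
    // realpath() resolves symlinks; the result must still be inside the group's directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) return null;
    return is_file($path) ? $path : null;
}

// Handler for a request such as ?action=download&file=attachment.txt
function serve_attachment(string $user, string $group, string $file): void {
    $path = resolve_attachment($user, $group, $file);
    if ($path === null) {
        // Same response for "no access" and "no such file", so file names do not leak.
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The `$user` argument must come from the wiki's authenticated session, never from a request parameter.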
