[pmwiki-users] Securing images

Petko Yotov 5ko at free.fr
Sat Jan 13 02:49:23 CST 2007


On Friday 12 January 2007 18:31, kirpi at kirpi.it wrote:
> Petko's excellent ThumbList recipe [1] works nice.
> Now I'm stuck with a "basic", though relevant issue: security.
>
> All the images are stored, either by ftp or the "upload" action, into
> a /listing/uploads/ directory which is external to the pmwiki
> install.[2][3]
>
> Although the vast majority of images are to be displayed openly to the
> world, there is a certain amount of pictures that would better be
> shared just between family and friends, as well as some other
> photographs that I would keep just for my own use.
>
> Would it be an attainable goal?
> If so, how could such a lock be built?[4]
>
> Luigi
>
>
>
> [1] http://www.pmwiki.org/wiki/Cookbook/ThumbList
> [2] http://www.kirpi.it/listing/uploads/
> [3] The /listing/ directory is fine as it allows a straight,
> text-only, filesystem-like browsing of all the images, independent
> from the wiki engine.
> [4] After having read (and re-read) pages like
> http://pmwiki.org/wiki/PmWiki/Uploads
> http://pmwiki.org/wiki/PmWiki/UploadsAdmin
> http://www.pmwiki.org/wiki/Cookbook/SecureAttachments
> I'm still uncertain on the ways to organize things.
> If ever such things *can* be done...

ThumbList should work fine with the recipe Cookbook/SecureAttachments. 

This is how I am securing downloads/pictures on a private, 
password-protected PmWiki installation:

I have in (farm)config.php the line "$EnableDirectDownload=0;" and inside 
the /uploads directory I have a file named ".htaccess" containing the 
line "Deny from all".


You may wish to enable SecureAttachments for one group, i.e. PrivatePictures, 
and create a file local/PrivatePictures.php containing:

<?php if (!defined('PmWiki')) exit();
$EnableDirectDownload=0;

And inside your directory /listing/uploads/PrivatePictures create a file 
named ".htaccess" containing the line:

Deny from all


Then, you set a read password for the group PrivatePictures:
http://www.kirpi.it/wiki/pmwiki.php?n=PrivatePictures.GroupAttributes&action=attr

PmWiki/ThumbList will not allow visitors to view a file from PrivatePictures, 
if they don't know the password.

This way it is easier to administrate it, because you simply change the 
password in the wiki form, without worrying about Apache passwords and files. 
It gives slightly more server load, as all files are downloaded through 
pmwiki.php, but because the pages are private, you will have few visitors and 
it is worth it.

Petko
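
The per-group setup in the message above has two halves, and each one alone leaves a gap: without the .htaccess the files stay reachable by direct URL, and without $EnableDirectDownload=0 the wiki keeps emitting direct links. The following check for both is an added example, not part of the original post or of PmWiki; the function name and its arguments are hypothetical, and it also accepts "Require all denied", the Apache 2.4 spelling of the same rule.

```shell
#!/bin/sh
# Audit one wiki group for the setup described in the message above.
# Usage: audit_group WIKI_DIR UPLOADS_DIR GROUP
#   e.g. audit_group /path/to/pmwiki /path/to/listing/uploads PrivatePictures
# Returns 0 when both halves are in place, 1 otherwise; findings go to stdout.
# Only the per-group files are inspected; a site-wide setting in
# (farm)config.php or a deny rule in a parent directory is not considered.

audit_group() {
    wiki_dir=$1
    uploads_dir=$2
    group=$3
    cfg="$wiki_dir/local/$group.php"
    hta="$uploads_dir/$group/.htaccess"
    rc=0

    # Half 1: PmWiki must serve the attachments itself, so that the
    # group's read password is checked on every download.
    # The pattern is anchored at line start, so a commented-out
    # assignment ("# $EnableDirectDownload=0;") does not count.
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg does not exist"
        rc=1
    elif ! grep -Eq '^[[:space:]]*\$EnableDirectDownload[[:space:]]*=[[:space:]]*0[[:space:]]*;' "$cfg"; then
        echo "FAIL: $cfg does not set \$EnableDirectDownload=0"
        rc=1
    fi

    # Half 2: the web server must refuse direct requests for the files.
    if [ ! -f "$hta" ]; then
        echo "FAIL: $hta does not exist"
        rc=1
    elif ! grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$hta"; then
        echo "FAIL: $hta has no deny-all rule"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $group is served only through pmwiki.php"
    fi
    return "$rc"
}
```

A passing result only says the files are in place; Apache ignores .htaccess when AllowOverride does not permit it, so a direct request for one of the private files should still be tried once by hand and should be refused.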



