[pmwiki-users] Securing images
Petko Yotov
5ko at free.fr
Sat Jan 13 02:49:23 CST 2007
On Friday 12 January 2007 18:31, kirpi at kirpi.it wrote:
> Petko's excellent ThumbList recipe [1] works nicely.
> Now I'm stuck with a "basic", though relevant issue: security.
>
> All the images are stored, either by ftp or the "upload" action, into
> a /listing/uploads/ directory which is external to the pmwiki
> install.[2][3]
>
> Although the vast majority of images are to be displayed openly to the
> world, there is a certain amount of pictures that would better be
> shared just between family and friends, as well as some other
> photographs that I would keep just for my own use.
>
> Would it be an attainable goal?
> If so, how could such a lock be built?[4]
>
> Luigi
>
>
>
> [1] http://www.pmwiki.org/wiki/Cookbook/ThumbList
> [2] http://www.kirpi.it/listing/uploads/
> [3] The /listing/ directory is fine as it allows a straight,
> text-only, filesystem-like browsing of all the images, independent
> from the wiki engine.
> [4] After having read (and re-read) pages like
> http://pmwiki.org/wiki/PmWiki/Uploads
> http://pmwiki.org/wiki/PmWiki/UploadsAdmin
> http://www.pmwiki.org/wiki/Cookbook/SecureAttachments
> I'm still uncertain on the ways to organize things.
> If ever such things *can* be done...

ThumbList should work fine with the recipe Cookbook/SecureAttachments.

This is how I am securing downloads/pictures on a private,
password-protected PmWiki installation:

I have in (farm)config.php the line "$EnableDirectDownload=0;" and inside
the /uploads directory I have a file named ".htaccess" containing the
line "Deny from all".

You may wish to enable SecureAttachments for one group, i.e. PrivatePictures,
and create a file local/PrivatePictures.php containing:

  <?php if (!defined('PmWiki')) exit();
  $EnableDirectDownload=0;

And inside your directory /listing/uploads/PrivatePictures create a file
named ".htaccess" containing the line:

  Deny from all

Then, you set a read password for the group PrivatePictures:
http://www.kirpi.it/wiki/pmwiki.php?n=PrivatePictures.GroupAttributes&action=attr

PmWiki/ThumbList will not allow visitors to view a file from PrivatePictures,
if they don't know the password.

This way it is easier to administrate it, because you simply change the
password in the wiki form, without worrying about Apache passwords and files.

It gives slightly more server load, as all files are downloaded through
pmwiki.php, but because the pages are private, you will have few visitors and
it is worth it.

Petko
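
An added check for the setup described in the message above (example code, not part of the original post and not PmWiki's own): it looks for config files that set $EnableDirectDownload=0 and confirms the matching uploads directory carries a blanket deny in .htaccess. The function names and the sample tree are assumptions made for illustration; the local/ and uploads/<Group> layout follows the post, and the check also accepts "Require all denied", the Apache 2.4 form of the same rule.

```sh
# Added example: find PmWiki upload directories that are still served directly.

# True if FILE has an uncommented blanket deny: "Deny from all" (as in the
# post) or "Require all denied" (the Apache 2.4 spelling of the same rule).
htaccess_denies_all() {
    [ -f "$1" ] && grep -Eiq \
        '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$1"
}

# True if the PHP file sets $EnableDirectDownload to 0 at the start of a line.
disables_direct_download() {
    [ -f "$1" ] && grep -Eq \
        '^[[:space:]]*\$EnableDirectDownload[[:space:]]*=[[:space:]]*0[[:space:]]*;' "$1"
}

# audit_uploads LOCAL_DIR UPLOADS_DIR: report each config that disables direct
# download; return the number of matching upload directories with no deny rule.
audit_uploads() {
    exposed=0
    for cfg in "$1"/*.php; do
        disables_direct_download "$cfg" || continue
        name=$(basename "$cfg" .php)
        case $name in
            config|farmconfig) dir=$2 ;;   # site-wide: whole uploads tree
            *.*) continue ;;               # per-page file: no directory of its own
            *) dir=$2/$name ;;             # per-group: uploads/<Group>
        esac
        if htaccess_denies_all "$dir/.htaccess"; then
            echo "OK      $dir"
        else
            echo "EXPOSED $dir"; exposed=$((exposed + 1))
        fi
    done
    return "$exposed"
}

# Constructed sample tree (not from the post): Family lacks its .htaccess.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/local" "$t/uploads/PrivatePictures" "$t/uploads/Family"
    for g in PrivatePictures Family; do
        printf '%s\n' "<?php if (!defined('PmWiki')) exit();" \
            '$EnableDirectDownload=0;' > "$t/local/$g.php"
    done
    echo 'Deny from all' > "$t/uploads/PrivatePictures/.htaccess"
    audit_uploads "$t/local" "$t/uploads"; rc=$?
    rm -rf "$t"; return "$rc"
}

if [ "$#" -eq 2 ]; then audit_uploads "$1" "$2"; else demo || true; fi
```

A passing audit only shows the file is in place: Apache honours .htaccess only where AllowOverride permits it, so a direct request for a file under the protected directory should also be confirmed to return 403.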