[pmwiki-users] Upload protection not working
ccox at endlessnow.com
ccox at endlessnow.com
Mon Jun 6 17:46:30 CDT 2016
So I stripped out AuthUser as well and set a simple password on page and I
can still get to the attachment using:
My config.php attached.
> I've stripped my config.php down to just my AuthUser ldap stuff.. with per
> page uploads defined and I can get to the attachment even though I don't
> have read permissions for the page.
> I know it's asking a lot, but is it possible to do a test with AuthUser
> involved? I'm using ldap but I know that's probably harder to do.
> Let me know if you want my config.php (devoid of comments), etc.
>> It works as expected on pmwiki.org:
>> http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
>> If you have per-group uploads and want to protect a file, there is no
>> interest to protect a single page - a visitor can download the file from
>> another, unprotected page. In this case PmWiki will require "read"
>> permissions for the whole group, which you set in
>> GroupAttributes?action=attr.
>> If you have per-page uploads, PmWiki requires "read" permissions for the
>> page.
>> "upload" permissions are only required for people to upload files, not
>> to download them. To download them they need "read" permissions.
>> Petko
>> ---
>> Change log : http://www.pmwiki.org/wiki/PmWiki/ChangeLog
>> Release notes : http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
>> If you upgrade : http://www.pmwiki.org/wiki/PmWiki/Upgrades
>> On 2016-06-06 21:44, ccox at endlessnow.com wrote:
>>> Consider the following url. I have direct downloads disable and
>>> htaccess
>>> is blocking the uploads area. So, attachments to get translated like
>>> so:
>>> https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>>> However, I have protected read, edit, attr and upload for the page
>>> Test/Directors.. and I can still get to the content.
>>> Do I have to protect the group instead? Perhaps I need to go to per
>>> page
>>> uploads? Would that fix things?
>> _______________________________________________
>> pmwiki-users mailing list
>> pmwiki-users at pmichaud.com
>> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config-php.txt
URL: <http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20160606/cb63c794/attachment.txt>
More information about the pmwiki-users
mailing list