[Pmwiki-users] Uploading and password proctecting
J. Perkins
jason
Tue Jun 15 17:54:48 CDT 2004
Robin wrote:
> No it won't. For example, my wiki is on /wiki and uploads go
> to /wikifiles/GroupName ... anyone knowing the path can just type the URL in,
> and as it doesn't touch PmWiki at all, it will be downloaded then and their.
> The best bet would probably be to either have the files set so that the
> downloads go through PmWiki (so that it's authentication can be applied) or
> to drop a .htaccess file in the downloads directory.
I would like to see PmWiki control access to uploaded files at some
point. In the meantime, here is something else that I've been meaning to
add to the cookbook. It checks to make sure that you have read (or
whatever action specified by $AuthDownloadType) access to the page
containing the link to the download.
Hope this helps.
Jason
authdownload.php
----------------
<?php
SDV($AuthDownloadType, 'read');
SDV($UploadUrlFmt, '$PageUrl?action=dload&file=');
SDV($HandleActions['dload'], 'HandleAuthDownload');
function HandleAuthDownload($pagename)
{
global $AuthDownloadType, $UploadDir;
$filename = $UploadDir.$_GET['file'];
$filegroup = basename(dirname($filename));
$pagegroup = FmtPageName('$Group', $pagename);
if ($filegroup != $pagegroup) Abort('?access denied');
$page = RetrieveAuthPage($pagename, $AuthDownloadType);
if (!$page) Abort('?access denied');
$fp = fopen($filename, 'rb');
if (!$fp) Abort('?no such filename $filename');
header('Pragma: ');
header('Cache-Control: ');
header('Content-Type: application/x-octet-stream');
header('Content-Disposition: attachment; filename=".
trim(htmlentities(basename($filename))).'"');
header('Content-Length: '.filesize($filename));
fpassthru($fp);
exit;
}
?>
.htaccess - put in your uploads directory
------------------------------------------
Order allow,deny
Deny from all
More information about the pmwiki-users
mailing list