[pmwiki-users] PmWiki 2.2.3 released
Tegan Dowling
tmdowling at gmail.com
Sun Sep 6 09:36:39 CDT 2009
On Sun, Sep 6, 2009 at 9:17 AM, Eemeli Aro <eemeli at gmail.com> wrote:
> 2009/9/6 Tegan Dowling <tmdowling at gmail.com>:
> > Now I've upgraded to 2.2.5, and looking over all the 2.2.x changes, I see
> we
> > have
> > http://www.pmwiki.org/wiki/PmWiki/UploadVariables#EnableUploadGroupAuth,
> > which says: "Set $EnableUploadGroupAuth = 1; to authenticate downloads
> with
> > the group password. This could be used together with
> $EnableDirectDownload =
> > 0;."
> >
> > I'm confused -- if I'm already setting $EnableDirectDownload to 0, what
> does
> > EnableUploadGroupAuth do?
>
> With $EnableDirectDownload disabled, downloading an attachment
> requires 'read' permissions on the page to which the upload is
> attached. However, in the default case uploads are kept in per-group
> directories, which means that the same file is accessible from every
> page in a group. Previously, and without $EnableUploadGroupAuth, it
> would be possible that a page in a group has more lax read permissions
> than other pages, and an attachment apparently belonging to a
> restricted page would be accessible via this page. With
> $EnableUploadGroupAuth enabled, the download permissions are always
> checked instead from the GroupAttributes page, which is common to all
> files in the group.
So, then, would there be any reason to set $EnableUploadGroupAuth = 1
without also setting $EnableDirectDownload=0? And must uploads/.htaccess be
the same in any case?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20090906/80806e24/attachment.html
More information about the pmwiki-users
mailing list