[pmwiki-users] invitation links?

cm at SDF.ORG cm at SDF.ORG
Tue Nov 19 19:38:58 PST 2019


Hi Neil,

On Tue, Nov 19, 2019 at 05:01:42PM -0500, Neil Herber (nospam) wrote:
> Caleb and list
> 
> If all you want to do is allow downloads of "hidden" documents, there is
> a very easy way to do it with no programming required.
> 
> Suppose your wiki URL is something like
> https://secure.eton.ca/neil/index.php/Main/HomePage
> 
> And you want to allow users to download items without logins, but make
> them somewhat private.
> 
> In your wiki directory structure, create a randomized folder name such
> as "iamrandom" inside "uploads". Place your file(s) in that folder.
> 
> Provide a link like this to your trusted users:
> https://secure.eton.ca/neil/uploads/Main/iamrandom/hiddendownload.txt
> 
> Note that the exact path depends on how you store uploads on your site.
> 
> The user has to know BOTH the folder random name and the file name, and
> you can make the folder random name as arbitrarily complex as you wish
> within the OS filename length limits.
> 
> Does that work for you? (The links above are real if you wish to test
> it.) I would be interested to know if there is a way to get around this
> other than brute-force name guessing.

Thanks for the suggestion.  This is the same approach used by many
pastebins which don't have a public index.  For my use case I'd
like to make sure anyone who has clicked an invitation link has
access to the entire wiki.  I could include a random string in my wiki
root path, but this has some shortcomings:

(1) The URLs are longer and uglier than they need to be.

(2) If members share links to wiki pages with each other, they are also
sharing the invitation token.  I'm not going for high security, but it
makes it feel much less private.

(3) It might be nice to decouple the invitation token from the
authentication token stored in the cookie.  Then you could disable
an invitation link after some time, without requiring everyone to
click a new invitation link.

Maybe just using PmWiki's standard password authentication with a
single password is enough for (1) and (2), but it adds communication
overhead if you have to decide on a password and people have to
remember it and type it in.  My organization already uses invitation
links with other services, so it felt like the most natural way to
authenticate members.


