[pmwiki-users] Securing Directories in PmWiki

Petko Yotov 5ko at 5ko.fr
Thu Sep 2 07:49:15 PDT 2021


On 01/09/2021 23:56, Curtis Stalesky wrote:
> I searched through the archived user questions and answers and found 
> that
> to secure directories requires an htaccess file which I think is 
> generated
> by an apache http server software but not sure though.

A .htaccess file is not generated by the server, it is added by you (or 
by PmWiki).

> So is this the only
> way to secure wiki directories on a server that the PmWiki is on or 
> does
> PmWiki have the capability to secure or lock down specific directories
> within the PmWiki directory listing/tree?

The "directory listing", if you mean the server's directory listings, 
can be disabled again with a directive with a .htaccess file which looks 
like this:

   Options -Indexes

This, however, only disables the directory listings, not the access of 
files to which someone has the URL.

> E.G. create an html/help
> directory that contains some files that's referenced on a wiki page and
> then be able to secure that directory with a PmWiki login or admin
> permissions?

If you mean pages managed by PmWiki, like the links I posted below, then 
yes, PmWiki can restrict these pages or groups with a password.

In PmWiki, you can protect wiki pages and wiki groups (sections of the 
website) from within PmWiki, or with a local configuration, see:

   https://www.pmwiki.org/wiki/PmWiki/Passwords
   https://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin

You usually don't need to worry about .htaccess for the page text 
content, unless you have an unusual installation or a server other than 
Apache.

If you enable uploads (file attachments), by default they are not 
restricted to signed in users, anyone with a link may be able to 
download them. There is a way to restrict this by setting 
$EnableDirectDownload to 0 in config.php, and either locking the uploads 
directory with .htaccess, or moving it outside of the web-accessible 
document root. See:

   https://www.pmwiki.org/wiki/PmWiki/UploadsAdmin#direct_download
   https://www.pmwiki.org/wiki/Cookbook/SecureAttachments

PmWiki can create .htaccess files to protect directories with sensible 
data (wiki.d). If your server is Apache, and you want to lock the 
uploads directory, you can copy the file wiki.d/.htaccess into the 
uploads directory.


If you have some content on the server unrelated to PmWiki, e.g. some 
static html pages, then no, PmWiki cannot restrict the access to it.  
There is a way to do this with Apache configuration and a .htpasswd 
file. In such a case, PmWiki can be configured to also use the .htpasswd 
file for authenticated users. This is a more advanced/complex situation, 
and somewhat difficult to maintain, but see:

   https://www.pmwiki.org/wiki/PmWiki/AuthUser#toc-5.1

Petko




More information about the pmwiki-users mailing list