Hi.

I've investigated a bit the management of uploaded files in project wikis using the mediawiki plugin.

In the case when project wikis aren't accessible publicly, i.e. unauthenticated and/or non-members aren't granted access to the wiki pages, it is logical to require similar restrictions for access to uploaded files (images, documents, etc.).

AFAIU, for uploads to operate, one should configure (zzzz-local.ini on my Debian):

    [mediawiki]
    enable_uploads = 1

so that the cronjob creates the images/ upload dir with correct permissions, so that apache is allowed to access it.

Still, I think there's a problem to access the files directly in Apache (should the wiki not be protected) as some directory browsing permissions in that dir are missing, but I haven't taken the time to investigate that issue.

Anyway, as explained above, I'm more concerned that direct access isn't possible, and some ACL check will be performed.

There seems to be a way that can be done, using upstream's img_auth.php script (see [1], and [0] for the larger picture).

It seems this works OK wrt the fusionforge plugin's wrapper, provided our LocalSettings.php and Apache aliases are prepared for this.

I've thus committed the following patch to the trunk [2], which should help in this respect.

Now, I think that the last missing bit should be to adapt the cronjob so that it checks the plugin permissions used for each particular project, and adjusts the $wgUploadPath in the ProjectSettings.php accordingly (or some similar mechanism).

Maybe I'm overlooking other implications, but as is, at least in 5.2.3 in Debian unstable, the uploaded files management seems quite untested ;)

Any comments?

Best regards,

[0] http://www.mediawiki.org/wiki/Manual:Image_Authorisation
[1] http://www.mediawiki.org/wiki/Manual:$wgUploadPath
[2] https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=patch;h=9db394956568e37d00a72b2d8c85978eac9727a8

-- 
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
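
Added illustration, not part of the original message and not FusionForge's own code: a per-project MediaWiki settings fragment showing the switch the message proposes, where a private wiki serves uploads through img_auth.php and a public one serves them directly. The $project_wiki_is_public flag, the project name and the upload directory path are assumptions made up for the example; the $wg* variables are standard MediaWiki settings.

```php
<?php
// Hypothetical per-project settings fragment (added example).
// Assumption: whatever generates this file (e.g. the cronjob) has already
// decided whether anonymous/non-member users may read this project's wiki.
$project_wiki_is_public = false;            // hypothetical flag

$wgEnableUploads = true;

// Constructed path: where this project's uploaded files live on disk.
// For a private wiki this directory must NOT be reachable through a plain
// Apache alias, otherwise files can be fetched without any ACL check.
$wgUploadDirectory = '/srv/example/wiki-uploads/exampleproject';

if ( $project_wiki_is_public ) {
    // Public wiki: files may be served directly by the web server.
    $wgUploadPath = "$wgScriptPath/images";
} else {
    // Private wiki: anonymous users cannot read pages ...
    $wgGroupPermissions['*']['read'] = false;
    // ... and every file URL is routed through img_auth.php, which applies
    // the same read check before streaming the file from $wgUploadDirectory.
    $wgUploadPath = "$wgScriptPath/img_auth.php";
}
```

A quick check after deploying such a setting is to request an uploaded file's direct URL and its img_auth.php URL without a session; for a private project both should be refused.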