On Sun, Sep 6, 2009 at 9:17 AM, Eemeli Aro <[email protected]> wrote:

> 2009/9/6 Tegan Dowling <[email protected]>:
> > Now I've upgraded to 2.2.5, and looking over all the 2.2.x changes, I see we
> > have
> > http://www.pmwiki.org/wiki/PmWiki/UploadVariables#EnableUploadGroupAuth,
> > which says: "Set $EnableUploadGroupAuth = 1; to authenticate downloads with
> > the group password. This could be used together with $EnableDirectDownload =
> > 0;."
> >
> > I'm confused -- if I'm already setting $EnableDirectDownload to 0, what does
> > EnableUploadGroupAuth do?
>
> With $EnableDirectDownload disabled, downloading an attachment
> requires 'read' permissions on the page to which the upload is
> attached. However, in the default case uploads are kept in per-group
> directories, which means that the same file is accessible from every
> page in a group. Previously, and without $EnableUploadGroupAuth, it
> would be possible that a page in a group has more lax read permissions
> than other pages, and an attachment apparently belonging to a
> restricted page would be accessible via this page. With
> $EnableUploadGroupAuth enabled, the download permissions are always
> checked instead from the GroupAttributes page, which is common to all
> files in the group.

So, then, would there be any reason to set $EnableUploadGroupAuth = 1 without also setting $EnableDirectDownload=0? And must uploads/.htaccess be the same in any case?
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
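
The gap described in the quoted explanation above, as an added example that is not part of the original thread and is not PmWiki's code: a simplified Python model of a download routed through the wiki, showing which page's read permission guards a per-group attachment with and without group-level authorization. The class, page names, file name and password are constructed for illustration.

```python
# Simplified model of the download check discussed above; not PmWiki source code.
# Page names, the file name and the password are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class WikiModel:
    read_pw: dict = field(default_factory=dict)   # page name -> read password ("" = open)
    files: dict = field(default_factory=dict)     # group -> attachment names (per-group storage)
    upload_group_auth: bool = False               # stands in for $EnableUploadGroupAuth

    def required_pw(self, pagename):
        group = pagename.split(".", 1)[0]
        group_pw = self.read_pw.get(f"{group}.GroupAttributes", "")
        # A page-level setting overrides the group's setting.
        return self.read_pw.get(pagename, group_pw)

    def download(self, pagename, filename, supplied_pw=""):
        """Download routed through the wiki, as with $EnableDirectDownload = 0."""
        group = pagename.split(".", 1)[0]
        if filename not in self.files.get(group, set()):
            return 404
        # Without group auth the page named in the request guards the file;
        # with it, the group's GroupAttributes page always does.
        guard = f"{group}.GroupAttributes" if self.upload_group_auth else pagename
        required = self.required_pw(guard)
        return 200 if required in ("", supplied_pw) else 403


def run_scenario(upload_group_auth):
    wiki = WikiModel(
        read_pw={"Staff.GroupAttributes": "group-read-pw", "Staff.Welcome": ""},
        files={"Staff": {"report.pdf"}},
        upload_group_auth=upload_group_auth,
    )
    return {
        "restricted page, no password": wiki.download("Staff.Minutes", "report.pdf"),
        "open page, no password": wiki.download("Staff.Welcome", "report.pdf"),
        "open page, group password": wiki.download("Staff.Welcome", "report.pdf", "group-read-pw"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"upload_group_auth={flag}: {run_scenario(flag)}")
```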
