
Item4891: Document in a clear way how to make access restrictions to attachments

Item Form Data

AppliesTo: Engine
Component: Documentation
Priority: Normal
CurrentState: Confirmed
WaitingFor:
TargetRelease: minor
ReleasedIn:


Detail

Hi, in a fresh 4.2 rc install, viewfile isn't used to handle access to attachments like in 4.1.2 (see the screenshot of twiki.org -> well, it looks like I can't attach a .png here, so no screenshot. But go to http://www.twiki.org/cgi-bin/view/Codev/SecuringAttachments and try to download any attachment). Instead we directly access any attachment via the pub directory, which presents some security issues already mentioned. Is there any way to get back the same behavior as in 4.1.2 using viewfile?

Regards, Eric

-- TWiki:Main/EricCharikane - 25 Oct 2007

There are many good performance reasons why attachments should be accessible via the pub dir and many have reported problems with downloading attachments with the viewfile syntax.

Seems like a case of choosing between plague and cholera.

The 4.2 behavior is the same as Cairo for the links presented in the attachment table.

And the syntax %ATTACHURL%/filename has always led to the pub directory.

There is a document on twiki.org that describes how to set up rules in the Apache config to secure attachments, and no matter how we point to the attachments, you need to set this up to protect the attachments.

It was a decision to go back to pointing to the pub dir in the attachment table so in principle I should reject this bug report.

But I believe there is a doc task to be added to the standard set of documentation to describe how to add access rights to the attachments in all webs except the TWiki Web.

It is ESSENTIAL that the attachments in the TWiki web are accessed directly. Otherwise you get a major major major performance hit.

I have changed the topic to reflect the action to be taken and lowered priority to normal.

-- TWiki:Main.KennethLavrsen - 26 Oct 2007

Hi Kenneth, thanks for answering. OK for the decision to go back to pointing to the pub dir if there is some performance hit. In the actual documentation there is already something about how to set up some access control for the attachments using Apache. I read it carefully but failed to get it to work on my system. So I strongly agree when it comes to adding clearer documentation on how to set access restrictions on attachments (it could even be something for dummies ;-). Another solution could also be to add this setting as a choice in the Apache config on twiki.org.

Regards, Eric

-- TWiki:Main.EricCharikane - 26 Oct 2007

ItemTemplate
Summary Document in a clear way how to make access restrictions to attachments
ReportedBy TWiki:Main.EricCharikane
Codebase 4.2.0
SVN Range TWiki-4.3.0, Fri, 12 Oct 2007, build 15261
AppliesTo Engine
Component Documentation
Priority Normal
CurrentState Confirmed
WaitingFor

Checkins

TargetRelease minor
ReleasedIn

Topic revision: r3 - 2007-10-26 - EricCharikane
 