Hi, in a fresh 4.2 rc install, viewfile isn't used to handle access to attachments like in 4.1.2 (see the screenshot of twiki.org -> well, it looks like I can't attach a .png here, so no screenshot. But go there http://www.twiki.org/cgi-bin/view/Codev/SecuringAttachments
and try to download any attachment). Instead we directly access any attachment via the pub directory, which presents some security issues already mentioned. Is there any way to get back the same behavior as in 4.1.2 using viewfile?
- 25 Oct 2007
There are many good performance reasons why attachments should be accessible via the pub dir and many have reported problems with downloading attachments with the viewfile syntax.
Seems like a case of choosing between plague and cholera.
The 4.2 behavior is the same as Cairo for the links presented in the attachment table.
And the syntax %ATTACHURL%/filename has always led to the pub directory.
There is a document on twiki.org that describes how to set up rules in the apache config to secure attachments, and no matter how we point to the attachments you need to set this up to protect the attachments.
It was a decision to go back to pointing to the pub dir in the attachment table so in principle I should reject this bug report.
But I believe there is a doc task to be added to the standard set of documentation to describe how to add access rights to the attachments in all webs except the TWiki Web.
It is ESSENTIAL that the attachments in the TWiki web are accessed directly. Otherwise you get a major major major performance hit.
I have changed the topic to reflect the action to be taken and lowered priority to normal.
- 26 Oct 2007
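For readers who want the concrete shape of the Apache rules the two posts above refer to, here is an added example (not from this thread, and not TWiki's own shipped config or the output of twiki.org's config generator). It routes every attachment download outside the TWiki web through the viewfile CGI, so TWiki's own ALLOWWEBVIEW / ALLOWTOPICVIEW settings are enforced, while the TWiki web itself stays directly served from pub, which is what the performance argument in the reply above depends on. Assumptions: TWiki is installed under /var/www/twiki, the bin directory is exposed as /cgi-bin/, viewfile accepts the path-info form /cgi-bin/viewfile/Web/Topic/file, and Apache 2.2 access-control syntax (Order/Allow) is in use; adjust these for your install.

```apache
# Added example, not TWiki's shipped configuration.
# Assumes: TWiki in /var/www/twiki, ScriptAlias /cgi-bin/ -> /var/www/twiki/bin/,
# viewfile understands /cgi-bin/viewfile/<Web>/<Topic>/<file> (path-info form).

RewriteEngine On

# 1. The TWiki web holds skin images, CSS and icons that every page loads.
#    Keep it directly served from pub: "-" means no substitution, [L] stops
#    rewriting here, so these requests never hit a CGI.
RewriteRule ^/pub/TWiki/ - [L]

# 2. Every other /pub/<Web>/<Topic>/<file> request is handed to viewfile,
#    which applies the topic's and web's TWiki access controls before
#    streaming the file. [PT] lets the ScriptAlias for /cgi-bin/ still apply.
RewriteRule ^/pub/(.+)$ /cgi-bin/viewfile/$1 [L,PT]

# 3. Independent of how attachments are reached, nothing uploaded into pub
#    must ever be executed by the web server: no CGI/SSI options, no .htaccess
#    overrides, no PHP engine, and script-looking uploads served as plain text.
<Directory "/var/www/twiki/pub">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory>
```

To check it after a reload: fetch an attachment from a topic that carries a restrictive ALLOWTOPICVIEW (for example with curl, unauthenticated) and confirm you get TWiki's access-denied response rather than the file, then fetch something under /pub/TWiki/ and confirm it is still served straight from disk. Note that rule 2 also means URLs built with %ATTACHURL%/filename are protected, since they resolve to the same /pub/ path the rewrite intercepts; the cost is one CGI invocation per attachment download for every web except TWiki.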
Hi Kenneth, thanks for answering. OK for the decision to go back to pointing to the pub dir if there is some performance hit. In the actual documentation there is already something about how to set some access control on the attachments using Apache. I read it carefully but failed to get it working on my system. So I strongly agree when it comes to adding clearer documentation on how to set access restrictions on attachments (it could even be something for dummies ;-). Another solution could also be to add this setting as a choice in the apache config on twiki.org.
- 26 Oct 2007