• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
Item4891: Document in a clear way how to make access restrictions to attachments
Item Form Data
| AppliesTo: | Component: | Priority: | CurrentState: | WaitingFor: | TargetRelease | ReleasedIn |
|---|---|---|---|---|---|---|
| Engine | Documentation | Normal | Confirmed | minor |
Edit Form Data
Detail
Hi, In a fresh 4.2 rc install, viewfile isn't used to handle access to attachments like in 4.1.2 (see the screenshot of twiki.org -> well it looks like I can't attach a .png here so no screenshot. But go there http://www.twiki.org/cgi-bin/view/Codev/SecuringAttachments
and try to download any attachment). Instead we directly access to any attachment via the pub directory which presents some security issues already mentionned. Is there any way to get back the same behavior as in 4.1.2 using viewfile ?
Regards, Eric
-- TWiki:Main/EricCharikane - 25 Oct 2007
There are many good performance reasons why attachments should be accessible via the pub dir and many have reported problems with downloading attachments with the viewfile syntax.
Seems like a case of choosing between plaque and cholera.
The 4.2 behavior is same as Cairo for the links presented in the attachment table.
And the syntax %ATTACHURL%/filename has always lead to the pub directory.
There is a document on twiki.org that describes how to setup rules in the apache config to secure attachments and no matter how we point to the attachments you need to setup this to protect the attachments.
It was a decision to go back to pointing to the pub dir in the attachment table so in principle I should reject this bug report.
But I believe there is a doc task to be added to the standard set of documentation to describe how to add access rights to the attachments in all webs except the TWiki Web.
It is ESSENTIAL that the attachments in the TWiki web are accessed directly. Otherwise you get a major major major performance hit.
I have changed the topic to reflect the action to be taken and lowered priority to normal.
-- TWiki:Main.KennethLavrsen - 26 Oct 2007
Hi Kenneth, thanks for answering. Ok for for the decision to go back pointing to the pub dir if there is some performance hit. In the actual documentation there is already something about how setting some control access to the attachments using Apache. I read them carefully but failed to have it work on my system. So I strongly agree when it comes to add a clearer documentation on how to set access restriction to attachment (it could even be something for dummies ;-). An other solution could also be to add this setting as a choice in the apache config on twiki.org.
Regards, Eric
-- TWiki:Main.EricCharikane - 26 Oct 2007
and try to download any attachment). Instead we directly access to any attachment via the pub directory which presents some security issues already mentionned. Is there any way to get back the same behavior as in 4.1.2 using viewfile ?
Regards, Eric
-- TWiki:Main/EricCharikane - 25 Oct 2007
There are many good performance reasons why attachments should be accessible via the pub dir and many have reported problems with downloading attachments with the viewfile syntax.
Seems like a case of choosing between plaque and cholera.
The 4.2 behavior is same as Cairo for the links presented in the attachment table.
And the syntax %ATTACHURL%/filename has always lead to the pub directory.
There is a document on twiki.org that describes how to setup rules in the apache config to secure attachments and no matter how we point to the attachments you need to setup this to protect the attachments.
It was a decision to go back to pointing to the pub dir in the attachment table so in principle I should reject this bug report.
But I believe there is a doc task to be added to the standard set of documentation to describe how to add access rights to the attachments in all webs except the TWiki Web.
It is ESSENTIAL that the attachments in the TWiki web are accessed directly. Otherwise you get a major major major performance hit.
I have changed the topic to reflect the action to be taken and lowered priority to normal.
-- TWiki:Main.KennethLavrsen - 26 Oct 2007
Hi Kenneth, thanks for answering. Ok for for the decision to go back pointing to the pub dir if there is some performance hit. In the actual documentation there is already something about how setting some control access to the attachments using Apache. I read them carefully but failed to have it work on my system. So I strongly agree when it comes to add a clearer documentation on how to set access restriction to attachment (it could even be something for dummies ;-). An other solution could also be to add this setting as a choice in the apache config on twiki.org.
Regards, Eric
-- TWiki:Main.EricCharikane - 26 Oct 2007
| ItemTemplate | |
|---|---|
| Summary | Document in a clear way how to make access restrictions to attachments |
| ReportedBy |
TWiki:Main.EricCharikane
|
| Codebase | 4.2.0 |
| SVN Range | TWiki-4.3.0, Fri, 12 Oct 2007, build 15261 |
| AppliesTo | Engine |
| Component | Documentation |
| Priority | Normal |
| CurrentState | Confirmed |
| WaitingFor | |
| Checkins | |
| TargetRelease | minor |
| ReleasedIn | |
Topic revision: r3 - 2007-10-26 - EricCharikane
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback