
Item4891: Document in a clear way how to make access restrictions to attachments

Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: minor
Applies To: Engine
Component: Documentation
Branches:
Reported By: TWiki:Main.EricCharikane
Waiting For:
Last Change By: ArthurClemens
Hi, in a fresh 4.2 rc install, viewfile isn't used to handle access to attachments like in 4.1.2 (see the screenshot of twiki.org -> well, it looks like I can't attach a .png here, so no screenshot. But go to http://www.twiki.org/cgi-bin/view/Codev/SecuringAttachments and try to download any attachment). Instead we directly access any attachment via the pub directory, which presents some security issues already mentioned. Is there any way to get back the same behavior as in 4.1.2 using viewfile?

Regards, Eric

-- TWiki:Main/EricCharikane - 25 Oct 2007

There are many good performance reasons why attachments should be accessible via the pub dir and many have reported problems with downloading attachments with the viewfile syntax.

Seems like a case of choosing between plague and cholera.

The 4.2 behavior is the same as Cairo for the links presented in the attachment table.

And the syntax %ATTACHURL%/filename has always led to the pub directory.

There is a document on twiki.org that describes how to set up rules in the Apache config to secure attachments, and no matter how we point to the attachments you need to set this up to protect the attachments.

It was a decision to go back to pointing to the pub dir in the attachment table so in principle I should reject this bug report.

But I believe there is a doc task to be added to the standard set of documentation to describe how to add access rights to the attachments in all webs except the TWiki Web.

It is ESSENTIAL that the attachments in the TWiki web are accessed directly. Otherwise you get a major major major performance hit.

I have changed the topic to reflect the action to be taken and lowered priority to normal.

-- TWiki:Main.KennethLavrsen - 26 Oct 2007

Hi Kenneth, thanks for answering. OK for the decision to go back to pointing to the pub dir if there is some performance hit. In the actual documentation there is already something about how to set up access control for the attachments using Apache. I read it carefully but failed to get it to work on my system. So I strongly agree when it comes to adding clearer documentation on how to set access restrictions on attachments (it could even be something for dummies ;-). Another solution could also be to add this setting as a choice in the Apache config on twiki.org.

Regards, Eric

-- TWiki:Main.EricCharikane - 26 Oct 2007

I would say that AccessControl#Controlling_access_to_attachment is pretty good now.

-- AndrewJones - 09 Sep 2009
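
The approach discussed in this thread (keep direct pub access for the system/documentation web, send every other attachment request through viewfile so the topic's access rights apply) can be sketched as an Apache mod_rewrite fragment. This is an added example, not part of the original task or the project's own configuration; the `/foswiki` URL prefix, the web name `System` and the existing `ScriptAlias` for `/foswiki/bin` are assumptions to adapt to the actual installation.

```apache
# Added example. Assumptions: mod_rewrite is loaded, the wiki is served
# under /foswiki, /foswiki/bin is already mapped with ScriptAlias, and the
# documentation/system web is named "System" (on TWiki this would be the
# TWiki web mentioned above). Place this in the server or virtual-host
# configuration so the patterns match the full URL path.

RewriteEngine On

# Exception: attachments of the system web stay on direct file access.
# These are the icons, stylesheets and scripts used on every page, which
# is why routing them through a CGI script costs so much performance.
RewriteCond %{REQUEST_URI} !^/+foswiki/+pub/+System/

# Everything else under pub is handed to viewfile, which checks the
# VIEW permission of the topic the file is attached to before serving it.
# /foswiki/pub/Web/Topic/file.ext -> /foswiki/bin/viewfile/Web/Topic/file.ext
# PT passes the rewritten URL on so the ScriptAlias mapping is applied.
RewriteRule ^/+foswiki/+pub/+(.*)$ /foswiki/bin/viewfile/$1 [L,PT]
```

A quick check after reloading Apache: request an attachment of a view-restricted topic by its pub URL without logging in; the request should be denied or answered with a login prompt instead of the file.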

ItemTemplate edit

Summary Document in a clear way how to make access restrictions to attachments
ReportedBy TWiki:Main.EricCharikane
Codebase
SVN Range TWiki-4.3.0, Fri, 12 Oct 2007, build 15261
AppliesTo Engine
Component Documentation
Priority Normal
CurrentState No Action Required
WaitingFor
Checkins
TargetRelease minor
ReleasedIn n/a
Topic revision: r6 - 14 Mar 2011, ArthurClemens