2009/9/6 Tegan Dowling <tmdowl...@gmail.com>: > Now I've upgraded to 2.2.5, and looking over all the 2.2.x changes, I see we > have > http://www.pmwiki.org/wiki/PmWiki/UploadVariables#EnableUploadGroupAuth, > which says: "Set $EnableUploadGroupAuth = 1; to authenticate downloads with > the group password. This could be used together with $EnableDirectDownload = > 0;." > > I'm confused -- if I'm already setting $EnableDirectDownload to 0, what does > EnableUploadGroupAuth do?
With $EnableDirectDownload disabled, downloading an attachment requires 'read' permissions on the page to which the upload is attached. However, in the default case uploads are kept in per-group directories, which means that the same file is accessible from every page in a group. Previously, and without $EnableUploadGroupAuth, it would be possible that a page in a group has more lax read permissions than other pages, and an attachment apparently belonging to a restricted page would be accessible via this page. With $EnableUploadGroupAuth enabled, the download permissions are always checked instead from the GroupAttributes page, which is common to all files in the group. eemeli _______________________________________________ pmwiki-users mailing list pmwiki-users@pmichaud.com http://www.pmichaud.com/mailman/listinfo/pmwiki-users