Hi Neil, On Tue, Nov 19, 2019 at 05:01:42PM -0500, Neil Herber (nospam) wrote: > Caleb and list > > If all you want to do is allow downloads of "hidden" documents, there is > a very easy way to do it with no programming required. > > Suppose your wiki URL is something like > https://secure.eton.ca/neil/index.php/Main/HomePage > > And you want to allow users to download items without logins, but make > them somewhat private. > > In your wiki directory structure, create a randomized folder name such > as "iamrandom" inside "uploads". Place your file(s) in that folder. > > Provide a link like this to your trusted users: > https://secure.eton.ca/neil/uploads/Main/iamrandom/hiddendownload.txt > > Note that the exact path depends on how you store uploads on your site. > > The user has to know BOTH the folder random name and the file name, and > you can make the folder random name as arbitrarily complex as you wish > within the OS filename length limits. > > Does that work for you? (The links above are real if you wish to test > it.) I would be interested to know if there is a way to get around this > other than brute-force name guessing.
Thanks for the suggestion. This is the same approach used by many pastebins which don't have a public index. For my use case I'd like to make sure anyone who has clicked an invitation link has access to the entire wiki. I could include a random string in my wiki root path, but this has some shortcomings: (1) The URLs are longer and uglier than they need to be. (2) If members share links to wiki pages with eachother, they are also sharing the invitation token. I'm not going for high security, but it makes it feel much less private. (3) It might be nice to decouple the invitation token from the authentication token stored in the cookie. Then you could disable an invitation link after some time, without requiring everyone to click a new invitation link. Maybe just using PmWiki's standard password authentication with a single password is enough for (1) and (2), but it adds communication overhead if you have to decide on a password and people have to remember it and type it in. My organization already uses invitation links with other services, so it felt like the most natural way to authenticate members. _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
