Yep, and therein lies my problem. Instead of having a user management system built-in to the web server (basic-auth) and/or server side scripts (store.php), I have to re-build the entire sign-up system to create local user accounts for everyone (to get per-user storage limits) and update the web server configuration to support each new user's sub-directory with proper authentication and access control. A vastly different security model with much higher impact in the event of a remote-code execution vulnerability.
If I switch to Apache (instead of lighttpd), I would be able to create custom handlers for the input methods which could then support managing per-user storage limits. But the way Apache works, it would significantly increase memory usage for more than a couple of simultaneous users. On Wednesday, March 22, 2017 at 2:00:26 AM UTC-4, Sven Wetzel wrote: > > Hi Lost Admin, > when I understood it right, the webdav protocol gives the control of user > rights to the file system that is used to host the files. > > Am 20.03.2017 um 16:59 schrieb Lost Admin: > > *Status Update on my https project* > > Hopefully I'm not wasting people's time with this post. > > Instead of spending the weekend making modifications to store.php (to > support a more secure password file) and some behind the scenes > re-configuring of the web server, I decided to have another look at > Jeremy's suggestion of using WebDAV for saving. > > My initial plan with the VM was to set-up OwnCloud (and hosting my own > tiddlywiki was incidental to that). I abandoned that plan because of the > memory requirements of OwnCloud (I wasn't willing to pay for a VM with > enough RAM). However, just implemeting the WebDAV module of Lighttpd is a > different story. > > So, I spent a chunk of the weekend re-building my set-up to do that. It > works pretty well. Unfortunately it leads to some security issues I'm not > ready to deal with in a multi-user environment. There is no built-in way > (that I found) to limit the files that could be uploaded (I found some ways > to limit per-file size but not per-user size, file names, or file types). > This opens up a problem where it is far too easy for a malicious user to > host nasty things if they find it. It also added a lot of complexity in > setting-up individual repositories with the features I want. I may re-visit > WebDAV in the future as I think these things are resolvable, just not in a > weekend (at least not by me). > > I did manage to swap out password management in store.php such that the > back-end file now uses the same file format as Apache digest authentication > (which is also used by Lighttpd). This doesn't involve changes to > TiddlyWiki, so it is still transmitting the password in clear between the > browser and the server. Only the back-end no longer stores passwords in > clear text. Unfortunately, the WebDAV experiments left the web server all > messed up and I didn't have time to clean things up to be usable. > > I do think that long-term WebDAV is still the way I want to go. I just > need to figure out how to introduce appropriate logic to better control and > separate users. > -- > You received this message because you are subscribed to the Google Groups > "TiddlyWiki" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to tiddlywiki+...@googlegroups.com <javascript:>. > To post to this group, send email to tiddl...@googlegroups.com > <javascript:>. > Visit this group at https://groups.google.com/group/tiddlywiki. > To view this discussion on the web visit > https://groups.google.com/d/msgid/tiddlywiki/ed536378-0f4f-4120-b0d9-a69898907e33%40googlegroups.com > > <https://groups.google.com/d/msgid/tiddlywiki/ed536378-0f4f-4120-b0d9-a69898907e33%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > > > -- You received this message because you are subscribed to the Google Groups "TiddlyWiki" group. To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+unsubscr...@googlegroups.com. To post to this group, send email to tiddlywiki@googlegroups.com. Visit this group at https://groups.google.com/group/tiddlywiki. To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/1d7b97dc-648e-4cf8-8cd6-70f63aef839d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
