[dokuwiki] Re: Betr.: Patch Attached: Optionally prevent unknown internet users to browse the full media file tree with mediamanager

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Mon, 9 Feb 2009 13:29:23 +0100

> Rather than an "openmediamanager" setting, I think the mediamanager should
> only be accessible to visitors with "edit" access, that I believe would
> match actual behaviour to reasonable expectation of what the behaviour
> should be.  Ie. If the "proper" access to mediamanager (via toolbar button)
> is prevented by read only access then actual access should attempt to mirror
> that.

Okay it took me a while to grasp the problem :-) This is something
like the dir listing option in webservers. Not exactly a security
problem but it's a good idea to switch it off anyway.

Now, the problem is there is no such thing as 'visitors with "edit"
access' because edit permissions may be given to selected parts of the
wiki. The question is do they have edit access *anywhere*. Checking
this info isn't easily done with the current ACL functions which will
only check a user's permissions on a given namespace...

I'm open for ideas.

Andi

-- 
splitbrain.org
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
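
One way to approach the question raised in the message above (does a user have edit access *anywhere*?), as an added example that is not part of the original post and not DokuWiki's own code: scan the ACL rules themselves instead of checking one namespace. The function names and the sample ACL are hypothetical, and the model ignores %USER% placeholders, name encoding and superuser handling.

```php
<?php
// Added example: a simplified model of DokuWiki's acl.auth.php format
// ("scope  subject  permission"), not code from DokuWiki itself.
const PERM_EDIT = 2; // same numeric level as DokuWiki's AUTH_EDIT

/**
 * Collect every ACL scope in which some rule grants the user, one of
 * the user's groups, or @ALL at least edit permission.
 * Returns [scope => highest matching permission].
 */
function scopesWithEdit(array $aclLines, string $user, array $groups): array
{
    $subjects = array_map(fn($g) => '@' . ltrim($g, '@'), $groups);
    $subjects[] = '@ALL';              // every visitor is in @ALL
    if ($user !== '') {
        $subjects[] = $user;           // rules naming the user directly
    }
    $hits = [];
    foreach ($aclLines as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line)); // drop comments
        if ($line === '') {
            continue;
        }
        $parts = preg_split('/\s+/', $line);
        if (count($parts) !== 3) {
            continue;                  // malformed rule: ignore it
        }
        [$scope, $subject, $perm] = $parts;
        if (in_array($subject, $subjects, true) && (int)$perm >= PERM_EDIT) {
            $hits[$scope] = max($hits[$scope] ?? 0, (int)$perm);
        }
    }
    return $hits;
}

/** Hypothetical gate: allow media browsing only if edit exists somewhere. */
function mayBrowseMedia(array $aclLines, string $user, array $groups): bool
{
    return count(scopesWithEdit($aclLines, $user, $groups)) > 0;
}

// Constructed sample ACL: read-only for everyone, edit in two namespaces.
$acl = [
    '*             @ALL    1',
    'playground:*  @user   8   # logged-in users may upload here',
    'staff:*       @staff  16',
];
var_dump(mayBrowseMedia($acl, '', []));            // anonymous visitor
var_dump(mayBrowseMedia($acl, 'alice', ['user'])); // logged-in user
```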
