I'm rewriting large parts of the iCalEvents plugin, which renders iCalendar
files.
One drawback is that it supports only fetching iCalendar files via HTTP. So
you cannot upload your own files just as media files in DokuWiki, unless you
make them publicly available.
Now I've tried to implement support for local media files, i.e., the plugin
just reads a local media file instead of fetching it via HTTP. However, this
creates a security problem if not done properly. Typical media files (e.g.,
images) are fetched and rendered by the client, because the rendered wiki page
just contains a reference to them. If the user that is currently logged in is
allowed to access the page but not the media file, then this restriction will
be enforced.
This would be different in the use case I'm looking for. It would be the
iCalEvents plugin itself that is supposed to access and render the media file.
Then, users with access to a wiki page could read arbitrary iCalendar media
files, even if they do not have the permission the read the media file. (I'm
at least assuming that the plugin will be clever enough to render only *.ics
files, even though that is not simple.)
The plugin could check permissions of course, i.e., it could check if the user
viewing the wiki page has permissions to read the media file, and render the
file only in that case. But this is only secure if caching can reliably
disabled, and I don't know if there are other problems.
So I don't know much about the internals of DokuWiki. Do you have any
suggestions on how to implement this feature a correct and secure way?
(With what I said in mind, client-side rendering would be secure of course.
But this would change the whole plugin, depend on JavaScript, etc...)
Best,
Tim
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
