As some of you know I'm working on a new uploader for MediaWiki, called
UploadWizard.
I wrote some preliminary docs about the PHP side of the design here:
http://www.mediawiki.org/wiki/Extension:UploadWizard/docs
(more docs, especially about the frontend, will be forthcoming as I
write them).
In particular I'd like to draw people's attention to how it adds new
ways of accessing files in the temporary "stash". Previously we've used
the stash only as a holding area for files that need some sort of
last-minute touch-up, like a new name. This design makes the "stash" an
important part of the entire upload process.
There are security implications to some of these new features. Roan
Kattouw has been reviewing this already, but I wanted it to have a wider
distribution as well.
1) The uploading user can view thumbnails of their own "stashed" files
via a new Special: page. It should not be possible for any other users
to ever obtain anyone else's temporary files, or for them to subvert
this system to do other mischief. However, it does rely on reading the
file out to the user using PHP, thus *potentially* opening the door to
reading other files. I think I've been thorough in eliminating this
possibility, but I'd like extra eyes.
2) In a similar manner, the uploading user can request metadata about
uploaded files before they are published.
The code is in a branch over here:
http://svn.wikimedia.org/svnroot/mediawiki/branches/uploadwizard
You particularly want to check out:
http://svn.wikimedia.org/svnroot/mediawiki/branches/uploadwizard/includes/u…
http://svn.wikimedia.org/svnroot/mediawiki/branches/uploadwizard/includes/s…
http://svn.wikimedia.org/svnroot/mediawiki/branches/uploadwizard/extensions…
http://svn.wikimedia.org/svnroot/mediawiki/branches/uploadwizard/extensions…
--
Neil Kandalgaonkar |) <neilk(a)wikimedia.org>