I am running php version 5.16, apache version 2.2.2 and Mediawiki version 1.9.3 on a Fedora Core 5 system.
I decided to follow the directions to use img_auth.php to secure my images in the /images directory. I followed the directions in http://www.mediawiki.org/wiki/Manual:Image_Authorisation and have been successful in:
- preventing direct web access to the images in the images/ directory (e.g., http://mywiki/images/d/d2/filename.jpg).
- allowed uploading based on group permissions (e.g., only logged in users can upload).
- Upload works fine.
In other words, it seemed to work well, until I checked accessing the URL that includes img_auth.php in the path (e.g., http://mywiki/img_auth.php/d/d2/filename.jpg). In this case I can see the file. I am not logged in. I added $wgWhitelistRead = true; to the LocalSettings.php file since I had seen that mentioned on some archives as needed but with no result. I can still access the images using that path. I have also checked that the PHP supports PATH_INFO which is the method I used on the Manual:Image_Authorisation web site.
Any ideas appreciated since what I have now is no better than what I had before, security via obscurity.
-Jim
-----Original Message-----
From: Michael B Allen [mailto:ioplex@gmail.com]
Sent: Thursday, November 15, 2007 1:11 PM
To: mediawiki-l
Subject: [Mediawiki-l] AuthPlugins and Overwriting Preferences
Hi,
When AuthPlugin::updateUser() is called I would think that the preferences that have not changed would be left unchanged in the local MW DB but that is not the case. Here's my code:
    function updateUser( &$user ) {
        if (is_array($this->acct)) {
            // Note: $username is not defined anywhere in the snippet as posted.
            $user->setOption('nickname', $username);
            if (isset($this->acct['displayName']))
                $user->setRealName($this->acct['displayName']);
            if (isset($this->acct['mail']))
                $user->setEmail($this->acct['mail']);
            $user->setPassword(NULL);
            $user->saveSettings();
            return true;
        }
        return false;
    }
It seems that even though only the nickname, real name and email address are updated, all other preferences are reset. How am I supposed to update only a few fields without wrecking the prefs? From looking at LdapAuthenticate.php it's not clear to me that it handles this situation any differently.
Also, when trying to update preferences, if AuthPlugin::updateExternalDB() returns false an error is displayed:
"There was either an external authentication database error or you are not allowed to update your external account."
Why does this error occur? I do not want to store preferences externally. Why does MW not store preferences locally regardless of what updateExternalDB returns?
Thanks for any help,
Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
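The first message in this thread checks two URL forms for the same upload (the direct images/ path and the img_auth.php path) while not logged in. The following is an added example, not code from either poster or from MediaWiki, that automates that anonymous check; the function names and the sample responses are constructed for illustration, and the host and file path are the ones used in the message.

```python
import urllib.error
import urllib.request

def fetch_anonymous(url):
    """GET url with no cookies or credentials; return (status, content_type)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")

def is_exposed(status, content_type):
    """A 2xx answer that is not an HTML page (for example a login form reached
    through a redirect) means the file body was served to an anonymous client."""
    return 200 <= status < 300 and not content_type.lower().startswith("text/html")

def audit(base_url, rel_paths, fetch=fetch_anonymous):
    """Return the URLs that hand out file content without a login.

    Each relative path is tried under both prefixes named in the message:
    the raw upload directory and the img_auth.php entry point.
    """
    exposed = []
    for rel in rel_paths:
        for prefix in ("images", "img_auth.php"):
            url = f"{base_url.rstrip('/')}/{prefix}/{rel.lstrip('/')}"
            status, ctype = fetch(url)
            if is_exposed(status, ctype):
                exposed.append(url)
    return exposed

# Constructed responses reproducing the situation described in the message:
# the direct path is blocked, the img_auth.php path still serves the image.
SAMPLE = {
    "http://mywiki/images/d/d2/filename.jpg": (403, "text/html"),
    "http://mywiki/img_auth.php/d/d2/filename.jpg": (200, "image/jpeg"),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for url in audit("http://mywiki", ["d/d2/filename.jpg"], fetch=sample_fetch):
        print("served without login:", url)
```

Dropping the `fetch=sample_fetch` argument runs the same check against a live wiki, which makes it usable as a regression test after each configuration change.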