[Mediawiki-l] img_auth.php

Sullivan, James (NIH/CIT) [C] sullivan at mail.nih.gov
Thu Nov 15 19:33:50 UTC 2007


I am running PHP version 5.16, Apache version 2.2.2 and MediaWiki
version 1.9.3 on a Fedora Core 5 system.

I decided to follow the directions to use img_auth.php to secure my
images in the /images directory.  I followed the directions in
http://www.mediawiki.org/wiki/Manual:Image_Authorisation and have been
successful in:

- preventing direct web access to the images in the images/ directory
  (e.g., http://mywiki/images/d/d2/filename.jpg).
- allowing uploading based on group permissions (e.g., only logged in
  users can upload).
- Upload works fine.

In other words, it seemed to work well, until I checked accessing the
URL that includes img_auth.php in the path (e.g.,
http://mywiki/img_auth.php/d/d2/filename.jpg).  In this case I can see
the file.  I am not logged in.  I added $wgWhitelistRead = true; to the
LocalSettings.php file since I had seen that mentioned on some archives
as needed but with no result.  I can still access the images using that
path.  I have also checked that the PHP supports PATH_INFO which is the
method I used on the Manual:Image_Authorisation web site.

Any ideas appreciated since what I have now is no better than what I had
before, security via obscurity.

-Jim  

-----Original Message-----
From: Michael B Allen [mailto:ioplex at gmail.com] 
Sent: Thursday, November 15, 2007 1:11 PM
To: mediawiki-l
Subject: [Mediawiki-l] AuthPlugins and Overwriting Preferences

Hi,

When AuthPlugin::updateUser() is called I would think that the
preferences that have not changed would be left unchanged in the local
MW DB but that is not the case. Here's my code:

    function updateUser( &$user ) {
        if (is_array($this->acct)) {
            $user->setOption('nickname', $username);
            if (isset($this->acct['displayName']))
                $user->setRealName($this->acct['displayName']);
            if (isset($this->acct['mail']))
                $user->setEmail($this->acct['mail']);
            $user->setPassword(NULL);
            $user->saveSettings();
            return true;
        }
        return false;
    }

It seems that even though only the nickname, real name and email address
are updated, all other preferences are reset. How am I supposed to
update only a few fields without wrecking the prefs? From looking at
LdapAuthenticate.php it's not clear to me that it handles this situation
any differently.

Also, when trying to update preferences, if
AuthPlugin::updateExternalDB() returns false an error is displayed:

"There was either an external authentication database error or you are
not allowed to update your external account."

Why does this error occur? I do not want to store preferences
externally. Why does MW not store preferences locally regardless of what
updateExternalDB returns?

Thanks for any help,
Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
