[Mediawiki-l] img_auth.php
Sullivan, James (NIH/CIT) [C]
sullivan at mail.nih.gov
Thu Nov 15 19:33:50 UTC 2007
I am running PHP version 5.16, Apache version 2.2.2 and MediaWiki
version 1.9.3 on a Fedora Core 5 system.

I decided to follow the directions to use img_auth.php to secure my
images in the /images directory. I followed the directions in
http://www.mediawiki.org/wiki/Manual:Image_Authorisation and have been
successful in:

- preventing direct web access to the images in the images/ directory
  (e.g., http://mywiki/images/d/d2/filename.jpg).
- allowing uploading based on group permissions (e.g., only logged-in
  users can upload).
- Upload works fine.

In other words, it seemed to work well, until I checked accessing the
URL that includes img_auth.php in the path (e.g.,
http://mywiki/img_auth.php/d/d2/filename.jpg). In this case I can see
the file. I am not logged in. I added $wgWhitelistRead = true; to the
LocalSettings.php file since I had seen that mentioned on some archives
as needed, but with no result. I can still access the images using that
path. I have also checked that the PHP supports PATH_INFO, which is the
method I used on the Manual:Image_Authorisation web site.

Any ideas appreciated, since what I have now is no better than what I had
before: security via obscurity.

-Jim
-----Original Message-----
From: Michael B Allen [mailto:ioplex at gmail.com]
Sent: Thursday, November 15, 2007 1:11 PM
To: mediawiki-l
Subject: [Mediawiki-l] AuthPlugins and Overwriting Preferences
Hi,

When AuthPlugin::updateUser() is called I would think that the
preferences that have not changed would be left unchanged in the local
MW DB but that is not the case. Here's my code:

    function updateUser( &$user ) {
        if (is_array($this->acct)) {
            $user->setOption('nickname', $username);
            if (isset($this->acct['displayName']))
                $user->setRealName($this->acct['displayName']);
            if (isset($this->acct['mail']))
                $user->setEmail($this->acct['mail']);
            $user->setPassword(NULL);
            $user->saveSettings();
            return true;
        }
        return false;
    }

It seems that even though only the nickname, real name and email address
are updated, all other preferences are reset. How am I supposed to
update only a few fields without wrecking the prefs? From looking at
LdapAuthenticate.php it's not clear to me that it handles this situation
any differently.

Also, when trying to update preferences, if
AuthPlugin::updateExternalDB() returns false an error is displayed:

"There was either an external authentication database error or you are
not allowed to update your external account."

Why does this error occur? I do not want to store preferences
externally. Why does MW not store preferences locally regardless of what
updateExternalDB returns?

Thanks for any help,
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/