Topic on Project:Support desk

Access to images folder and other folders

3
Mfort123 (talkcontribs)

This is my first website/wiki development project. I'm currently building a wiki using www.example.com/mediawiki for testing and development purposes. I've noticed that I can access, through the browser, all the folders in /mediawiki such as /mediawiki/images and /mediawiki/extensions. I was under the impression that putting "Deny from all" in .htaccess would block the access, but it doesn't work. I currently have an .htaccess file with only one line "Deny from all" and I can still just type www.example.com/mediawiki/images in the browser and can I see all the files and folders from my own filesystem.

I realise that mediawiki is designed to allow all users to edit any page; however, I would simply like to protect against the possibility that one user is able to upload/access a document that I uploaded for another user on a certain page. As it stands, any user can simply get any file by typing www.example.com/mediawiki/images or he can access the files by using . I went through Manual:Image_Authorization. On that page, we have the following:

img_auth.php then checks to see if the user has access to that particular file and if so, streams it back. If not, it displays a standard 403 error.

OK, so how do I block a user from accessing a particular file? The page doesn't tell you how to achieve this apart from setting $wgUploadpath to the img_auth.php file.

In summary, I would like to know the following:

  • Is there a way to block access to www.example.com/mediawiki/folder with folder=images, extensions, etc ?
  • Is there a way to block the ability of users with upload and edit rights to have access to files that have already been uploaded by other users or myself?

Thank you

Mfort123 (talkcontribs)

I put the following in the httpd.conf file:

<Directory /var/www/html/mediawiki/images>

Options -Indexes

</Directory>

and it seems to be blocking access to the images folder.

Ciencia Al Poder (talkcontribs)

You probably want to put Options -Indexes directly on /var/www/html/mediawiki instead of each subfolder.

img_auth.php is meant to block access to images by unregistered users. I don't know if currently it can be configured/extended to allow more granularity. You probably want to open a BUGREPORT requesting that.

Reply to "Access to images folder and other folders"