Revision [4647]
This is an old revision of FilesManagementSolution made by NilsLindenberg on 2005-01-15 16:27:12.
Files Management Solution
The principle
Like many Wikka users, I find the upload process cumbersome. So I propose a new way relying on 3 developments and a few principles.
- There will be a menulet action in the header and/or footer menus that will allow the user to:
- know if there are files attached to the current page (special display of the menulet link)
- browse the attached files by clicking on the menulet link
- manage the attachments (add/delete)
- If you are allowed to read a page then you can read/download the attached files
- If you are allowed to write a page then you can manage the attachments (add/delete)
It is indeed compliant with the ACLs, and so also with my ACLsWithUserGroups solution.
My solution
Three developments to provide a complete solution:
- A handler (FilesHandlerInfo - FilesHandler) that lets the file management tool be called from any page
- An action (ListfilesActionInfo - ListfilesAction) that lists the attached documents and lets them be downloaded
- A menulet action (WikkaMenulets : attachments) to call the handler via a menu
Screenshots
The menulet: A new header menu links to the attachments (screenshot)
The handler activated: One click to get the files management handler (screenshot)
The action: A list of all attachments for the WikkaPage (screenshot)
How it could be with some nice icons: the paper clip icon is the menulet (screenshot)
To Do
As I cannot get ModRewrite working on my site, it would be nice if someone could test all this with mod_rewrite.
- It does work with mod_rewrite, but here are some other comments:
- "If you are allowed to write a page then you can manage the attachments (add/delete)": On most wikkas the SandBox is writable for everyone, which means that everyone can upload files there. There could be people who won't want that.
- If I upload a file with *.php and use listfiles to list it, and click on it, Wikka tries to open it as a method!
- Good points Nils, and both have to be solved. I am going for a long WE but will propose solutions next week. For the 1st point, I think we could restrict the upload to registered users; anyway allowing upload is a matter of trust. For the 2nd point I don't think it is hard to solve.
- Why not an extra acl like "filemanipulation", which would allow upload/delete of files? And Standard to registered users? This would allow a maximal flexibility. --NilsLindenberg
- Actually it's worse than Nils suggests - being able to upload a .php file could enable an attacker to execute arbitrary code... major security hole! You'd need a filter that looks at allowable files - and not just by extension either: look at the first few bytes to detect actual file type. --JavaWoman
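One way to write the kind of filter described in the last comment, as an added example that is not part of the original page or of Wikka's own code: an allowlist that checks both the extension and the first bytes of the file. The function name `vet_upload`, the `ALLOWED_TYPES` table and the sample file names are assumptions made for illustration.

```php
<?php
// Added example, not Wikka code. All names here are hypothetical.
// Allowed extension => signatures the file content must start with.
const ALLOWED_TYPES = [
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'gif'  => ['GIF87a', 'GIF89a'],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'pdf'  => ['%PDF-'],
];
// Returns a server-generated storage name for an accepted upload, or null.
// $clientName is the untrusted browser-supplied name, $tmpPath the temp file.
function vet_upload(string $clientName, string $tmpPath): ?string
{
    // Reject control characters (including NUL) before any path handling.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    $name = basename(str_replace('\\', '/', $clientName));
    // Require exactly "base.ext": no dotfiles and no "x.php.png" double
    // extensions, which some web server setups still pass to PHP.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Content check: the first bytes must match the claimed type.
    $head = (string) @file_get_contents($tmpPath, false, null, 0, 16);
    foreach (ALLOWED_TYPES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return bin2hex(random_bytes(16)) . '.' . $ext;
        }
    }
    return null;
}

// Constructed sample uploads: name => leading bytes of the content.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR";
$samples = ['photo.png' => $png, 'notes.php' => '<?php echo 1;',
            'fake.png' => '<?php echo 1;', 'img.php.png' => $png];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    printf("%-12s %s\n", $name, vet_upload($name, $tmp) ?? 'rejected');
    unlink($tmp);
}
```

A matching signature only shows how the file starts, not that the rest of it is harmless, so accepted files should still be stored under the generated name in a location the web server does not execute scripts from.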
CategoryDocumentation