Wiki source for FilesManagementSolution
=====Files Management Solution=====
>>Working for 1.1.6.0 to 1.1.6.4 (latest)>>===The principle===
As many Wikka users, I find the upload process cumbersome. So I propose a new way relying on 3 developments and a few principles.
1) There will be a menulet action in the header and/or footer menus that will allow the user to:
- know if there are files attached to the current page (special display of the menulet link)
- browse the attached files by clicking on the menulet link
- manage the attachments (add/delete)
1) If you are allowed to read a page then you can read/download the attached files
1) If you are allowed to write a page then you can manage the attachments (add/delete)
Of course all this has to be compliant with the site policy (authorized mimes and maximum sizes).
It is indeed compliant with the ACLs, so it is with my solution of ACLsWithUserGroups.
===My solution===
Three developments to provide a complete solution:
- A handler (FilesHandlerInfo - FilesHandler) allowing to call the file management tool from any page
- An action (ListfilesActionInfo - ListfilesAction) allowing to list and download the attached documents
- A menulet action (WikkaMenulets : attachments) to call the handler via a menu
===Screenshots===
[[http://131.202.167.33/hostedimages/Image1.png | The menulet: A new header menu links to the attachments (screenshot)]]
[[http://131.202.167.33/hostedimages/Image2.png | The handler activated: One click to get the files management handler (screenshot)]]
[[http://131.202.167.33/hostedimages/Image3.png | The action: A list of all attachments for the WikkaPage (screenshot)]]
[[http://131.202.167.33/hostedimages/MyWikka.png | How it could be with some nice icons: the paper clip icon is the menulet (screenshot)]]
===To Do===
As I cannot have the ModRewrite working on my site, it would be nice if someone could test all this with mod_rewrite.
~&It does work with mod_rewrite, but here are some other comments:
~~1) //If you are allowed to write a page then you can manage the attachments (add/delete)// On most wikkas the SandBox is writeble for everyone, which means the everyone can upload files there. There could be people who won't want that.
~~2) if I upload a file with *.php and use listfiles to list it, and click on it, wikka tries to open it as a method!
~&--NilsLindenberg
~~&Good points Nils, and both have to be solved. I am going for a long WE but will propose solutions next week. For the 1st point, I think we could restrict the upload to registered users; anyway allowing upload is a matter of trust. For the 2nd point I don't think it is hard to solve.
~~&--ChristianBarthelemy
~~~&Why not an extra acl like "filemanipulation", which would allow upload/delete of files? And Standard to registered users? This would allow a maximal flexibility. --NilsLindenberg
~~~&I'm actually a supporter of an extra acl for "actions on page".....the security/access issues around many of my contributions here would be better with just such an acl (and I've been tempted to hack one in). My forum actions and others currently use a "share=" parameter (to set a token) so that users of the action can be restricted to a specific list w/o allowing page write access. But, that means that anybody **with** pagewrite access can add users. I'd prefer a separate acl for actions where the page owner (and, in my case, therefore owner of the wikkaforum which is linked to the page) can set //users// of the action to one group, and permission to write on the page to a (potentially) different group. Such an acl would, I believe, allow a richer collection of actions/embedded programs to accumulate. My 2 cents. --GmBowen
~~&Actually it's worse than Nils suggests - being able to upload a .php file could enable an attacker to execute arbitrary code... **major** security hole! You'd need a filter that looks at allowable files - and not just by extension either: look at the first few bytes to detect **actual** file type. --JavaWoman
~&**Link** to files, rather than upload? Would it be possible to add the functionality so that rather than store the files within the Wikki, there was an option box for 'link' as well as upload. This would be useful on internal wikki deployments where you want to avoid file duplication by allowing users to point at the file to create a link to that file on a separate internal server. - RogerD
----
CategoryUserContributions
>>Working for 1.1.6.0 to 1.1.6.4 (latest)>>===The principle===
As many Wikka users, I find the upload process cumbersome. So I propose a new way relying on 3 developments and a few principles.
1) There will be a menulet action in the header and/or footer menus that will allow the user to:
- know if there are files attached to the current page (special display of the menulet link)
- browse the attached files by clicking on the menulet link
- manage the attachments (add/delete)
1) If you are allowed to read a page then you can read/download the attached files
1) If you are allowed to write a page then you can manage the attachments (add/delete)
Of course all this has to be compliant with the site policy (authorized mimes and maximum sizes).
It is indeed compliant with the ACLs, so it is with my solution of ACLsWithUserGroups.
===My solution===
Three developments to provide a complete solution:
- A handler (FilesHandlerInfo - FilesHandler) allowing to call the file management tool from any page
- An action (ListfilesActionInfo - ListfilesAction) allowing to list and download the attached documents
- A menulet action (WikkaMenulets : attachments) to call the handler via a menu
===Screenshots===
[[http://131.202.167.33/hostedimages/Image1.png | The menulet: A new header menu links to the attachments (screenshot)]]
[[http://131.202.167.33/hostedimages/Image2.png | The handler activated: One click to get the files management handler (screenshot)]]
[[http://131.202.167.33/hostedimages/Image3.png | The action: A list of all attachments for the WikkaPage (screenshot)]]
[[http://131.202.167.33/hostedimages/MyWikka.png | How it could be with some nice icons: the paper clip icon is the menulet (screenshot)]]
===To Do===
As I cannot have the ModRewrite working on my site, it would be nice if someone could test all this with mod_rewrite.
~&It does work with mod_rewrite, but here are some other comments:
~~1) //If you are allowed to write a page then you can manage the attachments (add/delete)// On most wikkas the SandBox is writeble for everyone, which means the everyone can upload files there. There could be people who won't want that.
~~2) if I upload a file with *.php and use listfiles to list it, and click on it, wikka tries to open it as a method!
~&--NilsLindenberg
~~&Good points Nils, and both have to be solved. I am going for a long WE but will propose solutions next week. For the 1st point, I think we could restrict the upload to registered users; anyway allowing upload is a matter of trust. For the 2nd point I don't think it is hard to solve.
~~&--ChristianBarthelemy
~~~&Why not an extra acl like "filemanipulation", which would allow upload/delete of files? And Standard to registered users? This would allow a maximal flexibility. --NilsLindenberg
~~~&I'm actually a supporter of an extra acl for "actions on page".....the security/access issues around many of my contributions here would be better with just such an acl (and I've been tempted to hack one in). My forum actions and others currently use a "share=" parameter (to set a token) so that users of the action can be restricted to a specific list w/o allowing page write access. But, that means that anybody **with** pagewrite access can add users. I'd prefer a separate acl for actions where the page owner (and, in my case, therefore owner of the wikkaforum which is linked to the page) can set //users// of the action to one group, and permission to write on the page to a (potentially) different group. Such an acl would, I believe, allow a richer collection of actions/embedded programs to accumulate. My 2 cents. --GmBowen
~~&Actually it's worse than Nils suggests - being able to upload a .php file could enable an attacker to execute arbitrary code... **major** security hole! You'd need a filter that looks at allowable files - and not just by extension either: look at the first few bytes to detect **actual** file type. --JavaWoman
~&**Link** to files, rather than upload? Would it be possible to add the functionality so that rather than store the files within the Wikki, there was an option box for 'link' as well as upload. This would be useful on internal wikki deployments where you want to avoid file duplication by allowing users to point at the file to create a link to that file on a separate internal server. - RogerD
----
CategoryUserContributions