
SID-01519: Secure attachments doesn't honor topic access rules

Status: Answered
TWiki version: 5.1.1
Perl version: 5.8.8
Category: CategoryAttachments
Server OS: CentOS 2.16.18.274.17.1.e15
Last update: 13 years ago

I have followed the procedure to secure attachments for a secure topic as mentioned in the help document.

After enabling this feature and trying it out with various user logins who have privileges and don't have privileges for the topic, I get the Apache server error that says "attachment not found on this server" for any user, though the attachment is available as an item in a table within the topic.

I am evaluating TWiki 5.1.1 using a CentOS Linux virtual machine on a Windows 7 Professional laptop.

-- RaviShankarS - 2012-08-14

Discussion and Answer

Looks like an apache config issue, however, glancing over your twiki.conf I did not spot an issue. It is difficult to help without more details, such as what URL path & rewritten path you get when you see the "attachment not found on this server" message.

-- PeterThoeny - 2012-08-14

Before I get to the actual error message that I see in my browser (Chrome 21.0), let me illustrate the use case for your reference. This should help you understand the context better.

There are 3 users, for simplicity, let us call them Jack, John and Jill.

Jack and John belong to one group that can create a topic, edit a topic, delete a topic, and add attachments for their group. Jack has put topic restrictions in place using the following topic-level access variables:

  • Set DENYTOPICCHANGE=Jill
  • Set DENYTOPICRENAME=Jill

Jill belongs to another group that can only view the topic.

With file attachment access in place, I was expecting Jack and John to be able to view the attachment, download if needed etc but not Jill. However, it turns out in my case, neither Jack and John nor Jill can view the attachments. I get uniformly the same error message in the browser that you can see below (the message is an actual message from a test instance). I checked as root in the VM at the actual path, the attached file exists in the topic directory along with another file that has revision information (,v in the file name).

It is possible that my use case is wrong. Please correct me if this is the case.

Please see below under Enclosed for the details.

Cheers!

Ravi

Enclosed:

Attachment URL in attachment table in the topic: http://192.168.48.128/pub/Main/SecureTopic/blc_15_erd.pdf

Error Message


Not Found

The requested URL /pub/Main/SecureTopic/blc_15_erd.pdf was not found on this server.

Apache/2.2.3 (CentOS) Server at 192.168.48.128 Port 80

-- RaviShankarS - 2012-08-16

As defined in your twiki.conf, the URL path of pub is /twiki/pub, but your browser tries to access /pub. Check the {PubUrlPath} setting in configure (or LocalSite.cfg); it needs to match the Alias in twiki.conf.

See also the updated ApacheConfigGenerator; it no longer needs Apache rewrite rules to secure attachments.

-- PeterThoeny - 2012-08-16

It works after changing the {PubUrlPath}. As you indicated correctly, it was configured by default to /pub.

Thanks Peter. I didn't actually do anything on the configure part beyond setting up the ip address. Glad I understood the connection parameter.

I shall close the issue now.

-- RaviShankarS - 2012-08-17
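
An added example (not part of the original thread and not TWiki's own code): a Python check that the {PubUrlPath} value in LocalSite.cfg matches an Alias in the Apache twiki.conf, which is the mismatch diagnosed above. The sample file contents and filesystem paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not the poster's real files): an Apache
# twiki.conf fragment and a LocalSite.cfg fragment with the /pub mismatch.
SAMPLE_APACHE_CONF = '''
# pub directory of the TWiki install (filesystem path is an assumption)
ScriptAlias /twiki/bin "/var/www/twiki/bin"
Alias /twiki/pub "/var/www/twiki/pub"
'''
SAMPLE_LOCALSITE_CFG = '''
$TWiki::cfg{DefaultUrlHost} = 'http://192.168.48.128';
$TWiki::cfg{PubUrlPath} = '/pub';
'''

def apache_aliases(conf_text):
    """Return URL paths declared by Alias directives (ScriptAlias excluded)."""
    paths = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith('#'):
            continue  # Apache comment line
        m = re.match(r'(?i)Alias\s+"?([^\s"]+)"?\s+\S', line)
        if m:
            paths.append(m.group(1).rstrip('/') or '/')
    return paths

def cfg_value(cfg_text, key):
    """Return the string assigned to $TWiki::cfg{key}, or None if unset."""
    pattern = r"^\s*\$TWiki::cfg\{%s\}\s*=\s*(['\"])(.*?)\1\s*;" % re.escape(key)
    m = re.search(pattern, cfg_text, re.M)
    return (m.group(2).rstrip('/') or '/') if m else None

def check_pub_path(conf_text, cfg_text):
    """Return (ok, message) comparing {PubUrlPath} with the Alias paths."""
    pub = cfg_value(cfg_text, 'PubUrlPath')
    aliases = apache_aliases(conf_text)
    if pub is None:
        return False, "{PubUrlPath} is not set in LocalSite.cfg"
    if pub in aliases:
        return True, "{PubUrlPath} %s matches an Apache Alias" % pub
    found = ", ".join(aliases) or "none"
    return False, "{PubUrlPath} %s has no matching Alias (found: %s)" % (pub, found)

if __name__ == "__main__":
    print(check_pub_path(SAMPLE_APACHE_CONF, SAMPLE_LOCALSITE_CFG)[1])
```
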

SupportForm

Status: Answered
Title: Secure attachments doesn't honor topic access rules
SupportCategory: CategoryAttachments
TWiki version: 5.1.1
Server OS: CentOS 2.16.18.274.17.1.e15
Web server: Apache/2.2.3 (CentOS)
Perl version: 5.8.8

Topic attachments

Attachment: twiki.conf (r1), Size: 4.0 K, Date: 2012-08-14 - 11:30, Who: RaviShankarS
Topic revision: r5 - 2012-08-17 - RaviShankarS