SID-01891: Restrict attachment downloads
Status: Answered
TWiki version: 5.1.4
Perl version: 5.10
Category: CategoryAttachments
Server OS: CentOS 64 bit
Last update: 10 years ago
Hi all,
We have a TWiki that is password protected with Apache authorization. One thing we noticed is that attachments can be downloaded using a direct URL.
Supposedly you can restrict this setting by applying the same access control settings to attachments as those applied to topics.
http://twiki.org/cgi-bin/view/TWiki/TWikiAccessControl#Securing_File_Attachments
We have this feature enabled in our twiki.conf but as far as I understand, that would require adding a deny access control for each individual file. That's pretty kludgy if I'm understanding that correctly. If that's not how it works please clarify.
I would rather use htaccess to control this for any attachment. I first tried this using referrer but that doesn't seem to work.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} \.(xls|xlsx|pdf|7z|zip|doc|docx|jpg|gif|png|tif)$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.oursite.com/twiki/bin/viewauth/Main/WebHome/.* [NC]
RewriteRule .* - [F]
Then I was thinking it might be better to use a files match and only allow authenticated users access to download the files. Something like:
<FilesMatch "\.(pdf|xls|xlsx|doc|docx|zip)$">
Deny From All
</FilesMatch>
(I'm not sure how you specify the check against htpasswd in the above example.)
Any suggestions? Am I missing something?
--
Bryan Ino - 2014-03-17
Discussion and Answer
For Apache login, if you want to simply authenticate all attachments (e.g. user needs to login when viewing a pub URL), you can add the same auth setting you did for twiki/bin to the twiki/pub. Example:
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith)'
AuthType Basic
require valid-user
That is, if you require users to be authenticated at all times you do not need any rewrite rule.
If you want attachments protected based on TWiki access control settings on web or topic level you need rewrite rules.
See also ApacheConfigGenerator.
--
Peter Thoeny - 2014-03-17
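The two configurations discussed in this thread, written out as one added example (this is not the original poster's configuration nor output of TWiki's ApacheConfigGenerator). It assumes the install path /var/www/twiki and the .htpasswd location quoted above; adjust both for your server. Variant A is the answer above: the same Basic auth as twiki/bin applied to the whole pub tree. Variant B is what the FilesMatch in the question was reaching for: auth required only for selected attachment extensions, with the htpasswd check placed inside the FilesMatch block. Use one variant, not both, for the same directory.

```apache
# Variant A: every URL under /twiki/pub requires a valid login.
# Assumed paths; change them to match your installation.
<Directory "/var/www/twiki/pub">
    Options None
    AllowOverride None
    AuthType Basic
    AuthName "TWiki attachments"
    AuthUserFile /var/www/twiki/data/.htpasswd
    Require valid-user
</Directory>

# Variant B (use instead of A): only the listed attachment types
# require a login; other files in pub stay public.
# Note the closing tag is </FilesMatch>, not </Files>.
<Directory "/var/www/twiki/pub">
    Options None
    AllowOverride None
    <FilesMatch "\.(pdf|xlsx?|docx?|zip|7z)$">
        AuthType Basic
        AuthName "TWiki attachments"
        AuthUserFile /var/www/twiki/data/.htpasswd
        Require valid-user
    </FilesMatch>
</Directory>
```

Both variants belong in the server configuration (twiki.conf) rather than in a .htaccess file inside pub: with AllowOverride None set on that directory, which is the usual setting for a TWiki pub tree, httpd ignores any .htaccess placed there, which is one common reason the .htaccess attempt in the question would have had no effect. The Referer-based RewriteCond in the question is not a substitute for either variant: the Referer header is supplied by the client, may be absent, and can be set to any value, so it cannot enforce access control. Neither variant applies TWiki's per-web or per-topic access settings to attachments; that still requires the rewrite rules the answer refers to.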
Hi Peter thank you for the input. I resolved the problem. I was trying to specify the authentication in an htaccess file inside the pub directory. That wasn't working. Instead I updated the pub section in the twiki.conf file and that did the trick.
Thanks again for your help.
--
Bryan Ino - 2014-03-17
Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!
--
Peter Thoeny - 2015-12-03