Integrate Dokuwiki ACL for file endpoint
28
README.md
@@ -31,15 +31,11 @@ It also ships a small file-serving endpoint (`lib/plugins/luxtools/file.php`) us
|
||||
to deliver files and generate cached thumbnails.
|
||||
|
||||
|
||||
## Important security note
|
||||
## Note on security
|
||||
|
||||
The file-serving endpoint (`lib/plugins/luxtools/file.php`) runs inside DokuWiki
|
||||
and can enforce a simple access restriction based on the currently logged-in
|
||||
user.
|
||||
|
||||
This is intentionally *not* full per-page ACL integration; it is a pragmatic
|
||||
allowlist to avoid “anyone with a guessed URL can fetch the file”.
|
||||
|
||||
and enforces access via per-page ACL: the requester must have at least read
|
||||
access to the wiki page that rendered the link.
|
||||
|
||||
## Installation
|
||||
|
||||
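Review bot: The rewritten security note ("the requester must have at least read access to the wiki page that rendered the link") no longer says what happens to anonymous requests or to requests where no host page can be determined. The text it replaces framed the allowlist as protection against "anyone with a guessed URL can fetch the file", so the new paragraph should state the equivalent guarantee under ACLs: that `file.php` denies a request when the page is missing or unreadable, and whether files linked from a publicly readable page can now be fetched without logging in. Since the +/- markers are not visible in this view, please also confirm which of the two headings ("## Important security note" or "## Note on security") is the one being kept; the section describes an access-control boundary and the stronger wording seems appropriate.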
@@ -60,33 +56,25 @@ luxtools is configured via its dedicated admin page:
|
||||
|
||||
Key settings:
|
||||
|
||||
- **access_allow**
|
||||
Allowed users/groups for the file-serving endpoint.
|
||||
- Entries can be separated by newlines, commas, or whitespace.
|
||||
- Use `@group` to allow a whole group.
|
||||
- Leave empty to allow any authenticated (logged-in) user.
|
||||
- Anonymous users are always denied.
|
||||
|
||||
- **paths**
|
||||
Allowed base filesystem roots (one per line). Each root can be followed by:
|
||||
- `A> /Alias/` (optional) alias used in wiki syntax and open links
|
||||
- `W> https://...` (optional) web base URL used for links instead of `file.php`
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
/srv/share/Datascape/
|
||||
A> /Scape/
|
||||
W> https://files.example.example/Datascape/
|
||||
```
|
||||
|
||||
If no `W>` line is configured, luxtools links will use the plugin endpoint:
|
||||
luxtools links use the plugin endpoint:
|
||||
|
||||
`lib/plugins/luxtools/file.php?root=...&file=...`
|
||||
|
||||
Note: if you configure a `W>` web URL to an external file server, that server
|
||||
must enforce access itself; DokuWiki ACLs and `access_allow` only apply to
|
||||
`file.php`.
|
||||
The generated URLs also include the current wiki page id (`id=...`) so
|
||||
`file.php` can enforce ACLs for the host page.
|
||||
|
||||
|
||||
|
||||
- **scratchpad_paths**
|
||||
Scratchpad file map (one file path per line, followed by an `A>` alias line).
|
||||
|
||||
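Review bot: The sentence "The generated URLs also include the current wiki page id (`id=...`) so `file.php` can enforce ACLs for the host page" documents the ACL decision as depending on a request parameter, but does not say how `file.php` ties that `id` to the requested `root`/`file`. The README should state what the endpoint checks beyond read access to the named page (for example, that the page actually references the file, or that the `root` is one of the configured `paths`), and what it does when `id` is absent. Separately, the `W>` option still appears in the `paths` description and example, while the note that an external file server "must enforce access itself" seems to be dropped along with `access_allow`; if `W>` remains supported, keep a one-line caveat that DokuWiki ACLs only apply to `file.php`.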