www-infrastructure-issues mailing list archives

From "Rainer Jung (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-6345) moinmoin view attachments always 403 for anon users on /solr (and probably /lucene-java
Date Thu, 06 Jun 2013 17:39:20 GMT

    [ https://issues.apache.org/jira/browse/INFRA-6345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13677283#comment-13677283

Rainer Jung commented on INFRA-6345:

Thanks for the update. I allowed "view" as well and can now also see the full image. There's
no indication that more read-only actions than "get" and "view" exist, so I close this again
as fixed. In case another read URL for attachments shows up please feel free to reopen the
> moinmoin view attachments always 403 for anon users on /solr (and probably /lucene-java
> ---------------------------------------------------------------------------------------
>                 Key: INFRA-6345
>                 URL: https://issues.apache.org/jira/browse/INFRA-6345
>             Project: Infrastructure
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: MoinMoin
>            Reporter: Hoss Man
>            Assignee: Rainer Jung
> A while back, the /solr and /lucene-java wikis switched to using the ContributorsGroup ACL model to cut down on spam.  Shortly after that, contributors noticed that the wiki attachment screens were working and started using that to upload screenshots to the wiki -- but recently we've come to realize that these attachments are only visible to users logged into the wiki.
> Based on the "OurWikiFarm" docs, I suspect that the fact that attachments can currently be uploaded at all is just a fluke of our ACL settings, and no one thought to explicitly request attachments be enabled when we locked down editing.
> If I'm correct, please consider this a request to enable attachments on both of these MoinMoin wikis.
> If I'm wrong, and wiki attachments are enabled, then there is some weird bug happening
> a concrete example for testing...
> https://wiki.apache.org/solr/SolrOnAmazonEC2
> ...that screen has a dozen or so screenshots, but they are only visible if you are logged into the wiki (regardless of whether you are in the Admin or Contributor groups).  If you are an anon user, the URLs for the images return 403 responses...
> <img class="attachment" width="600" title="Launch Instance" src="/solr/SolrOnAmazonEC2?action=AttachFile&do=get&target=1-launch-instance.png" alt="Launch Instance"></img>
> $ curl -I 'https://wiki.apache.org/solr/SolrOnAmazonEC2?action=AttachFile&do=get&target=1-launch-instance.png'
> HTTP/1.1 403 Forbidden
> Date: Tue, 04 Jun 2013 23:06:48 GMT
> Server: Apache/2.4.4 (Unix) mod_wsgi/3.4 Python/2.7.3 OpenSSL/1.0.0g
> Content-Type: text/html; charset=iso-8859-1

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
