[resolved] How do I secure my BuddyPress Docs attachment directory? (6 posts)

  1. xjamesb
    Member
    Posted 4 months ago

    After upgrading to version 1.6.0 I got the message,

    "Your BuddyPress Docs attachments directory is publicly accessible. Doc attachments will not be properly protected from direct viewing, even if the parent Docs are non-public."

    * How do I secure this directory?

    https://wordpress.org/plugins/buddypress-docs/

  2. Boone Gorges
    Moderator
    Plugin Author

    Posted 4 months ago

    https://github.com/boonebgorges/buddypress-docs/wiki/Attachment-Privacy is a starting point.

    Can you say more about your server setup? In particular, are you running Apache? What is your setting at Dashboard > Settings > Permalinks?

    Also, can you verify that the message is, in fact, correct? Upload an attachment to a private Doc. Then try to access the attachment directly, while *not* logged in. You should use the true file URL, so instead of (eg) http://example.com/?p=54&bp-attachment=test.pdf, use http://example.com/wp-content/uploads/bp-attachments/54/test.pdf. If the attachment is actually being protected, the latter URL will fail (you'll be bounced to wp-login.php).

  3. xjamesb
    Member
    Posted 4 months ago

    Thank you for your great support.

    The error message is correct. If I enter the URL

    https://<domain>/wp-content/uploads/bp-attachments/190/test.png

    into a logged-out web browser the document is seen.

    I am using the Bitnami multisite distribution. This uses Apache and in httpd-app.conf I find

    <Directory "/opt/bitnami/apps/wordpress/htdocs">
        Options +MultiViews +FollowSymLinks
        AllowOverride None

        <IfVersion < 2.3 >
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.3>
            Require all granted
        </IfVersion>

        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]

        # uploaded files
        RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . index.php [L]

        <IfDefine USE_PHP_FPM>
            RewriteEngine On
            RewriteOptions Inherit

            RewriteRule ^(.*\.php(/.*)?)$ fcgi://uds=%2fopt%2fbitnami%2fphp%2fvar%2frun%2fwordpress.sock/%{REQUEST_FILENAME} [P,L]
        </IfDefine>
    </Directory>

    I understand that this is the wrong setting for AllowOverride.

    Please tell me the correct setting for AllowOverride because this is not obvious from the Apache documentation.

    Many thanks,
    James

  4. Boone Gorges
    Moderator
    Plugin Author

    Posted 4 months ago

    Thanks very very much for testing, James. I'm still trying to hone this system, so your feedback is invaluable.

    You are correct that AllowOverride is the problematic bit. Unless you have a strong reason not to, you should change it to AllowOverride All and restart Apache. Let me know what you find.

  5. xjamesb
    Member
    Posted 4 months ago

    That fix worked.

    The Bitnami distribution comes with

    AllowOverride None

    * Have they made a mistake (in which case I will tell them) or might there be a good reason for this setting?

    James

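The following script is an added example, not code from the BuddyPress Docs plugin or from either poster. It automates the two things this thread turns on: the logged-out probe Boone describes in post 2 (fetch the attachment by its true file URL and expect a bounce to wp-login.php rather than a 200), and a check of the AllowOverride value in the httpd-app.conf <Directory> block for the WordPress docroot from posts 3 to 5, since AllowOverride None makes Apache ignore the .htaccess the plugin relies on. It assumes curl and awk are installed; the attachment URL, the docroot path and the sample configuration at the bottom are constructed placeholders modelled on the thread, and the rewrite helper prints a modified copy instead of editing the live config.

```shell
#!/bin/sh
# Added example (not part of the plugin or the thread).

# classify_direct_access STATUS LOCATION
# Interprets a logged-out fetch of an attachment's true file URL.
# A redirect to wp-login.php (or a 401/403/404) means the bp-attachments
# .htaccess rules are being honoured; a 200 means the file is served
# directly, i.e. the plugin's warning is correct.
classify_direct_access() {
    status="$1"
    location="$2"
    case "$status" in
        200) echo "EXPOSED: file served directly";;
        301|302|303|307|308)
            case "$location" in
                *wp-login.php*) echo "PROTECTED: redirected to login";;
                *) echo "REDIRECTED: to $location (inspect manually)";;
            esac;;
        401|403|404) echo "PROTECTED: access denied ($status)";;
        *) echo "UNKNOWN: HTTP $status";;
    esac
}

# probe_attachment URL
# Live check (needs network): fetch with no cookies, i.e. logged out, and
# classify the status code and redirect target that curl reports.
# Example URL shape from the thread (placeholder host):
#   https://example.com/wp-content/uploads/bp-attachments/190/test.png
probe_attachment() {
    out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$1")
    status=${out%% *}
    location=${out#* }
    classify_direct_access "$status" "$location"
}

# check_allowoverride CONF DOCROOT
# Prints the AllowOverride value inside the <Directory DOCROOT> block.
# "None" means every .htaccess under the docroot is ignored, including the
# one BuddyPress Docs writes into wp-content/uploads/bp-attachments.
check_allowoverride() {
    awk -v root="$2" '
        $0 ~ "<Directory[ \t]+\"?" root "\"?[ \t]*>" { inblock = 1; next }
        inblock && $0 ~ /<\/Directory>/ { inblock = 0 }
        inblock && $1 == "AllowOverride" { print $2; exit }
    ' "$1"
}

# set_allowoverride_all CONF DOCROOT
# Emits a copy of CONF with AllowOverride None changed to All, only within
# the <Directory DOCROOT> block, so the result can be reviewed before it
# replaces the real file (followed by an Apache restart).
set_allowoverride_all() {
    awk -v root="$2" '
        $0 ~ "<Directory[ \t]+\"?" root "\"?[ \t]*>" { inblock = 1 }
        inblock && $0 ~ /<\/Directory>/ { inblock = 0 }
        inblock && $1 == "AllowOverride" { sub(/AllowOverride[ \t]+None/, "AllowOverride All") }
        { print }
    ' "$1"
}

# Constructed sample modelled on the httpd-app.conf quoted in the thread.
DOCROOT=/opt/bitnami/apps/wordpress/htdocs
SAMPLE_CONF=$(mktemp)
FIXED_CONF=$SAMPLE_CONF.fixed
cat > "$SAMPLE_CONF" <<'EOF'
<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Options +MultiViews +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
set_allowoverride_all "$SAMPLE_CONF" "$DOCROOT" > "$FIXED_CONF"

echo "before: AllowOverride $(check_allowoverride "$SAMPLE_CONF" "$DOCROOT")"
echo "after:  AllowOverride $(check_allowoverride "$FIXED_CONF" "$DOCROOT")"
echo "direct 200    -> $(classify_direct_access 200 '')"
echo "302 to login  -> $(classify_direct_access 302 'https://example.com/wp-login.php?redirect_to=x')"
```

Run the config checks against the real httpd-app.conf path and docroot, and run probe_attachment against a file attached to a private Doc from a machine that holds no WordPress session; repeat the probe after switching AllowOverride to All and restarting Apache to confirm the 200 has become a redirect to wp-login.php.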
  6. xjamesb
    Member
    Posted 4 months ago

    Resolved
