BuddyPress Docs
[resolved] How do I secure my BuddyPress Docs attachment directory? (6 posts)

  1. xjamesb
    Posted 2 years ago #

    After upgrading to version 1.6.0 I got the message,

    "Your BuddyPress Docs attachments directory is publicly accessible. Doc attachments will not be properly protected from direct viewing, even if the parent Docs are non-public."

    * How do I secure this directory?


  2. Boone Gorges
    Plugin Author

    Posted 2 years ago #

    https://github.com/boonebgorges/buddypress-docs/wiki/Attachment-Privacy is a starting point.

    Can you say more about your server setup? In particular, are you running Apache? What is your setting at Dashboard > Settings > Permalinks?

    Also, can you verify that the message is, in fact, correct? Upload an attachment to a private Doc. Then try to access the attachment directly, while *not* logged in. You should use the true file URL, so instead of (eg) http://example.com/?p=54&bp-attachment=test.pdf, use http://example.com/wp-content/uploads/bp-attachments/54/test.pdf. If the attachment is actually being protected, the latter URL will fail (you'll be bounced to wp-login.php).

  3. xjamesb
    Posted 2 years ago #

    Thank you for your great support.

    The error message is correct. If I enter the URL


    into a logged-out web browser the document is seen.

    I am using the Bitnami multisite distribution. This uses Apache and in httpd-app.conf I find

    <Directory "/opt/bitnami/apps/wordpress/htdocs">
        Options +MultiViews +FollowSymLinks
        AllowOverride None
        <IfVersion < 2.3 >
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.3>
            Require all granted
        </IfVersion>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        # uploaded files
        RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . index.php [L]
        <IfDefine USE_PHP_FPM>
            RewriteEngine On
            RewriteOptions Inherit
            RewriteRule ^(.*\.php(/.*)?)$ fcgi://uds=%2fopt%2fbitnami%2fphp%2fvar%2frun%2fwordpress.sock/%{REQUEST_FILENAME} [P,L]
        </IfDefine>
    </Directory>

    I understand that this is the wrong setting for AllowOverride.

    Please tell me the correct setting for AllowOverride because this is not obvious from the Apache documentation.

    Many thanks,

  4. Boone Gorges
    Plugin Author

    Posted 2 years ago #

    Thanks very very much for testing, James. I'm still trying to hone this system, so your feedback is invaluable.

    You are correct that AllowOverride is the problematic bit. Unless you have a strong reason not to, you should change it to AllowOverride All and restart Apache. Let me know what you find.

  5. xjamesb
    Posted 2 years ago #

    That fix worked.

    The Bitnami distribution comes with

    AllowOverride None

    * Have they made a mistake (in which case I will tell them) or might there be a good reason for this setting?


  6. xjamesb
    Posted 2 years ago #


Topic Closed

This topic has been closed to new replies.
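
Added example (not part of the original thread and not BuddyPress Docs code): a small Python audit that reads an Apache config and reports which AllowOverride value applies to the attachments directory, which decides whether a .htaccess file placed there is honored. The sample config is constructed from the excerpt quoted in the thread, and ATTACH_DIR assumes the uploads path from the thread sits under the Bitnami document root. Wildcard and regex Directory paths are not handled, and conditional blocks are treated as active.

```python
import re
from pathlib import PurePosixPath

# Constructed sample modelled on the httpd-app.conf excerpt quoted in the thread.
SAMPLE_CONF = '''
<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Options +MultiViews +FollowSymLinks
    AllowOverride None
    <IfVersion >= 2.3>
    Require all granted
    </IfVersion>
</Directory>
'''

# Assumption: the uploads path from the thread, placed under the Bitnami docroot.
ATTACH_DIR = "/opt/bitnami/apps/wordpress/htdocs/wp-content/uploads/bp-attachments"

def effective_allowoverride(conf_text, target, default="None"):
    """Return (value, directory) from the most specific <Directory> covering target.
    default="None" matches Apache 2.4; Apache 2.2 defaulted to All."""
    target = PurePosixPath(target)
    stack, best = [], (default, None)
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<(\w+)\s*(.*?)\s*>$', line)
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif opened:
            name, arg = opened.group(1).lower(), opened.group(2).strip('"')
            # Only plain <Directory> sections may carry AllowOverride.
            plain = name == "directory" and not arg.startswith("~")
            stack.append(arg if plain else None)
        elif line.lower().startswith("allowoverride "):
            dirs = [d for d in stack if d]
            if not dirs:
                continue
            d = PurePosixPath(dirs[-1])
            covers = d == target or d in target.parents
            if covers and (best[1] is None or len(d.parts) >= len(best[1].parts)):
                best = (line.split(None, 1)[1], d)
    return best

def htaccess_status(conf_text, target):
    """'ignored' if .htaccess has no effect, 'honored' for All, else 'partial'."""
    value = effective_allowoverride(conf_text, target)[0].lower()
    if value == "none":
        return "ignored"
    return "honored" if value == "all" else "partial"  # partial: review by hand
```

A result of "ignored" for the attachments path matches the situation in the thread, where the file was served to a logged-out browser until AllowOverride was changed and Apache restarted.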
