[Resolved] How do I secure my BuddyPress Docs attachment directory?

  • Plugin Author Boone Gorges

    @boonebgorges

    https://github.com/boonebgorges/buddypress-docs/wiki/Attachment-Privacy is a starting point.

    Can you say more about your server setup? In particular, are you running Apache? What is your setting at Dashboard > Settings > Permalinks?

    Also, can you verify that the message is, in fact, correct? Upload an attachment to a private Doc. Then try to access the attachment directly, while *not* logged in. You should use the true file URL, so instead of (eg) http://example.com/?p=54&bp-attachment=test.pdf, use http://example.com/wp-content/uploads/bp-attachments/54/test.pdf. If the attachment is actually being protected, the latter URL will fail (you’ll be bounced to wp-login.php).

    Thank you for your great support.

    The error message is correct. If I enter the URL

    https://<domain>/wp-content/uploads/bp-attachments/190/test.png

    into a logged-out web browser the document is seen.

    I am using the Bitnami multisite distribution. This uses Apache and in httpd-app.conf I find

    <Directory "/opt/bitnami/apps/wordpress/htdocs">
        Options +MultiViews +FollowSymLinks
        AllowOverride None
    
        <IfVersion < 2.3 >
        Order allow,deny
        Allow from all
        </IfVersion>
        <IfVersion >= 2.3>
        Require all granted
        </IfVersion>
    
       RewriteEngine On
       RewriteBase /
       RewriteRule ^index\.php$ - [L]
    
       # uploaded files
       RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . index.php [L]
    
        <IfDefine USE_PHP_FPM>
           RewriteEngine On
           RewriteOptions Inherit
    
           RewriteRule ^(.*\.php(/.*)?)$ fcgi://uds=%2fopt%2fbitnami%2fphp%2fvar%2frun%2fwordpress.sock/%{REQUEST_FILENAME} [P,L]
        </IfDefine>
    </Directory>

    I understand that this is the wrong setting for AllowOverride.

    Please tell me the correct setting for AllowOverride because this is not obvious from the Apache documentation.

    Many thanks,
    James

    Plugin Author Boone Gorges

    @boonebgorges

    Thanks very very much for testing, James. I’m still trying to hone this system, so your feedback is invaluable.

    You are correct that AllowOverride is the problematic bit. Unless you have a strong reason not to, you should change it to AllowOverride All and restart Apache. Let me know what you find.

    That fix worked.

    The Bitnami distribution comes with

    AllowOverride None

    * Have they made a mistake (in which case I will tell them) or might there be a good reason for this setting?

    James

    Resolved
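An added example, not part of the original thread or of the plugin's code: a small audit that finds which `AllowOverride` setting governs the attachment directory in a config like the one quoted above, and therefore whether Apache reads `.htaccess` rules placed there. The filesystem path in `TARGET`, the function names, and the default check for the `FileInfo` class (the class mod_rewrite directives belong to; the thread does not show which directives the plugin writes) are assumptions, and only plain-path `<Directory>` blocks are handled.

```python
import re

# Constructed sample: the relevant lines of the <Directory> block quoted in the thread.
SAMPLE_CONF = """
<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Options +MultiViews +FollowSymLinks
    AllowOverride None
    <IfVersion >= 2.3>
    Require all granted
    </IfVersion>
</Directory>
"""
# Assumed filesystem location of the attachment directory (standard WordPress layout).
TARGET = "/opt/bitnami/apps/wordpress/htdocs/wp-content/uploads/bp-attachments"

OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r"</Directory\s*>", re.I)
OVERRIDE = re.compile(r"AllowOverride\s+(.+)", re.I)

def effective_override(conf_text, target_dir):
    """AllowOverride tokens from the longest plain-path <Directory> covering target_dir."""
    target, current, best = target_dir.rstrip("/"), None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # Apache comments occupy whole lines
        opened, setting = OPEN.match(line), OVERRIDE.match(line)
        if opened:
            current = opened.group(1).rstrip("/")
        elif CLOSE.match(line):
            current = None
        elif setting and current is not None:
            covers = target == current or target.startswith(current + "/")
            if covers and (best is None or len(current) >= len(best[0])):
                best = (current, setting.group(1).split())
    return best[1] if best else None

def htaccess_allows(conf_text, target_dir, override_class="FileInfo"):
    """True/False if a covering block decides it, None if no block in this text covers it."""
    tokens = effective_override(conf_text, target_dir)
    if tokens is None:
        return None
    lowered = {t.lower() for t in tokens}
    return "all" in lowered or override_class.lower() in lowered

if __name__ == "__main__":
    print("as shipped:", htaccess_allows(SAMPLE_CONF, TARGET))
    fixed = SAMPLE_CONF.replace("AllowOverride None", "AllowOverride All")
    print("after fix: ", htaccess_allows(fixed, TARGET))
```

A `None` result means no block in the scanned text covers the directory, so the setting is inherited from another configuration file and that file needs the same check.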
