Posted to infrastructure-issues@apache.org by "Hoss Man (JIRA)" <ji...@apache.org> on 2013/06/05 01:13:20 UTC

[jira] [Created] (INFRA-6345) moinmoin view attachments always 403 for anon users on /solr (and probably /lucene-java

Hoss Man created INFRA-6345:
-------------------------------

             Summary: moinmoin view attachments always 403 for anon users on /solr (and probably /lucene-java
                 Key: INFRA-6345
                 URL: https://issues.apache.org/jira/browse/INFRA-6345
             Project: Infrastructure
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: MoinMoin
            Reporter: Hoss Man


A while back, the /solr and /lucene-java wikis switched to using the ContributorsGroup ACL model to cut down on spam.  Shortly after that, contributors noticed that the wiki attachment screens were working and started using that to upload screenshots to the wiki -- but recently we've come to realize that these attachments are only visible to users logged into the wiki.

Based on the "OurWikiFarm" docs, I suspect that the fact that attachments can currently be uploaded at all is just a fluke of our ACL settings, and no one thought to explicitly request attachments be enabled when we locked down editing.  

If I'm correct, please consider this a request to enable attachments on both of these MoinMoin wikis.

If I'm wrong, and wiki attachments are enabled, then there is some weird bug happening here.

A concrete example for testing...

https://wiki.apache.org/solr/SolrOnAmazonEC2

...that screen has a dozen or so screenshots, but they are only visible if you are logged into the wiki (regardless of whether you are in the Admin or Contributor groups).  If you are an anon user, the URLs for the images return 403 responses...

<img class="attachment" width="600" title="Launch Instance" src="/solr/SolrOnAmazonEC2?action=AttachFile&do=get&target=1-launch-instance.png" alt="Launch Instance"></img>

$ curl -I 'https://wiki.apache.org/solr/SolrOnAmazonEC2?action=AttachFile&do=get&target=1-launch-instance.png'
HTTP/1.1 403 Forbidden
Date: Tue, 04 Jun 2013 23:06:48 GMT
Server: Apache/2.4.4 (Unix) mod_wsgi/3.4 Python/2.7.3 OpenSSL/1.0.0g
Content-Type: text/html; charset=iso-8859-1


